Allow both hackney 1.x and 4.x #170

Open
legoscia wants to merge 1 commit into lau:master from legoscia:hackney-1.x-4.x

Conversation

@legoscia


Let's allow both old and new hackney versions in order to make the transition easier for downstream projects.

Closes #155.
This is an alternative to #168.

Let's allow both old and new hackney versions in order to make the
transition easier for downstream projects.

Closes lau#155.
@xu-chris


@lau this is a good fix. Any thoughts?

@heywhy

heywhy commented Jun 27, 2026


@lau hi, I hope you're doing great. This PR contains important changes to mitigate the vulnerability with hackney; I hope you can speed up the resolution process.

@gilbertwong96


Hi @lau, any chance to merge it and bump a new version for tzdata?

# Hackney 4.x returns the body as a binary in the result from :hackney.get
{:ok, result}
end
defp get_body(client_ref) do


I think it's best to drop support for Hackney 1.x considering hackney 1.x is vulnerable and this major version won't be maintained anymore.

Author

Longer term, absolutely. My goal with this change is to make it easier for a project with a complex dependency tree to move towards Hackney 4.x. If one dependency depends on Hackney 1.x and another depends on 4.x, the upgrade is blocked, but if tzdata allows both versions, then progress towards Hackney 4.x can be made step by step.

end
defp get_body(client_ref) do
# Hackney 1.x returns a client_ref that we can fetch the body from
:hackney.body(client_ref)
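Review bot: the `defp get_body(client_ref)` clause has no guard, so it is a catch-all that also matches a binary; the dispatch between the Hackney 4.x clause above and this one therefore depends purely on clause order, and a reordering would hand a 4.x binary body to `:hackney.body/1`. Consider `defp get_body(client_ref) when is_reference(client_ref) do`, since a Hackney 1.x client_ref is an Erlang reference, so that an unexpected response shape fails with a FunctionClauseError in tzdata rather than inside hackney.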

@stepchud stepchud Jul 1, 2026


Should there be a deprecation warning here?

@Kariiem

Kariiem commented Jul 1, 2026


Can hackney also be declared as an optional dep, since the client itself checks whether it's loaded or not, and there is the Tzdata.Http.Client behaviour?

@legoscia

legoscia commented Jul 1, 2026

Author

Can hackney also be declared as an optional dep, since the client itself checks whether it's loaded or not, and there is the Tzdata.Http.Client behaviour?

That is a good point. I think it makes sense to declare it as optional. I wasn't sure whether to include it in this pull request or as a separate change, but maybe that's worth doing.
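The dual-version dependency this pull request proposes, together with the optional-dependency idea raised just above, as an added illustration that is not code from tzdata or from this pull request: the version bounds, the module name `Tzdata.HttpClient.HackneyCompat` and the `{:ok, status, body}` return shape are assumptions; the 1.x and 4.x response shapes follow the descriptions in the thread.

```elixir
# mix.exs (deps/0), assumed bounds: one requirement that accepts both Hackney
# major lines, marked optional so a project supplying its own
# Tzdata.Http.Client implementation does not have to pull hackney in at all.
#
#   {:hackney, "~> 1.17 or ~> 4.0", optional: true}

defmodule Tzdata.HttpClient.HackneyCompat do
  @moduledoc """
  Hypothetical Hackney-backed client that normalises the 1.x and 4.x
  response shapes into {:ok, status, body} | {:error, reason}.

    * Hackney 1.x: :hackney.get/4 returns {:ok, status, headers, client_ref}
      and the body has to be read with :hackney.body/1.
    * Hackney 4.x: :hackney.get/4 returns the body as a binary directly
      (as described in the pull request).
  """

  @doc "Fetch `url`; returns {:error, :hackney_not_available} if hackney is not loaded."
  def get(url, headers \\ [], opts \\ []) do
    # Because the dependency is optional, check for the module at runtime
    # instead of letting a missing :hackney surface as UndefinedFunctionError.
    if Code.ensure_loaded?(:hackney) do
      do_get(url, headers, opts)
    else
      {:error, :hackney_not_available}
    end
  end

  defp do_get(url, headers, opts) do
    case :hackney.get(url, headers, "", opts) do
      {:ok, status, _resp_headers, body_or_ref} ->
        with {:ok, body} <- body(body_or_ref), do: {:ok, status, body}

      {:error, reason} ->
        {:error, reason}
    end
  end

  # Hackney 4.x: the body is already a binary.
  defp body(body) when is_binary(body), do: {:ok, body}

  # Hackney 1.x: a client reference (an Erlang reference); fetch the body.
  # The guard means clause order is not load-bearing.
  defp body(client_ref) when is_reference(client_ref), do: :hackney.body(client_ref)

  # Anything else is a response shape this shim does not understand.
  defp body(other), do: {:error, {:unexpected_body, other}}
end
```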

@lwld

lwld commented Jul 3, 2026


+1
@lau this would be REALLY good to do soon as it blocks updating hackney versions with vulnerabilities

“A bunch of vulnerabilities I reported in hackney were just disclosed. Please upgrade to 4.0.1 ASAP. I know this is gonna start dependency hell so please take some time for this. Please repost for reach. #ElixirLang”

https://www.linkedin.com/feed/update/urn:li:activity:7464785377061605376/?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAEtYLIBXsVotWn8wDbLS0eyvk4VDJxtCoc

Also see #155

Development

Successfully merging this pull request may close these issues.

Please upgrade your hackney dependency when possible