build(deps): bump hackney from 1.20.1 to 3.0.2

[dependabot]

Bumps hackney from 1.20.1 to 3.0.2.

Release notes

Sourced from hackney's releases.

3.0.2

Bug Fixes

• Add default Content-Type: application/octet-stream header when sending a body without explicit Content-Type (#823). This restores 1.x behavior and follows RFC 7231 recommendations.

Dependencies

• Bump certifi to 2.16.0 (#824)

1.25.0 - 2025-07-24

IMPORTANT CHANGE

• change: insecure_basic_auth now defaults to true instead of false

  This restores backward compatibility with pre-1.24.0 behavior where basic auth was allowed over HTTP connections. If you need strict HTTPS-only basic auth:

  • Set globally: application:set_env(hackney, insecure_basic_auth, false)
  • Or per-request: {insecure_basic_auth, false} in options

Hex.pm : https://hex.pm/packages/hackney/1.25.0 Doc: https://hexdocs.pm/hackney/readme.html

1.24.1 - 2025-05-26

Changes

1.24.1 - 2025-05-26

• fix: remove unused variable warning in hackney.erl

1.24.0 - 2025-05-26

• security: fix basic auth credential exposure vulnerability
• security: add application variable support for insecure_basic_auth
• fix: NXDOMAIN error in Docker Compose environments (issue #764)
• fix: stream_body timeout after first chunk (issue #762)
• fix: SSL hostname verification with custom ssl_options and SSL message leak in async streaming
• fix: pool connections not freed on 307 redirects and multiple pool/timer race conditions
• fix: socket leaks, process deadlocks, ETS memory leaks, and infinite gen_server calls
• fix: controlling_process error handling in happy eyeballs and connection pool return
• improvement: update GitHub Actions to ubuntu-22.04 and bump certifi/mimerl dependencies

Breaking Change

The new insecure_basic_auth application variable defaults to false for security. If your application relies on insecure basic auth over HTTP, you must explicitly set application:set_env(hackney, insecure_basic_auth, true) to maintain previous behavior.

... (truncated)

Changelog

Sourced from hackney's changelog.

3.0.2 - 2026-02-02

Bug Fixes

• Add default Content-Type: application/octet-stream header when sending a body without explicit Content-Type (#823). This restores 1.x behavior and follows RFC 7231 recommendations.

Dependencies

• Bump certifi to 2.16.0 (#824)

3.0.1 - 2026-01-28

Bug Fixes

• Fix dialyzer warning in follow_redirect by removing dead code branch that checked is_pid() on a value that was always binary
• Store final redirect location in connection process state so it can be retrieved via hackney:location/1
• Clean up request_ret() type spec to accurately reflect return values

3.0.0 - 2026-01-27

BREAKING CHANGES

This is a major release with breaking changes to the high-level API. See Migration Guide for detailed upgrade instructions.

Response Format Change

The high-level API now returns the response body directly in the tuple, consistent across all protocols (HTTP/1.1, HTTP/2, HTTP/3):

%% Before (2.x) - HTTP/1.1
{ok, 200, Headers, ConnPid} = hackney:get(URL),
{ok, Body} = hackney:body(ConnPid).
%% After (3.x) - All protocols
{ok, 200, Headers, Body} = hackney:get(URL).

Removed Functions

The following deprecated functions have been removed:

Function	Replacement
hackney:body/1	Body returned directly in response tuple
hackney:body/2	Body returned directly in response tuple
hackney:stream_body/1	Use async mode with [async] or [{async, once}]
hackney:skip_body/1	Not needed - body always consumed

... (truncated)

Commits

• 1b6f536 release: version 3.0.2
• fdd65fe docs: add streaming request body examples to migration guide
• 6c8046d release: version 3.0.1
• 515745f fix: store final redirect location in connection process
• bee5ae0 fix: resolve dialyzer warning in follow_redirect
• 38d8baa Merge pull request #822 from benoitc/fix/consistent-response-format
• 491faa3 fix(docs): use edoc quote syntax for inline code
• b4436d3 docs: update version references to 3.0.0
• 854d57a docs: add manual connection management documentation
• 64412e6 release: version 3.0.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)