Skip to content

chore(deps-dev): bump the dev-dependencies group with 4 updates#36

Merged
jimsynz merged 1 commit into
mainfrom
dependabot/hex/dev-dependencies-94ea10fa6e
Jun 3, 2026
Merged

chore(deps-dev): bump the dev-dependencies group with 4 updates#36
jimsynz merged 1 commit into
mainfrom
dependabot/hex/dev-dependencies-94ea10fa6e

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 2, 2026

Copy link
Copy Markdown
Contributor

Bumps the dev-dependencies group with 4 updates: bandit, doctor, ex_doc and plug.

Updates bandit from 1.10.4 to 1.11.1

Changelog

Sourced from bandit's changelog.

1.11.1 (13 May 2026)

Fixes

Changes

  • We no longer disallow . and .. path components in HTTP/2 absolute paths (#581)

1.11.0 (1 May 2026)

Fixes

Enhancements

  • Define a new max_inflate_ratio WebSocket configuration option that defines a maximum allowable decompression ratio to help mitigate inflate bombing. Defaults to 25:1
  • Define a new max_fragmented_message_size WebSocket configuration option which defines the maximum allowed WebSocket frame size (inclusive of continuation frames). Defaults to 8MB

Changes

  • The default value of the max_frame_size WebSocket option has changed from :infinity to 8MB
  • Zero length non-fin continuation frames are now disallowed (we now skip Autobahn 6.1.2 as a result)
  • Multiple content-length fields in an HTTP/1 request are now disallowed (CVE-2026-39805, commit f2ca636, thanks @​PJUllrich & @​maennchen!)
  • We now only use the underlying transport when determining scheme (CVE-2026-39807, commit 45feea2, thanks @​PJUllrich & @​maennchen!)
Commits

Updates doctor from 0.22.0 to 0.23.0

Release notes

Sourced from doctor's releases.

0.23.0

[0.23.0] - 2025-05-15

Changed

  • Updated to Decimal 3.1
Changelog

Sourced from doctor's changelog.

[0.23.0] - 2025-05-15

Changed

  • Updated to Decimal 3.1
Commits

Updates ex_doc from 0.40.1 to 0.40.3

Changelog

Sourced from ex_doc's changelog.

v0.40.3 (2026-05-21)

  • Enhancements
    • Add autolinking for Erlang/OTP 29 native records

v0.40.2 (2026-05-08)

  • Bug fixes
    • Add rel="nofollow" to external links in HTML output
    • Use blockquote in llms.txt description
    • Void elements in epub, such wbr, must be terminated by the matching end-tag
    • Fix content container scrolling in older versions of Safari
    • Skip HTML comments when computing synopsis
    • Fix markdown backend code fence language and opaque type display
    • Fix false positive warning when linking to asset files
    • Prevent #search selector from impacting user content
    • Raise on extras that conflict with reserved filenames
    • Fix styling of admonition blocks
Commits

Updates plug from 1.19.1 to 1.19.2

Changelog

Sourced from plug's changelog.

v1.19.2 (2026-05-14)

Security

  • [Plug.Parsers.MULTIPART] Consider overall length when decoding multipart headers
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the dev-dependencies group with 4 updates: [bandit](https://github.com/mtrudel/bandit), [doctor](https://github.com/akoutmos/doctor), [ex_doc](https://github.com/elixir-lang/ex_doc) and [plug](https://github.com/elixir-plug/plug).


Updates `bandit` from 1.10.4 to 1.11.1
- [Changelog](https://github.com/mtrudel/bandit/blob/main/CHANGELOG.md)
- [Commits](mtrudel/bandit@1.10.4...1.11.1)

Updates `doctor` from 0.22.0 to 0.23.0
- [Release notes](https://github.com/akoutmos/doctor/releases)
- [Changelog](https://github.com/akoutmos/doctor/blob/master/CHANGELOG.md)
- [Commits](akoutmos/doctor@0.22.0...0.23.0)

Updates `ex_doc` from 0.40.1 to 0.40.3
- [Release notes](https://github.com/elixir-lang/ex_doc/releases)
- [Changelog](https://github.com/elixir-lang/ex_doc/blob/main/CHANGELOG.md)
- [Commits](elixir-lang/ex_doc@v0.40.1...v0.40.3)

Updates `plug` from 1.19.1 to 1.19.2
- [Changelog](https://github.com/elixir-plug/plug/blob/main/CHANGELOG.md)
- [Commits](elixir-plug/plug@v1.19.1...v1.19.2)

---
updated-dependencies:
- dependency-name: bandit
  dependency-version: 1.11.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-dependencies
- dependency-name: doctor
  dependency-version: 0.23.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-dependencies
- dependency-name: ex_doc
  dependency-version: 0.40.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-dependencies
- dependency-name: plug
  dependency-version: 1.19.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file elixir Pull requests that update elixir code labels Jun 2, 2026
@jimsynz jimsynz merged commit 9beb123 into main Jun 3, 2026
25 checks passed
@dependabot dependabot Bot deleted the dependabot/hex/dev-dependencies-94ea10fa6e branch June 3, 2026 21:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file elixir Pull requests that update elixir code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant