Releases: hexpm/hex_core
Releases · hexpm/hex_core
Release list
v0.18.0
- Add support for the
Policyregistry resource: signed organization dependency policies that opted-in clients honor at resolution time. - Add
hex_repo:get_policy/2to fetch and verify a policy resource from a repository. - Add
hex_registry:build_policy/2,hex_registry:unpack_policy/4,hex_registry:encode_policy/1, andhex_registry:decode_policy/3.
v0.17.0
v0.16.1
v0.16.0
- Validate tarball file paths and symlink targets when creating package and docs tarballs.
- Add
tarball_files_rootconfig for tarball source paths, defaulting to the current directory and allowing absolute paths only inside that root. - Add streaming
metadata.configdecoding and increase max metadata size to 1024KB. - Add
metadata_fieldsconfig to decode only selected package metadata fields. - Add security advisory fields to package and versions registry resources.
- Add
hex_repo:fingerprint/1andhex_repo:fingerprint_equal/2for repository public key verification. - Return response headers from
hex_http_httpc:request_to_file/6. - Accept SPDX
LicenseRef-*license identifiers.
v0.15.0
- Add
request_to_filecallback tohex_httpbehaviour for streaming HTTP response body directly to a file. - Add
hex_repo:get_tarball_to_file/4andhex_repo:get_docs_to_file/4for downloading tarballs and docs directly to disk. - Implement
request_to_fileinhex_http_httpcusing httpc's{stream, Filename}option.
v0.14.1
v0.14.0
- Stream tar extraction to disk, writing file entries in chunks instead of loading into memory.
- Add
{file, Path}support tohex_tarball:unpack_docs/2,3to read doc tarballs from disk. - Add
noneoutput mode tohex_tarball:unpack/2,3to extract only metadata and checksums, skipping contents.
v0.13.0
v0.12.1
- Fix unsafe deserialization of Erlang terms in API responses (CVE-2026-21619)
v0.12.0
- Add short URL API
hex_api_short_url:create/2. - Add OAuth API:
hex_api_oauth:device_authorization/3,4hex_api_oauth:poll_device_token/3hex_api_oauth:refresh_token/3hex_api_oauth:revoke_token/3hex_api_oauth:client_credentials_token/4,5
- Support 2FA authentication, any API request can now return
{error, otp_required | invalid_totp}
if 2FA is required. The config optionapi_otpcan be used to provide the TOTP code. - Differentiate between registry verification errors.
{error, unverified}has been replaced with
{error, bad_repo_name | bad_signature}. - Support nested maps in
extrapackage metadata field.