build(deps-dev): bump the dev-dependencies group across 1 directory with 4 updates

[dependabot]

Bumps the dev-dependencies group with 4 updates in the / directory: credo, ex_doc, floki and req.

Updates credo from 1.7.18 to 1.7.19

Release notes

Sourced from credo's releases.

v1.17.19

Check it out on Hex: https://hex.pm/packages/credo/1.7.19

• Fix compatibility & compiler warnings with Elixir 1.20.0

Changelog

Sourced from credo's changelog.

1.7.19

• Fix compatibility & compiler warnings with Elixir 1.20.0

Commits

• d4a88d4 Bump version to 1.7.19
• b87f0b6 Update CHANGELOG
• c4ed6df Use mix format
• 9172f39 Fix token error
• a6de9b5 Add reproducing test for #1275
• b726ad4 Run mix format
• ccd27fb Add test for sigil_p position
• 8a03b78 Clean stale deps
• a902c97 Set "old credo" to 1.7.18
• cc2ce91 Update GitHub actions
• Additional commits viewable in compare view

Updates ex_doc from 0.40.2 to 0.40.3

Changelog

Sourced from ex_doc's changelog.

v0.40.3 (2026-05-21)

• Enhancements
  • Add autolinking for Erlang/OTP 29 native records

Commits

• 07a6abc Release v0.40.3
• 02904bb Fix record autolink - and bump CI (#2240)
• See full diff in compare view

Updates floki from 0.38.1 to 0.38.3

Release notes

Sourced from floki's releases.

v0.38.3

Fixed

• Fix Floki.text/2 when document contains a "PI" tag by @​philss in philss/floki#696

Full Changelog: philss/floki@v0.38.2...v0.38.3

v0.38.2

Performance

This is another juicy patch version with performance improvements made by @​preciz.

• [Optimize multiple selectors deduping - #667](philss/floki#667)
• [Optimize DeepText by using plain recursion - #668](philss/floki#668)
• [Optimize get_descendant_ids by removing Enum.reverse calls - #669](philss/floki#669)
• [Optimize HTMLTree.to_tuple_list/1 using tail recursion - #670](philss/floki#670)
• [Optimize Floki.TextExtractor by removing Enum iterations - #675](philss/floki#675)
• [Simplify class attribute matching - #677](philss/floki#677)
• [Refactor attribute_values to use for comprehension with pattern matching - #679](philss/floki#679)
• [Optimize CSS class matching to avoid list subtraction - #680](philss/floki#680)
• [Optimize iodata by avoiding empty separators in DeepText and FlatText - #682](philss/floki#682)
• [Simplify HTMLTree.build/1 by avoiding redundant build_tree calls - #683](philss/floki#683)
• [Optimize Floki.text/2 by extracting text in a single pass - #684](philss/floki#684)
• [Optimize HTMLTree updates and deletions - #687](philss/floki#687)
• [Refactor attribute retrieval functions for a 1.2-1.5x speedup - #689](philss/floki#689)
• [Optimize case-insensitive attribute includes match - #690](philss/floki#690)
• [Optimize selector traversal - #611](philss/floki#691)

Please check the pull requests to see the improvements.

Fixed

• Fix compiler warnings for the upcoming Elixir v1.20.
• Fix typespecs of Floki.attribute/3.
• Fix documentation for some functions.

All pull requests

• Require Elixir v1.16 by @​philss in philss/floki#666 (reverted for this release)
• Optimize multiple selectors deduping by @​preciz in philss/floki#667
• Optimize DeepText by using plain recursion by @​preciz in philss/floki#668
• Optimize get_descendant_ids by removing Enum.reverse calls by @​preciz in philss/floki#669
• Optimize HTMLTree.to_tuple_list/1 using tail recursion by @​preciz in philss/floki#670
• Fix docs inaccuracies by @​preciz in philss/floki#671
• docs: update Mix.Config to import Config in HTMLParser docs by @​preciz in philss/floki#673
• docs: remove :html_parser option from Floki.text/2 docs by @​preciz in philss/floki#674
• Fix typespecs: remove binary from Floki.attribute/3 typespec by @​preciz in philss/floki#672
• Optimize Floki.TextExtractor by removing Enum iterations by @​preciz in philss/floki#675
• Fix Elixir 1.20 compiler warnings for bitstring match pin operators by @​preciz in philss/floki#676
• Simplify class attribute matching by @​preciz in philss/floki#677

... (truncated)

Changelog

Sourced from floki's changelog.

[0.38.3] - 2026-05-21

Fixed

• Fix a regression with Floki.text/2 when a document contains a "processing instruction" tag. This is the case for a XML tag.

[0.38.2] - 2026-05-18

Performance

This is another juicy patch version with performance improvements made by @​preciz.

• [Optimize multiple selectors deduping - #667](philss/floki#667)
• [Optimize DeepText by using plain recursion - #668](philss/floki#668)
• [Optimize get_descendant_ids by removing Enum.reverse calls - #669](philss/floki#669)
• [Optimize HTMLTree.to_tuple_list/1 using tail recursion - #670](philss/floki#670)
• [Optimize Floki.TextExtractor by removing Enum iterations - #675](philss/floki#675)
• [Simplify class attribute matching - #677](philss/floki#677)
• [Refactor attribute_values to use for comprehension with pattern matching - #679](philss/floki#679)
• [Optimize CSS class matching to avoid list subtraction - #680](philss/floki#680)
• [Optimize iodata by avoiding empty separators in DeepText and FlatText - #682](philss/floki#682)
• [Simplify HTMLTree.build/1 by avoiding redundant build_tree calls - #683](philss/floki#683)
• [Optimize Floki.text/2 by extracting text in a single pass - #684](philss/floki#684)
• [Optimize HTMLTree updates and deletions - #687](philss/floki#687)
• [Refactor attribute retrieval functions for a 1.2-1.5x speedup - #689](philss/floki#689)
• [Optimize case-insensitive attribute includes match - #690](philss/floki#690)
• [Optimize selector traversal - #611](philss/floki#691)

Please check the pull requests to see the improvements.

Fixed

• Fix compiler warnings for the upcoming Elixir v1.20.
• Fix typespecs of Floki.attribute/3.
• Fix documentation for some functions.

Commits

• 82d021a Release v0.38.3
• f9816ec Fix Floki.text/2 when document contains a "PI" tag (#696)
• 561f135 Release v0.38.2 (#694)
• 8d76085 Bump ex_doc from 0.40.1 to 0.40.2 (#693)
• 1cbd12b Bump jason from 1.4.4 to 1.4.5 (#692)
• b7f9ddd Optimize selector traversal (#691)
• 9be11cf Bump html5ever from 0.17.0 to 0.18.0 (#686)
• 5804991 Optimize case-insensitive attribute includes match (#690)
• 66738b6 Refactor attribute retrieval functions for a 1.2-1.5x speedup (#689)
• a5cd540 Optimize HTMLTree updates and deletions (#687)
• Additional commits viewable in compare view

Updates req from 0.5.17 to 0.6.1

Release notes

Sourced from req's releases.

v0.6.1

• compressed, decompress_body: Disable automatic decompression

  Decompression is now opt-in by setting compressed: true.

v0.6.0

• encode_body: Security fix for :form_multipart header injection (GHSA-px9f-whj3-246m).

  The multipart encoder interpolated the per-part name, filename, and content_type into the part headers without escaping, so an attacker-controlled value could inject extra headers or smuggle additional parts into the request. These values are now escaped per RFC 7578 / WHATWG form-data (", CR, and LF are percent-encoded).

  Thanks to @​PJUllrich for reporting it.

• decode_body: Drop automatic zip/tar/tgz/gz/zst/csv decoding, (GHSA-655f-mp8p-96gv).

  Req previously auto-decoded archive and compressed response bodies (zip, tar, tgz, gz, zst, and csv) based on the server-supplied content-type, materialising the full decompressed contents in memory with no size cap. An attacker-controlled (or redirect-reachable) endpoint could return a tiny "decompression bomb" that expanded to gigabytes and exhausted the node's memory.

  Now only JSON is decoded by default. Other formats are opt-in via the new :decoders option, which defaults to [:json, :json_api]. Setting it replaces the default (include :json to keep JSON decoding), and false disables all decoding:

  # opt into archives (only for endpoints you trust):
  Req.get!(url, decoders: [:json, :zip])
  

  Note: The decoded zip/tar is still list of {filename :: charlist(), contents :: binary} tuples. In the future release, this will be list of {filename :: binary(), contents :: binary()} tuples.

  While automatic CSV decoding wasn't a security issue, the behaviour based on presence/absence of nimble_csv dependency was suprising. CSV support is still built-in but need to be enabled with decoders: [:csv].

... (truncated)

Changelog

Sourced from req's changelog.

v0.6.1 (2026-06-08)

• [compressed], [decompress_body]: Disable automatic decompression

  Decompression is now opt-in by setting compressed: true.

v0.6.0 (2026-06-08)

• [encode_body]: Security fix for :form_multipart header injection (GHSA-px9f-whj3-246m).

  The multipart encoder interpolated the per-part name, filename, and content_type into the part headers without escaping, so an attacker-controlled value could inject extra headers or smuggle additional parts into the request. These values are now escaped per RFC 7578 / WHATWG form-data (", CR, and LF are percent-encoded).

  Thanks to @​PJUllrich for reporting it.

• [decode_body]: Drop automatic zip/tar/tgz/gz/zst/csv decoding, (GHSA-655f-mp8p-96gv).

  Req previously auto-decoded archive and compressed response bodies (zip, tar, tgz, gz, zst, and csv) based on the server-supplied content-type, materialising the full decompressed contents in memory with no size cap. An attacker-controlled (or redirect-reachable) endpoint could return a tiny "decompression bomb" that expanded to gigabytes and exhausted the node's memory.

  Now only JSON is decoded by default. Other formats are opt-in via the new :decoders option, which defaults to [:json, :json_api]. Setting it replaces the default (include :json to keep JSON decoding), and false disables all decoding:

  # opt into archives (only for endpoints you trust):
  Req.get!(url, decoders: [:json, :zip])
  

  Note: The decoded zip/tar is still list of {filename :: charlist(), contents :: binary} tuples. In the future release, this will be list of {filename :: binary(), contents :: binary()} tuples.

  While automatic CSV decoding wasn't a security issue, the behaviour based on presence/absence of nimble_csv dependency was suprising. CSV support is still built-in but need to be enabled with decoders: [:csv].

  Custom decoders are supported via {format, codec} tuples, where codec is a module exporting decode/1 or a 1-arity function returning an :ok/:error tuple, for example:

... (truncated)

Commits

• 36a8252 Release v0.6.1
• ea5506f compressed, decompress_body: Disable automatic decompression
• 8e7425f Release v0.6.0
• 584a490 decode_body: Drop automatic zip/tar/tgz/gz/zst/csv decoding
• 2d77dbe encode_body: Security fix for :form_multipart header injection
• 53c3b99 Release v0.5.18
• dc1f3be Update ex_doc
• dbd145c Update CHANGELOG.md
• 75f077e retry: Automatically retry on :pool_not_available
• 4cfbf54 run_finch: Normalize Finch.TransportError,HTTPError (Finch 0.22+) (#544)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions