Update all non-major dependencies #1489

Closed
renovate[bot] wants to merge 1 commit into develop from renovate/all-minor-patch

renovate Bot commented Apr 27, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Change | Age | Confidence | Type | Update |
|---|---|---|---|---|---|
| @novasoftwarefoundation/prism | 0.1.5 → 0.1.6 | age | confidence | dependencies | patch |
| appsignal_phoenix (source) | 2.7.0 → == 2.8.1 | age | confidence | prod | minor |
| cldr_utils (source) | 2.28.3 → == 2.29.5 | age | confidence | prod | minor |
| credo (source) | 1.7.12 → == 1.7.18 | age | confidence | dev | patch |
| debian | trixie-20260406 → trixie-20260421 | age | confidence | stage | patch |
| dialyxir (source) | 1.4.6 → == 1.4.7 | age | confidence | dev | patch |
| ecto_sql (source) | 3.13.2 → == 3.13.5 | age | confidence | prod | patch |
| elixir | 1.18.4-otp-27 → 1.19.5-otp-27 | age | confidence | stage | minor |
| elixir (source) | 1.18.4-otp-28 → 1.19.5 | age | confidence | | minor |
| erlang | 28.1 → 28.5 | age | confidence | | minor |
| ex_aws_s3 (source) | 2.5.8 → == 2.5.9 | age | confidence | prod | patch |
| ex_cldr (source) | 2.43.2 → == 2.47.2 | age | confidence | prod | minor |
| ex_cldr_dates_times (source) | 2.24.0 → == 2.25.6 | age | confidence | prod | minor |
| ex_cldr_numbers (source) | 2.35.2 → == 2.38.1 | age | confidence | prod | minor |
| ex_doc (source) | 0.38.4 → == 0.40.1 | age | confidence | dev | minor |
| image (source) | 0.62.0 → == 0.67.0 | age | confidence | prod | minor |
| kadabra (source) | 0.6.1 → == 0.6.2 | age | confidence | prod | patch |
| lazy_html (source) | 0.1.8 → == 0.1.11 | age | confidence | dev | patch |
| node | 20.20.0 → 20.20.2 | age | confidence | uses-with | patch |
| node (source) | 24.9.0 → 24.15.0 | age | confidence | | minor |
| oban (source) | 2.20.1 → == 2.22.1 | age | confidence | prod | minor |
| pdfjs-dist (source) | 5.4.296 → 5.7.284 | age | confidence | dependencies | minor |
| phoenix (source) | 1.8.1 → == 1.8.5 | age | confidence | prod | patch |
| phoenix_ecto (source) | 4.6.5 → == 4.7.0 | age | confidence | prod | minor |
| phoenix_live_reload (source) | 1.6.1 → == 1.6.2 | age | confidence | dev | patch |
| phoenix_live_view (source) | 1.1.13 → == 1.1.29 | age | confidence | prod | patch |
| plug_cowboy (source) | 2.7.4 → == 2.8.1 | age | confidence | prod | minor |
| postgrex (source) | 0.21.1 → == 0.22.0 | age | confidence | prod | minor |
| prettier (source) | 3.6.2 → 3.8.3 | age | confidence | devDependencies | minor |
| ranch (source) | 2.1.0 → == 2.2.0 | age | confidence | prod | minor |
| tailwind (source) | 0.4.0 → == 0.4.1 | age | confidence | prod | patch |
| tidewave (source) | 0.5.2 → == 0.5.6 | age | confidence | dev | patch |
| wallaby (source) | 0.30.9 → == 0.30.12 | age | confidence | dev | patch |

Release Notes

novasoftwarefoundation/prism (@novasoftwarefoundation/prism)

v0.1.6

Compare Source

appsignal/appsignal-elixir-phoenix (appsignal_phoenix)

v2.8.1

Compare Source

Published on 2025-11-21.

Fixed
  • Fix issue when running AppSignal for Phoenix in CI (patch de10616)

v2.8.0

Compare Source

Published on 2025-11-20.

Added
  • Report LiveComponent traces and events separately from LiveView traces and events.

    Traces in AppSignal representing updates and event handlers in components will no longer be represented as calls to the view in which the component is mounted, and their events will be part of the live_component group.

    This makes it possible to obtain performance measurements for each component individually, instead of grouped by the view that mounts the component.

    (minor 1146f7f)

  • Group samples for calls to handle_event/3 in LiveView and LiveComponent by the event that is being handled. (patch 0c376b2)

elixir-cldr/cldr_utils (cldr_utils)

v2.29.5

Compare Source

This is the changelog for Cldr Utils v2.29.5 released on March 16th, 2026. For older changelogs please consult the release tag on GitHub

Bug Fixes
  • Fix clause ordering in Cldr.Digits, fixing a compiler warning on Elixir 1.20.0-rc.2.

v2.29.4

Compare Source

This is the changelog for Cldr Utils v2.29.4 released on January 25th, 2026. For older changelogs please consult the release tag on GitHub

Bug Fixes
  • Fixes the catch-all error return for Cldr.Http.get/2 which in turn fixes that case clause error reported in #9.

v2.29.3

Compare Source

This is the changelog for Cldr Utils v2.29.3 released on January 24th, 2026. For older changelogs please consult the release tag on GitHub

Bug Fixes
  • Fix resolving the path of the certificate file when the path is not ASCII. Thanks to @Massedil for the report. Closes #9.

v2.29.2

Compare Source

This is the changelog for Cldr Utils v2.29.2 released on January 17th, 2026. For older changelogs please consult the release tag on GitHub

Bug Fixes
  • Fix compile warnings for Elixir 1.20.

v2.29.1

Compare Source

This is the changelog for Cldr Utils v2.29.1 released on November 1st, 2025. For older changelogs please consult the release tag on GitHub

Bug Fixes
  • Fix range warning in Cldr.Math.float_to_ratio/2.

v2.29.0

Compare Source

This is the changelog for Cldr Utils v2.29.0 released on October 9th, 2025. For older changelogs please consult the release tag on GitHub

Enhancements
  • Adds Cldr.Math.float_to_ratio/2. This function supports formatting numbers as fractions in the upcoming CLDR 48 and the relevant ex_cldr version. Note that decimals are not currently supported.

rrrene/credo (credo)

v1.7.18

Compare Source

Check it out on Hex: https://hex.pm/packages/credo/1.7.18

  • Fix compatibility & compiler warnings with Elixir 1.20.0-rc.4
  • Fix problem with transitive deps in umbrella apps
  • Credo.Check.Warning.UnusedMapOperation fix false positives

v1.7.17

Compare Source

  • Credo.Check.Readability.ModuleDoc add new param :ignore_modules_using (defaults to [Credo.Check, Ecto.Schema, Phoenix.LiveView, ~r/\.Web$/])
  • Credo.Check.Warning.UnusedOperation update :modules param: instead of a list of functions to check, :all can be given to check all functions in a module
  • New Check: Credo.Check.Refactor.CondInsteadOfIfElse
  • New Check: Credo.Check.Warning.WrongTestFilename

v1.7.16

Compare Source

  • Fix compatibility & compiler warnings with Elixir 1.20.0-rc.1
  • Credo.Check.Refactor.PassAsyncInTestCases add new param :force_comment_on_explicit_false (defaults to false)
  • Credo.Check.Warning.Dbg add new param :allow_captures (defaults to false)
  • New Check: Credo.Check.Warning.UnusedMapOperation
  • New Check: Credo.Check.Warning.UnusedOperation

v1.7.15

Compare Source

  • Improve performance on large projects
  • Parse token_metadata for source files
  • Credo.Check.Warning.ExpensiveEmptyEnumCheck have better issue messages
  • Credo.Check.Refactor.MatchInCondition add new param :allow_operators
  • Credo.Check.Refactor.MatchInCondition fix false positive
  • Credo.Check.Readability.AliasOrder fix false positive
  • Credo.Check.Readability.FunctionNames fix false positive
  • Credo.Check.Readability.SinglePipe add new param :allow_blocks (defaults to true)
  • Credo.Check.Refactor.ModuleDependencies fix false positive

v1.7.14

Compare Source

  • Fix regression for DuplicatedCode
  • Expand Credo.Check.Warning.ExpensiveEmptyEnumCheck to cover less obvious cases
  • New Check: Credo.Check.Warning.StructFieldAmount

v1.7.13

Compare Source

  • Fix compatibility & compiler warnings with Elixir 1.19
  • Credo.Check.Refactor.ABCSize fixed false positive

jeremyjh/dialyxir (dialyxir)

v1.4.7

Compare Source

elixir-ecto/ecto_sql (ecto_sql)

v3.13.5

Compare Source

  • [postgrex] Map :restrict_violation to :foreign_key constraint (required by PostgreSQL 18)

v3.13.4

Compare Source

Bug fixes
  • [mysql] Do not crash mix ecto.load with large dumped databases

v3.13.3

Compare Source

Enhancements
  • [sql] Tag generated functions as :generated
  • [sql] Add :wrap_in_transaction option to explain
Bug fixes
  • [mysql] Fix structure_load/2 for MySQL 9.4+

elixir-lang/elixir (elixir)

v1.19.5

Compare Source

1. Enhancements
Elixir
  • [Protocol] Optimize protocol consolidation to no longer load structs
2. Bug fixes
Elixir
  • [Kernel] Fix unnecessary recompilation when dbg_callback is modified at runtime
  • [Kernel] Fix parser crash on missing parentheses on expression following operator not in
  • [Kernel] Support fetching abstract code for modules compiled with Elixir v1.14 and earlier
  • [Protocol] Ensure protocol consolidation no longer stores outdated struct types. As a consequence, protocols types only track struct names at the moment
  • [Stream] Revert optimization which caused nested streams in Stream.flat_map/2 to crash
IEx
  • [IEx] Fix usage of #iex:break as part of multi-line prompts
Logger
  • [Logger.Backends] Do not crash on invalid metadata

v1.19.4

Compare Source

1. Enhancements
Mix
  • [mix xref] Add --min-cycle-label to help projects adapt to the more precise mix xref graph reports in Elixir v1.19. In previous versions, Elixir would break a large compilation cycle into several smaller ones, and therefore developers would check for --min-cycle-size on CI. However, the issue is not the size of the cycle (it has no implication in the amount of compiled files), but how many compile-time dependencies (aka compile labels) in a cycle. The new option allows developers to filter on the label parameter
2. Bug fixes
Elixir
  • [File] Ensure File.cp_r/3 reports non-existing destination properly (instead of source)
ExUnit
  • [ExUnit] Fix formatter crash when diffing takes too long
  • [ExUnit] Ensure parallel matches in assert propagate type information
Logger
  • [Logger] Fix regression where formatter would crash when given chardata (the crash would happen when logging non-ASCII characters)
Mix
  • [mix help] Ensure app:APP works when the project or its dependencies were not yet compiled
  • [mix escript.build] Ensure the hex application can be included in escripts

v1.19.3

Compare Source

1. Enhancements
Elixir
  • [Kernel] Support /E modifier for regular expressions in config files
Mix
  • [mix compile] Allow forcing specific compilers, such as --force-elixir, --force-app, etc
  • [mix help app:APP] Support showing helps for apps in Elixir and Erlang standard libraries
2. Bug fixes
ExUnit
  • [ExUnit.Case] Fix crash when formatting errors caused by a linked/trapped exit during setup_all
Mix
  • [mix compile.app] Ensure functions in the format &Mod.fun/arity can be written to .app files
  • [mix compile.app] Ensure strings with Unicode characters can be written to .app files

v1.19.2

Compare Source

1. Enhancements
Elixir
  • [Kernel] Measure and optimize writing of .beam files in the compiler
  • [Kernel] Optimize rare scenarios where type checking took too long
Mix
  • [mix compile] Add flag --no-check-cwd to skip compiler check to aid debugging
2. Bug fixes
Elixir
  • [IO] Fix dialyzer warning on IO.inspect :label
  • [Kernel] Ensure we warn on deprecated ~~~ unary operator
Logger
  • [Logger] Reset ansi escapes before newlines in Logger
Mix
  • [mix compile] Warn if elixirc_paths is not a list of string paths
  • [mix compile] Address regression where umbrella children were compiled too early and without respecting compilation flags
  • [mix deps.compile] Improve reliability of MIX_OS_DEPS_COMPILE_PARTITION_COUNT across mix escript.install, mix archive.install, and others

v1.19.1

Compare Source

1. Bug fixes
EEx
  • [EEx] Address Dialyzer warnings when invoking EEx.compile_string
Elixir
  • [Kernel] Optimize how types are computed for pretty printing
  • [Kernel] Optimize how differences are computed in the type system
  • [Macro] Do not escape options given to dbg/2
  • [Protocol] Improve protocol violation warnings
Mix
  • [mix compile] Do not attempt to touch deleted files when compilation fails and then resumed with missing files
  • [mix deps.compile] Do not spawn partitions when all dependencies are local and already compiled

v1.18.4

Compare Source

This release includes initial support for Erlang/OTP 28, for those who want to try it out. In such cases, you may use Elixir v1.18.4 precompiled for Erlang/OTP 27, as it is binary compatible with Erlang/OTP 28. Note, however, that Erlang/OTP 28 no longer allows regexes to be defined in the module body and interpolated into an attribute. If you do this:

@some_attribute ~r/foo/
def some_fun, do: @some_attribute

You must rewrite it to:

def some_fun, do: ~r/foo/

1. Enhancements
IEx
  • [IEx.Helpers] Add IEx.Helpers.process_info/1 which prints process information
Mix
  • [mix compile] Support the --no-listeners option
  • [mix local] Retry HTTP requests with disabled middlebox comp mode depending on the failure reason
  • [mix local.hex] Install Hex per OTP release
  • [mix local.rebar] Install Hex per OTP release
  • [mix run] Support the --no-listeners option
2. Bug fixes
Elixir
  • [Kernel] Emit trace events for @on_definition callbacks
  • [Kernel] Emit trace events for @on_load callbacks
  • [Kernel] Emit trace events for super calls
  • [Kernel] Emit trace events for imported function calls
  • [Kernel] Optimize map unions to avoid building long lists
  • [Kernel] Do not crash when type checking nested bitstrings in patterns
  • [Kernel] Do not crash when non-binary bitstring is given as struct default value
  • [Kernel] Recompile regexes when escaped from module attributes for Erlang/OTP 28 compatibility
  • [Kernel] Preserve backwards compatibility in elixir_erl
Mix
  • [mix deps.get] Ensure git checkout works when there are untracked files in the dependency
  • [mix loadpaths] Do not run listeners when not checking the deps

erlang/otp (erlang)

v28.5: OTP 28.5

Compare Source

Patch Package:           OTP 28.5
Git Tag:                 OTP-28.5
Date:                    2026-04-23
Trouble Report Id:       OTP-16607, OTP-19162, OTP-19967, OTP-20038,
                         OTP-20043, OTP-20082, OTP-20094, OTP-20098,
                         OTP-20101, OTP-20106
Seq num:                 GH-10667, GH-10812, GH-10915, GH-10967,
                         OTP-16608, PR-10431, PR-10881, PR-10908,
                         PR-10924, PR-10957, PR-10976, PR-11002,
                         PR-11045
System:                  OTP
Release:                 28
Application:             erl_interface-5.7, erts-16.4, mnesia-4.25.3,
                         ssl-11.6
Predecessor:             OTP 28.4.3

Check out the git tag OTP-28.5, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

HIGHLIGHTS

  • There is a new "Secure Coding Guidelines" document in Design Principles describing how to write secure Erlang code.

    Own Id: OTP-20043
    Application(s): otp
    Related Id(s): PR-10431

OTP-28.5

Improvements and New Features

  • There is a new "Secure Coding Guidelines" document in Design Principles describing how to write secure Erlang code.

    Own Id: OTP-20043
    Related Id(s): PR-10431

    *** HIGHLIGHT ***

erl_interface-5.7

The erl_interface-5.7 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

  • A new configure option --{enable,disable}-use-embedded-3pp-alternatives has been added. When enabled, configure is forced to find alternatives, to a subset, of the embedded third-party products (3pps) in the runtime system, and when disabled, configure will use all internal embedded 3pps. Currently this option affects zstd, zlib, ryu (with STL), openssl and tcl. The default is to use all built-in embedded 3pps except for zlib which by default will use zlib on the OS if available.

    Requirements for alternatives:

    • zstd - Static library and include files of at least version 1.5.6 need to be available.
    • zlib - Library and include files of at least version 1.2.5 need to be available.
    • ryu (with STL) - A usable C++ compiler with C++17 support.
    • openssl - No requirements. Our own MD5 implementation will be used.
    • tcl - The strerrorname_np() function (introduced in glibc 2.32) mapping errno integers to symbolic names needs to be available.

    The argument embedded_3pps has been added to erlang:system_info/1. It returns a map with information about the use of embedded 3pps in the runtime system.

    Own Id: OTP-20106
    Related Id(s): PR-11045

Known Bugs and Problems

  • The ei API for decoding/encoding terms is not fully 64-bit compatible since terms that have a representation on the external term format larger than 2 GB cannot be handled.

    Own Id: OTP-16607
    Related Id(s): OTP-16608

erts-16.4

The erts-16.4 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • Fixed bug in enif_make_map_from_arrays for arrays with at least 33 keys. If duplicate keys existed, instead of failing, it would skip the duplicates. If less than 33 unique keys existed, an internally inconsistent and broken map was returned.

    Own Id: OTP-20098
    Related Id(s): PR-10976

  • Fixed an issue when supplying the args_file option to erl.exe on Windows that did not handle Unicode characters correctly.

    Own Id: OTP-20101
    Related Id(s): GH-10667

Improvements and New Features

  • A new configure option --{enable,disable}-use-embedded-3pp-alternatives has been added. When enabled, configure is forced to find alternatives, to a subset, of the embedded third-party products (3pps) in the runtime system, and when disabled, configure will use all internal embedded 3pps. Currently this option affects zstd, zlib, ryu (with STL), openssl and tcl. The default is to use all built-in embedded 3pps except for zlib which by default will use zlib on the OS if available.

    Requirements for alternatives:

    • zstd - Static library and include files of at least version 1.5.6 need to be available.
    • zlib - Library and include files of at least version 1.2.5 need to be available.
    • ryu (with STL) - A usable C++ compiler with C++17 support.
    • openssl - No requirements. Our own MD5 implementation will be used.
    • tcl - The strerrorname_np() function (introduced in glibc 2.32) mapping errno integers to symbolic names needs to be available.

    The argument embedded_3pps has been added to erlang:system_info/1. It returns a map with information about the use of embedded 3pps in the runtime system.

    Own Id: OTP-20106
    Related Id(s): PR-11045

Full runtime dependencies of erts-16.4

kernel-9.0, sasl-3.3, stdlib-4.1

mnesia-4.25.3

The mnesia-4.25.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • Added documentation for user_properties and functions read_table_property/2, write_table_property/2, delete_table_property. Enhanced documentation for frag_properties.

    Own Id: OTP-20038
    Related Id(s): GH-10812, PR-10881

  • Fixed a bug where stacktrace was not returned from mnesia:transaction/1 when transaction aborts with an error exception.

    Own Id: OTP-20094
    Related Id(s): GH-10967, PR-11002

Full runtime dependencies of mnesia-4.25.3

erts-9.0, kernel-5.3, stdlib-5.0

ssl-11.6

Note! The ssl-11.6 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependencies have to be satisfied:
   -- crypto-5.8 (first satisfied in OTP 28.3)
   -- public_key-1.20.3 (first satisfied in OTP 28.4.2)

Fixed Bugs and Malfunctions

  • Preserve inet option order, as inet_backend option must be first option. Will make inet_backend option work for ssl independently of number of inet supplied options.

    Own Id: OTP-19162
    Related Id(s): PR-10908

  • Missing conformance check for signature algorithms in TLS-1.3 could cause selection of incompatible certificate when a server is configured with more than one possible certificate.

    Own Id: OTP-20082
    Related Id(s): GH-10915, PR-10924

Improvements and New Features

  • Avoid unnecessary memory consumption for temporary processes in a supervision tree.

    Own Id: OTP-19967
    Related Id(s): PR-10957

Full runtime dependencies of ssl-11.6

crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.20.3, runtime_tools-1.15.1, stdlib-7.0

Thanks to

felipe stival, Hewwho, Hugo Baraúna, Nick Vatamaniuc, Viktor Söderqvist, William Yang

v28.4.3: OTP 28.4.3

Compare Source

Patch Package:           OTP 28.4.3
Git Tag:                 OTP-28.4.3
Date:                    2026-04-21
Trouble Report Id:       OTP-20081, OTP-20086, OTP-20104
Seq num:                 #10968, CVE-2026-32147, PR-10985, PR-11027
System:                  OTP
Release:                 28
Application:             kernel-10.6.3, ssh-5.5.2
Predecessor:             OTP 28.4.2

Check out the git tag OTP-28.4.3, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

OTP-28.4.3

Fixed Bugs and Malfunctions

  • Fix the otp_patch_apply script to properly handle installation of documentation for OTP versions with more than one digit in version parts less significant than the major version.

    Own Id: OTP-20086
    Related Id(s): PR-10985

kernel-10.6.3

The kernel-10.6.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • On Windows, sockets have to be bound when using 'socket'. Therefore, when using gen_tcp with inet_backend = socket, gen_tcp_socket binds even if the caller has not provided an explicit bind address. In that case it attempts to locate a "proper" address on its own. But if the connect address is the loopback address, this could lead to an attempt to bind to an external interface. So, this has now been changed so that if the connect address is the loopback address, the loopback address will also be used when binding.

    Own Id: OTP-20104
    Related Id(s): #10968

Full runtime dependencies of kernel-10.6.3

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0

ssh-5.5.2

Note! The ssh-5.5.2 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependency has to be satisfied:
   -- crypto-5.7 (first satisfied in OTP 28.1)

Fixed Bugs and Malfunctions

  • Fixed a vulnerability in the SFTP server where file attributes could be modified outside the configured root directory. When using FSETSTAT on an open file handle, the operation used the path stored in the handle without verifying it was within the root directory, allowing attribute changes to files outside the chroot boundary.

    Thanks to John Downey.

    Own Id: OTP-20081
    Related Id(s): PR-11027, CVE-2026-32147

Full runtime dependencies of ssh-5.5.2

crypto-5.7, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

v28.4.2: OTP 28.4.2

Compare Source

Patch Package:           OTP 28.4.2
Git Tag:                 OTP-28.4.2
Date:                    2026-04-07
Trouble Report Id:       OTP-19506, OTP-19889, OTP-19931, OTP-20027,
                         OTP-20037, OTP-20042, OTP-20044, OTP-20046,
                         OTP-20047, OTP-20049, OTP-20050, OTP-20052,
                         OTP-20053, OTP-20056, OTP-20060, OTP-20064,
                         OTP-20065, OTP-20068
Seq num:                 CVE-2026-28810, CVE-2026-32144, ERIERL-1310,
                         ERIERL-1311, ERIERL-1312, GH-10454, GH-10562,
                         GH-10606, GH-10785, GH-10876, GH-10901,
                         GH-7156, GH-9476, PR-10456, PR-10569,
                         PR-10620, PR-10788, PR-10864, PR-10866,
                         PR-10867, PR-10873, PR-10874, PR-10889,
                         PR-10893, PR-10899, PR-10904, PR-10906,
                         PR-10911, PR-10941, PR-9481
System:                  OTP
Release:                 28
Application:             compiler-9.0.6, erts-16.3.1, eunit-2.10.3,
                         inets-9.6.2, kernel-10.6.2,
                         public_key-1.20.3, sasl-4.3.2, snmp-5.20.2,
                         ssl-11.5.4
Predecessor:             OTP 28.4.1

Check out the git tag OTP-28.4.2, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

POTENTIAL INCOMPATIBILITIES
  • When OCSP stapling is enabled via the {stapling, staple} or {stapling, #{...}} options, the handshake now fails if the server does not provide an OCSP stapled response.

    Previously, a missing OCSP staple was silently accepted (soft-fail). Since Erlang/OTP only supports OCSP via stapling with no fallback to direct OCSP queries or CRL checking, soft-fail meant no revocation check at all.

    Applications that need the previous soft-fail behavior can use a custom verify_fun that accepts {bad_cert, missing_ocsp_staple}.

    Own Id: OTP-20064
    Application(s): ssl
    Related Id(s): PR-10941, CVE-2026-32144

compiler-9.0.6

The compiler-9.0.6 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions
  • The type inference for maps:from_list/1 was incorrect: when the provided list was statically known to be bogus when non-empty (e.g. a list of atoms), the compiler assumed it would also fail when the list was empty.

    Own Id: OTP-19506
    Related Id(s): GH-9476, PR-9481

  • Fixed a bug in the type analysis pass that could erroneously eliminate code blocks.

    Own Id: OTP-19931
    Related Id(s): GH-10562, PR-10569

  • A binary as the value of a -moduledoc() attribute would be silently ignored.

    Own Id: OTP-20065
    Related Id(s): GH-10901, PR-10904

Full runtime dependencies of compiler-9.0.6

crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0

erts-16.3.1

The erts-16.3.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions
  • Fixed a JIT bug that miscompiled expressions like X * X + X * X.

    Own Id: OTP-19889
    Related Id(s): GH-10454, PR-10456

  • Fixed bug on Windows that made tools dialyzer, erlc and typer unusable in PowerShell or cmd.exe, when there are spaces in the installation path.

    Own Id: OTP-20027
    Related Id(s): PR-10620

  • Fixed a bug with prim_tty that could occur on Windows if we cannot get the console mode, mark the TTY as unavailable. This can happen when the input handle is a pipe, but the output handle is a console.

    Own Id: OTP-20060
    Related Id(s): PR-10899

Full runtime dependencies of erts-16.3.1

kernel-9.0, sasl-3.3, stdlib-4.1

eunit-2.10.3

The eunit-2.10.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions
  • Fixed EUnit {node, ...} instantiation by passing node name (instead of pid) and restored net_kernel auto-start for non-distributed nodes.

    Own Id: OTP-20047
    Related Id(s): PR-10788

Full runtime dependencies of eunit-2.10.3

erts-9.0, kernel-8.3, stdlib-6.0

inets-9.6.2

The inets-9.6.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions
  • Fixed authentication bypass in httpd when script_alias maps a URL to a directory outside document_root with mod_auth directory-based access controls. The mod_alias:which_alias/1 function now includes script_alias entries so authorization is evaluated against the correct path before CGI execution. CVE-2026-28808.

    Own Id: OTP-20068

Improvements and New Features
  • Fixed typo in http_server.md guide

    Own Id: OTP-20044
    Related Id(s): GH-10785, PR-10867

  • Expected error accept_socket_timeout in httpd_request_handler now exits gracefully, without generating a crash and supervisor reports.

    Own Id: OTP-20052
    Related Id(s): ERIERL-1310, PR-10893

Full runtime dependencies of inets-9.6.2

erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0

kernel-10.6.2

The kernel-10.6.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions
  • Before this patch, the Erlang/OTP built-in DNS resolver (inet_res) used a sequential, process-global 16-bit transaction ID for UDP queries and did not implement source port randomization. Response validation relied almost entirely on this ID. Together, this made DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. The design conflicted with RFC 5452 recommendations for mitigating forged DNS answers.

    inet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where faked DNS responses are possible.

    Therefore, the documentation has been updated to clarify that inet_res should only be used in trusted networks and with trusted recursive resolvers.

    The implementation is also improved to use strong random DNS transaction IDs and source ports for every DNS transaction. This should give ample protection against brute forcing fake DNS replies, known as DNS cache poisoning, but it still does not protect against, for example, an adversary in the path of the DNS transaction that can observe the random values before faking malicious replies, an attack known as DNS spoofing.

    For randomization to happen, the Crypto application has to be loaded, which most probably already should be the case for an Erlang node in an exposed network.

    If performance should become an issue, for applications within safe network environments, the previous light weight behaviour can be configured by setting the resolver option random to false.

    Own Id: OTP-20037
    Related Id(s): PR-10864, CVE-2026-28810

Full runtime dependencies of kernel-10.6.2

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0

public_key-1.20.3

Note! The public_key-1.20.3 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependency has to be satisfied:
   -- crypto-5.8 (first satisfied in OTP 28.3)

Fixed Bugs and Malfunctions
  • OCSP designated responder certificate verification now checks the CA's cryptographic signature on the responder certificate. Previously, only the issuer DN match and id-kp-OCSPSigning EKU were verified, which meant a forged self-signed certificate with the CA's subject DN would be accepted as a valid designated responder (Case 2 in RFC 6960 §4.2.2.2).

    Own Id: OTP-20042
    Related Id(s): PR-10873, CVE-2026-32144

  • Update handling of encoding 'OTPSubjectPublicKeyInfo' in public_key:pkix_encode/3, so that it works for update spec added in OTP-28.

    Own Id: OTP-20050
    Related Id(s): GH-10876, PR-10889

Improvements and New Features
  • Relax upper bound of common names in certificates for pragmatic interoperability reasons.

    Own Id: OTP-20049
    Related Id(s): GH-10606, PR-10866

Full runtime dependencies of public_key-1.20.3

asn1-5.0, crypto-5.8, erts-13.0, kernel-8.0, stdlib-4.0

sasl-4.3.2

The sasl-4.3.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions
  • Fixed the typespec of release_handler:eval_appup_script/4.

    Own Id: OTP-20053
    Related Id(s): PR-10906

Full runtime dependencies of sasl-4.3.2

erts-15.0, kernel-6.0, stdlib-4.0, tools-2.6.14

snmp-5.20.2

The snmp-5.20.2 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features
  • The SNMP manager now propagates msgAuthoritativeEngineID and msgUserName from USM security parameters through to the snmpm_user:handle_error/3 callback when an incoming message is discarded due to an unknown EngineID (usmStatsUnknownEngineIDs).

    This enables users to programmatically discover the correct authoritative EngineID from the error callback and re-register USM credentials, supporting SNMPv3 USM EngineID discovery as described in RFC 3414, Section 4. The failed_processing_message variant has been added to the snmpm_user:handle_error/3 callback type specification.

    Own Id: OTP-20056
    Related Id(s): ERIERL-1312, GH-7156, PR-10911

Full runtime dependencies of snmp-5.20.2

asn1-5.4, crypto-4.6, erts-12.0, kernel-8.0, mnesia-4.12, runtime_tools-1.8.14, stdlib-5.0

ssl-11.5.4

Note! The ssl-11.5.4 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependencies have to be satisfied:
   -- crypto-5.8 (first satisfied in OTP 28.3)
   -- public_key-1.20.3 (first satisfied in OTP 28.4.2)
Fixed Bugs and Malfunctions
  • Servers supporting TLS-1.3 and TLS-1.2, with SLH-DSA algorithms for TLS-1.3, now correctly filter out those algorithms if the client is TLS-1.2 only, instead of failing with an internal error.

    Own Id: OTP-20046
    Related Id(s): ERIERL-1311, PR-10874

  • When OCSP stapling is enabled via the {stapling, staple} or {stapling, #{...}} options, the handshake now fails if the server does not provide an OCSP stapled response.

    Previously, a missing OCSP staple was silently accepted (soft-fail). Since Erlang/OTP only supports OCSP via stapling with no fallback to direct OCSP queries or CRL checking, soft-fail meant no revocation check at all.

    Applications that need the previous soft-fail behavior can use a custom verify_fun that accepts {bad_cert, missing_ocsp_staple}.

    Own Id: OTP-20064
    Related Id(s): PR-10941, CVE-2026-32144

    *** POTENTIAL INCOMPATIBILITY ***

Full runtime dependencies of ssl-11.5.4

crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.20.3, runtime_tools-1.15.1, stdlib-7.0

Thanks to

Linus Marton, williamthome

v28.4.1: OTP 28.4.1

Patch Package:           OTP 28.4.1
Git Tag:                 OTP-28.4.1
Date:                    2026-03-12
Trouble Report Id:       OTP-20007, OTP-20009, OTP-20011, OTP-20012,
                         OTP-20014, OTP-20018, OTP-20022
Seq num:                 CVE-2026-23941, CVE-2026-23942,
                         CVE-2026-23943, ERIERL-1303, ERIERL-1305,
                         GH-10694, PR-10707, PR-10798, PR-10809,
                         PR-10811, PR-10813, PR-10825, PR-10833
System:                  OTP
Release:                 28
Application:             crypto-5.8.3, inets-9.6.1, kernel-10.6.1,
                         ssh-5.5.1, ssl-11.5.3
Predecessor:             OTP 28.4

Check out the git tag OTP-28.4.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

crypto-5.8.3

The crypto-5.8.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • Fix memory leak in crypto:engine_load if called with incorrect commands.

    Own Id: OTP-20014
    Related Id(s): [PR-10798]

Full runtime dependencies of crypto-5.8.3

erts-9.0, kernel-6.0, stdlib-3.9

inets-9.6.1

The inets-9.6.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • The httpd server now rejects HTTP requests containing multiple Content-Length headers with different values, returning a 400 Bad Request response. This prevents potential HTTP request smuggling attacks. Thanks Luigino Camastra at Aisle Research for responsibly disclosing this vulnerability.

    Own Id: OTP-20007
    Related Id(s): [PR-10833], [CVE-2026-23941]

Full runtime dependencies of inets-9.6.1

erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0

kernel-10.6.1

The kernel-10.6.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • A vulnerability has been resolved in the (undocumented, unsupported and unused in OTP) inet_dns_tsig module that leads to a validation bypass.

    If a request contained an error code (forbidden by spec), it was treated as a response and skipped the verification of the MAC. The user of the module would then receive an "all ok" response; depending on the use case, this could lead to such things as AXFR or UPDATE being allowed.

    The code has also been tightened up on the client side to make sure too large (bad) MAC sizes cannot be selected and the limit is the output size of the algorithm chosen.

    Own Id: OTP-20012
    Related Id(s): [PR-10825]

Full runtime dependencies of kernel-10.6.1

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0

ssh-5.5.1

Note! The ssh-5.5.1 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependency has to be satisfied:
   -- crypto-5.7 (first satisfied in OTP 28.1)

Fixed Bugs and Malfunctions

  • Fixe

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone Europe/Amsterdam)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
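
The ssl-11.5.4 note above says a missing OCSP staple now fails the handshake and that soft-fail needs a custom verify_fun accepting `{bad_cert, missing_ocsp_staple}`. The sketch below is an added Erlang example, not part of the PR body or the OTP release notes; the module and function names are assumptions, and the reason term is the one quoted in that note.

```erlang
-module(ocsp_staple_policy).
-export([strict_opts/0, soft_fail_opts/0, verify/3]).

%% Hard-fail: with stapling enabled and no verify_fun override, a handshake
%% without a stapled OCSP response is rejected (behaviour after the fix).
strict_opts() ->
    [{verify, verify_peer},
     {cacerts, public_key:cacerts_get()},
     {stapling, staple}].

%% Soft-fail opt-in: same options plus a verify_fun that tolerates only a
%% missing staple. Every other certificate error still aborts the handshake.
soft_fail_opts() ->
    strict_opts() ++ [{verify_fun, {fun ?MODULE:verify/3, #{}}}].

%% Accepting this event means no revocation check happened for the peer,
%% so log it to keep the gap visible in monitoring.
verify(_Cert, {bad_cert, missing_ocsp_staple}, State) ->
    logger:warning("TLS peer sent no OCSP staple; revocation not checked"),
    {valid, State};
%% Any other path-validation failure is fatal.
verify(_Cert, {bad_cert, _} = Reason, _State) ->
    {fail, Reason};
%% Unknown extensions are left to the default handling.
verify(_Cert, {extension, _}, State) ->
    {unknown, State};
verify(_Cert, valid, State) ->
    {valid, State};
verify(_Cert, valid_peer, State) ->
    {valid, State}.
```

Pass `strict_opts()` or `soft_fail_opts()` as the option list to `ssl:connect/3`; clients that already relied on stapling without a verify_fun get the hard-fail behaviour after the upgrade.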

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 6 times, most recently from ff00bb0 to c5556ec Compare May 3, 2026 05:04
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from c5556ec to 9c86108 Compare May 4, 2026 15:49
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 9c86108 to fda65ba Compare May 4, 2026 17:40
@mellelieuwes
Contributor

Closing: includes httpoison 2.3.0 which is blocked by packmatic. Renovate config updated to exclude httpoison — next run should create a clean PR without it.
