hackney 4.0.0

Hackney 4 trims the client down. The HTTP/2 and HTTP/3 stacks are now delegated to erlang_h2 and erlang_quic, so hackney no longer ships its own framing, HPACK / QPACK codecs, control streams or state machines. The HTTP/3 path is fully RFC 9114 compliant via quic_h3, with ALPN negotiation, Alt-Svc discovery (RFC 7838), and the same hackney:request/5 API as HTTP/1.1.

The bundled metrics subsystem is gone. In its place a Go-style middleware chain runs around hackney:request/1..5, configured per request with {middleware, [Fun, ...]} or globally via application:set_env(hackney, middleware, [...]). Users plug in prometheus, telemetry or anything else without hackney owning the policy. See the Middleware Guide and the HTTP/3 Guide.

Breaking

• Removed hackney_metrics, hackney_metrics_backend, hackney_metrics_prometheus, hackney_metrics_dummy. The metrics_backend app env is no longer read. Migration recipes for prometheus and telemetry are in guides/middleware.md. Pool state is still observable through hackney_pool:get_stats/1.
• HTTP/2 and HTTP/3 low-level message tags and modules moved to the new libraries. The user-facing hackney:request/5 API is unchanged.

What's new

• Middleware chain (hackney_middleware): outermost-first composition, request rewrite, response rewrite, short-circuit, per-request or global config.
• HTTP/3 via quic_h3: pure Erlang QUIC stack, no NIFs. ALPN-negotiated, opt-in with {protocols, [http3, http2, http1]} or application:set_env(hackney, default_protocols, [http3, http2, http1]).
• Alt-Svc auto-discovery: server Alt-Svc headers are now parsed and cached on every response (HTTP/1.1, HTTP/2 and HTTP/3), so subsequent requests can upgrade to HTTP/3 transparently. Honors clear and merges multiple Alt-Svc headers per RFC 7230 §3.2.2.
• HTTP/2 connection-pooling stability fixes for sustained concurrent load (#836).

Deps

• h2 0.4.0
• quic 1.0.0

Full changelog: https://github.com/benoitc/hackney/blob/4.0.0/NEWS.md

3.2.1

Bug Fixes

• Fix recv_timeout option being ignored for pooled connections (#832)
• Fix off-by-one error in HPACK decoding (#831)
• Fix invalid match in handle_h2_frame/2 for HTTP/2 window updates (#829)
• Fix binary syntax in EDoc comment to fix XML parsing error

3.2.0

Refactor

• Replace all cowlib modules with hackney-native implementations
• Remove src/libs/ directory (all modules moved to src/)

Performance

• HTTP/2 state machine optimizations:
  • Stream caching for recently accessed streams
  • gb_sets for lingering streams (O(log N) vs O(N) lookups)
  • IOList accumulation for header fragments
• HPACK and QPACK header compression with O(1) static table lookups
• WebSocket: use rand:bytes/1 instead of crypto:strong_rand_bytes/1 for mask keys

Added

• h2spec HTTP/2 compliance testing (95% pass rate - 139/146 tests)
  • h2spec_server.erl: Minimal HTTP/2 server for compliance testing
  • h2spec_SUITE.erl: CT suite for running h2spec tests
  • Makefile target: make h2spec-test
• HTTP/3 E2E tests against real servers
  • hackney_http3_e2e_SUITE.erl: Tests against Cloudflare, Google, quic.tech
  • Makefile targets: make http3-e2e-test, make all-e2e-test
• HTTP/2 machine benchmarks (hackney_http2_machine_bench.erl)

Bug Fixes

• Fix HTTP/2 flow control for body sending (use send_or_queue_data/4)
• Fix async 204/304/HEAD responses not sending done message
• Fix unknown HTTP/2 frame types not being ignored (RFC 7540 4.1)
• Fix HTTP/2 frame size validation

3.1.2

Dependencies

• Bump quic dependency to 0.10.1

3.1.1

Bug Fixes

• Fix HTTP/3 Fin flag handling for HEAD requests and responses without body
• Bump quic dependency to 0.7.1 (fixes packet number reconstruction)

Added

• Add TLS options support in hackney_quic (verify, cacerts, cacertfile, SNI)
• Add redirect following in hackney_h3 (follow_redirect, max_redirect options)
• Add HTTP/3 integration and redirect test suites (36 new tests)

3.1.0

Refactor

• Replace QUIC NIF with pure Erlang implementation. HTTP/3 now works with zero external dependencies - no CMake, Go, or C compiler needed. Just rebar3 compile.

Removed

• Remove c_src/ directory containing lsquic, BoringSSL, and NIF code (~1.3M lines of C)
• Remove do_cmake.sh and do_quic.sh build scripts

Added

• Add hackney_qpack.erl for QPACK header compression (RFC 9204)

Changed

• hackney_quic:is_available/0 now always returns true (pure Erlang is always available)
• Update documentation to reflect no C dependencies

Dependencies

• Add quic ~>0.5.1 (pure Erlang QUIC implementation)

3.0.3

Bug Fixes

• Restore function-based streaming body support (#821). Functions passed to send_body/2 now work correctly for iterative body streaming, supporting both stateless fun() -> {ok, Data} | eof and stateful fun(State) -> {ok, Data, NewState} | eof forms.

CI

• Fix FreeBSD CI job by adding pcre2 package to resolve git linker error

3.0.2

Bug Fixes

• Add default Content-Type: application/octet-stream header when sending a body without explicit Content-Type (#823). This restores 1.x behavior and follows RFC 7231 recommendations.

Dependencies

• Bump certifi to 2.16.0 (#824)

1.25.0 - 2025-07-24

IMPORTANT CHANGE

• change: insecure_basic_auth now defaults to true instead of false

  This restores backward compatibility with pre-1.24.0 behavior where basic auth
  was allowed over HTTP connections. If you need strict HTTPS-only basic auth:

  • Set globally: application:set_env(hackney, insecure_basic_auth, false)
  • Or per-request: {insecure_basic_auth, false} in options

Hex.pm : https://hex.pm/packages/hackney/1.25.0
Doc: https://hexdocs.pm/hackney/readme.html

1.24.1 - 2025-05-26

Changes

1.24.1 - 2025-05-26

• fix: remove unused variable warning in hackney.erl

1.24.0 - 2025-05-26

• security: fix basic auth credential exposure vulnerability
• security: add application variable support for insecure_basic_auth
• fix: NXDOMAIN error in Docker Compose environments (issue #764)
• fix: stream_body timeout after first chunk (issue #762)
• fix: SSL hostname verification with custom ssl_options and SSL message leak in async streaming
• fix: pool connections not freed on 307 redirects and multiple pool/timer race conditions
• fix: socket leaks, process deadlocks, ETS memory leaks, and infinite gen_server calls
• fix: controlling_process error handling in happy eyeballs and connection pool return
• improvement: update GitHub Actions to ubuntu-22.04 and bump certifi/mimerl dependencies

Breaking Change

The new insecure_basic_auth application variable defaults to false for security.
If your application relies on insecure basic auth over HTTP, you must explicitly set
application:set_env(hackney, insecure_basic_auth, true) to maintain previous behavior.

Hex.pm : https://hex.pm/packages/hackney/1.24.1
Doc: https://hexdocs.pm/hackney/readme.html