Releases: benoitc/hackney
hackney 4.0.0
Hackney 4 trims the client down. The HTTP/2 and HTTP/3 stacks are now delegated to erlang_h2 and erlang_quic, so hackney no longer ships its own framing, HPACK / QPACK codecs, control streams or state machines. The HTTP/3 path is fully RFC 9114 compliant via quic_h3, with ALPN negotiation, Alt-Svc discovery (RFC 7838), and the same hackney:request/5 API as HTTP/1.1.
The bundled metrics subsystem is gone. In its place a Go-style middleware chain runs around hackney:request/1..5, configured per request with {middleware, [Fun, ...]} or globally via application:set_env(hackney, middleware, [...]). Users plug in prometheus, telemetry or anything else without hackney owning the policy. See the Middleware Guide and the HTTP/3 Guide.
Breaking
- Removed
hackney_metrics,hackney_metrics_backend,hackney_metrics_prometheus,hackney_metrics_dummy. Themetrics_backendapp env is no longer read. Migration recipes for prometheus and telemetry are inguides/middleware.md. Pool state is still observable throughhackney_pool:get_stats/1. - HTTP/2 and HTTP/3 low-level message tags and modules moved to the new libraries. The user-facing
hackney:request/5API is unchanged.
What's new
- Middleware chain (
hackney_middleware): outermost-first composition, request rewrite, response rewrite, short-circuit, per-request or global config. - HTTP/3 via
quic_h3: pure Erlang QUIC stack, no NIFs. ALPN-negotiated, opt-in with{protocols, [http3, http2, http1]}orapplication:set_env(hackney, default_protocols, [http3, http2, http1]). - Alt-Svc auto-discovery: server
Alt-Svcheaders are now parsed and cached on every response (HTTP/1.1, HTTP/2 and HTTP/3), so subsequent requests can upgrade to HTTP/3 transparently. Honorsclearand merges multipleAlt-Svcheaders per RFC 7230 §3.2.2. - HTTP/2 connection-pooling stability fixes for sustained concurrent load (#836).
Deps
h20.4.0quic1.0.0
Full changelog: https://github.com/benoitc/hackney/blob/4.0.0/NEWS.md
3.2.1
3.2.0
Refactor
- Replace all cowlib modules with hackney-native implementations
- Remove
src/libs/directory (all modules moved tosrc/)
Performance
- HTTP/2 state machine optimizations:
- Stream caching for recently accessed streams
- gb_sets for lingering streams (O(log N) vs O(N) lookups)
- IOList accumulation for header fragments
- HPACK and QPACK header compression with O(1) static table lookups
- WebSocket: use
rand:bytes/1instead ofcrypto:strong_rand_bytes/1for mask keys
Added
- h2spec HTTP/2 compliance testing (95% pass rate - 139/146 tests)
h2spec_server.erl: Minimal HTTP/2 server for compliance testingh2spec_SUITE.erl: CT suite for running h2spec tests- Makefile target:
make h2spec-test
- HTTP/3 E2E tests against real servers
hackney_http3_e2e_SUITE.erl: Tests against Cloudflare, Google, quic.tech- Makefile targets:
make http3-e2e-test,make all-e2e-test
- HTTP/2 machine benchmarks (
hackney_http2_machine_bench.erl)
Bug Fixes
- Fix HTTP/2 flow control for body sending (use
send_or_queue_data/4) - Fix async 204/304/HEAD responses not sending
donemessage - Fix unknown HTTP/2 frame types not being ignored (RFC 7540 4.1)
- Fix HTTP/2 frame size validation
3.1.2
3.1.1
Bug Fixes
- Fix HTTP/3 Fin flag handling for HEAD requests and responses without body
- Bump
quicdependency to 0.7.1 (fixes packet number reconstruction)
Added
- Add TLS options support in
hackney_quic(verify, cacerts, cacertfile, SNI) - Add redirect following in
hackney_h3(follow_redirect, max_redirect options) - Add HTTP/3 integration and redirect test suites (36 new tests)
3.1.0
Refactor
- Replace QUIC NIF with pure Erlang implementation. HTTP/3 now works with zero external dependencies - no CMake, Go, or C compiler needed. Just
rebar3 compile.
Removed
- Remove c_src/ directory containing lsquic, BoringSSL, and NIF code (~1.3M lines of C)
- Remove do_cmake.sh and do_quic.sh build scripts
Added
- Add
hackney_qpack.erlfor QPACK header compression (RFC 9204)
Changed
hackney_quic:is_available/0now always returnstrue(pure Erlang is always available)- Update documentation to reflect no C dependencies
Dependencies
- Add
quic~>0.5.1 (pure Erlang QUIC implementation)
3.0.3
Bug Fixes
- Restore function-based streaming body support (#821). Functions passed to
send_body/2now work correctly for iterative body streaming, supporting both statelessfun() -> {ok, Data} | eofand statefulfun(State) -> {ok, Data, NewState} | eofforms.
CI
- Fix FreeBSD CI job by adding pcre2 package to resolve git linker error
3.0.2
1.25.0 - 2025-07-24
IMPORTANT CHANGE
-
change:
insecure_basic_authnow defaults totrueinstead offalseThis restores backward compatibility with pre-1.24.0 behavior where basic auth
was allowed over HTTP connections. If you need strict HTTPS-only basic auth:- Set globally:
application:set_env(hackney, insecure_basic_auth, false) - Or per-request:
{insecure_basic_auth, false}in options
- Set globally:
Hex.pm : https://hex.pm/packages/hackney/1.25.0
Doc: https://hexdocs.pm/hackney/readme.html
1.24.1 - 2025-05-26
Changes
1.24.1 - 2025-05-26
- fix: remove unused variable warning in hackney.erl
1.24.0 - 2025-05-26
- security: fix basic auth credential exposure vulnerability
- security: add application variable support for insecure_basic_auth
- fix: NXDOMAIN error in Docker Compose environments (issue #764)
- fix: stream_body timeout after first chunk (issue #762)
- fix: SSL hostname verification with custom ssl_options and SSL message leak in async streaming
- fix: pool connections not freed on 307 redirects and multiple pool/timer race conditions
- fix: socket leaks, process deadlocks, ETS memory leaks, and infinite gen_server calls
- fix: controlling_process error handling in happy eyeballs and connection pool return
- improvement: update GitHub Actions to ubuntu-22.04 and bump certifi/mimerl dependencies
Breaking Change
The new insecure_basic_auth application variable defaults to false for security.
If your application relies on insecure basic auth over HTTP, you must explicitly set
application:set_env(hackney, insecure_basic_auth, true) to maintain previous behavior.
Hex.pm : https://hex.pm/packages/hackney/1.24.1
Doc: https://hexdocs.pm/hackney/readme.html