Skip to content

chore(deps): bump decimal from 2.4.1 to 3.1.1#24

Merged
Rolf Håvard Blindheim (rhblind) merged 1 commit into
mainfrom
dependabot/hex/decimal-3.1.1
Jun 18, 2026
Merged

chore(deps): bump decimal from 2.4.1 to 3.1.1#24
Rolf Håvard Blindheim (rhblind) merged 1 commit into
mainfrom
dependabot/hex/decimal-3.1.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 18, 2026

Copy link
Copy Markdown
Contributor

Bumps decimal from 2.4.1 to 3.1.1.

Release notes

Sourced from decimal's releases.

v3.1.0

Enhancements

  • Decimal.new/2 now accepts an optional opts keyword list and forwards it to Decimal.parse/2, allowing callers to override :max_digits and :max_exponent when constructing a decimal from a string.

Bug fixes

  • Fix infinite loop in Decimal.to_integer/1 when the coefficient is zero and the exponent is negative (e.g. Decimal.new("0.0")). Such values now correctly convert to the integer 0.

v3.0.0

Note on the new defaults

The new decimal128 defaults are more than sufficient for currency and other real-world numeric use cases. With precision: 34 and a scale of 2 (two digits after the decimal point for cents), values from 0.00 up to roughly 99_999_999_999_999_999_999_999_999_999_999.99 (~10³², 100 nonillion) round-trip without rounding. Most upgrades from 2.x require no code changes.

Security

  • Make the v2.4.0 mitigations for CVE-2026-32686 the default. The default Decimal.Context and the public parse, cast, and to_string functions now follow IEEE 754 decimal128 limits, rejecting inputs such as 1e1000000000 without materializing them.

Breaking changes

  • Decimal.Context defaults change from precision 28 and unbounded emax/emin to decimal128 values: precision: 34, emax: 6_144, emin: -6_143. Operation results whose adjusted exponent leaves that band signal overflow or underflow.
  • Decimal.parse/1 and Decimal.cast/1 reject inputs whose digit count exceeds 34 (decimal128 precision) or whose absolute exponent exceeds 6_144 (decimal128 emax). Use parse/2 / cast/2 with max_digits: :infinity and max_exponent: :infinity to restore unbounded behavior.
  • Decimal.parse/2 and Decimal.cast/2 default :max_digits to 34 and :max_exponent to 6_144 when not specified.
  • Decimal.to_string/2 and Decimal.to_string/3 raise ArgumentError when the rendered output would exceed 6_178 digit characters (precision + emax — the worst-case :normal width of any in-range decimal128 value). Inspect, String.Chars, and JSON.Encoder protocol implementations pass max_digits: :infinity so debug output always succeeds.
Changelog

Sourced from decimal's changelog.

v3.1.1 (2026-05-27)

Bug fixes

  • Fix Decimal.parse/2 and Decimal.new/2 rejecting inspect output for values at the context's full precision with negative exponents (e.g. Decimal.new("0.3162277660168379331998893544432719")). The :max_digits limit no longer counts non-significant leading zeros.

v3.1.0 (2026-05-08)

Enhancements

  • Decimal.new/2 now accepts an optional opts keyword list and forwards it to Decimal.parse/2, allowing callers to override :max_digits and :max_exponent when constructing a decimal from a string.

Bug fixes

  • Fix infinite loop in Decimal.to_integer/1 when the coefficient is zero and the exponent is negative (e.g. Decimal.new("0.0")). Such values now correctly convert to the integer 0.

v3.0.0 (2026-05-07)

Note on the new defaults

The new decimal128 defaults are more than sufficient for currency and other real-world numeric use cases. With precision: 34 and a scale of 2 (two digits after the decimal point for cents), values from 0.00 up to roughly 99_999_999_999_999_999_999_999_999_999_999.99 (~10³², 100 nonillion) round-trip without rounding. Most upgrades from 2.x require no code changes.

Security

  • Make the v2.4.0 mitigations for CVE-2026-32686 the default. The default Decimal.Context and the public parse, cast, and to_string functions now follow IEEE 754 decimal128 limits, rejecting inputs such as 1e1000000000 without materializing them.

Breaking changes

  • Decimal.Context defaults change from precision 28 and unbounded emax/emin to decimal128 values: precision: 34, emax: 6_144, emin: -6_143. Operation results whose adjusted exponent leaves that band signal overflow or underflow.
  • Decimal.parse/1 and Decimal.cast/1 reject inputs whose digit count exceeds 34 (decimal128 precision) or whose absolute exponent exceeds

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [decimal](https://github.com/ericmj/decimal) from 2.4.1 to 3.1.1.
- [Release notes](https://github.com/ericmj/decimal/releases)
- [Changelog](https://github.com/ericmj/decimal/blob/main/CHANGELOG.md)
- [Commits](ericmj/decimal@v2.4.1...v3.1.1)

---
updated-dependencies:
- dependency-name: decimal
  dependency-version: 3.1.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file elixir Pull requests that update elixir code labels Jun 18, 2026
@rhblind Rolf Håvard Blindheim (rhblind) merged commit 9d63a1b into main Jun 18, 2026
10 checks passed
@dependabot dependabot Bot deleted the dependabot/hex/decimal-3.1.1 branch June 18, 2026 12:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file elixir Pull requests that update elixir code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant