1# CHANGELOG
2
3## v1.0.1 (2021-12-14)
4
5### Bug fixes
6
7* Fix compatibility with some Elixir and OTP combinations
8
9## v1.0.0 (2021-12-13)
10
11### Enhancements
12
13* Set exit code to 1 when `mix hex.publish` fails
14* Validate OSS licenses
15* Read authorization credentials from `~/.netrc`
16* Error if building package with an `app: false` dependency
17
18### Bug fixes
19
20* Do not error if the organization authorization key could not be verified, this improves handling of API server issues
21* Improvements to version solver to prevent scenarios where it takes a long time to find a solution
22* Improve error when update checker times out
23
24## v0.21.3 (2021-09-18)
25
26### Enhancements
27
28* Add config `no_short_urls` and env var `HEX_NO_SHORT_URLS` to disable short URL generation
29* Mention `mix hex.sponsor` when fetching packages that accept sponsorship
30* Add `--key` option to `mix hex.repo show NAME` to print repository key
31* Improve output when update check fails
32* Print hint if version resolution is slow
33
34### Bug fixes
35
36* Improve version backtracking to fix slow version resolutions and downgrading of dependencies
37
38## v0.21.2 (2021-04-14)
39
40### Enhancements
41
42* Add support for `mix hex.package fetch PACKAGE` (without version)
43
44### Bug fixes
45
46* Gracefully handle missing hex metadata in sponsor task
47* Fix building hex registry
48* Update ssl opts for host validation on redirect
49* Store correct password after confirmation failure
50
51## v0.21.1 (2021-01-15)
52
53### Enhancements
54
55* Warn when using ssl-10.2
56* Disable API write operations when using ssl-10.2
57
58## v0.21.0 (2021-01-14)
59
60### Enhancements
61
62* Add `--epub` option to `mix hex.docs offline`
63* Add `--replace` option to `mix hex.publish`
64* Add locked version to `mix hex.info <package>`
65* Clarify publish message around ownership
66* Remove reliance on colors for hex.outdated
67* Follow XDG Base Directory Specification
68* Add link to diffs page in footer of `mix hex.outdated`
69* Introduce `latest` branch to install Hex using `mix archive.install git ...`
70* Add `--repo` flag to `mix hex.package` task
71* Make `mix hex.package diff` more CLI-friendly
72* Customize hostname check to allow also wildcard certificates
73* Use API for dependency config in mix hex.info
74* Do not pass --canonical to docs task
75* Always add `*.DS_Store` to `:exclude_patterns`
76* Add note about updatable packages to `mix hex.outdated` task
77* Use tarball outer checksum to check cache freshness
78* Add `--within-requirements` flag to `mix hex.outdated`
79* Add `--fetch-public-key FINGERPRINT` to `mix hex.repo add`
80* Return non-zero exit when package or release are not found in `mix hex.info`
81* Add `no_proxy` configuration
82* Add `mix hex.package diff APP VERSION`
83* Add `mix hex.sponsor` for listing all dependencies ask for sponsors or support
84* Add `mix hex.registry build` for building registries locally
85
86### Bug fixes
87
88* Fix order of organizations displayed on `mix hex.publish`
89* Fix stacktrace warning
90* Hide `mix hex.install` private task
91* Fix `mix hex.repo remove` command doc
92* Fix backtracking on single parent
93* Do not unpack the tarball on `mix hex.package fetch` unless `--unpack` is passed
94* Re-fetch stale cached package if registry checksum changed
95* Fix compatibility with OTP 24
96
97## v0.20.6 (2020-10-20)
98
99### Bug fixes
100
101* Fix compatibility with OTP 24
102
103## v0.20.5 (2020-02-05)
104
105### Enhancements
106
107* Add timestamps to entries in registry cache for easier debugging
108* Bump registry cache version to invalidate old caches
109* Warn if fetching registry without outer checksum
110
111### Bug fixes
112
113* Do not require that the registry supports outer checksums
114* Missing outer checksum is not a mismatch, this will fix "out of date" errors when the manifest is newer than the lockfile
115
116## v0.20.4 (2020-02-04)
117
118### Bug fixes
119
120* Fix tarball file extraction through symlinks
121
122## v0.20.3 (2020-02-03)
123
124### Enhancements
125
126* Fetch the latest non-prerelease version of a package in `mix hex.docs `
127
128### Bug fixes
129
130* Correctly handle old manifest files without crashing
131
132## v0.20.2 (2020-02-03)
133
134### Enhancements
135
136* Add `--output` option to `mix hex.package fetch` task
137* Add `cacerts_path` configuration for custom CA certificate files
138* Improve output in `mix hex.publish` to make it more clear to what repository you are publishing
139* Explain red colors in hex.outdated
140
141### Bug fixes
142
143* Fix HTTP timeout config
144* Do not allow creating empty packages
145
146### Security fixes
147
148* Fix for directory traversal vulnerability for symlinks in tarballs
149* Update package checksum to include the entire tarball instead of specific files inside it
150
151## v0.20.1 (2019-06-10)
152
153### Bug fixes
154
155* Do not print transfer message when not transferring
156
157## v0.20.0 (2019-06-09)
158
159### Enhancements
160
161* Add per-project Hex configuration. Configure Hex under the `:hex` key inside your project configuration in `mix.exs`
162* Show location of package after running `mix hex.build`
163* List all available Hex tasks when running `mix hex`
164* List subtasks when running `mix hex`
165* Remove tarball if it is invalid to avoid it being as cache in the future
166* Show umbrella children `mix.exs` location in `mix hex.outdated`
167* Add `mix hex.owner transfer` task
168* Show improved error message on invalid configs
169* Add `mix hex.package fetch` task
170* Add `mix hex.package diff` task
171
172### Bug fixes
173
174* Fix `mirror_url` config
175* Fix `api_url` config
176* Do no try to remove docs after reverting package – docs are already automatically removed
177
178## v0.19.0 (2019-01-15)
179
180### Enhancements
181
182* Improve output of `mix hex.config`
183* Print publisher in `mix hex.info PACKAGE VERSION`
184* Add organization flag to dependency config in `mix hex.info PACKAGE`
185
186### Bug fixes
187
188* Don't follow symlinks when adding files to tarballs
189* Error with a descriptive msg when building a package with git dependencies
190* Improve listing of incompatible package versions when displaying backtrack error message
191* Improve resolver performance when it needs to do a lot of backtracking
192
193### Security fixes
194
195* Verify authenticity of registry records. This fixes a vulnerability that would allow a malicious mirror to serve modified versions of Hex packages. A new check has been introduced that requires the latest registry record version, if you are using a repository or mirror that has not been updated yet you can disable this check by setting the environment variable `HEX_NO_VERIFY_REPO_ORIGIN=1`. Further clarification of this issue will come at a later stage.
196
197## v0.18.2 (2018-11-08)
198
199### Enhancements
200
201* Add checks before publishing docs
202* Update generated protobuf files for Registry with OTP 21 compatibility
203* No longer list tasks in `mix hex` task
204* Use hexdocs organization URLs
205* Adds `--dry-run` option to publish tasks
206* Do not print "Unchanged" dependencies on mix deps.get in green
207* Validate hex config keys
208* Add `c_src/` and `Makefile` to default package files
209* Publish Mix task docs on <https://hexdocs.pm/hex>
210* Add recommendation when retiring and require `--message` flag
211
212### Bug fixes
213
214* Use rebar3, not rebar, when guessing build tool
215* Fix issue saving write key when resetting local password
216
217## v0.18.1 (2018-07-06)
218
219### Bug fixes
220
221* Fix normalization of repo paths when authenticating organization
222
223## v0.18.0 (2018-07-05)
224
225### API keys
226
227When authenticating with `mix hex.user auth` two API keys are generated instead of single one. One key is unencrypted with read access and the other is encrypted with your local password and has full read/write access to the API. Now commands that don't make any changes will not require a password.
228
229Additionally, we generate a single key that gives access to all your organization repositories, instead of one key for each repository. It also has the added benefit that you don't have to reauthenticate if you are added to a new organization.
230
231We have also added support for keys owned directly by an organization instead of a specific user, these keys can be accessed through `mix hex.organization`. This is useful when generating keys for a CI environment, previously when personal keys were used, a person leaving an organization or revoking the key could negatively affect CI workflow.
232
233### Improvements to continuous integration workflows
234
235The `HEX_API_KEY` environment variable has been introduced to be able run commands that require an authentication without having to authenticate manually with `mix hex.user auth` which has user input prompts. The key set with `HEX_API_KEY` can be generated with `mix hex.user key generate` or `mix hex.organization key ORGANIZATION generate`. It also makes it possible to run commands such as `mix hex.publish` without being prompted for a password.
236
237By passing the `--yes` flag to `mix hex.publish` you can publish your package (together with `HEX_API_KEY`) without any confirmation prompts. This allows you to publish your package as part of your CI build process.
238
239### Ignoring `:maintainers` field
240
241In previous Hex versions we required `:maintainers` key to be present when publishing package. At the same time, on hex.pm we are also showing package owners (controlled by the `mix hex.owner` task). It was confusing to show both maintainers and owners and figure out which really control the package, so we've dropped showing maintainers on hex.pm and the field will no longer be added to package's metadata.
242
243If maintainers field was used to give credit to current and/or past contributors we encourage to mention that in project's README instead.
244
245### Enhancements
246
247* Add `--yes` flag to `hex.publish` for publishing without any confirmation prompts
248* Add `HEX_API_KEY` environment variable for setting and overriding the key used when authenticating against the API
249* Generate a single key for all organization repositories when authenticating a new user
250* Return a non-zero exit code from `hex.outdated` when dependencies are outdated
251* Generate two API keys when authenticating, one encrypted with write access, and one unencrypted with only read access
252* Add ownership levels to `hex.owner` task
253* When resolving, try all possible backtrack branches and select the best solution
254* Improve formatting of multi-line validation errors
255* Do not use `:maintainers` package configuration field
256* Change `hex.organization` to generate keys owned by organization instead of the user generating them
257* Add options to `hex.organization key` for revoking and listing keys owned by organization
258* Improve interface for `hex.user key` and `hex.organization key`, the following commands have changed:
259  * `hex.user key --generate` => `hex.user key generate`
260  * `hex.user key --list` => `hex.user key list`
261  * `hex.user key --revoke KEY_NAME` => `hex.user key revoke KEY_NAME`
262  * `hex.user key --revoke-all` => `hex.user key revoke --all`
263  * `hex.organization key ORGANIZATION` => `hex.organization key ORGANIZATION generate`
264
265## v0.17.8 (2018-07-01)
266
267### Bug fixes
268
269* Fix private packages on Windows
270
271## v0.17.7 (2018-04-20)
272
273### Bug fixes
274
275* Fix crash when unpacking tarballs with broken symlinks
276* Correct the type of build tools package metadata
277
278## v0.17.6 (2018-04-18)
279
280### Bug fixes
281
282* Fix crash when printing resolver output when having lock entries from other SCMs
283
284## v0.17.5 (2018-04-18)
285
286### Bug fixes
287
288* Fix crash when printing resolver output for old lock files
289
290## v0.17.4 (2018-04-18)
291
292### Enhancements
293
294* Tarball and registry code has been extracted to the `hex_erl` package
295* Hide retired versions when showing latest release in `hex.info` task
296* Add `hex.docs offline` and `hex.docs` online tasks
297* Add `--key-name` flag to key generation tasks
298* Add `:exclude_patterns` to package config for excluding files from package
299* Resolver now backtracks children before parents to improve versions selected when backtracking
300* Change some errors to warnings when building private packages
301* Group resolved dependency output into unchanged, updated, and downgraded when running `deps.get` and `deps.update` tasks
302* Add authentication to `hex.docs` task for showing private package documentation
303* Improve error message when package fetch times out
304* General improvements to tasks when accessing organizations
305
306### Bug fixes
307
308* Fix wrong publish message when using `--organization` flag in `hex.publish` task
309* Set file times inside tarballs to 2000-01-01 to fix tars on FAT file systems
310* Fix `hex.docs open` task on Windows
311
312## v0.17.3 (2018-01-17)
313
314### Bug fixes
315
316* Handle missing package descriptions in `hex.search` task
317* Fix printing of package checksum after publishing
318
319## v0.17.2 (2018-01-16)
320
321### Enhancements
322
323* Increase `hex.publish` timeouts and make it configurable with `:http_timeout` config and `HEX_HTTP_TIMEOUT` variable
324* Test key before adding it with `hex.organization auth NAME --key KEY`
325* Remove pre-release publish restriction for private packages
326* Add package descriptions to `hex.search` task
327* Improve error message when there are no versions matching requirement
328* Add latest stable version to `hex.search` task
329* Add `metadata.config` file to checked out dependency directory
330* Warn if we detect a lock entry from a newer Hex version
331* Add `hex.build --output` and `hex.build --unpack` tasks
332* Preserve symlinks and empty directories in tar
333* Simplify Hex output on deps.get
334* General improvements to tarball creation and unpacking
335* List umbrella children's top level dependencies in `hex.outdated`
336* Include `.formatter.exs` file in default package builds
337* Prompt user when authentication is required
338* Automatically auth all organizations when authing user with `hex.user auth`
339* Highlight if a package release has been retired in `hex.info`
340* Display package website links in `mix hex.owner packages`
341
342### Bug fixes
343
344* Do not crash if failing to write tarball
345* Disable HTTP pipelining to avoid bugs in HTTP client
346* Also purge registry etags when repository source changed
347* Retry HTTP requests on `:socket_closed_remotely` errors
348* Fix package tarballs being reproducible
349* Authenticate HTTP requests for `hex.search`
350* Populate managers when initially getting dependencies
351* Check dependencies on `hex.audit` and `hex.publish`
352* Fix fetching of private packages that overrides public packages
353* Fix HTTP redirect handling
354* Don't display internal configs in `hex.config`
355
356## v0.17.1 (2017-08-29)
357
358### Enhancements
359
360* Improve error message when package does not exist
361* Improve error message when no versions exist for given requirement
362* Add `--key` flag to `hex.organization auth` to authorize by giving a key directly without supplying a password
363* Add `hex.organization key` to generate a key for accessing the organization's repository
364
365## v0.17.0 (2017-08-28)
366
367### Private packages and organizations
368
369Hex.pm is adding support for private packages with organizations. See https://hex.pm/docs/private for more details. To authorize an organization on your machine run `mix hex.organization auth acme`, this will store the organization's repository details in Hex so that you can fetch packages from the repository. As soon as you are added as a member to an organization you can administer and publish packages, if you have the appropriate role, with the `--organization` flag or by setting the `:organization` option on the package configuration.
370
371Different from the last release packages will always be pulled from the default `hexpm` repository and you have to override it with the `:organization` or `:repo` options on the dependency configuration.
372
373### Enhancements
374
375* Add `hex.organization` task
376* Rename `hex.user key` flag `--remove*` to `--revoke*` to clarify what it does
377* Add `--organization` flag to tasks working on packages
378* Add `:organization` option to package configuration
379* Add support for publishing to organizations
380* Improve error message when docs task is missing
381* Add `--confirm` flag to `hex.publish` task
382
383### Bug fixes
384
385* Fix version validation exceptions
386* Reintroduce `HEX_MIRROR` environment variable
387* Preserve file modes when building tarball
388* Disallow `:app` option for dependencies
389
390## v0.16.1 (2017-06-22)
391
392### Enhancements
393
394* Add `mix hex.repo show` task for showing repo configuration
395* Improve error message if there are no releases for given requirement in the registry
396* Add `mix hex.audit` task for checking for retired packages
397
398### Bug fixes
399
400* Do not try to publish docs if package publish failed
401* Do not update lock entry if only metadata changed
402* Do not show authentication details when printing URLs
403* Fix password reset
404* Fix race condition where some entries may not be cached if they were added just before application closed
405* Support PAX tarballs, created on OTP 20, when using older OTP versions. Additionally, make it less likely PAX tarballs are created
406
407## v0.16.0 (2017-04-18)
408
409### Multiple repository support
410
411This version adds support for using packages from multiple repositories. With the `hex.repo` task additional repositories can be added to Hex. With it you can add additional repositories or replace the default "hexpm" repository by running `mix hex.repo add hexpm ...`, check the docs for more information. To use a dependency from another repository add `repo: :my_other_repo` to the dependency definition in `mix.exs` and make sure you have added `my_other_repo` with `mix hex.repo add my_other_repo`. Dependencies of a package will be automatically pulled from the same repository as the parent package unless otherwise stated with the `:repo` option on the dependency definition.
412
413### Enhancements
414
415* Add `hex.repo` task
416* Move `hex.key` tasks to `hex.user keys`
417* Warn or error if publishing a package with pre-release dependencies
418
419### Bug fixes
420
421* Do not check for updates when running in offline mode
422* Fix an issue where dependency resolution could take a very long time
423* Do not publish docs if publishing the package failed
424* Fix an issue where HTTP timeouts could cause the application to freeze
425* Ensure managers always exist in the lock
426
427## v0.15.0 (2016-12-24)
428
429### Package retirement
430
431With this new release you can mark versions of your packages as retired when you no longer recommend its use. This can be because the release has a serious security flaw, something went wrong with the release so that it's unusable or because the package has been renamed or deprecated. A retired version is still usable and fetchable but it will show as retired on hex.pm and when resolved Hex will show a warning to the user with the retirement message.
432
433### Enhancements
434
435* Add --module flag to `hex.docs` task
436* Changed `hex.outdated` task to show if a dependency can be updated
437* Add `hex.retire` task for package retirement
438* Warn when resolving retired packages
439* Restrict number of default SSL ciphers
440
441### Bug fixes
442
443* Do not make conditional HTTP request if file is missing
444* Ensure cache file is saved when Hex exits
445
446## v0.14.1 (2016-11-24)
447
448### Enhancements
449
450* Add environment variable `HEX_HTTP_CONCURRENCY` for limiting number of concurrent HTTP requests
451
452### Bug fixes
453
454* Fix compatibilities with older Elixir version (<= 1.1)
455* Ensure build tools are unique in mix.lock and when publishing
456* Fix `hex.docs open` opening websites on Unix systems
457* Do not crash on diverged dependencies with conflicting SCMs
458* Fix some duplicate HTTP requests on slow networks
459* Limit concurrent registry HTTP requests
460
461## v0.14.0 (2016-10-28)
462
463### New registry format
464
465Hex has switched to a new registry format that is more efficient and will scale better as the registry grows. The new registry format is encoded with protocol buffers and is split into multiple files (one file per package) to avoid fetching one big file with data you will not need. The resolver will make more HTTP requests but will in total fetch much less data. The specification for the new format can be found here: https://github.com/hexpm/specifications/pull/10. The old ETS based registry format is no longer supported in the client but will continue to be available from the registry for the foreseeable future.
466
467### Enhancements
468
469* `hex.docs open` will by default open the online hexdocs for the given package
470* An `--offline` option has been added to `hex.docs open` for opening docs stored on your local filesystem and it will automatically fetch the docs if they are not available locally
471* Only support secure SSL ciphers and safe SSL versions (support for SSLv3 has been dropped)
472* Improvements to the language in the resolver error messages
473
474### Bug fixes
475
476* Fix an issue where duplicate build tool names could be added to the package metadata
477
478## v0.13.2 (2016-09-19)
479
480### Bug fixes
481
482* Only error on non-Hex dependencies when building
483
484## v0.13.1 (2016-09-19)
485
486### Enhancements
487
488* Most warnings on `hex.publish` are now errors
489
490### Bug fixes
491
492* Fix bug where the old config format was not readable
493* Convert old config format to new format on every read
494* Fix `HEX_UNSAFE_REGISTRY` negation
495
496## v0.13.0 (2016-07-30)
497
498### Enhancements
499
500* Inform about new Hex version in `hex.info`
501* Support `extra` metadata field
502* Print package checksum when building and publishing
503* Warn if using registry from cache
504* Show creation time of API keys in `hex.keys list`
505* Improve the error message if OTP has broken SNI in `:ssl` application
506* Verify dependencies from registry against lock
507* Hex will now automatically encrypt your local API key, use `hex.user passphrase` to change the encryption passphrase
508* Improve resolver error message to mention behavior of pre-releases and overrides
509* Improve error message if a dependency has configured the OTP application name incorrectly for another dependency
510* `hex.publish` now also publishes docs by default, use `hex.publish package` and `hex.publish docs` to respectively publish package and docs independently
511* `hex.docs` will now open or fetch documentation tarballs
512* `hex.key remove` will now also de-auth the user if the local API key was removed
513* Add status messages when publishing and reverting
514
515### Bug fixes
516
517* Fix bug where the client was fetching packages even when lock is OK
518* Fix resolver sometimes not producing any backtrack output
519* Verify certificate against correct hostname after redirect
520
521## v0.12.1 (2016-05-31)
522
523### Enhancements
524
525* Only show proxy settings when MIX_DEBUG=1
526* Add retries to idempotent requests
527
528### Bug fixes
529
530* Fix crash when you get multiple backtrack messages
531
532## v0.12.0 (2016-05-15)
533
534### Enhancements
535
536* Add package checksums to lock, ensuring a locked package can not change its content
537* Add managers and deps to lock, allowing Hex to run without loading the registry
538* Align deps fetching output from scm
539* Update hex.pm repo URL to https://repo.hex.pm
540* Link to policies when registering account
541* Update CoC links
542* Improve conflict messages
543* Improve error messages when ex_doc is missing when publishing docs
544* Show app name of dependency in `hex.info`
545* Warn about long package descriptions
546
547### Bug fixes
548
549* Fix `HEX_UNSAFE_HTTPS` environment variable and `unsafe_https` config
550
551## v0.11.5 (2016-04-07)
552
553### Enhancements
554
555* Add more registry metrics to `hex.info`
556
557### Bug fixes
558
559* Fix a bug where Hex was about a bit too enthusiastic when informing the user of new versions
560* Fix some missing future-proofing of lock
561
562## v0.11.4 (2016-04-06)
563
564### Enhancements
565
566* Use HTTPS to Hex.pm repository
567* Make lock backwards compatible by treating it as a list and only matching on the front
568
569### Bug fixes
570
571* Correctly show update notification
572* Remove duplicate parents from backtrack messages
573* Fix invalid message in `hex.outdated` if locked version is a pre-release
574
575## v0.11.3 (2016-03-14)
576
577### Bug fixes
578
579* Do not crash if registry fails to fetch
580* Remove force update of registry if it is more than a week old
581
582## v0.11.2 (2016-03-11)
583
584### Enhancements
585
586* Verify registry signature against public key
587* Improve missing registry error message
588* Deprecate `HEX_CDN` in favor of `HEX_REPO` and `HEX_MIRROR`. See the `hex` task for more information
589* Deprecate `:cdn_url` config in favor of `:repo_url` and `mirror_url`. See the `hex.config` task for more information
590* Improve performance of parallel package fetching
591* Use fastly instead of S3 for the Hex.pm repository
592* Add `--delete` option to `hex.config` task
593
594### Bug fixes
595
596* Show local time in hex.info
597* Correctly unlock all dependencies on `deps.update`
598* Always fetch registry if it's missing or known to be old
599
600## v0.11.1 (2016-03-03)
601
602### Bug fixes
603
604* Fix incorrect build version check
605* Fix parsing of requirements without spaces
606
607## v0.11.0 (2016-03-03)
608
609### Enhancements
610
611* Append the OTP version to the user_agent function
612* Improve output of http request timeout errors
613* Warn if `:manager` or `:compile` is set on dependencies when publishing
614* Add `--pre` flag to `hex.outdated`
615* Use erlang binary term encoding for API instead of elixir encoding
616* Pull package name from correct source when publish docs
617* Pass canonical url to ex_doc task
618* Change hexdocs links to use https
619* Add `hex.outdated APP` to list all requirements on given dependency
620* Do not allow pre-releases for dependencies unless the requirement uses a pre-release version
621* Optimize version cache memory usage
622
623### Bug fixes
624
625* Fix incorrect build version check for dev versions of Elixir
626* Fix loop when backtracking in resolver
627* Fix timeout errors on slow systems
628
629## v0.10.4 (2016-01-26)
630
631### Enhancements
632
633* Make the experimental resolver the default
634
635### Bug fixes
636
637* Ensure registry can be opened/closed multiple times
638* Ensure `hex.search` task handles empty results
639* Fix experimental resolvers only backtracking on parents that had requirements that failed
640* Fix merging of overlapping parent and package versions in backtrack messages
641
642## v0.10.3 (2016-01-23)
643
644### Bug fixes
645
646* Fix bug when umbrella child has dependency with `:only`
647
648## v0.10.2 (2016-01-22)
649
650### Enhancements
651
652* General optimizations in dependency resolver
653* Add experimental faster backtracker that does more aggressive backtracking, set environment variable `HEX_EXPERIMENTAL_RESOLVER=1` to use it
654* Merge backtrack messages that have similar parents
655* Merge multiple versions into version ranges when possible for more succinct backtrack messages
656
657### Bug fixes
658
659* Reduce memory usage when resolver produces many backtrack messages
660
661## v0.10.1 (2016-01-15)
662
663### Bug fixes
664
665* Fix a crash when a dependency is missing its version requirement
666
667## v0.10.0 (2016-01-14)
668
669### Enhancements
670
671* Add support for authentication when using HTTP proxies
672* Add more build information to `hex.info` task to ease debugging
673* Greatly improve backtracking error messages
674* Prevent packages for being published without a description
675* Improve error printing when S3 return errors
676* Improve output from `hex.outdated` task
677* Warn if a package dependency is missing its requirement
678* Improve error message from `hex.docs` task when `ex_doc` dependency is missing
679* Remove useless output when fetching dependencies
680* Improve package output in `hex.info` task
681
682### Bug fixes
683
684* Fix a rare bug that could cause the resolver to go into an infinite loop
685* UTF8 encode package metadata
686* Only list missing files if `:files` is set
687* Fix bug when umbrella child has dependency with `:only`
688
689## v0.9.0 (2015-09-25)
690
691### Enhancements
692
693* Pass build tool information to Mix (supported in Elixir 1.1.0)
694* Make Hex a proper OTP application
695* Update CA store
696* Warn if files are missing when building package
697* Improve error message when resolution fails because of a locked dependency
698* Add `hex.registry` task for loading and dumping registry
699* Add `HEX_OFFLINE` for running in offline mode which skips fetching registry and packages
700* Add `hex.build` task for building package without publishing
701* Reduce noise when users gets lots of resolution errors and generally improve their output
702* Add Server Name Indication support for HTTPS requests
703* Add `HEX_UNSAFE_HTTPS` for disabling certificate checking
704* Rename `:contributors` metadata to `:maintainers` to better reflect purpose of field
705
706### Bug fixes
707
708* `HEX_API` no longer automatically adds `api/` to URL
709* Fix crash when user doesn't explicitly override Hex package when needed
710* Fix bug where metadata in package tarball was not properly UTF8 encoded
711* Fix error message when registry file is missing
712* Support `hex.outdated` task for umbrella projects
713* Do not raise on bad data in a users old lock
714
715## v0.8.3 (2015-07-17)
716
717### Security fixes
718
719* Fix a bug that would trust any certificate in the certificate chain signed by a trusted CA, this could allow the certificate, that is not a CA, to issue and sign new certificates for any host
720
721## v0.8.2 (2015-07-13)
722
723### Enhancements
724
725* Sort dependency resolver results
726
727### Bug fixes
728
729* Fix build_tools metadata being sent incorrectly
730
731## v0.8.1 (2015-07-12)
732
733### Enhancements
734
735* Warn if registry file is missing when loading deps
736
737### Bug fixes
738
739* Consider new optional requirements for already activated dependency
740* Add multiple build tools to metadata
741
742## v0.8.0 (2015-05-19)
743
744### Enhancements
745
746* Warn if using insecure SSL because of old OTP version
747* Use yellow test for warning text
748* Include build_tools in release metadata
749* Print more metadata when publishing
750
751### Bug fixes
752
753* Fix an error when printing an http status codes
754* Always fetch new registry if it's older than 7 days
755
756## v0.7.5 (2015-04-12)
757
758### Enhancements
759
760* Add task `hex.user test` for testing user authentication.
761* Add task `hex.outdated` for listing outdated packages compared to the registry.
762* Update CA store as of April 3.
763* Inform user if authentication failed because they did not confirm email.
764* Improve error message for unsupported tarball version.
765
766### Bug fixes
767
768* Fix a bug where overriding a Hex dependency with a non-Hex dependency was ignored when the overriding at least two levels deep in the dependency tree
769
770## v0.7.4 (2015-03-16)
771
772### Bug fixes
773
774* Include all conflicting requirements in backtrack message
775* Fix a bug where backtrack message failed on optional requests
776
777## v0.7.3 (2015-03-04)
778
779### Bug fixes
780
781* Fix an error when merging locked and optional dependencies
782
783## v0.7.2 (2015-03-04)
784
785### Enhancements
786
787* Print messages on backtracks if dependency resolution failed, this is intended to help users resolve conflicts
788
789### Bug fixes
790
791* Fix a bug where a dependency converged in mix did not consider all its requirements
792* Fix a bug where dependencies in the lock was considered even if they weren't requested
793
794## v0.7.1 (2015-02-15)
795
796### Bug fixes
797
798* Fix updating the registry
799
800## v0.7.0 (2015-02-15)
801
802### Enhancements
803
804* Print proxy options on startup
805* Add `mix hex.user password reset` and remove `mix hex.user update`
806* Create version 3 tarballs with erlang term encoded metadata
807
808### Bug fixes
809
810* Verify peer certificate against CA certificate public key in `partial_chain`
811* Fix a bug where overriding a Hex dependency with a non-Hex dependency was ignored when the overriding happened in a sub-dependency
812* Create hex directory before writing registry
813
814## v0.6.2 (2015-01-02)
815
816### Enhancements
817
818* Add PKIX hostname verification according to RFC6125
819* Improve error messages from HTTP error codes
820* Improve HTTP performance
821* Add config options `api_url`, `cdn_url`, `http_proxy` and `https_proxy`
822* Support both doc/ and docs/ as documentation directory
823
824## v0.6.1 (2014-12-11)
825
826### Enhancements
827
828* Convert config file to erlang term file
829
830## v0.6.0 (2014-10-12)
831
832### Enhancements
833
834* Add support for packages with a different OTP application name than the package name
835* Add task `mix hex.docs` for uploading project documentation
836* Add email confirmation
837
838### Bug fixes
839
840* Allow you to change your password with `mix hex.user update`
841* Correctly display dependencies in `mix hex.info PACKAGE VERSION`
842* Verify peer certificates when fetching tarball
843
844## v0.5.0 (2014-09-19)
845
846### Enhancements
847
848* Verify peer certificate for SSL (only available in OTP 17.3)
849* Reduce archive size with compiler option `debug_info: false`
850* Add support for config as an erlang term file
851* Warn if Hex was built against a different major.minor Elixir version
852
853## v0.4.3 (2014-09-06)
854
855## v0.4.2 (2014-08-31)
856
857### Enhancements
858
859* Add task `hex.user whoami` that prints the locally authorized user
860* Add task `hex.user deauth` to deauthorize the local user
861* Rename environment variable `HEX_URL` to `HEX_API` to not confuse it with `HEX_CDN`
862
863### Bug fixes
864
865* Print newline after progress bar
866
867## v0.4.1 (2014-08-12)
868
869### Enhancements
870
871* Add progress bar for uploading the tarball when publishing
872* Compare tarball checksum against checksum in registry
873* Bump tarball support to version 3
874* Rename task for authenticating on the local machine from `hex.key new` to `hex.user auth`
875* Remove the ability to pass password as a CLI parameter
876
877### Bug fixes
878
879* Support lower-case proxy environment variables
880* Remove any timeouts when fetching package tarballs
881