1# CHANGELOG 2 3## v1.0.1 (2021-12-14) 4 5### Bug fixes 6 7* Fix compatibility with some Elixir and OTP combinations 8 9## v1.0.0 (2021-12-13) 10 11### Enhancements 12 13* Set exit code to 1 when `mix hex.publish` fails 14* Validate OSS licenses 15* Read authorization credentials from `~/.netrc` 16* Error if building package with an `app: false` dependency 17 18### Bug fixes 19 20* Do not error if the organization authorization key could not be verified, this improves handling of API server issues 21* Improvements to version solver to prevent scenarios where it takes a long time to find a solution 22* Improve error when update checker times out 23 24## v0.21.3 (2021-09-18) 25 26### Enhancements 27 28* Add config `no_short_urls` and env var `HEX_NO_SHORT_URLS` to disable short URL generation 29* Mention `mix hex.sponsor` when fetching packages that accept sponsorship 30* Add `--key` option to `mix hex.repo show NAME` to print repository key 31* Improve output when update check fails 32* Print hint if version resolution is slow 33 34### Bug fixes 35 36* Improve version backtracking to fix slow version resolutions and downgrading of dependencies 37 38## v0.21.2 (2021-04-14) 39 40### Enhancements 41 42* Add support for `mix hex.package fetch PACKAGE` (without version) 43 44### Bug fixes 45 46* Gracefully handle missing hex metadata in sponsor task 47* Fix building hex registry 48* Update ssl opts for host validation on redirect 49* Store correct password after confirmation failure 50 51## v0.21.1 (2021-01-15) 52 53### Enhancements 54 55* Warn when using ssl-10.2 56* Disable API write operations when using ssl-10.2 57 58## v0.21.0 (2021-01-14) 59 60### Enhancements 61 62* Add `--epub` option to `mix hex.docs offline` 63* Add `--replace` option to `mix hex.publish` 64* Add locked version to `mix hex.info <package>` 65* Clarify publish message around ownership 66* Remove reliance on colors for hex.outdated 67* Follow XDG Base Directory Specification 68* Add link to diffs page in footer of `mix hex.outdated` 69* Introduce `latest` branch to install Hex using `mix archive.install git ...` 70* Add `--repo` flag to `mix hex.package` task 71* Make `mix hex.package diff` more CLI-friendly 72* Customize hostname check to allow also wildcard certificates 73* Use API for dependency config in mix hex.info 74* Do not pass --canonical to docs task 75* Always add `*.DS_Store` to `:exclude_patterns` 76* Add note about updatable packages to `mix hex.outdated` task 77* Use tarball outer checksum to check cache freshness 78* Add `--within-requirements` flag to `mix hex.outdated` 79* Add `--fetch-public-key FINGERPRINT` to `mix hex.repo add` 80* Return non-zero exit when package or release are not found in `mix hex.info` 81* Add `no_proxy` configuration 82* Add `mix hex.package diff APP VERSION` 83* Add `mix hex.sponsor` for listing all dependencies ask for sponsors or support 84* Add `mix hex.registry build` for building registries locally 85 86### Bug fixes 87 88* Fix order of organizations displayed on `mix hex.publish` 89* Fix stacktrace warning 90* Hide `mix hex.install` private task 91* Fix `mix hex.repo remove` command doc 92* Fix backtracking on single parent 93* Do not unpack the tarball on `mix hex.package fetch` unless `--unpack` is passed 94* Re-fetch stale cached package if registry checksum changed 95* Fix compatibility with OTP 24 96 97## v0.20.6 (2020-10-20) 98 99### Bug fixes 100 101* Fix compatibility with OTP 24 102 103## v0.20.5 (2020-02-05) 104 105### Enhancements 106 107* Add timestamps to entries in registry cache for easier debugging 108* Bump registry cache version to invalidate old caches 109* Warn if fetching registry without outer checksum 110 111### Bug fixes 112 113* Do not require that the registry supports outer checksums 114* Missing outer checksum is not a mismatch, this will fix "out of date" errors when the manifest is newer than the lockfile 115 116## v0.20.4 (2020-02-04) 117 118### Bug fixes 119 120* Fix tarball file extraction through symlinks 121 122## v0.20.3 (2020-02-03) 123 124### Enhancements 125 126* Fetch the latest non-prerelease version of a package in `mix hex.docs ` 127 128### Bug fixes 129 130* Correctly handle old manifest files without crashing 131 132## v0.20.2 (2020-02-03) 133 134### Enhancements 135 136* Add `--output` option to `mix hex.package fetch` task 137* Add `cacerts_path` configuration for custom CA certificate files 138* Improve output in `mix hex.publish` to make it more clear to what repository you are publishing 139* Explain red colors in hex.outdated 140 141### Bug fixes 142 143* Fix HTTP timeout config 144* Do not allow creating empty packages 145 146### Security fixes 147 148* Fix for directory traversal vulnerability for symlinks in tarballs 149* Update package checksum to include the entire tarball instead of specific files inside it 150 151## v0.20.1 (2019-06-10) 152 153### Bug fixes 154 155* Do not print transfer message when not transferring 156 157## v0.20.0 (2019-06-09) 158 159### Enhancements 160 161* Add per-project Hex configuration. Configure Hex under the `:hex` key inside your project configuration in `mix.exs` 162* Show location of package after running `mix hex.build` 163* List all available Hex tasks when running `mix hex` 164* List subtasks when running `mix hex` 165* Remove tarball if it is invalid to avoid it being as cache in the future 166* Show umbrella children `mix.exs` location in `mix hex.outdated` 167* Add `mix hex.owner transfer` task 168* Show improved error message on invalid configs 169* Add `mix hex.package fetch` task 170* Add `mix hex.package diff` task 171 172### Bug fixes 173 174* Fix `mirror_url` config 175* Fix `api_url` config 176* Do no try to remove docs after reverting package – docs are already automatically removed 177 178## v0.19.0 (2019-01-15) 179 180### Enhancements 181 182* Improve output of `mix hex.config` 183* Print publisher in `mix hex.info PACKAGE VERSION` 184* Add organization flag to dependency config in `mix hex.info PACKAGE` 185 186### Bug fixes 187 188* Don't follow symlinks when adding files to tarballs 189* Error with a descriptive msg when building a package with git dependencies 190* Improve listing of incompatible package versions when displaying backtrack error message 191* Improve resolver performance when it needs to do a lot of backtracking 192 193### Security fixes 194 195* Verify authenticity of registry records. This fixes a vulnerability that would allow a malicious mirror to serve modified versions of Hex packages. A new check has been introduced that requires the latest registry record version, if you are using a repository or mirror that has not been updated yet you can disable this check by setting the environment variable `HEX_NO_VERIFY_REPO_ORIGIN=1`. Further clarification of this issue will come at a later stage. 196 197## v0.18.2 (2018-11-08) 198 199### Enhancements 200 201* Add checks before publishing docs 202* Update generated protobuf files for Registry with OTP 21 compatibility 203* No longer list tasks in `mix hex` task 204* Use hexdocs organization URLs 205* Adds `--dry-run` option to publish tasks 206* Do not print "Unchanged" dependencies on mix deps.get in green 207* Validate hex config keys 208* Add `c_src/` and `Makefile` to default package files 209* Publish Mix task docs on <https://hexdocs.pm/hex> 210* Add recommendation when retiring and require `--message` flag 211 212### Bug fixes 213 214* Use rebar3, not rebar, when guessing build tool 215* Fix issue saving write key when resetting local password 216 217## v0.18.1 (2018-07-06) 218 219### Bug fixes 220 221* Fix normalization of repo paths when authenticating organization 222 223## v0.18.0 (2018-07-05) 224 225### API keys 226 227When authenticating with `mix hex.user auth` two API keys are generated instead of single one. One key is unencrypted with read access and the other is encrypted with your local password and has full read/write access to the API. Now commands that don't make any changes will not require a password. 228 229Additionally, we generate a single key that gives access to all your organization repositories, instead of one key for each repository. It also has the added benefit that you don't have to reauthenticate if you are added to a new organization. 230 231We have also added support for keys owned directly by an organization instead of a specific user, these keys can be accessed through `mix hex.organization`. This is useful when generating keys for a CI environment, previously when personal keys were used, a person leaving an organization or revoking the key could negatively affect CI workflow. 232 233### Improvements to continuous integration workflows 234 235The `HEX_API_KEY` environment variable has been introduced to be able run commands that require an authentication without having to authenticate manually with `mix hex.user auth` which has user input prompts. The key set with `HEX_API_KEY` can be generated with `mix hex.user key generate` or `mix hex.organization key ORGANIZATION generate`. It also makes it possible to run commands such as `mix hex.publish` without being prompted for a password. 236 237By passing the `--yes` flag to `mix hex.publish` you can publish your package (together with `HEX_API_KEY`) without any confirmation prompts. This allows you to publish your package as part of your CI build process. 238 239### Ignoring `:maintainers` field 240 241In previous Hex versions we required `:maintainers` key to be present when publishing package. At the same time, on hex.pm we are also showing package owners (controlled by the `mix hex.owner` task). It was confusing to show both maintainers and owners and figure out which really control the package, so we've dropped showing maintainers on hex.pm and the field will no longer be added to package's metadata. 242 243If maintainers field was used to give credit to current and/or past contributors we encourage to mention that in project's README instead. 244 245### Enhancements 246 247* Add `--yes` flag to `hex.publish` for publishing without any confirmation prompts 248* Add `HEX_API_KEY` environment variable for setting and overriding the key used when authenticating against the API 249* Generate a single key for all organization repositories when authenticating a new user 250* Return a non-zero exit code from `hex.outdated` when dependencies are outdated 251* Generate two API keys when authenticating, one encrypted with write access, and one unencrypted with only read access 252* Add ownership levels to `hex.owner` task 253* When resolving, try all possible backtrack branches and select the best solution 254* Improve formatting of multi-line validation errors 255* Do not use `:maintainers` package configuration field 256* Change `hex.organization` to generate keys owned by organization instead of the user generating them 257* Add options to `hex.organization key` for revoking and listing keys owned by organization 258* Improve interface for `hex.user key` and `hex.organization key`, the following commands have changed: 259 * `hex.user key --generate` => `hex.user key generate` 260 * `hex.user key --list` => `hex.user key list` 261 * `hex.user key --revoke KEY_NAME` => `hex.user key revoke KEY_NAME` 262 * `hex.user key --revoke-all` => `hex.user key revoke --all` 263 * `hex.organization key ORGANIZATION` => `hex.organization key ORGANIZATION generate` 264 265## v0.17.8 (2018-07-01) 266 267### Bug fixes 268 269* Fix private packages on Windows 270 271## v0.17.7 (2018-04-20) 272 273### Bug fixes 274 275* Fix crash when unpacking tarballs with broken symlinks 276* Correct the type of build tools package metadata 277 278## v0.17.6 (2018-04-18) 279 280### Bug fixes 281 282* Fix crash when printing resolver output when having lock entries from other SCMs 283 284## v0.17.5 (2018-04-18) 285 286### Bug fixes 287 288* Fix crash when printing resolver output for old lock files 289 290## v0.17.4 (2018-04-18) 291 292### Enhancements 293 294* Tarball and registry code has been extracted to the `hex_erl` package 295* Hide retired versions when showing latest release in `hex.info` task 296* Add `hex.docs offline` and `hex.docs` online tasks 297* Add `--key-name` flag to key generation tasks 298* Add `:exclude_patterns` to package config for excluding files from package 299* Resolver now backtracks children before parents to improve versions selected when backtracking 300* Change some errors to warnings when building private packages 301* Group resolved dependency output into unchanged, updated, and downgraded when running `deps.get` and `deps.update` tasks 302* Add authentication to `hex.docs` task for showing private package documentation 303* Improve error message when package fetch times out 304* General improvements to tasks when accessing organizations 305 306### Bug fixes 307 308* Fix wrong publish message when using `--organization` flag in `hex.publish` task 309* Set file times inside tarballs to 2000-01-01 to fix tars on FAT file systems 310* Fix `hex.docs open` task on Windows 311 312## v0.17.3 (2018-01-17) 313 314### Bug fixes 315 316* Handle missing package descriptions in `hex.search` task 317* Fix printing of package checksum after publishing 318 319## v0.17.2 (2018-01-16) 320 321### Enhancements 322 323* Increase `hex.publish` timeouts and make it configurable with `:http_timeout` config and `HEX_HTTP_TIMEOUT` variable 324* Test key before adding it with `hex.organization auth NAME --key KEY` 325* Remove pre-release publish restriction for private packages 326* Add package descriptions to `hex.search` task 327* Improve error message when there are no versions matching requirement 328* Add latest stable version to `hex.search` task 329* Add `metadata.config` file to checked out dependency directory 330* Warn if we detect a lock entry from a newer Hex version 331* Add `hex.build --output` and `hex.build --unpack` tasks 332* Preserve symlinks and empty directories in tar 333* Simplify Hex output on deps.get 334* General improvements to tarball creation and unpacking 335* List umbrella children's top level dependencies in `hex.outdated` 336* Include `.formatter.exs` file in default package builds 337* Prompt user when authentication is required 338* Automatically auth all organizations when authing user with `hex.user auth` 339* Highlight if a package release has been retired in `hex.info` 340* Display package website links in `mix hex.owner packages` 341 342### Bug fixes 343 344* Do not crash if failing to write tarball 345* Disable HTTP pipelining to avoid bugs in HTTP client 346* Also purge registry etags when repository source changed 347* Retry HTTP requests on `:socket_closed_remotely` errors 348* Fix package tarballs being reproducible 349* Authenticate HTTP requests for `hex.search` 350* Populate managers when initially getting dependencies 351* Check dependencies on `hex.audit` and `hex.publish` 352* Fix fetching of private packages that overrides public packages 353* Fix HTTP redirect handling 354* Don't display internal configs in `hex.config` 355 356## v0.17.1 (2017-08-29) 357 358### Enhancements 359 360* Improve error message when package does not exist 361* Improve error message when no versions exist for given requirement 362* Add `--key` flag to `hex.organization auth` to authorize by giving a key directly without supplying a password 363* Add `hex.organization key` to generate a key for accessing the organization's repository 364 365## v0.17.0 (2017-08-28) 366 367### Private packages and organizations 368 369Hex.pm is adding support for private packages with organizations. See https://hex.pm/docs/private for more details. To authorize an organization on your machine run `mix hex.organization auth acme`, this will store the organization's repository details in Hex so that you can fetch packages from the repository. As soon as you are added as a member to an organization you can administer and publish packages, if you have the appropriate role, with the `--organization` flag or by setting the `:organization` option on the package configuration. 370 371Different from the last release packages will always be pulled from the default `hexpm` repository and you have to override it with the `:organization` or `:repo` options on the dependency configuration. 372 373### Enhancements 374 375* Add `hex.organization` task 376* Rename `hex.user key` flag `--remove*` to `--revoke*` to clarify what it does 377* Add `--organization` flag to tasks working on packages 378* Add `:organization` option to package configuration 379* Add support for publishing to organizations 380* Improve error message when docs task is missing 381* Add `--confirm` flag to `hex.publish` task 382 383### Bug fixes 384 385* Fix version validation exceptions 386* Reintroduce `HEX_MIRROR` environment variable 387* Preserve file modes when building tarball 388* Disallow `:app` option for dependencies 389 390## v0.16.1 (2017-06-22) 391 392### Enhancements 393 394* Add `mix hex.repo show` task for showing repo configuration 395* Improve error message if there are no releases for given requirement in the registry 396* Add `mix hex.audit` task for checking for retired packages 397 398### Bug fixes 399 400* Do not try to publish docs if package publish failed 401* Do not update lock entry if only metadata changed 402* Do not show authentication details when printing URLs 403* Fix password reset 404* Fix race condition where some entries may not be cached if they were added just before application closed 405* Support PAX tarballs, created on OTP 20, when using older OTP versions. Additionally, make it less likely PAX tarballs are created 406 407## v0.16.0 (2017-04-18) 408 409### Multiple repository support 410 411This version adds support for using packages from multiple repositories. With the `hex.repo` task additional repositories can be added to Hex. With it you can add additional repositories or replace the default "hexpm" repository by running `mix hex.repo add hexpm ...`, check the docs for more information. To use a dependency from another repository add `repo: :my_other_repo` to the dependency definition in `mix.exs` and make sure you have added `my_other_repo` with `mix hex.repo add my_other_repo`. Dependencies of a package will be automatically pulled from the same repository as the parent package unless otherwise stated with the `:repo` option on the dependency definition. 412 413### Enhancements 414 415* Add `hex.repo` task 416* Move `hex.key` tasks to `hex.user keys` 417* Warn or error if publishing a package with pre-release dependencies 418 419### Bug fixes 420 421* Do not check for updates when running in offline mode 422* Fix an issue where dependency resolution could take a very long time 423* Do not publish docs if publishing the package failed 424* Fix an issue where HTTP timeouts could cause the application to freeze 425* Ensure managers always exist in the lock 426 427## v0.15.0 (2016-12-24) 428 429### Package retirement 430 431With this new release you can mark versions of your packages as retired when you no longer recommend its use. This can be because the release has a serious security flaw, something went wrong with the release so that it's unusable or because the package has been renamed or deprecated. A retired version is still usable and fetchable but it will show as retired on hex.pm and when resolved Hex will show a warning to the user with the retirement message. 432 433### Enhancements 434 435* Add --module flag to `hex.docs` task 436* Changed `hex.outdated` task to show if a dependency can be updated 437* Add `hex.retire` task for package retirement 438* Warn when resolving retired packages 439* Restrict number of default SSL ciphers 440 441### Bug fixes 442 443* Do not make conditional HTTP request if file is missing 444* Ensure cache file is saved when Hex exits 445 446## v0.14.1 (2016-11-24) 447 448### Enhancements 449 450* Add environment variable `HEX_HTTP_CONCURRENCY` for limiting number of concurrent HTTP requests 451 452### Bug fixes 453 454* Fix compatibilities with older Elixir version (<= 1.1) 455* Ensure build tools are unique in mix.lock and when publishing 456* Fix `hex.docs open` opening websites on Unix systems 457* Do not crash on diverged dependencies with conflicting SCMs 458* Fix some duplicate HTTP requests on slow networks 459* Limit concurrent registry HTTP requests 460 461## v0.14.0 (2016-10-28) 462 463### New registry format 464 465Hex has switched to a new registry format that is more efficient and will scale better as the registry grows. The new registry format is encoded with protocol buffers and is split into multiple files (one file per package) to avoid fetching one big file with data you will not need. The resolver will make more HTTP requests but will in total fetch much less data. The specification for the new format can be found here: https://github.com/hexpm/specifications/pull/10. The old ETS based registry format is no longer supported in the client but will continue to be available from the registry for the foreseeable future. 466 467### Enhancements 468 469* `hex.docs open` will by default open the online hexdocs for the given package 470* An `--offline` option has been added to `hex.docs open` for opening docs stored on your local filesystem and it will automatically fetch the docs if they are not available locally 471* Only support secure SSL ciphers and safe SSL versions (support for SSLv3 has been dropped) 472* Improvements to the language in the resolver error messages 473 474### Bug fixes 475 476* Fix an issue where duplicate build tool names could be added to the package metadata 477 478## v0.13.2 (2016-09-19) 479 480### Bug fixes 481 482* Only error on non-Hex dependencies when building 483 484## v0.13.1 (2016-09-19) 485 486### Enhancements 487 488* Most warnings on `hex.publish` are now errors 489 490### Bug fixes 491 492* Fix bug where the old config format was not readable 493* Convert old config format to new format on every read 494* Fix `HEX_UNSAFE_REGISTRY` negation 495 496## v0.13.0 (2016-07-30) 497 498### Enhancements 499 500* Inform about new Hex version in `hex.info` 501* Support `extra` metadata field 502* Print package checksum when building and publishing 503* Warn if using registry from cache 504* Show creation time of API keys in `hex.keys list` 505* Improve the error message if OTP has broken SNI in `:ssl` application 506* Verify dependencies from registry against lock 507* Hex will now automatically encrypt your local API key, use `hex.user passphrase` to change the encryption passphrase 508* Improve resolver error message to mention behavior of pre-releases and overrides 509* Improve error message if a dependency has configured the OTP application name incorrectly for another dependency 510* `hex.publish` now also publishes docs by default, use `hex.publish package` and `hex.publish docs` to respectively publish package and docs independently 511* `hex.docs` will now open or fetch documentation tarballs 512* `hex.key remove` will now also de-auth the user if the local API key was removed 513* Add status messages when publishing and reverting 514 515### Bug fixes 516 517* Fix bug where the client was fetching packages even when lock is OK 518* Fix resolver sometimes not producing any backtrack output 519* Verify certificate against correct hostname after redirect 520 521## v0.12.1 (2016-05-31) 522 523### Enhancements 524 525* Only show proxy settings when MIX_DEBUG=1 526* Add retries to idempotent requests 527 528### Bug fixes 529 530* Fix crash when you get multiple backtrack messages 531 532## v0.12.0 (2016-05-15) 533 534### Enhancements 535 536* Add package checksums to lock, ensuring a locked package can not change its content 537* Add managers and deps to lock, allowing Hex to run without loading the registry 538* Align deps fetching output from scm 539* Update hex.pm repo URL to https://repo.hex.pm 540* Link to policies when registering account 541* Update CoC links 542* Improve conflict messages 543* Improve error messages when ex_doc is missing when publishing docs 544* Show app name of dependency in `hex.info` 545* Warn about long package descriptions 546 547### Bug fixes 548 549* Fix `HEX_UNSAFE_HTTPS` environment variable and `unsafe_https` config 550 551## v0.11.5 (2016-04-07) 552 553### Enhancements 554 555* Add more registry metrics to `hex.info` 556 557### Bug fixes 558 559* Fix a bug where Hex was about a bit too enthusiastic when informing the user of new versions 560* Fix some missing future-proofing of lock 561 562## v0.11.4 (2016-04-06) 563 564### Enhancements 565 566* Use HTTPS to Hex.pm repository 567* Make lock backwards compatible by treating it as a list and only matching on the front 568 569### Bug fixes 570 571* Correctly show update notification 572* Remove duplicate parents from backtrack messages 573* Fix invalid message in `hex.outdated` if locked version is a pre-release 574 575## v0.11.3 (2016-03-14) 576 577### Bug fixes 578 579* Do not crash if registry fails to fetch 580* Remove force update of registry if it is more than a week old 581 582## v0.11.2 (2016-03-11) 583 584### Enhancements 585 586* Verify registry signature against public key 587* Improve missing registry error message 588* Deprecate `HEX_CDN` in favor of `HEX_REPO` and `HEX_MIRROR`. See the `hex` task for more information 589* Deprecate `:cdn_url` config in favor of `:repo_url` and `mirror_url`. See the `hex.config` task for more information 590* Improve performance of parallel package fetching 591* Use fastly instead of S3 for the Hex.pm repository 592* Add `--delete` option to `hex.config` task 593 594### Bug fixes 595 596* Show local time in hex.info 597* Correctly unlock all dependencies on `deps.update` 598* Always fetch registry if it's missing or known to be old 599 600## v0.11.1 (2016-03-03) 601 602### Bug fixes 603 604* Fix incorrect build version check 605* Fix parsing of requirements without spaces 606 607## v0.11.0 (2016-03-03) 608 609### Enhancements 610 611* Append the OTP version to the user_agent function 612* Improve output of http request timeout errors 613* Warn if `:manager` or `:compile` is set on dependencies when publishing 614* Add `--pre` flag to `hex.outdated` 615* Use erlang binary term encoding for API instead of elixir encoding 616* Pull package name from correct source when publish docs 617* Pass canonical url to ex_doc task 618* Change hexdocs links to use https 619* Add `hex.outdated APP` to list all requirements on given dependency 620* Do not allow pre-releases for dependencies unless the requirement uses a pre-release version 621* Optimize version cache memory usage 622 623### Bug fixes 624 625* Fix incorrect build version check for dev versions of Elixir 626* Fix loop when backtracking in resolver 627* Fix timeout errors on slow systems 628 629## v0.10.4 (2016-01-26) 630 631### Enhancements 632 633* Make the experimental resolver the default 634 635### Bug fixes 636 637* Ensure registry can be opened/closed multiple times 638* Ensure `hex.search` task handles empty results 639* Fix experimental resolvers only backtracking on parents that had requirements that failed 640* Fix merging of overlapping parent and package versions in backtrack messages 641 642## v0.10.3 (2016-01-23) 643 644### Bug fixes 645 646* Fix bug when umbrella child has dependency with `:only` 647 648## v0.10.2 (2016-01-22) 649 650### Enhancements 651 652* General optimizations in dependency resolver 653* Add experimental faster backtracker that does more aggressive backtracking, set environment variable `HEX_EXPERIMENTAL_RESOLVER=1` to use it 654* Merge backtrack messages that have similar parents 655* Merge multiple versions into version ranges when possible for more succinct backtrack messages 656 657### Bug fixes 658 659* Reduce memory usage when resolver produces many backtrack messages 660 661## v0.10.1 (2016-01-15) 662 663### Bug fixes 664 665* Fix a crash when a dependency is missing its version requirement 666 667## v0.10.0 (2016-01-14) 668 669### Enhancements 670 671* Add support for authentication when using HTTP proxies 672* Add more build information to `hex.info` task to ease debugging 673* Greatly improve backtracking error messages 674* Prevent packages for being published without a description 675* Improve error printing when S3 return errors 676* Improve output from `hex.outdated` task 677* Warn if a package dependency is missing its requirement 678* Improve error message from `hex.docs` task when `ex_doc` dependency is missing 679* Remove useless output when fetching dependencies 680* Improve package output in `hex.info` task 681 682### Bug fixes 683 684* Fix a rare bug that could cause the resolver to go into an infinite loop 685* UTF8 encode package metadata 686* Only list missing files if `:files` is set 687* Fix bug when umbrella child has dependency with `:only` 688 689## v0.9.0 (2015-09-25) 690 691### Enhancements 692 693* Pass build tool information to Mix (supported in Elixir 1.1.0) 694* Make Hex a proper OTP application 695* Update CA store 696* Warn if files are missing when building package 697* Improve error message when resolution fails because of a locked dependency 698* Add `hex.registry` task for loading and dumping registry 699* Add `HEX_OFFLINE` for running in offline mode which skips fetching registry and packages 700* Add `hex.build` task for building package without publishing 701* Reduce noise when users gets lots of resolution errors and generally improve their output 702* Add Server Name Indication support for HTTPS requests 703* Add `HEX_UNSAFE_HTTPS` for disabling certificate checking 704* Rename `:contributors` metadata to `:maintainers` to better reflect purpose of field 705 706### Bug fixes 707 708* `HEX_API` no longer automatically adds `api/` to URL 709* Fix crash when user doesn't explicitly override Hex package when needed 710* Fix bug where metadata in package tarball was not properly UTF8 encoded 711* Fix error message when registry file is missing 712* Support `hex.outdated` task for umbrella projects 713* Do not raise on bad data in a users old lock 714 715## v0.8.3 (2015-07-17) 716 717### Security fixes 718 719* Fix a bug that would trust any certificate in the certificate chain signed by a trusted CA, this could allow the certificate, that is not a CA, to issue and sign new certificates for any host 720 721## v0.8.2 (2015-07-13) 722 723### Enhancements 724 725* Sort dependency resolver results 726 727### Bug fixes 728 729* Fix build_tools metadata being sent incorrectly 730 731## v0.8.1 (2015-07-12) 732 733### Enhancements 734 735* Warn if registry file is missing when loading deps 736 737### Bug fixes 738 739* Consider new optional requirements for already activated dependency 740* Add multiple build tools to metadata 741 742## v0.8.0 (2015-05-19) 743 744### Enhancements 745 746* Warn if using insecure SSL because of old OTP version 747* Use yellow test for warning text 748* Include build_tools in release metadata 749* Print more metadata when publishing 750 751### Bug fixes 752 753* Fix an error when printing an http status codes 754* Always fetch new registry if it's older than 7 days 755 756## v0.7.5 (2015-04-12) 757 758### Enhancements 759 760* Add task `hex.user test` for testing user authentication. 761* Add task `hex.outdated` for listing outdated packages compared to the registry. 762* Update CA store as of April 3. 763* Inform user if authentication failed because they did not confirm email. 764* Improve error message for unsupported tarball version. 765 766### Bug fixes 767 768* Fix a bug where overriding a Hex dependency with a non-Hex dependency was ignored when the overriding at least two levels deep in the dependency tree 769 770## v0.7.4 (2015-03-16) 771 772### Bug fixes 773 774* Include all conflicting requirements in backtrack message 775* Fix a bug where backtrack message failed on optional requests 776 777## v0.7.3 (2015-03-04) 778 779### Bug fixes 780 781* Fix an error when merging locked and optional dependencies 782 783## v0.7.2 (2015-03-04) 784 785### Enhancements 786 787* Print messages on backtracks if dependency resolution failed, this is intended to help users resolve conflicts 788 789### Bug fixes 790 791* Fix a bug where a dependency converged in mix did not consider all its requirements 792* Fix a bug where dependencies in the lock was considered even if they weren't requested 793 794## v0.7.1 (2015-02-15) 795 796### Bug fixes 797 798* Fix updating the registry 799 800## v0.7.0 (2015-02-15) 801 802### Enhancements 803 804* Print proxy options on startup 805* Add `mix hex.user password reset` and remove `mix hex.user update` 806* Create version 3 tarballs with erlang term encoded metadata 807 808### Bug fixes 809 810* Verify peer certificate against CA certificate public key in `partial_chain` 811* Fix a bug where overriding a Hex dependency with a non-Hex dependency was ignored when the overriding happened in a sub-dependency 812* Create hex directory before writing registry 813 814## v0.6.2 (2015-01-02) 815 816### Enhancements 817 818* Add PKIX hostname verification according to RFC6125 819* Improve error messages from HTTP error codes 820* Improve HTTP performance 821* Add config options `api_url`, `cdn_url`, `http_proxy` and `https_proxy` 822* Support both doc/ and docs/ as documentation directory 823 824## v0.6.1 (2014-12-11) 825 826### Enhancements 827 828* Convert config file to erlang term file 829 830## v0.6.0 (2014-10-12) 831 832### Enhancements 833 834* Add support for packages with a different OTP application name than the package name 835* Add task `mix hex.docs` for uploading project documentation 836* Add email confirmation 837 838### Bug fixes 839 840* Allow you to change your password with `mix hex.user update` 841* Correctly display dependencies in `mix hex.info PACKAGE VERSION` 842* Verify peer certificates when fetching tarball 843 844## v0.5.0 (2014-09-19) 845 846### Enhancements 847 848* Verify peer certificate for SSL (only available in OTP 17.3) 849* Reduce archive size with compiler option `debug_info: false` 850* Add support for config as an erlang term file 851* Warn if Hex was built against a different major.minor Elixir version 852 853## v0.4.3 (2014-09-06) 854 855## v0.4.2 (2014-08-31) 856 857### Enhancements 858 859* Add task `hex.user whoami` that prints the locally authorized user 860* Add task `hex.user deauth` to deauthorize the local user 861* Rename environment variable `HEX_URL` to `HEX_API` to not confuse it with `HEX_CDN` 862 863### Bug fixes 864 865* Print newline after progress bar 866 867## v0.4.1 (2014-08-12) 868 869### Enhancements 870 871* Add progress bar for uploading the tarball when publishing 872* Compare tarball checksum against checksum in registry 873* Bump tarball support to version 3 874* Rename task for authenticating on the local machine from `hex.key new` to `hex.user auth` 875* Remove the ability to pass password as a CLI parameter 876 877### Bug fixes 878 879* Support lower-case proxy environment variables 880* Remove any timeouts when fetching package tarballs 881