build(deps): bump hackney from 4.0.3 to 4.2.0 in /copi.owasp.org #3064

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/hex/copi.owasp.org/hackney-4.2.0

Conversation

dependabot[bot] commented on behalf of github on Jun 3, 2026

Bumps hackney from 4.0.3 to 4.2.0.

Release notes

Sourced from hackney's releases.

4.2.0

Added

  • IPv6 for HTTP/3. The family connect option (inet | inet6) is forwarded to QUIC, which resolves DNS and races addresses with Happy Eyeballs (RFC 8305). IPv6 literals such as https://[::1]/ work too.
  • 0-RTT and session resumption for HTTP/3. Session tickets are cached per {host, port, transport} and replayed on the next connection; a bodyless one-shot request is then sent as 0-RTT, otherwise the ticket gives a resumed handshake. Controlled by the zero_rtt option, with an explicit session_ticket taking precedence. New hackney_h3 helpers: early_data_accepted/1, get_session_ticket/1, wait_session_ticket/2.

Fixed

  • Recover from an expired cross-signed root instead of failing the handshake (e.g. Let's Encrypt's ISRG Root X2 cross-signed by the expired ISRG Root X1), across HTTP/1.1, HTTP/2, HTTP/3 and WebTransport. A genuinely expired leaf or intermediate still fails, and partial chains keep working.
  • HTTP/3 connections from the pool now apply ssl_options (cacerts, insecure) that previously did not reach the QUIC layer.
  • A pooled connection that stops between checkout and the request call no longer leaks exit:{normal, _} / exit:noproc to the caller; request, body and streaming calls return {error, closed} instead (#861).
  • A proxy host given as an atom (e.g. localhost) or a binary is accepted again for the plain, connect and socks5 proxy tuples instead of being silently ignored (#858).

Dependencies

  • quic 1.4.5 -> 1.6.3.
  • h2 0.6.1 -> 0.8.0.
  • webtransport 0.2.6 -> 0.3.1.

hackney 4.1.0

WebTransport client. Drop-in addition alongside the WebSocket API, no breaking changes.

Added

  • WebTransport client API (hackney:wt_connect/1,2, wt_send/2, wt_recv/1,2, wt_setopts/2, wt_close/1,2), mirroring the WebSocket ws_* API so code switches by swapping the ws_ prefix for wt_. Runs over HTTP/3 (default) or HTTP/2. One session multiplexes many streams (wt_open_stream/2, wt_stream_send/3,4, wt_stream_recv/2,3, wt_close_stream/2, wt_reset_stream/3, wt_stop_sending/3) plus unreliable datagrams (wt_send_datagram/2) and wt_session_info/1. No custom wire framing, so it interoperates with any WebTransport server. Caller path and headers are checked for CR/LF/NUL and a buffer cap bounds unread data. See the WebTransport Guide.

Dependencies

  • Add webtransport 0.2.6.

Full changelog: https://github.com/benoitc/hackney/blob/master/NEWS.md

Changelog

Sourced from hackney's changelog.

4.2.0 - 2026-06-03

Added

  • IPv6 for HTTP/3. The family connect option (inet | inet6) is forwarded to QUIC, which resolves DNS and races addresses with Happy Eyeballs (RFC 8305). IPv6 literals such as https://[::1]/ work too. family may be set in connect_options or ssl_options.
  • 0-RTT and session resumption for HTTP/3. The server's session ticket is cached in the pool per {host, port, transport} and replayed on the next connection; a bodyless one-shot request is then sent as 0-RTT, otherwise the ticket gives a resumed handshake. Enabled by default and controlled by the zero_rtt option, with an explicit session_ticket taking precedence over the cache. New hackney_h3 helpers: early_data_accepted/1, get_session_ticket/1, wait_session_ticket/2.

Fixed

  • Recover from an expired cross-signed root instead of failing the handshake (e.g. Let's Encrypt's ISRG Root X2 cross-signed by the expired ISRG Root X1). For HTTP/1.1 and HTTP/2 the verification function rewrites cert_expired to root_cert_expired so OTP's cross-sign recovery runs; for HTTP/3 and WebTransport the same recovery is in quic 1.6.2. A genuinely expired leaf or intermediate still fails, and partial chains keep working.
  • HTTP/3 connections from the pool now apply ssl_options (cacerts, insecure) that previously did not reach the QUIC layer.
  • A pooled connection that stops between checkout and the request call no longer leaks exit:{normal, _} (or exit:noproc) to the caller. The request, body and streaming calls now return {error, closed} instead (issue #861).
  • A proxy host given as an atom (e.g. localhost) or a binary is accepted again for {ProxyHost, Port}, {connect, ...} and {socks5, ...} proxy options, instead of being silently ignored. Regression from a too-strict is_list/1 guard (issue #858).

Dependencies

  • quic 1.4.5 -> 1.6.3.
  • h2 0.6.1 -> 0.8.0.
  • webtransport 0.2.6 -> 0.3.1.

4.1.0 - 2026-05-29

Added

  • WebTransport client API (hackney:wt_connect/1,2, wt_send/2, wt_recv/1,2, wt_setopts/2, wt_close/1,2). It mirrors the WebSocket API so code can switch by swapping the ws_ prefix for wt_. Runs over

... (truncated)

Commits
  • 1d19996 Merge pull request #867 from benoitc/deps/quic-1.6.3
  • 2e9b368 Record quic 1.6.3 and webtransport 0.3.1 in the 4.2.0 changelog
  • a0ee237 Bump quic to 1.6.3 and webtransport to 0.3.1
  • 54e78b2 Merge pull request #866 from benoitc/release/4.2.0
  • bd3eb50 Accept atom and binary proxy hosts again
  • 98ff310 Return {error, closed} when a pooled connection stops mid-call
  • 6d21bf0 Release 4.2.0
  • d830953 Merge pull request #865 from benoitc/deps/h2-0.8.0-wt-0.3.0
  • ca349e3 Bump h2 to 0.8.0 and webtransport to 0.3.0
  • 7358689 Merge pull request #864 from benoitc/deps/quic-1.6.2
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [hackney](https://github.com/benoitc/hackney) from 4.0.3 to 4.2.0.
- [Release notes](https://github.com/benoitc/hackney/releases)
- [Changelog](https://github.com/benoitc/hackney/blob/master/NEWS.md)
- [Commits](benoitc/hackney@4.0.3...4.2.0)

---
updated-dependencies:
- dependency-name: hackney
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and elixir (Pull requests that update elixir code) labels Jun 3, 2026
dependabot[bot] requested review from cw-owasp, rewtd and sydseter as code owners June 3, 2026 22:47