
chore(master): release 1.18.3#883

Merged
yordis merged 4 commits into
masterfrom
release-please--branches--master
Jun 2, 2026

Conversation

@yordis
Member

@yordis yordis commented Jun 2, 2026

🤖 I have created a release beep boop

1.18.3 (2026-06-02)

Important

Please be careful using :hackney; it is recommended to actually test the
application before assuming we did not introduce any breaking changes.
Also, be aware of the security vulnerabilities we have fixed in this release.
Some of them may cause some unexpected behavior from the middleware, depending
on the assumptions made by the caller.

Features

Security CVE

  • CVE-2026-48598 - Multipart part smuggling via unescaped content-disposition values
  • CVE-2026-48597 - Atom exhaustion via untrusted URL scheme
  • CVE-2026-48596 - CRLF injection in request Content-Type header via add_content_type_param
  • CVE-2026-48595 - Authorization header leaks on cross-origin redirect via case-sensitive filtering
  • CVE-2026-48594 - Decompression bomb on response body

This PR was generated with Release Please. See documentation.

Copilot AI review requested due to automatic review settings June 2, 2026 18:07
@cursor

cursor Bot commented Jun 2, 2026

PR Summary

High Risk
The release bundles multiple security fixes (auth redirects, decompression limits, multipart/header validation) that can change runtime behavior for existing clients.

Overview
Release 1.18.3 bumps the package version in mix.exs and adds a CHANGELOG entry for this cut.

The changelog documents hackney 4.x support and five security CVE fixes (multipart smuggling, atom exhaustion from URL schemes, CRLF in Content-Type params, auth header leakage on cross-origin redirects, and decompression bombs). It also warns that :hackney users should regression-test and that hardened middleware may change behavior for callers that relied on old assumptions.

The diff only touches tests here: compression adapter header formatting, and multipart specs that now expect ArgumentError at add_field / add_file_content time (messages like disposition value and field name) instead of when calling Multipart.body/1.

Reviewed by Cursor Bugbot for commit 1f348e2.


Copilot AI left a comment


Pull request overview

This PR is a release-please generated release commit that updates Tesla’s package version and CHANGELOG for a new release.

Changes:

  • Bumps mix.exs project version.
  • Prepends a new release section to CHANGELOG.md describing hackney-related changes.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File           Description
mix.exs        Updates the library version used for packaging and the docs source_ref.
CHANGELOG.md   Adds a new top-level release entry for the published version.


@yordis yordis changed the title chore(master): release 2.0.0 chore(master): release 1.18.3 Jun 2, 2026
@yordis yordis force-pushed the release-please--branches--master branch from eb07168 to f16b16f Compare June 2, 2026 18:18
@yordis yordis merged commit 2eb7a78 into master Jun 2, 2026
9 checks passed
@yordis yordis deleted the release-please--branches--master branch June 2, 2026 18:52
@yordis
Member Author

yordis commented Jun 2, 2026

🤖 Created releases:

🌻
