Bump hex_core from 0.11.0 to 0.15.0 #11

Merged
ericmj merged 1 commit into main from dependabot/hex/hex_core-0.15.0
Mar 29, 2026

@dependabot dependabot bot commented on behalf of github Mar 29, 2026

Bumps hex_core from 0.11.0 to 0.15.0.

Release notes

Sourced from hex_core's releases.

v0.15.0

  • Add request_to_file callback to hex_http behaviour for streaming HTTP response body directly to a file.
  • Add hex_repo:get_tarball_to_file/4 and hex_repo:get_docs_to_file/4 for downloading tarballs and docs directly to disk.
  • Implement request_to_file in hex_http_httpc using httpc's {stream, Filename} option.

v0.14.1

  • Add max_size extraction limit to package inner tarball and docs tarball unpacking for zip bomb protection.

v0.14.0

  • Stream tar extraction to disk, writing file entries in chunks instead of loading into memory.
  • Add {file, Path} support to hex_tarball:unpack_docs/2,3 to read doc tarballs from disk.
  • Add none output mode to hex_tarball:unpack/2,3 to extract only metadata and checksums, skipping contents.

v0.13.0

  • Add file-based unpack via hex_tarball:unpack({file, Path}, Output) to avoid loading entire tarball into memory.
  • Add size validations for outer tarball entries (VERSION, CHECKSUM, metadata.config) during creation and extraction.

v0.12.1

  • Fix unsafe deserialization of Erlang terms in API responses (CVE-2026-21619)

v0.12.0

  • Add short URL API hex_api_short_url:create/2.
  • Add OAuth API:
    • hex_api_oauth:device_authorization/3,4
    • hex_api_oauth:poll_device_token/3
    • hex_api_oauth:refresh_token/3
    • hex_api_oauth:revoke_token/3
    • hex_api_oauth:client_credentials_token/4,5
  • Support 2FA authentication, any API request can now return {error, otp_required | invalid_totp} if 2FA is required. The config option api_otp can be used to provide the TOTP code.
  • Differentiate between registry verification errors. {error, unverified} has been replaced with {error, bad_repo_name | bad_signature}.
  • Support nested maps in extra package metadata field.

Changelog

Sourced from hex_core's changelog.

v0.15.0 (2026-03-09)

  • Add request_to_file callback to hex_http behaviour for streaming HTTP response body directly to a file.
  • Add hex_repo:get_tarball_to_file/4 and hex_repo:get_docs_to_file/4 for downloading tarballs and docs directly to disk.
  • Implement request_to_file in hex_http_httpc using httpc's {stream, Filename} option.

v0.14.1 (2026-03-09)

  • Add max_size extraction limit to package inner tarball and docs tarball unpacking for zip bomb protection.

v0.14.0 (2026-03-09)

  • Stream tar extraction to disk, writing file entries in chunks instead of loading into memory.
  • Add {file, Path} support to hex_tarball:unpack_docs/2,3 to read doc tarballs from disk.
  • Add none output mode to hex_tarball:unpack/2,3 to extract only metadata and checksums, skipping contents.

v0.13.0 (2026-03-08)

  • Add file-based unpack via hex_tarball:unpack({file, Path}, Output) to avoid loading entire tarball into memory.
  • Add size validations for outer tarball entries (VERSION, CHECKSUM, metadata.config) during creation and extraction.

v0.12.2 (2026-02-27)

  • Exclude src/safe_erl_term.erl from package.

v0.12.1 (2026-02-27)

  • Fix unsafe deserialization of Erlang terms in API responses (CVE-2026-21619).

v0.12.0 (2025-10-26)

  • Add short URL API hex_api_short_url:create/2.
  • Add OAuth API:
    • hex_api_oauth:device_authorization/3,4
    • hex_api_oauth:poll_device_token/3
    • hex_api_oauth:refresh_token/3
    • hex_api_oauth:revoke_token/3
    • hex_api_oauth:client_credentials_token/4,5
  • Support 2FA authentication, any API request can now return {error, otp_required | invalid_totp} if 2FA is required. The config option api_otp can be used to provide the TOTP code.
  • Differentiate between registry verification errors. {error, unverified} has been replaced with {error, bad_repo_name | bad_signature}.
  • Support nested maps in extra package metadata field.

Commits

  • 90f9f59 Release v0.15.0
  • c6a3995 Add request_to_file to HTTP contract for streaming downloads to disk (#169)
  • 34a2952 Release v0.14.1
  • 4383e1b Add max_size extraction limit for zip bomb protection (#168)
  • a71bea5 Release v0.14.0
  • 3585078 Fix ex_doc warnings
  • 13bb9fb Stream tar extraction to disk and add file-based unpack (#167)
  • 3b76158 Release v0.13.0
  • 28cfc17 Add file-based unpack and size validations for tarball files (#166)
  • 961730b Replace hex_erl_tar fork with OTP master's erl_tar (#165)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [hex_core](https://github.com/hexpm/hex_core) from 0.11.0 to 0.15.0.
- [Release notes](https://github.com/hexpm/hex_core/releases)
- [Changelog](https://github.com/hexpm/hex_core/blob/main/CHANGELOG.md)
- [Commits](hexpm/hex_core@v0.11.0...v0.15.0)

---
updated-dependencies:
- dependency-name: hex_core
  dependency-version: 0.15.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and elixir (Pull requests that update elixir code) labels Mar 29, 2026
@ericmj ericmj merged commit c38e0c4 into main Mar 29, 2026
20 checks passed
@dependabot dependabot bot deleted the dependabot/hex/hex_core-0.15.0 branch March 29, 2026 17:26