
chore(deps): update tool versions (mise) #8

Open

NexPB wants to merge 1 commit into main from renovate/tool-versions-(mise)

Conversation

NexPB (Owner) commented Mar 22, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package          Update   Change
elixir (source)  minor    1.19.5-otp-28 -> 1.20.1
erlang           minor    28.4 -> 28.5
node (source)    minor    24.14.0 -> 24.17.0
pnpm (source)    minor    10.32.0 -> 10.34.4

Release Notes

elixir-lang/elixir (elixir)

v1.20.1


1. Security
Elixir
  • [Version] Limit integer components in Version to 14 decimal bytes, to avoid parsing too large integers from untrusted user input. We strongly advise developers parsing versions from user input to limit the data size given to the Version module (CVE-2026-49762, GHSA-w2h8-8x3g-278p)
2. Bug fixes
Elixir
  • [Calendar] Cap width in Calendar.strftime/2 to 1024 characters
  • [Code] Ensure Code.require_file releases the file if compilation fails
  • [Kernel] Fix documentation generation to use the correct version in search
Mix
  • [mix archive.install] Validate paths and files when extracting archives
  • [mix format] Honor --no-compile option when loading plugins
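The Version advisory above recommends limiting the size of data handed to the Version module when versions come from untrusted input. The following is an added example of that check, not code from the Elixir release notes; the 64-byte cap, the module name SafeVersion and the error atoms are assumptions chosen for the example.

```elixir
# Added example (not part of the Elixir release notes): bound the size of
# version strings taken from untrusted input before handing them to Version.
# The 64-byte cap is an assumption for this example; pick a limit that fits
# the versions your application actually accepts.
defmodule SafeVersion do
  @max_bytes 64

  @doc """
  Parses a version string from untrusted input.

  Rejects oversized input before `Version.parse/1` runs, and reports why a
  string was refused so callers (and logs) can tell abuse from typos.
  """
  @spec parse_untrusted(term()) ::
          {:ok, Version.t()} | {:error, :too_large | :invalid | :not_a_string}
  def parse_untrusted(input) when is_binary(input) and byte_size(input) > @max_bytes,
    do: {:error, :too_large}

  def parse_untrusted(input) when is_binary(input) do
    case Version.parse(input) do
      {:ok, version} -> {:ok, version}
      :error -> {:error, :invalid}
    end
  end

  def parse_untrusted(_), do: {:error, :not_a_string}

  @doc "Checks an untrusted version string against a requirement without raising."
  @spec satisfies?(term(), String.t()) :: boolean()
  def satisfies?(input, requirement) do
    with {:ok, version} <- parse_untrusted(input),
         {:ok, req} <- Version.parse_requirement(requirement) do
      Version.match?(version, req)
    else
      _ -> false
    end
  end
end

# Constructed inputs to try in iex: a normal version, an oversized string
# that is rejected before parsing, and a requirement check.
SafeVersion.parse_untrusted("1.20.1")
SafeVersion.parse_untrusted(String.duplicate("9", 100))
SafeVersion.satisfies?("1.20.1", "~> 1.20")
```

The size check runs in a guard, before any parsing, so the cost of rejecting a hostile string is constant regardless of what the 1.20.1 fix does with long integer components.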

v1.20.0


Announcement: https://elixir-lang.org/blog/2026/06/03/elixir-v1-20-0-released/

This release requires Erlang/OTP 27+ and is compatible with Erlang/OTP 29.

Type system improvements

Elixir's type system now understands all language constructs and can infer types for your function definitions, using typing information from Elixir's standard library and your dependencies, to find verified bugs and dead code.

This has been achieved through a series of improvements, such as type refinement across clauses, occurrence typing, typing of map keys and domains, and more.

Type inference of guards

This release also performs inference of guards! Let's see some examples:

def example(x, y) when is_list(x) and is_integer(y)

The code above correctly infers x is a list and y is an integer.

def example({:ok, x} = y) when is_binary(x) or is_integer(x)

The one above infers x is a binary or an integer, and y is a two-element tuple with :ok as first element and a binary or integer as second.

def example(x) when is_map_key(x, :foo)

The code above infers x is a map which has the :foo key, represented as %{..., foo: dynamic()}. Remember the leading ... indicates the map may have other keys.

def example(x) when not is_map_key(x, :foo)

And the code above infers x does not have the :foo key (hence x.foo will raise a typing violation), which has the type: %{..., foo: not_set()}.

You can also have expressions that assert on the size of data structures:

def example(x) when tuple_size(x) < 3

Elixir will correctly track the tuple has at most two elements, and therefore accessing elem(x, 3) will emit a typing violation. In other words, Elixir can look at complex guards, infer types, and use this information to find bugs in our code, without a need to introduce type signatures (yet).

Whole-body type inference

Elixir also performs inference based on the function body itself. Take the following code:

def add_foo_and_bar(data) do
  data.foo + data.bar
end

Elixir now infers that the function expects a map as first argument, and the map must have the keys .foo and .bar whose values are either integer() or float(). The return type will be either integer() or float().

Here is another example:

def sum_to_string(a, b) do
  Integer.to_string(a + b)
end

Even though the + operator works with both integers and floats, Elixir infers that a and b must both be integers, as the result of + is given to a function that expects an integer. The inferred type information is then used during type checking to find possible typing errors. The typing inferred from your dependencies is also used to help infer more precise types for your own applications.

Typing across clauses

Elixir now infers the type of a given clause based on previous clauses. Let's see an example:

case System.get_env("SOME_VAR") do
  nil -> :not_found
  value -> {:ok, String.upcase(value)}
end

System.get_env("SOME_VAR") returns either nil or a binary(). Because the first clause matches on nil, the type system knows value can no longer be nil, and therefore it must only be a binary(), which allows the second clause to also type check without violations.

This type inference across clauses also helps the type system find redundant clauses and dead code in existing codebases. Elixir v1.20 also implements occurrence typing for cond, case, and with, providing more precise types within each clause.

Typing of atom and domain keys in maps

Maps were one of the first data structures we implemented within the Elixir type system; however, up to this point, they only supported atom keys. If they had additional keys, those keys were simply marked as dynamic().

As of Elixir v1.20, we can track all possible domains as map keys. For example, the map:

%{123 => "hello", 456.0 => :ok}

will have the type:

%{integer() => binary(), float() => :ok}

It is also possible to mix domain keys, as above, with atom keys, yielding the following:

%{integer() => integer(), root: integer()}

This system is an implementation of Typing Records, Maps, and Structs, by Giuseppe Castagna (2023).

Typing of map operations

We have typed the majority of the functions in the Map module, allowing the type system to track how keys are added, updated, and removed across all possible key types.

For example, imagine we are calling the following Map functions with a variable map, which we don't know the exact shape of, and an atom key:

Map.put(map, :key, 123)

#=> returns type %{..., key: integer()}

Map.delete(map, :key)

#=> returns type %{..., key: not_set()}

As you can see, we track when keys are set and also when they are removed.

Some operations, like Map.replace/3, only replace the key if it exists, and that is also propagated by the type system:

Map.replace(map, :key, 123)

#=> returns type %{..., key: if_set(integer())}

In other words, if the key exists, it would have been replaced by an integer value. Furthermore, whenever calling a function in the Map module and the given key is statically proven to never exist in the map, an error is emitted.

By combining full type inference with bang operations like Map.fetch!/2, Map.pop!/2, Map.replace!/3, and Map.update!/3, Elixir is able to propagate information about the desired keys. Take this module:

defmodule User do
  def name(map), do: Map.fetch!(map, :name)
end

defmodule CallsUser do
  def calls_name do
    User.name(%{})
  end
end

The code above has a type violation, which is now caught by the type system:

    warning: incompatible types given to User.name/1:

        User.name(%{})

    given types:

        %{name: not_set()}

    but expected one of:

        dynamic(%{..., name: term()})

    type warning found at:
    │
 16 │     User.name(%{})
    │         ~
    │
    └─ lib/calls_user.ex:7:5: CallsUser.calls_name/0
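The guard inference, typing across clauses and Map operations described in the sections above can be seen together in one module. The following is an added example, not code from the Elixir release notes; the RequestAuth module, its key names (:token, :user, :role) and the request shapes are constructed for the example.

```elixir
# Added example (not part of the release notes): a small module written so
# that the v1.20 type system can infer what it needs from guards and Map
# calls without any @spec. Key names and shapes are constructed here.
defmodule RequestAuth do
  # Guard inference: from the pattern and guards the type system learns that
  # `req` is a map with a :token key (%{..., token: binary()}) and, via
  # is_map_key/2, that it also carries a :user key.
  def authenticated?(%{token: token} = req)
      when is_map_key(req, :user) and is_binary(token) do
    byte_size(token) > 0
  end

  def authenticated?(_req), do: false

  # Map.fetch!/2 propagates the required :role key to callers: a call such
  # as RequestAuth.role(%{}) from another module is reported as incompatible
  # types, exactly like the User.name(%{}) warning shown above.
  def role(req), do: Map.fetch!(req, :role)

  # Map.delete/2 gives the result the type %{..., token: not_set()}, so an
  # accidental `scrubbed.token` access later in this function would be a
  # typing violation rather than a runtime leak of the secret.
  def scrub(req) do
    req
    |> Map.delete(:token)
    |> Map.put(:scrubbed_at, System.system_time(:second))
  end

  # Typing across clauses: System.get_env/1 returns nil or binary(); after
  # the nil clause, `value` can only be a binary(), so String.trim/1 type
  # checks in the second clause without a violation.
  def token_from_env(var) do
    case System.get_env(var) do
      nil -> :not_found
      value -> {:ok, String.trim(value)}
    end
  end
end
```

Compile the module with `mix compile` (or paste it into iex) and then, in a second module, call `RequestAuth.role(%{})` to see the incompatible-types warning reported at the call site; no type signatures are needed for the checks above to apply.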

Acknowledgements

The type system was made possible thanks to a partnership between CNRS and Remote. The development work is currently sponsored by Fresha and Tidewave.

Compile-time improvements

Elixir's v1.20 improves compilation times once more, especially on applications with many cores.

It also introduces a new compiler option called :module_definition, which controls whether the module definition should be :compiled (the default) or :interpreted. Note this does not affect the .beam file written to disk, only how the contents inside defmodule are executed. Using the :interpreted mode may offer better compilation times for large projects, especially on machines with high core count; however, it comes with some downsides:

  • Errors during compilation may have less precise stacktraces

  • Anonymous functions within defmodule can have only up to 20 arguments.
    If this is an issue, you can use maps or tuples to group the data.
    Note the functions themselves inside defmodule, such as the ones defined
    inside def and friends, can still have up to 255 arguments

You can enable it by setting elixirc_options: [module_definition: :interpreted] in your mix.exs.

v1.20.0 (2026-06-03)

This release requires Erlang/OTP 27+ and is compatible with Erlang/OTP 29.

1. Enhancements
EEx
  • [EEx] Optimize compiler by flattening expr list only once
Elixir
  • [Base] Optimize Base validation functions by using SWAR techniques
  • [Calendar] Optimize date_from_iso_days by using the Neri-Schneider algorithm
  • [Code] Add :dbg_callback option to eval functions
  • [Code] Add module_definition: :interpreted option to Code which allows module definitions to be evaluated instead of compiled. In some applications/architectures, this can lead to drastic improvements to compilation times. Note this does not affect the generated .beam file, which will have the same performance/behaviour as before
  • [Code] Make module purging opt-in and move temporary module deletion to the background to speed up compilation times
  • [Code.Fragment] Allow preserving sigil metadata in container_cursor_to_quoted
  • [Enum] Add Enum.min_max sorter
  • [File] Add support for [:raw] opts in File.read/2
  • [File] Skip device, named pipes, etc in File.cp_r/3 instead of erroring with reason :eio
  • [Float] Optimize Float.round/2 by avoiding big integers
  • [Inspect] Increase inspect limit to help print deeply nested data structures
  • [Inspect] Support printing Erlang records (using Erlang notation)
  • [Integer] Add Integer.ceil_div/2
  • [Integer] Add Integer.popcount/1
  • [IO] Add IO.iodata_empty?/1
  • [Kernel] Add type inference across clauses. For example, if one clause says x when is_integer(x), then the next clause may no longer be an integer
  • [Kernel] Add occurrence typing on case, cond, and with
  • [Kernel] Detect and warn on redundant clauses
  • [Kernel] Perform type inference across applications
  • [Kernel] Print intermediate results of dbg for pipes
  • [Kernel] Show undefined function errors even when missing variables (this helps debug errors caused when the developer forgets to require a macro)
  • [Kernel] Warn on unused requires
  • [List] Add List.first!/1 and List.last!/1
  • [Module] Purge and delete modules if after_compile/2 callback fails
  • [PartitionSupervisor] Support via tuples in count_children/1 and stop/3
  • [Process] Add Process.get_label/1
  • [Registry] Switch keys: {:duplicate, :key} to ordered_set with composite keys
  • [Regex] Add Regex.import/1 to import regexes defined with /E
  • [String] SWAR-optimize ASCII fast paths in String.length/1 and String.slice/3
  • Add Software Bill of Materials guide to the Documentation
ExUnit
  • [ExUnit] Show remaining runs when using --repeat-until-failure
  • [ExUnit.CaptureLog] Add :formatter option for custom log formatting
IEx
  • [IEx] Optimize autocompleting modules
  • [IEx.Helpers] Add source/1
Mix
  • [mix app.tree] Support --output option
  • [mix compile] Add module_definition: :interpreted option to Code which allows module definitions to be evaluated instead of compiled. In some applications/architectures, this can lead to drastic improvements to compilation times. Note this does not affect the generated .beam file, which will have the same performance/behaviour as before
  • [mix compile] Enforce :elixirc_paths to be a list of strings to avoid paths from being discarded (the only documented type was lists of strings)
  • [mix deps] Parallelize dep lock status checks during deps.loadpaths, improving boot times in projects with many git dependencies
  • [mix deps] Support filtering mix deps output
  • [mix deps.tree] Support --output option
  • [mix format] Support --no-compile option
  • [mix help] Support printing docs for types and callbacks
  • [mix source] Add mix source MODULE to print or open a given module/function location
  • [mix test] Add mix test --dry-run
2. Potential breaking changes
Elixir
  • [Kernel] Disallow raw CR line ending in strings, comments, and after ? for security reasons
  • [Kernel] require SomeModule no longer expands to the given module at compile-time, but it still returns the module at runtime. Note Elixir does not guarantee macros will expand to certain constructs, only what their execution result is, but since this can break code relying on the previous behaviour, such as require(SomeMod).some_macro(), we are adding this note to the CHANGELOG
3. Bug fixes
Elixir
  • [Enum] Fix Enum.slice/2 for ranges with step > 1 sliced by step > 1
  • [File] Allow preserving directory permissions in File.cp_r/3
  • [File] Fix File.cp_r/3 infinite loop with symlink cycles
  • [File] Fix File.cp_r/3 infinite loop when copying into subdirectory of source
  • [File] Fix File.Stream's Enumerable.count for files without trailing newline
  • [File] Warn when defining @type record() for Erlang/OTP 29
  • [Float] Fix Float.parse/1 inconsistent error handling for non-scientific notation overflow
  • [Integer] Fix Integer.extended_gcd/2 returning negative GCD for zero base cases
  • [Integer] Raise when negative out-of-range digits are given to Integer.undigits/2
  • [Kernel] Fix a compiler crash when importing a module with only: :sigils option when the imported module exports non-sigil symbols with sigil_ prefix
  • [Kernel] Protocols should not add compile-time dependencies on Any implementation
  • [Kernel] Preserve evaluation order when rewriting function calls from Elixir modules into Erlang ones
  • [Kernel] Reject negative Duration in to_timeout/1
  • [Keyword] Raise ArgumentError in Keyword.from_keys/2 for non-atom keys
  • [Macro] Fix generation of heredocs in Macro.to_string/1 with escaped trailing newline
  • [Path] Consistently return path as binary in Path.relative_to_cwd/2
  • [Stream] Raise in Stream.cycle/1 when enumerable reduce call yields no elements
  • [String] Support empty pattern list in String.count/2
  • [URI] Fix URI.merge leaking :+ marker when base path is empty string
ExUnit
  • [ExUnit.Diff] Avoid false positives when diffing bitstrings
IEx
  • [IEx] Ensure pry works across remote nodes
  • [IEx] Ensure warnings emitted during IEx parsing are properly displayed/printed
Logger
  • [Logger] Persist log level to app env in Logger.configure/1
Mix
  • [Mix] Use non_executable_binary_to_term on loopback pubsub
  • [mix compile] Add a build lock around protocol consolidation in umbrellas
  • [mix compile] Ensure compilation of sibling deps do not mark path deps as changed
  • [mix compile] Fix compile env change triggering full recompilation of path dependencies
  • [mix compile.elixir] Fix scenario where Elixir would tag mtimes in the future
  • [mix compile.erlang] Topsort Erlang modules before compilation for proper dependency resolution
  • [mix deps] Use config files to pass project state to avoid argv limits on Windows when using MIX_OS_DEPS_COMPILE_PARTITION_COUNT
  • [mix test] Fix --warnings-as-errors not catching misnamed test file warnings
  • [mix test] Respect --raise when mix test --warnings-as-errors passes with warnings
4. Hard deprecations
Elixir
  • [File] File.stream!(path, modes, lines_or_bytes) is deprecated in favor of File.stream!(path, lines_or_bytes, modes)
  • [Kernel] Matching on the size inside a bit pattern now requires the pin operator for consistency, such as <<x::size(^existing_var)>>
  • [Kernel.ParallelCompiler] Kernel.ParallelCompiler.async/1 is deprecated in favor of Kernel.ParallelCompiler.pmap/2, which is more performant and addresses known limitations
Logger
  • [Logger] Logger.*_backend functions are deprecated in favor of handlers. If you really want to keep on using backends, see the :logger_backends package
  • [Logger] Logger.enable/1 and Logger.disable/1 have been deprecated in favor of Logger.put_process_level/2 and Logger.delete_process_level/1
Mix
  • [mix compile.elixir] xref: [exclude: ...] in your mix.exs is deprecated in favor of elixirc_options: [no_warn_undefined: ...]

v1.19.5


1. Enhancements
Elixir
  • [Protocol] Optimize protocol consolidation to no longer load structs
2. Bug fixes
Elixir
  • [Kernel] Fix unnecessary recompilation when dbg_callback is modified at runtime
  • [Kernel] Fix parser crash on missing parentheses on expression following operator not in
  • [Kernel] Support fetching abstract code for modules compiled with Elixir v1.14 and earlier
  • [Protocol] Ensure protocol consolidation no longer stores outdated struct types. As a consequence, protocols types only track struct names at the moment
  • [Stream] Revert optimization which caused nested streams in Stream.flat_map/2 to crash
IEx
  • [IEx] Fix usage of #iex:break as part of multi-line prompts
Logger
  • [Logger.Backends] Do not crash on invalid metadata

erlang/otp (erlang)

v28.5: OTP 28.5


Patch Package:           OTP 28.5
Git Tag:                 OTP-28.5
Date:                    2026-04-23
Trouble Report Id:       OTP-16607, OTP-19162, OTP-19967, OTP-20038,
                         OTP-20043, OTP-20082, OTP-20094, OTP-20098,
                         OTP-20101, OTP-20106
Seq num:                 GH-10667, GH-10812, GH-10915, GH-10967,
                         OTP-16608, PR-10431, PR-10881, PR-10908,
                         PR-10924, PR-10957, PR-10976, PR-11002,
                         PR-11045
System:                  OTP
Release:                 28
Application:             erl_interface-5.7, erts-16.4, mnesia-4.25.3,
                         ssl-11.6
Predecessor:             OTP 28.4.3

Check out the git tag OTP-28.5, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

HIGHLIGHTS

  • There is a new "Secure Coding Guidelines" document in Design Principles describing how to write secure Erlang code.

    Own Id: OTP-20043
    Application(s): otp
    Related Id(s): PR-10431

OTP-28.5

Improvements and New Features

  • There is a new "Secure Coding Guidelines" document in Design Principles describing how to write secure Erlang code.

    Own Id: OTP-20043
    Related Id(s): PR-10431

    *** HIGHLIGHT ***

erl_interface-5.7

The erl_interface-5.7 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

  • A new configure option --{enable,disable}-use-embedded-3pp-alternatives has been added. When enabled, configure is forced to find alternatives, to a subset, of the embedded third-party products (3pps) in the runtime system, and when disabled, configure will use all internal embedded 3pps. Currently this option affects zstd, zlib, ryu (with STL), openssl and tcl. The default is to use all built-in embedded 3pps except for zlib which by default will use zlib on the OS if available.

    Requirements for alternatives:

    • zstd - Static library and include files of at least version 1.5.6 need to be available.
    • zlib - Library and include files of at least version 1.2.5 need to be available.
    • ryu (with STL) - A usable C++ compiler with C++17 support.
    • openssl - No requirements. Our own MD5 implementation will be used.
    • tcl - The strerrorname_np() function (introduced in glibc 2.32) mapping errno integers to symbolic names needs to be available.

    The argument embedded_3pps has been added to erlang:system_info/1. It returns a map with information about the use of embedded 3pps in the runtime system.

    Own Id: OTP-20106
    Related Id(s): PR-11045

Known Bugs and Problems

  • The ei API for decoding/encoding terms is not fully 64-bit compatible since terms that have a representation on the external term format larger than 2 GB cannot be handled.

    Own Id: OTP-16607
    Related Id(s): OTP-16608

erts-16.4

The erts-16.4 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • Fixed bug in enif_make_map_from_arrays for arrays with at least 33 keys. If duplicate keys existed, instead of failing, it would skip the duplicates. If less than 33 unique keys existed, an internally inconsistent and broken map was returned.

    Own Id: OTP-20098
    Related Id(s): PR-10976

  • Fixed an issue when supplying the args_file option to erl.exe on windows that did not handle unicode characters correctly.

    Own Id: OTP-20101
    Related Id(s): GH-10667

Improvements and New Features

  • A new configure option --{enable,disable}-use-embedded-3pp-alternatives has been added. When enabled, configure is forced to find alternatives, to a subset, of the embedded third-party products (3pps) in the runtime system, and when disabled, configure will use all internal embedded 3pps. Currently this option affects zstd, zlib, ryu (with STL), openssl and tcl. The default is to use all built-in embedded 3pps except for zlib which by default will use zlib on the OS if available.

    Requirements for alternatives:

    • zstd - Static library and include files of at least version 1.5.6 need to be available.
    • zlib - Library and include files of at least version 1.2.5 need to be available.
    • ryu (with STL) - A usable C++ compiler with C++17 support.
    • openssl - No requirements. Our own MD5 implementation will be used.
    • tcl - The strerrorname_np() function (introduced in glibc 2.32) mapping errno integers to symbolic names needs to be available.

    The argument embedded_3pps has been added to erlang:system_info/1. It returns a map with information about the use of embedded 3pps in the runtime system.

    Own Id: OTP-20106
    Related Id(s): PR-11045

Full runtime dependencies of erts-16.4

kernel-9.0, sasl-3.3, stdlib-4.1

mnesia-4.25.3

The mnesia-4.25.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • Added documentation for user_properties and functions read_table_property/2, write_table_property/2, delete_table_property. Enhanced documentation for frag_properties.

    Own Id: OTP-20038
    Related Id(s): GH-10812, PR-10881

  • Fixed a bug where stacktrace was not returned from mnesia:transaction/1 when transaction aborts with an error exception.

    Own Id: OTP-20094
    Related Id(s): GH-10967, PR-11002

Full runtime dependencies of mnesia-4.25.3

erts-9.0, kernel-5.3, stdlib-5.0

ssl-11.6

Note! The ssl-11.6 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependencies have to be satisfied:
   -- crypto-5.8 (first satisfied in OTP 28.3)
   -- public_key-1.20.3 (first satisfied in OTP 28.4.2)

Fixed Bugs and Malfunctions

  • Preserve inet option order, as inet_backend option must be first option. Will make inet_backend option work for ssl independently of number of inet supplied options.

    Own Id: OTP-19162
    Related Id(s): PR-10908

  • Missing conformance check for signature algorithms in TLS-1.3 could cause selection of incompatible certificate when a server is configured with more than one possible certificate.

    Own Id: OTP-20082
    Related Id(s): GH-10915, PR-10924

Improvements and New Features

  • Avoid unnecessary memory consumption for temporary processes in a supervision tree.

    Own Id: OTP-19967
    Related Id(s): PR-10957

Full runtime dependencies of ssl-11.6

crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.20.3, runtime_tools-1.15.1, stdlib-7.0

Thanks to

felipe stival, Hewwho, Hugo Baraúna, Nick Vatamaniuc, Viktor Söderqvist, William Yang

v28.4.3: OTP 28.4.3


Patch Package:           OTP 28.4.3
Git Tag:                 OTP-28.4.3
Date:                    2026-04-21
Trouble Report Id:       OTP-20081, OTP-20086, OTP-20104
Seq num:                 #10968, CVE-2026-32147, PR-10985, PR-11027
System:                  OTP
Release:                 28
Application:             kernel-10.6.3, ssh-5.5.2
Predecessor:             OTP 28.4.2

Check out the git tag OTP-28.4.3, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

OTP-28.4.3

Fixed Bugs and Malfunctions

  • Fix the otp_patch_apply script to properly handle installation of documentation for OTP versions with more than one digit in version parts less significant than the major version.

    Own Id: OTP-20086
    Related Id(s): PR-10985

kernel-10.6.3

The kernel-10.6.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • On Windows, sockets have to be bound when using 'socket'. Therefore, when using gen_tcp with inet_backend = socket, gen_tcp_socket binds even if the caller has not provided an explicit bind address. In that case it attempts to locate a "proper" address on its own. But if the connect address is the loopback address, this could lead to an attempt to bind to an external interface. So, this has now been changed so that if the connect address is the loopback address, the loopback address will also be used when binding.

    Own Id: OTP-20104
    Related Id(s): #10968

Full runtime dependencies of kernel-10.6.3

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0

ssh-5.5.2

Note! The ssh-5.5.2 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependency has to be satisfied:
   -- crypto-5.7 (first satisfied in OTP 28.1)

Fixed Bugs and Malfunctions

  • Fixed a vulnerability in the SFTP server where file attributes could be modified outside the configured root directory. When using FSETSTAT on an open file handle, the operation used the path stored in the handle without verifying it was within the root directory, allowing attribute changes to files outside the chroot boundary.

    Thanks to John Downey.

    Own Id: OTP-20081
    Related Id(s): PR-11027, CVE-2026-32147

Full runtime dependencies of ssh-5.5.2

crypto-5.7, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

v28.4.2: OTP 28.4.2


Patch Package:           OTP 28.4.2
Git Tag:                 OTP-28.4.2
Date:                    2026-04-07
Trouble Report Id:       OTP-19506, OTP-19889, OTP-19931, OTP-20027,
                         OTP-20037, OTP-20042, OTP-20044, OTP-20046,
                         OTP-20047, OTP-20049, OTP-20050, OTP-20052,
                         OTP-20053, OTP-20056, OTP-20060, OTP-20064,
                         OTP-20065, OTP-20068
Seq num:                 CVE-2026-28810, CVE-2026-32144, ERIERL-1310,
                         ERIERL-1311, ERIERL-1312, GH-10454, GH-10562,
                         GH-10606, GH-10785, GH-10876, GH-10901,
                         GH-7156, GH-9476, PR-10456, PR-10569,
                         PR-10620, PR-10788, PR-10864, PR-10866,
                         PR-10867, PR-10873, PR-10874, PR-10889,
                         PR-10893, PR-10899, PR-10904, PR-10906,
                         PR-10911, PR-10941, PR-9481
System:                  OTP
Release:                 28
Application:             compiler-9.0.6, erts-16.3.1, eunit-2.10.3,
                         inets-9.6.2, kernel-10.6.2,
                         public_key-1.20.3, sasl-4.3.2, snmp-5.20.2,
                         ssl-11.5.4
Predecessor:             OTP 28.4.1

Check out the git tag OTP-28.4.2, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

POTENTIAL INCOMPATIBILITIES

  • When OCSP stapling is enabled via the {stapling, staple} or {stapling, #{...}} options, the handshake now fails if the server does not provide an OCSP stapled response.

    Previously, a missing OCSP staple was silently accepted (soft-fail). Since Erlang/OTP only supports OCSP via stapling with no fallback to direct OCSP queries or CRL checking, soft-fail meant no revocation check at all.

    Applications that need the previous soft-fail behavior can use a custom verify_fun that accepts {bad_cert, missing_ocsp_staple}.

    Own Id: OTP-20064
    Application(s): ssl
    Related Id(s): PR-10941, CVE-2026-32144
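The incompatibility note above changes what a TLS client gets by default when it asks for OCSP stapling, and names the verify_fun escape hatch for applications that knowingly want the old soft-fail behaviour. The following is an added example showing both configurations from Elixir through the :ssl module; it is not code from the OTP release notes. The OcspClient module name, the placeholder host example.invalid, the port and the choice to log the weakened check are assumptions of the example; :public_key.cacerts_get/0, the :stapling option and the verify_fun callback shape are the existing OTP APIs.

```elixir
# Added example (not part of the OTP release notes): TLS client options for
# :ssl.connect/4 showing the post-28.4.2 hard-fail stapling behaviour and
# the explicit soft-fail opt-out via verify_fun. Host and port are
# placeholders constructed for the example.
defmodule OcspClient do
  require Logger

  @host ~c"example.invalid"
  @port 443

  # Default after OTP 28.4.2: stapling is requested and the handshake fails
  # if the server sends no OCSP staple. There is no fallback to CRL checks
  # or direct OCSP queries, so a missing staple means no revocation check.
  def strict_opts do
    [
      verify: :verify_peer,
      cacerts: :public_key.cacerts_get(),
      server_name_indication: @host,
      stapling: :staple
    ]
  end

  # Deliberate opt-in to the pre-28.4.2 soft-fail behaviour: accept a
  # missing staple, but still refuse every other path-validation failure.
  # The Logger call makes the weakened check visible in operational logs.
  def soft_fail_opts do
    verify_fun = fn
      _cert, {:bad_cert, :missing_ocsp_staple}, state ->
        Logger.warning("TLS peer sent no OCSP staple; revocation not checked")
        {:valid, state}

      _cert, {:bad_cert, _} = reason, _state ->
        {:fail, reason}

      _cert, {:extension, _}, state ->
        {:unknown, state}

      _cert, :valid, state ->
        {:valid, state}

      _cert, :valid_peer, state ->
        {:valid, state}
    end

    Keyword.put(strict_opts(), :verify_fun, {verify_fun, []})
  end

  # Connects with the strict options unless the caller passes its own list.
  def connect(opts \\ strict_opts(), timeout \\ 5_000) do
    :ssl.connect(@host, @port, opts, timeout)
  end
end
```

Because a custom verify_fun replaces the default one entirely, the clauses for `{:bad_cert, _}`, `{:extension, _}`, `:valid` and `:valid_peer` must be spelled out; omitting the `{:bad_cert, _}` clause would not only soften the staple check but silently accept every other certificate error as well.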

compiler-9.0.6

The compiler-9.0.6 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • The type inference for maps:from_list/1 was incorrect: when the provided list was statically known to be bogus when non-empty (e.g. a list of atoms), the compiler assumed it would also fail when the list was empty.

    Own Id: OTP-19506
    Related Id(s): GH-9476, PR-9481

  • Fixed a bug in the type analysis pass that could erroneously eliminate code blocks.

    Own Id: OTP-19931
    Related Id(s): GH-10562, PR-10569

  • A binary as the value of a -moduledoc() attribute would be silently ignored.

    Own Id: OTP-20065
    Related Id(s): GH-10901, PR-10904

Full runtime dependencies of compiler-9.0.6

crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0

erts-16.3.1

The erts-16.3.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • Fixed a JIT bug that miscompiled expressions like X * X + X * X.

    Own Id: OTP-19889
    Related Id(s): GH-10454, PR-10456

  • Fixed bug on windows that made tools dialyzer, erlc and typer unusable in powershell or cmd.exe, when there are spaces in the installation path.

    Own Id: OTP-20027
    Related Id(s): PR-10620

  • Fixed a bug with prim_tty that could occur on Windows if the console mode cannot be obtained; the TTY is now marked as unavailable in that case. This can happen when the input handle is a pipe, but the output handle is a console.

    Own Id: OTP-20060
    Related Id(s): PR-10899

Full runtime dependencies of erts-16.3.1

kernel-9.0, sasl-3.3, stdlib-4.1

eunit-2.10.3

The eunit-2.10.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • Fixed EUnit {node, ...} instantiation by passing node name (instead of pid) and restored net_kernel auto-start for non-distributed nodes.

    Own Id: OTP-20047
    Related Id(s): PR-10788

Full runtime dependencies of eunit-2.10.3

erts-9.0, kernel-8.3, stdlib-6.0

inets-9.6.2

The inets-9.6.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • Fixed authentication bypass in httpd when script_alias maps a URL to a directory outside document_root with mod_auth directory-based access controls. The mod_alias:which_alias/1 function now includes script_alias entries so authorization is evaluated against the correct path before CGI execution. CVE-2026-28808.

    Own Id: OTP-20068

Improvements and New Features

  • Fixed typo in http_server.md guide

    Own Id: OTP-20044
    Related Id(s): GH-10785, PR-10867

  • Expected error accept_socket_timeout in httpd_request_handler now exits gracefully, without generating a crash and supervisor reports.

    Own Id: OTP-20052
    Related Id(s): ERIERL-1310, PR-10893

Full runtime dependencies of inets-9.6.2

erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0

kernel-10.6.2

The kernel-10.6.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • Before this patch, the Erlang/OTP built-in DNS resolver (inet_res) used a sequential, process-global 16-bit transaction ID for UDP queries and did not implement source port randomization. Response validation relied almost entirely on this ID. Together, this made DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. The design conflicted with RFC 5452 recommendations for mitigating forged DNS answers.

    inet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where faked DNS responses are possible.

    Therefore, the documentation has been updated to clarify that inet_res should only be used in trusted networks and with trusted recursive resolvers.

    The implementation is also improved to use strong random DNS transaction IDs and source ports for every DNS transaction. This should give ample protection against brute forcing fake DNS replies, known as DNS cache poisoning, but it still does not protect against, for example, an adversary in the path of the DNS transaction that can observe the random values before faking malicious replies, an attack known as DNS spoofing.

    For randomization to happen, the Crypto application has to be loaded, which most probably already should be the case for an Erlang node in an exposed network.

    If performance should become an issue, for applications within safe network environments, the previous lightweight behaviour can be configured by setting the resolver option random to false.

    Own Id: OTP-20037
    Related Id(s): PR-10864, CVE-2026-28810

Full runtime dependencies of kernel-10.6.2

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0

public_key-1.20.3

Note! The public_key-1.20.3 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependency has to be satisfied:
   -- crypto-5.8 (first satisfied in OTP 28.3)

Fixed Bugs and Malfunctions

  • OCSP designated responder certificate verification now checks the CA's cryptographic signature on the responder certificate. Previously, only the issuer DN match and id-kp-OCSPSigning EKU were verified, which meant a forged self-signed certificate with the CA's subject DN would be accepted as a valid designated responder (Case 2 in RFC 6960 §4.2.2.2).

    Own Id: OTP-20042
    Related Id(s): PR-10873, CVE-2026-32144

  • Update handling of encoding 'OTPSubjectPublicKeyInfo' in public_key:pkix_encode/3, so that it works for update spec added in OTP-28.

    Own Id: OTP-20050
    Related Id(s): GH-10876, PR-10889

Improvements and New Features

  • Relax upper bound of common names in certificates for pragmatic interoperability reasons.

    Own Id: OTP-20049
    Related Id(s): GH-10606, PR-10866

Full runtime dependencies of public_key-1.20.3

asn1-5.0, crypto-5.8, erts-13.0, kernel-8.0, stdlib-4.0

sasl-4.3.2

The sasl-4.3.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • Fixed the typespec of release_handler:eval_appup_script/4.

    Own Id: OTP-20053
    Related Id(s): PR-10906

Full runtime dependencies of sasl-4.3.2

erts-15.0, kernel-6.0, stdlib-4.0, tools-2.6.14

snmp-5.20.2

The snmp-5.20.2 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

  • The SNMP manager now propagates msgAuthoritativeEngineID and msgUserName from USM security parameters through to the snmpm_user:handle_error/3 callback when an incoming message is discarded due to an unknown EngineID (usmStatsUnknownEngineIDs).

    This enables users to programmatically discover the correct authoritative EngineID from the error callback and re-register USM credentials, supporting SNMPv3 USM EngineID discovery as described in RFC 3414, Section 4. The failed_processing_message variant has been added to the snmpm_user:handle_error/3 callback type specification.

    Own Id: OTP-20056
    Related Id(s): ERIERL-1312, GH-7156, PR-10911

Full runtime dependencies of snmp-5.20.2

asn1-5.4, crypto-4.6, erts-12.0, kernel-8.0, mnesia-4.12, runtime_tools-1.8.14, stdlib-5.0

ssl-11.5.4

Note! The ssl-11.5.4 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependencies have to be satisfied:
   -- crypto-5.8 (first satisfied in OTP 28.3)
   -- public_key-1.20.3 (first satisfied in OTP 28.4.2)

Fixed Bugs and Malfunctions

  • A server supporting TLS-1.3 and TLS-1.2, with SLH-DSA algorithms for TLS-1.3, now correctly filters out those algorithms if the client is TLS-1.2 only, instead of failing with an internal error.

    Own Id: OTP-20046
    Related Id(s): ERIERL-1311, PR-10874

  • When OCSP stapling is enabled via the {stapling, staple} or {stapling, #{...}} options, the handshake now fails if the server does not provide an OCSP stapled response.

    Previously, a missing OCSP staple was silently accepted (soft-fail). Since Erlang/OTP only supports OCSP via stapling with no fallback to direct OCSP queries or CRL checking, soft-fail meant no revocation check at all.

    Applications that need the previous soft-fail behavior can use a custom verify_fun that accepts {bad_cert, missing_ocsp_staple}.

    Own Id: OTP-20064
    Related Id(s): PR-10941, CVE-2026-32144

    *** POTENTIAL INCOMPATIBILITY ***

Full runtime dependencies of ssl-11.5.4

crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.20.3, runtime_tools-1.15.1, stdlib-7.0

Thanks to

Linus Marton, williamthome

v28.4.1: OTP 28.4.1

Compare Source

Patch Package:           OTP 28.4.1
Git Tag:                 OTP-28.4.1
Date:                    2026-03-12
Trouble Report Id:       OTP-20007, OTP-20009, OTP-20011, OTP-20012,
                         OTP-20014, OTP-20018, OTP-20022
Seq num:                 CVE-2026-23941, CVE-2026-23942,
                         CVE-2026-23943, ERIERL-1303, ERIERL-1305,
                         GH-10694, PR-10707, PR-10798, PR-10809,
                         PR-10811, PR-10813, PR-10825, PR-10833
System:                  OTP
Release:                 28
Application:             crypto-5.8.3, inets-9.6.1, kernel-10.6.1,
                         ssh-5.5.1, ssl-11.5.3
Predecessor:             OTP 28.4

Check out the git tag OTP-28.4.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

crypto-5.8.3

The crypto-5.8.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • Fix memory leak in crypto:engine_load if called with incorrect commands.

    Own Id: OTP-20014
    Related Id(s): PR-10798

Full runtime dependencies of crypto-5.8.3

erts-9.0, kernel-6.0, stdlib-3.9

inets-9.6.1

The inets-9.6.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • The httpd server now rejects HTTP requests containing multiple Content-Length headers with different values, returning a 400 Bad Request response. This prevents potential HTTP request smuggling attacks. Thanks to Luigino Camastra at Aisle Research for responsibly disclosing this vulnerability.

    Own Id: OTP-20007
    Related Id(s): PR-10833, CVE-2026-23941

Full runtime dependencies of inets-9.6.1

erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0

kernel-10.6.1

The kernel-10.6.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • A vulnerability has been resolved in the (undocumented, unsupported and unused in OTP) inet_dns_tsig module that leads to a validation bypass.

    If a request contained an error code (forbidden by spec), it was treated as a response and skipped the verification of the MAC. The user of the module would then receive an "all ok" response; depending on the use case, this could lead to such things as AXFR or UPDATE being allowed.

    The client-side code has also been tightened up to make sure too large (bad) MAC sizes cannot be selected; the limit is the output size of the chosen algorithm.

    Own Id: OTP-20012
    Related Id(s): PR-10825

Full runtime dependencies of kernel-10.6.1

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0

ssh-5.5.1

Note! The ssh-5.5.1 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependency has to be satisfied:
   -- crypto-5.7 (first satisfied in OTP 28.1)

Fixed Bugs and Malfunctions

  • Fixed path traversal vulnerability in SFTP server's root option allowing authenticated users to access sibling directories with matching name prefixes. The root option used string prefix matching instead of path component validation. With {root, "/home/user1"}, attackers could access /home/user10/ or /home/user123/. Thanks to Luigino Camastra, Aisle Research.

    Own Id: OTP-20009
    Related Id(s): PR-10811, CVE-2026-23942

  • Fixed excessive memory usage vulnerability in SSH compression allowing attackers to consume system resources through decompression bombs. The 'zlib' and 'zlib@openssh.com' algorithms lacked decompression size limits, allowing 256 KB packets to expand to 255 MB (1029:1 ratio). This could lead to crashes on systems with limited memory.

    The fix removes zlib from the default compression algorithms and implements decompression size limits for both algorithms. Thanks to Igor Morgenstern at Aisle Research.

    Own Id: OTP-20011
    Related Id(s): PR-10813, CVE-2026-23943

Full runtime dependencies of ssh-5.5.1

crypto-5.7, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

ssl-11.5.3

Note! The ssl-11.5.3 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependencies have to be satisfied:
   -- crypto-5.8 (first satisfied in OTP 28.3)
   -- public_key-1.18.3 (first satisfied in OTP 28.1)

Fixed Bugs and Malfunctions

  • TLS-1.3 certificate request now preserves the order of signature algorithms in the certificate request extension to be in the server's preferred order, which might affect the choice made by some TLS clients.

    Own Id: OTP-20022
    Related Id(s): ERIERL-1305, GH-10694, PR-10707

Improvements and New Features

  • Document that setting transport-protocol-specific socket options is not generally expected to work for TLS, and if it happens to work it comes with consequences that should be understood and accepted by the user. Also retain some backwards compatibility with such an option that happened to work, to buy time for people to come up with better solutions.

    Own Id: OTP-20018
    Related Id(s): ERIERL-1303, PR-10809

Full runtime dependencies of ssl-11.5.3

crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.18.3, runtime_tools-1.15.1, stdlib-7.0

Thanks to

Alexander Clouter, Hewwho

nodejs/node (node)

v24.17.0: 2026-06-18, Version 24.17.0 'Krypton' (LTS), @aduh95

Compare Source

This is a security release.

Notable Changes
  • (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
  • (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
  • (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
  • (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
  • (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
  • (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
  • (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
  • (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
  • (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
  • (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
  • (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low
Commits

v24.16.0: 2026-05-21, Version 24.16.0 'Krypton' (LTS), @aduh95

Compare Source

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone Asia/Tokyo)

  • Branch creation
    • "before 9am on Monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



This PR has been generated by Mend Renovate.
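The SFTP `root` fix in ssh-5.5.1 (OTP-20009) above is worth seeing side by side. This is an added Python re-creation of the two checks, not OTP's own ssh code; the function names, the `audit` helper and the sample paths are constructed for illustration, with the root `/home/user1` taken from the release note.

```python
"""Hypothetical Python re-creation (not OTP's own ssh code) of the SFTP
`root` check described in OTP-20009 / CVE-2026-23942: the flawed string
prefix test beside a check on whole, normalised path components."""
from posixpath import join, normpath


def is_under_root_prefix(root: str, requested: str) -> bool:
    """Vulnerable form: a bare string prefix test.

    "/home/user1" is a prefix of "/home/user10/secret", so sibling
    directories whose names share the root's prefix leak through.
    """
    return requested.startswith(root)


def _components(path: str) -> list[str]:
    # Resolve "." and ".." lexically and split into non-empty components.
    return [p for p in normpath(path).split("/") if p]


def is_under_root(root: str, requested: str) -> bool:
    """Hardened form: compare path components, not characters.

    A relative request is resolved against the root; an absolute one is
    taken as given. Both are normalised so "../" cannot step above root.
    """
    root_parts = _components(root)
    full = requested if requested.startswith("/") else join(root, requested)
    return _components(full)[: len(root_parts)] == root_parts


def audit(root: str, requests: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each request to (prefix_check_result, component_check_result)."""
    return {r: (is_under_root_prefix(root, r), is_under_root(root, r))
            for r in requests}


if __name__ == "__main__":
    # Constructed sample requests against the root from the release note.
    for path, (weak, strong) in audit("/home/user1", [
        "/home/user1/docs/a.txt", "/home/user10/secret",
        "/home/user123/x", "/home/user1/../user10/x", "docs/b.txt",
    ]).items():
        print(f"{path:28} prefix={weak!s:5} components={strong}")
```

The prefix check is only half the story: without normalisation even a component check could be walked past with `..`, which is why `is_under_root` normalises before comparing.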

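The inets-9.6.1 entry (OTP-20007) says httpd now answers conflicting Content-Length headers with 400 Bad Request. This is an added Python sketch of that server-side check, not OTP's inets/httpd code; `parse_head`, `content_length`, `status_for` and the sample requests are constructed for illustration.

```python
"""Hypothetical Python re-creation (not OTP's own inets/httpd code) of the
check from OTP-20007 / CVE-2026-23941: reject a request whose
Content-Length fields disagree, so that two hops cannot pick different
body boundaries for the same bytes."""
from typing import Optional


def parse_head(raw: bytes) -> list[tuple[str, str]]:
    """Split a request head into lower-cased (name, value) header pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def content_length(headers: list[tuple[str, str]]) -> Optional[int]:
    """Return the agreed body length, 0 if absent, None if ambiguous.

    RFC 9110 treats "Content-Length: 6, 6" like two repeated fields, so a
    comma-separated value is split and checked member by member.
    """
    seen = set()
    for name, value in headers:
        if name != "content-length":
            continue
        for member in value.split(","):
            member = member.strip()
            if not member.isdigit():
                return None  # non-numeric: refuse to guess
            seen.add(int(member))
    if not seen:
        return 0
    return seen.pop() if len(seen) == 1 else None


def status_for(raw: bytes) -> int:
    """400 when the body length is ambiguous, otherwise 200 (constructed)."""
    return 400 if content_length(parse_head(raw)) is None else 200


# Constructed sample requests, not captured traffic.
CONFLICTING = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 6\r\nContent-Length: 25\r\n\r\nhello\n")
REPEATED_SAME = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 6\r\nContent-Length: 6\r\n\r\nhello\n")
```

As in the release note, repeated headers that agree are still accepted; only disagreement (or an unparsable value) is rejected.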
@NexPB NexPB added the dependencies Pull requests that update a dependency file label Mar 22, 2026
@NexPB NexPB force-pushed the renovate/tool-versions-(mise) branch from c35c04e to 97db6cb on March 29, 2026 23:42
@NexPB NexPB force-pushed the renovate/tool-versions-(mise) branch from 97db6cb to 4f2b3de on April 12, 2026 23:45
@NexPB NexPB force-pushed the renovate/tool-versions-(mise) branch from 4f2b3de to d380926 on April 19, 2026 23:47
@NexPB NexPB force-pushed the renovate/tool-versions-(mise) branch from d380926 to f1f1708 on April 26, 2026 23:50
@NexPB NexPB force-pushed the renovate/tool-versions-(mise) branch from f1f1708 to 47b5d96 on May 11, 2026 00:00
@NexPB NexPB force-pushed the renovate/tool-versions-(mise) branch from 47b5d96 to 5604402 on May 25, 2026 00:07
@NexPB NexPB force-pushed the renovate/tool-versions-(mise) branch from 5604402 to 6197344 on June 1, 2026 00:12
@NexPB NexPB force-pushed the renovate/tool-versions-(mise) branch from 6197344 to 8eb4f21 on June 8, 2026 00:18
@NexPB NexPB force-pushed the renovate/tool-versions-(mise) branch 2 times, most recently from b79a93d to a017df1 on June 20, 2026 09:00
@NexPB NexPB force-pushed the renovate/tool-versions-(mise) branch from a017df1 to 1f636a1 on June 22, 2026 00:19