- Fix overriding Hex packages from non Hex dependencies
- Improve solver error message when collecting conflicting requirements from multiple places. Fixes the "empty" versions error. This is done by including path and git parents of hex packages in the solver.
- Add "(CI)" to
user-agentHTTP header if environment variableCIis set - Improve message for authentication errors
- Set exit code 1 on
mix hex.organization autherrors - Add
--sortflagmix hex.outdated - Improve error message when trying to publish existing package with permissions
- Consider ex_doc
:outputoption when publishing documentation - Warn on unknown dependency options
- Do not close registry server in post_converge. Fixes the "the table identifier does not refer to an existing ETS table" error.
- Revert Mix changes on Hex application stop
- Fix passing requests from umbrella apps to solver
- Handle empty package name in
mix hex.info
- Fix application startup when there are configured organizations
- Fix HTTP authentication for repositories added before v2.0.3
- Fix trust lookup for organizations
- Remove dependency on
sshapplication - Add
trusted_mirror_urlconfig andHEX_TRUSTED_MIRROR_URLenvironment variable. When setting either of these the repository authentication key will be included in requests.mirror_urlconfig andHEX_MIRROR_URLhave changed to no longer include the authentication key in requests. This is to ensure secrets are not sent to repository mirrors that are not trusted.
- Remove
hex.installtask
- Fixes for upcoming Elixir 1.15.0 release
- Raise when parsing intersected ranges
- Skip unselected optionals during solving
- Fix converging of requirements from different sources
- Fix organization owner prompt during publish
- Do not override locked deps
- New version solver with higher performance and better error messages
- Switch to IPv6 if requests fail due to connection errors
- Fix browser opening on Windows
- Fix compatibility with some Elixir and OTP combinations
- Set exit code to 1 when
mix hex.publishfails - Validate OSS licenses
- Read authorization credentials from
~/.netrc - Error if building package with an
app: falsedependency
- Do not error if the organization authorization key could not be verified, this improves handling of API server issues
- Improvements to version solver to prevent scenarios where it takes a long time to find a solution
- Improve error when update checker times out
- Add config
no_short_urlsand env varHEX_NO_SHORT_URLSto disable short URL generation - Mention
mix hex.sponsorwhen fetching packages that accept sponsorship - Add
--keyoption tomix hex.repo show NAMEto print repository key - Improve output when update check fails
- Print hint if version resolution is slow
- Improve version backtracking to fix slow version resolutions and downgrading of dependencies
- Add support for
mix hex.package fetch PACKAGE(without version)
- Gracefully handle missing hex metadata in sponsor task
- Fix building hex registry
- Update ssl opts for host validation on redirect
- Store correct password after confirmation failure
- Warn when using ssl-10.2
- Disable API write operations when using ssl-10.2
- Add
--epuboption tomix hex.docs offline - Add
--replaceoption tomix hex.publish - Add locked version to
mix hex.info <package> - Clarify publish message around ownership
- Remove reliance on colors for hex.outdated
- Follow XDG Base Directory Specification
- Add link to diffs page in footer of
mix hex.outdated - Introduce
latestbranch to install Hex usingmix archive.install git ... - Add
--repoflag tomix hex.packagetask - Make
mix hex.package diffmore CLI-friendly - Customize hostname check to allow also wildcard certificates
- Use API for dependency config in mix hex.info
- Do not pass --canonical to docs task
- Always add
*.DS_Storeto:exclude_patterns - Add note about updatable packages to
mix hex.outdatedtask - Use tarball outer checksum to check cache freshness
- Add
--within-requirementsflag tomix hex.outdated - Add
--fetch-public-key FINGERPRINTtomix hex.repo add - Return non-zero exit when package or release are not found in
mix hex.info - Add
no_proxyconfiguration - Add
mix hex.package diff APP VERSION - Add
mix hex.sponsorfor listing all dependencies ask for sponsors or support - Add
mix hex.registry buildfor building registries locally
- Fix order of organizations displayed on
mix hex.publish - Fix stacktrace warning
- Hide
mix hex.installprivate task - Fix
mix hex.repo removecommand doc - Fix backtracking on single parent
- Do not unpack the tarball on
mix hex.package fetchunless--unpackis passed - Re-fetch stale cached package if registry checksum changed
- Fix compatibility with OTP 24
- Fix compatibility with OTP 24
- Add timestamps to entries in registry cache for easier debugging
- Bump registry cache version to invalidate old caches
- Warn if fetching registry without outer checksum
- Do not require that the registry supports outer checksums
- Missing outer checksum is not a mismatch, this will fix "out of date" errors when the manifest is newer than the lockfile
- Fix tarball file extraction through symlinks
- Fetch the latest non-prerelease version of a package in
mix hex.docs
- Correctly handle old manifest files without crashing
- Add
--outputoption tomix hex.package fetchtask - Add
cacerts_pathconfiguration for custom CA certificate files - Improve output in
mix hex.publishto make it more clear to what repository you are publishing - Explain red colors in hex.outdated
- Fix HTTP timeout config
- Do not allow creating empty packages
- Fix for directory traversal vulnerability for symlinks in tarballs
- Update package checksum to include the entire tarball instead of specific files inside it
- Do not print transfer message when not transferring
- Add per-project Hex configuration. Configure Hex under the
:hexkey inside your project configuration inmix.exs - Show location of package after running
mix hex.build - List all available Hex tasks when running
mix hex - List subtasks when running
mix hex - Remove tarball if it is invalid to avoid it being as cache in the future
- Show umbrella children
mix.exslocation inmix hex.outdated - Add
mix hex.owner transfertask - Show improved error message on invalid configs
- Add
mix hex.package fetchtask - Add
mix hex.package difftask
- Fix
mirror_urlconfig - Fix
api_urlconfig - Do no try to remove docs after reverting package – docs are already automatically removed
- Improve output of
mix hex.config - Print publisher in
mix hex.info PACKAGE VERSION - Add organization flag to dependency config in
mix hex.info PACKAGE
- Don't follow symlinks when adding files to tarballs
- Error with a descriptive msg when building a package with git dependencies
- Improve listing of incompatible package versions when displaying backtrack error message
- Improve resolver performance when it needs to do a lot of backtracking
- Verify authenticity of registry records. This fixes a vulnerability that would allow a malicious mirror to serve modified versions of Hex packages. A new check has been introduced that requires the latest registry record version, if you are using a repository or mirror that has not been updated yet you can disable this check by setting the environment variable
HEX_NO_VERIFY_REPO_ORIGIN=1. Further clarification of this issue will come at a later stage.
- Add checks before publishing docs
- Update generated protobuf files for Registry with OTP 21 compatibility
- No longer list tasks in
mix hextask - Use hexdocs organization URLs
- Adds
--dry-runoption to publish tasks - Do not print "Unchanged" dependencies on mix deps.get in green
- Validate hex config keys
- Add
c_src/andMakefileto default package files - Publish Mix task docs on https://hexdocs.pm/hex
- Add recommendation when retiring and require
--messageflag
- Use rebar3, not rebar, when guessing build tool
- Fix issue saving write key when resetting local password
- Fix normalization of repo paths when authenticating organization
When authenticating with mix hex.user auth two API keys are generated instead of single one. One key is unencrypted with read access and the other is encrypted with your local password and has full read/write access to the API. Now commands that don't make any changes will not require a password.
Additionally, we generate a single key that gives access to all your organization repositories, instead of one key for each repository. It also has the added benefit that you don't have to reauthenticate if you are added to a new organization.
We have also added support for keys owned directly by an organization instead of a specific user, these keys can be accessed through mix hex.organization. This is useful when generating keys for a CI environment, previously when personal keys were used, a person leaving an organization or revoking the key could negatively affect CI workflow.
The HEX_API_KEY environment variable has been introduced to be able run commands that require an authentication without having to authenticate manually with mix hex.user auth which has user input prompts. The key set with HEX_API_KEY can be generated with mix hex.user key generate or mix hex.organization key ORGANIZATION generate. It also makes it possible to run commands such as mix hex.publish without being prompted for a password.
By passing the --yes flag to mix hex.publish you can publish your package (together with HEX_API_KEY) without any confirmation prompts. This allows you to publish your package as part of your CI build process.
In previous Hex versions we required :maintainers key to be present when publishing package. At the same time, on hex.pm we are also showing package owners (controlled by the mix hex.owner task). It was confusing to show both maintainers and owners and figure out which really control the package, so we've dropped showing maintainers on hex.pm and the field will no longer be added to package's metadata.
If maintainers field was used to give credit to current and/or past contributors we encourage to mention that in project's README instead.
- Add
--yesflag tohex.publishfor publishing without any confirmation prompts - Add
HEX_API_KEYenvironment variable for setting and overriding the key used when authenticating against the API - Generate a single key for all organization repositories when authenticating a new user
- Return a non-zero exit code from
hex.outdatedwhen dependencies are outdated - Generate two API keys when authenticating, one encrypted with write access, and one unencrypted with only read access
- Add ownership levels to
hex.ownertask - When resolving, try all possible backtrack branches and select the best solution
- Improve formatting of multi-line validation errors
- Do not use
:maintainerspackage configuration field - Change
hex.organizationto generate keys owned by organization instead of the user generating them - Add options to
hex.organization keyfor revoking and listing keys owned by organization - Improve interface for
hex.user keyandhex.organization key, the following commands have changed:hex.user key --generate=>hex.user key generatehex.user key --list=>hex.user key listhex.user key --revoke KEY_NAME=>hex.user key revoke KEY_NAMEhex.user key --revoke-all=>hex.user key revoke --allhex.organization key ORGANIZATION=>hex.organization key ORGANIZATION generate
- Fix private packages on Windows
- Fix crash when unpacking tarballs with broken symlinks
- Correct the type of build tools package metadata
- Fix crash when printing resolver output when having lock entries from other SCMs
- Fix crash when printing resolver output for old lock files
- Tarball and registry code has been extracted to the
hex_erlpackage - Hide retired versions when showing latest release in
hex.infotask - Add
hex.docs offlineandhex.docsonline tasks - Add
--key-nameflag to key generation tasks - Add
:exclude_patternsto package config for excluding files from package - Resolver now backtracks children before parents to improve versions selected when backtracking
- Change some errors to warnings when building private packages
- Group resolved dependency output into unchanged, updated, and downgraded when running
deps.getanddeps.updatetasks - Add authentication to
hex.docstask for showing private package documentation - Improve error message when package fetch times out
- General improvements to tasks when accessing organizations
- Fix wrong publish message when using
--organizationflag inhex.publishtask - Set file times inside tarballs to 2000-01-01 to fix tars on FAT file systems
- Fix
hex.docs opentask on Windows
- Handle missing package descriptions in
hex.searchtask - Fix printing of package checksum after publishing
- Increase
hex.publishtimeouts and make it configurable with:http_timeoutconfig andHEX_HTTP_TIMEOUTvariable - Test key before adding it with
hex.organization auth NAME --key KEY - Remove pre-release publish restriction for private packages
- Add package descriptions to
hex.searchtask - Improve error message when there are no versions matching requirement
- Add latest stable version to
hex.searchtask - Add
metadata.configfile to checked out dependency directory - Warn if we detect a lock entry from a newer Hex version
- Add
hex.build --outputandhex.build --unpacktasks - Preserve symlinks and empty directories in tar
- Simplify Hex output on deps.get
- General improvements to tarball creation and unpacking
- List umbrella children's top level dependencies in
hex.outdated - Include
.formatter.exsfile in default package builds - Prompt user when authentication is required
- Automatically auth all organizations when authing user with
hex.user auth - Highlight if a package release has been retired in
hex.info - Display package website links in
mix hex.owner packages
- Do not crash if failing to write tarball
- Disable HTTP pipelining to avoid bugs in HTTP client
- Also purge registry etags when repository source changed
- Retry HTTP requests on
:socket_closed_remotelyerrors - Fix package tarballs being reproducible
- Authenticate HTTP requests for
hex.search - Populate managers when initially getting dependencies
- Check dependencies on
hex.auditandhex.publish - Fix fetching of private packages that overrides public packages
- Fix HTTP redirect handling
- Don't display internal configs in
hex.config
- Improve error message when package does not exist
- Improve error message when no versions exist for given requirement
- Add
--keyflag tohex.organization authto authorize by giving a key directly without supplying a password - Add
hex.organization keyto generate a key for accessing the organization's repository
Hex.pm is adding support for private packages with organizations. See https://hex.pm/docs/private for more details. To authorize an organization on your machine run mix hex.organization auth acme, this will store the organization's repository details in Hex so that you can fetch packages from the repository. As soon as you are added as a member to an organization you can administer and publish packages, if you have the appropriate role, with the --organization flag or by setting the :organization option on the package configuration.
Different from the last release packages will always be pulled from the default hexpm repository and you have to override it with the :organization or :repo options on the dependency configuration.
- Add
hex.organizationtask - Rename
hex.user keyflag--remove*to--revoke*to clarify what it does - Add
--organizationflag to tasks working on packages - Add
:organizationoption to package configuration - Add support for publishing to organizations
- Improve error message when docs task is missing
- Add
--confirmflag tohex.publishtask
- Fix version validation exceptions
- Reintroduce
HEX_MIRRORenvironment variable - Preserve file modes when building tarball
- Disallow
:appoption for dependencies
- Add
mix hex.repo showtask for showing repo configuration - Improve error message if there are no releases for given requirement in the registry
- Add
mix hex.audittask for checking for retired packages
- Do not try to publish docs if package publish failed
- Do not update lock entry if only metadata changed
- Do not show authentication details when printing URLs
- Fix password reset
- Fix race condition where some entries may not be cached if they were added just before application closed
- Support PAX tarballs, created on OTP 20, when using older OTP versions. Additionally, make it less likely PAX tarballs are created
This version adds support for using packages from multiple repositories. With the hex.repo task additional repositories can be added to Hex. With it you can add additional repositories or replace the default "hexpm" repository by running mix hex.repo add hexpm ..., check the docs for more information. To use a dependency from another repository add repo: :my_other_repo to the dependency definition in mix.exs and make sure you have added my_other_repo with mix hex.repo add my_other_repo. Dependencies of a package will be automatically pulled from the same repository as the parent package unless otherwise stated with the :repo option on the dependency definition.
- Add
hex.repotask - Move
hex.keytasks tohex.user keys - Warn or error if publishing a package with pre-release dependencies
- Do not check for updates when running in offline mode
- Fix an issue where dependency resolution could take a very long time
- Do not publish docs if publishing the package failed
- Fix an issue where HTTP timeouts could cause the application to freeze
- Ensure managers always exist in the lock
With this new release you can mark versions of your packages as retired when you no longer recommend its use. This can be because the release has a serious security flaw, something went wrong with the release so that it's unusable or because the package has been renamed or deprecated. A retired version is still usable and fetchable but it will show as retired on hex.pm and when resolved Hex will show a warning to the user with the retirement message.
- Add --module flag to
hex.docstask - Changed
hex.outdatedtask to show if a dependency can be updated - Add
hex.retiretask for package retirement - Warn when resolving retired packages
- Restrict number of default SSL ciphers
- Do not make conditional HTTP request if file is missing
- Ensure cache file is saved when Hex exits
- Add environment variable
HEX_HTTP_CONCURRENCYfor limiting number of concurrent HTTP requests
- Fix compatibilities with older Elixir version (<= 1.1)
- Ensure build tools are unique in mix.lock and when publishing
- Fix
hex.docs openopening websites on Unix systems - Do not crash on diverged dependencies with conflicting SCMs
- Fix some duplicate HTTP requests on slow networks
- Limit concurrent registry HTTP requests
Hex has switched to a new registry format that is more efficient and will scale better as the registry grows. The new registry format is encoded with protocol buffers and is split into multiple files (one file per package) to avoid fetching one big file with data you will not need. The resolver will make more HTTP requests but will in total fetch much less data. The specification for the new format can be found here: hexpm/specifications#10. The old ETS based registry format is no longer supported in the client but will continue to be available from the registry for the foreseeable future.
hex.docs openwill by default open the online hexdocs for the given package- An
--offlineoption has been added tohex.docs openfor opening docs stored on your local filesystem and it will automatically fetch the docs if they are not available locally - Only support secure SSL ciphers and safe SSL versions (support for SSLv3 has been dropped)
- Improvements to the language in the resolver error messages
- Fix an issue where duplicate build tool names could be added to the package metadata
- Only error on non-Hex dependencies when building
- Most warnings on
hex.publishare now errors
- Fix bug where the old config format was not readable
- Convert old config format to new format on every read
- Fix
HEX_UNSAFE_REGISTRYnegation
- Inform about new Hex version in
hex.info - Support
extrametadata field - Print package checksum when building and publishing
- Warn if using registry from cache
- Show creation time of API keys in
hex.keys list - Improve the error message if OTP has broken SNI in
:sslapplication - Verify dependencies from registry against lock
- Hex will now automatically encrypt your local API key, use
hex.user passphraseto change the encryption passphrase - Improve resolver error message to mention behavior of pre-releases and overrides
- Improve error message if a dependency has configured the OTP application name incorrectly for another dependency
hex.publishnow also publishes docs by default, usehex.publish packageandhex.publish docsto respectively publish package and docs independentlyhex.docswill now open or fetch documentation tarballshex.key removewill now also de-auth the user if the local API key was removed- Add status messages when publishing and reverting
- Fix bug where the client was fetching packages even when lock is OK
- Fix resolver sometimes not producing any backtrack output
- Verify certificate against correct hostname after redirect
- Only show proxy settings when MIX_DEBUG=1
- Add retries to idempotent requests
- Fix crash when you get multiple backtrack messages
- Add package checksums to lock, ensuring a locked package can not change its content
- Add managers and deps to lock, allowing Hex to run without loading the registry
- Align deps fetching output from scm
- Update hex.pm repo URL to https://repo.hex.pm
- Link to policies when registering account
- Update CoC links
- Improve conflict messages
- Improve error messages when ex_doc is missing when publishing docs
- Show app name of dependency in
hex.info - Warn about long package descriptions
- Fix
HEX_UNSAFE_HTTPSenvironment variable andunsafe_httpsconfig
- Add more registry metrics to
hex.info
- Fix a bug where Hex was about a bit too enthusiastic when informing the user of new versions
- Fix some missing future-proofing of lock
- Use HTTPS to Hex.pm repository
- Make lock backwards compatible by treating it as a list and only matching on the front
- Correctly show update notification
- Remove duplicate parents from backtrack messages
- Fix invalid message in
hex.outdatedif locked version is a pre-release
- Do not crash if registry fails to fetch
- Remove force update of registry if it is more than a week old
- Verify registry signature against public key
- Improve missing registry error message
- Deprecate
HEX_CDNin favor ofHEX_REPOandHEX_MIRROR. See thehextask for more information - Deprecate
:cdn_urlconfig in favor of:repo_urlandmirror_url. See thehex.configtask for more information - Improve performance of parallel package fetching
- Use fastly instead of S3 for the Hex.pm repository
- Add
--deleteoption tohex.configtask
- Show local time in hex.info
- Correctly unlock all dependencies on
deps.update - Always fetch registry if it's missing or known to be old
- Fix incorrect build version check
- Fix parsing of requirements without spaces
- Append the OTP version to the user_agent function
- Improve output of http request timeout errors
- Warn if
:manageror:compileis set on dependencies when publishing - Add
--preflag tohex.outdated - Use erlang binary term encoding for API instead of elixir encoding
- Pull package name from correct source when publish docs
- Pass canonical url to ex_doc task
- Change hexdocs links to use https
- Add
hex.outdated APPto list all requirements on given dependency - Do not allow pre-releases for dependencies unless the requirement uses a pre-release version
- Optimize version cache memory usage
- Fix incorrect build version check for dev versions of Elixir
- Fix loop when backtracking in resolver
- Fix timeout errors on slow systems
- Make the experimental resolver the default
- Ensure registry can be opened/closed multiple times
- Ensure
hex.searchtask handles empty results - Fix experimental resolvers only backtracking on parents that had requirements that failed
- Fix merging of overlapping parent and package versions in backtrack messages
- Fix bug when umbrella child has dependency with
:only
- General optimizations in dependency resolver
- Add experimental faster backtracker that does more aggressive backtracking, set environment variable
HEX_EXPERIMENTAL_RESOLVER=1to use it - Merge backtrack messages that have similar parents
- Merge multiple versions into version ranges when possible for more succinct backtrack messages
- Reduce memory usage when resolver produces many backtrack messages
- Fix a crash when a dependency is missing its version requirement
- Add support for authentication when using HTTP proxies
- Add more build information to
hex.infotask to ease debugging - Greatly improve backtracking error messages
- Prevent packages for being published without a description
- Improve error printing when S3 return errors
- Improve output from
hex.outdatedtask - Warn if a package dependency is missing its requirement
- Improve error message from
hex.docstask whenex_docdependency is missing - Remove useless output when fetching dependencies
- Improve package output in
hex.infotask
- Fix a rare bug that could cause the resolver to go into an infinite loop
- UTF8 encode package metadata
- Only list missing files if
:filesis set - Fix bug when umbrella child has dependency with
:only
- Pass build tool information to Mix (supported in Elixir 1.1.0)
- Make Hex a proper OTP application
- Update CA store
- Warn if files are missing when building package
- Improve error message when resolution fails because of a locked dependency
- Add
hex.registrytask for loading and dumping registry - Add
HEX_OFFLINEfor running in offline mode which skips fetching registry and packages - Add
hex.buildtask for building package without publishing - Reduce noise when users gets lots of resolution errors and generally improve their output
- Add Server Name Indication support for HTTPS requests
- Add
HEX_UNSAFE_HTTPSfor disabling certificate checking - Rename
:contributorsmetadata to:maintainersto better reflect purpose of field
HEX_APIno longer automatically addsapi/to URL- Fix crash when user doesn't explicitly override Hex package when needed
- Fix bug where metadata in package tarball was not properly UTF8 encoded
- Fix error message when registry file is missing
- Support
hex.outdatedtask for umbrella projects - Do not raise on bad data in a users old lock
- Fix a bug that would trust any certificate in the certificate chain signed by a trusted CA, this could allow the certificate, that is not a CA, to issue and sign new certificates for any host
- Sort dependency resolver results
- Fix build_tools metadata being sent incorrectly
- Warn if registry file is missing when loading deps
- Consider new optional requirements for already activated dependency
- Add multiple build tools to metadata
- Warn if using insecure SSL because of old OTP version
- Use yellow test for warning text
- Include build_tools in release metadata
- Print more metadata when publishing
- Fix an error when printing an http status codes
- Always fetch new registry if it's older than 7 days
- Add task
hex.user testfor testing user authentication. - Add task
hex.outdatedfor listing outdated packages compared to the registry. - Update CA store as of April 3.
- Inform user if authentication failed because they did not confirm email.
- Improve error message for unsupported tarball version.
- Fix a bug where overriding a Hex dependency with a non-Hex dependency was ignored when the overriding at least two levels deep in the dependency tree
- Include all conflicting requirements in backtrack message
- Fix a bug where backtrack message failed on optional requests
- Fix an error when merging locked and optional dependencies
- Print messages on backtracks if dependency resolution failed, this is intended to help users resolve conflicts
- Fix a bug where a dependency converged in mix did not consider all its requirements
- Fix a bug where dependencies in the lock was considered even if they weren't requested
- Fix updating the registry
- Print proxy options on startup
- Add
mix hex.user password resetand removemix hex.user update - Create version 3 tarballs with erlang term encoded metadata
- Verify peer certificate against CA certificate public key in
partial_chain - Fix a bug where overriding a Hex dependency with a non-Hex dependency was ignored when the overriding happened in a sub-dependency
- Create hex directory before writing registry
- Add PKIX hostname verification according to RFC6125
- Improve error messages from HTTP error codes
- Improve HTTP performance
- Add config options
api_url,cdn_url,http_proxyandhttps_proxy - Support both doc/ and docs/ as documentation directory
- Convert config file to erlang term file
- Add support for packages with a different OTP application name than the package name
- Add task
mix hex.docsfor uploading project documentation - Add email confirmation
- Allow you to change your password with
mix hex.user update - Correctly display dependencies in
mix hex.info PACKAGE VERSION - Verify peer certificates when fetching tarball
- Verify peer certificate for SSL (only available in OTP 17.3)
- Reduce archive size with compiler option
debug_info: false - Add support for config as an erlang term file
- Warn if Hex was built against a different major.minor Elixir version
- Add task
hex.user whoamithat prints the locally authorized user - Add task
hex.user deauthto deauthorize the local user - Rename environment variable
HEX_URLtoHEX_APIto not confuse it withHEX_CDN
- Print newline after progress bar
- Add progress bar for uploading the tarball when publishing
- Compare tarball checksum against checksum in registry
- Bump tarball support to version 3
- Rename task for authenticating on the local machine from
hex.key newtohex.user auth - Remove the ability to pass password as a CLI parameter
- Support lower-case proxy environment variables
- Remove any timeouts when fetching package tarballs