- Improve error message when package does not exist
- Improve error message when no versions exist for given requirement
- Add
--key
flag tohex.organization auth
to authorize by giving a key directly without supplying a password - Add
hex.organization key
to generate a key for accessing the organization's repository
Hex.pm is adding support for private packages with organizations. See
https://hex.pm/docs/private for more details. To authorize an organization on
your machine run mix hex.organization auth acme
, this will store the
organization's repository details in Hex so that you can fetch packages from the
repository. As soon as you are added as a member to an organization you can
administer and publish packages, if you have the appropriate role, with the
--organization
flag or by setting the :organization
option on the package
configuration.
Different from the last release packages will always be pulled from the default
hexpm
repository and you have to override it with the :organization
or
:repo
options on the dependency configuration.
- Add
hex.organization
task - Rename
hex.user key
flag--remove*
to--revoke*
to clarify what it does - Add
--organization
flag to tasks working on packages - Add
:organization
option to package configuration - Add support for publishing to organizations
- Improve error message when docs task is missing
- Add
--confirm
flag tohex.publish
task
- Fix version validation exceptions
- Reintroduce
HEX_MIRROR
environment variable - Preserve file modes when building tarball
- Disallow
:app
option for dependencies
- Add
mix hex.repo show
task for showing repo configuration - Improve error message if there are no releases for given requirement in the registry
- Add
mix hex.audit
task for checking for retired packages
- Do not try to publish docs if package publish failed
- Do not update lock entry if only metadata changed
- Do not show authentication details when printing URLs
- Fix password reset
- Fix race condition where some entries may not be cached if they were added just before application closed
- Support PAX tarballs, created on OTP 20, when using older OTP versions. Additionally, make it less likely PAX tarballs are created
This version adds support for using packages from multiple repositories. With
the hex.repo
task additional repositories can be added to Hex. With it you
can add additional repositories or replace the default "hexpm" repository
by running mix hex.repo add hexpm ...
, check the docs for more information.
To use a dependency from another repository add repo: :my_other_repo
to the
dependency definition in mix.exs
and make sure you have added my_other_repo
with mix hex.repo add my_other_repo
. Dependencies of a package will be
automatically pulled from the same repository as the parent package unless
otherwise stated with the :repo
option on the dependency definition.
- Add
hex.repo
task - Move
hex.key
tasks tohex.user keys
- Warn or error if publishing a package with pre-release dependencies
- Do not check for updates when running in offline mode
- Fix an issue where dependency resolution could take a very long time
- Do not publish docs if publishing the package failed
- Fix an issue where HTTP timeouts could cause the application to freeze
- Ensure managers always exist in the lock
With this new release you can mark versions of your packages as retired when you no longer recommend its use. This can be because the release has a serious security flaw, something went wrong with the release so that it's unusable or because the package has been renamed or deprecated. A retired version is still usable and fetchable but it will show as retired on hex.pm and when resolved Hex will show a warning to the user with the retirement message.
- Add --module flag to
hex.docs
task - Changed
hex.outdated
task to show if a dependency can be updated - Add
hex.retire
task for package retirement - Warn when resolving retired packages
- Restrict number of default SSL ciphers
- Do not make conditional HTTP request if file is missing
- Ensure cache file is saved when Hex exits
- Add environment variable
HEX_HTTP_CONCURRENCY
for limiting number of concurrent HTTP requests
- Fix compatibilities with older Elixir version (<= 1.1)
- Ensure build tools are unique in mix.lock and when publishing
- Fix
hex.docs open
opening websites on Unix systems - Do not crash on diverged dependencies with conflicting SCMs
- Fix some duplicate HTTP requests on slow networks
- Limit concurrent registry HTTP requests
Hex has switched to a new registry format that is more efficient and will scale better as the registry grows. The new registry format is encoded with protocol buffers and is split into multiple files (one file per package) to avoid fetching one big file with data you will not need. The resolver will make more HTTP requests but will in total fetch much less data. The specification for the new format can be found here: hexpm/specifications#10. The old ETS based registry format is no longer supported in the client but will continue to be available from the registry for the foreseeable future.
hex.docs open
will by default open the online hexdocs for the given package- An
--offline
option has been added tohex.docs open
for opening docs stored on your local filesystem and it will automatically fetch the docs if they are not available locally - Only support secure SSL ciphers and safe SSL versions (support for SSLv3 has been dropped)
- Improvements to the language in the resolver error messages
- Fix an issue where duplicate build tool names could be added to the package metadata
- Only error on non-Hex dependencies when building
- Most warnings on
hex.publish
are now errors
- Fix bug where the old config format was not readable
- Convert old config format to new format on every read
- Fix
HEX_UNSAFE_REGISTRY
negation
- Inform about new Hex version in
hex.info
- Support
extra
metadata field - Print package checksum when building and publishing
- Warn if using registry from cache
- Show creation time of API keys in
hex.keys list
- Improve the error message if OTP has broken SNI in
:ssl
application - Verify dependencies from registry against lock
- Hex will now automatically encrypt your local API key, use
hex.user passphrase
to change the encryption passphrase - Improve resolver error message to mention behavior of pre-releases and overrides
- Improve error message if a dependency has configured the OTP application name incorrectly for another dependency
hex.publish
now also publishes docs by default, usehex.publish package
andhex.publish docs
to respectively publish package and docs independentlyhex.docs
will now open or fetch documentation tarballshex.key remove
will now also de-auth the user if the local API key was removed- Add status messages when publishing and reverting
- Fix bug where the client was fetching packages even when lock is OK
- Fix resolver sometimes not producing any backtrack output
- Verify certificate against correct hostname after redirect
- Only show proxy settings when MIX_DEBUG=1
- Add retries to idempotent requests
- Fix crash when you get multiple backtrack messages
- Add package checksums to lock, ensuring a locked package can not change its content
- Add managers and deps to lock, allowing Hex to run without loading the registry
- Align deps fetching output from scm
- Update hex.pm repo URL to https://repo.hex.pm
- Link to policies when registering account
- Update CoC links
- Improve conflict messages
- Improve error messages when ex_doc is missing when publishing docs
- Show app name of dependency in
hex.info
- Warn about long package descriptions
- Fix
HEX_UNSAFE_HTTPS
environment variable andunsafe_https
config
- Add more registry metrics to
hex.info
- Fix a bug where Hex was about a bit too enthusiastic when informing the user of new versions
- Fix some missing future-proofing of lock
- Use HTTPS to Hex.pm repository
- Make lock backwards compatible by treating it as a list and only matching on the front
- Correctly show update notification
- Remove duplicate parents from backtrack messages
- Fix invalid message in
hex.outdated
if locked version is a pre-release
- Do not crash if registry fails to fetch
- Remove force update of registry if it is more than a week old
- Verify registry signature against public key
- Improve missing registry error message
- Deprecate
HEX_CDN
in favor ofHEX_REPO
andHEX_MIRROR
. See thehex
task for more information - Deprecate
:cdn_url
config in favor of:repo_url
andmirror_url
. See thehex.config
task for more information - Improve performance of parallel package fetching
- Use fastly instead of S3 for the Hex.pm repository
- Add
--delete
option tohex.config
task
- Show local time in hex.info
- Correctly unlock all dependencies on
deps.update
- Always fetch registry if it's missing or known to be old
- Fix incorrect build version check
- Fix parsing of requirements without spaces
- Append the OTP version to the user_agent function
- Improve output of http request timeout errors
- Warn if
:manager
or:compile
is set on dependencies when publishing - Add
--pre
flag tohex.outdated
- Use erlang binary term encoding for API instead of elixir encoding
- Pull package name from correct source when publish docs
- Pass canonical url to ex_doc task
- Change hexdocs links to use https
- Add
hex.outdated APP
to list all requirements on given dependency - Do not allow pre-releases for dependencies unless the requirement uses a pre-release version
- Optimize version cache memory usage
- Fix incorrect build version check for dev versions of Elixir
- Fix loop when backtracking in resolver
- Fix timeout errors on slow systems
- Make the experimental resolver the default
- Ensure registry can be opened/closed multiple times
- Ensure
hex.search
task handles empty results - Fix experimental resolvers only backtracking on parents that had requirements that failed
- Fix merging of overlapping parent and package versions in backtrack messages
- Fix bug when umbrella child has dependency with
:only
- General optimizations in dependency resolver
- Add experimental faster backtracker that does more aggressive backtracking,
set environment variable
HEX_EXPERIMENTAL_RESOLVER=1
to use it - Merge backtrack messages that have similar parents
- Merge multiple versions into version ranges when possible for more succinct backtrack messages
- Reduce memory usage when resolver produces many backtrack messages
- Fix a crash when a dependency is missing its version requirement
- Add support for authentication when using HTTP proxies
- Add more build information to
hex.info
task to ease debugging - Greatly improve backtracking error messages
- Prevent packages for being published without a description
- Improve error printing when S3 return errors
- Improve output from
hex.outdated
task - Warn if a package dependency is missing its requirement
- Improve error message from
hex.docs
task whenex_doc
dependency is missing - Remove useless output when fetching dependencies
- Improve package output in
hex.info
task
- Fix a rare bug that could cause the resolver to go into an infinite loop
- UTF8 encode package metadata
- Only list missing files if
:files
is set - Fix bug when umbrella child has dependency with
:only
- Pass build tool information to Mix (supported in Elixir 1.1.0)
- Make Hex a proper OTP application
- Update CA store
- Warn if files are missing when building package
- Improve error message when resolution fails because of a locked dependency
- Add
hex.registry
task for loading and dumping registry - Add
HEX_OFFLINE
for running in offline mode which skips fetching registry and packages - Add
hex.build
task for building package without publishing - Reduce noise when users gets lots of resolution errors and generally improve their output
- Add Server Name Indication support for HTTPS requests
- Add
HEX_UNSAFE_HTTPS
for disabling certificate checking - Rename
:contributors
metadata to:maintainers
to better reflect purpose of field
HEX_API
no longer automatically addsapi/
to URL- Fix crash when user doesn't explicitly override Hex package when needed
- Fix bug where metadata in package tarball was not properly UTF8 encoded
- Fix error message when registry file is missing
- Support
hex.outdated
task for umbrella projects - Do not raise on bad data in a users old lock
- Security fixes
- Fix a bug that would trust any certificate in the certificate chain signed by a trusted CA, this could allow the certificate, that is not a CA, to issue and sign new certificates for any host
- Sort dependency resolver results
- Fix build_tools metadata being sent incorrectly
- Warn if registry file is missing when loading deps
- Consider new optional requirements for already activated dependency
- Add multiple build tools to metadata
- Warn if using insecure SSL because of old OTP version
- Use yellow test for warning text
- Include build_tools in release metadata
- Print more metadata when publishing
- Fix an error when printing an http status codes
- Always fetch new registry if it's older than 7 days
- Add task
hex.user test
for testing user authentication. - Add task
hex.outdated
for listing outdated packages compared to the registry. - Update CA store as of April 3.
- Inform user if authentication failed because they did not confirm email.
- Improve error message for unsupported tarball version.
- Fix a bug where overriding a Hex dependency with a non-Hex dependency was ignored when the overriding at least two levels deep in the dependency tree
- Include all conflicting requirements in backtrack message
- Fix a bug where backtrack message failed on optional requests
- Fix an error when merging locked and optional dependencies
- Print messages on backtracks if dependency resolution failed, this is intended to help users resolve conflicts
- Fix a bug where a dependency converged in mix did not consider all its requirements
- Fix a bug where dependencies in the lock was considered even if they weren't requested
- Fix updating the registry
- Print proxy options on startup
- Add
mix hex.user password reset
and removemix hex.user update
- Create version 3 tarballs with erlang term encoded metadata
- Verify peer certificate against CA certificate public key in
partial_chain
- Fix a bug where overriding a Hex dependency with a non-Hex dependency was ignored when the overriding happened in a sub-dependency
- Create hex directory before writing registry
- Add PKIX hostname verification according to RFC6125
- Improve error messages from HTTP error codes
- Improve HTTP performance
- Add config options
api_url
,cdn_url
,http_proxy
andhttps_proxy
- Support both doc/ and docs/ as documentation directory
- Convert config file to erlang term file
- Add support for packages with a different OTP application name than the package name
- Add task
mix hex.docs
for uploading project documentation - Add email confirmation
- Allow you to change your password with
mix hex.user update
- Correctly display dependencies in
mix hex.info PACKAGE VERSION
- Verify peer certificates when fetching tarball
- Verify peer certificate for SSL (only available in OTP 17.3)
- Reduce archive size with compiler option
debug_info: false
- Add support for config as an erlang term file
- Warn if Hex was built against a different major.minor Elixir version
- Add task
hex.user whoami
that prints the locally authorized user - Add task
hex.user deauth
to deauthorize the local user - Rename environment variable
HEX_URL
toHEX_API
to not confuse it withHEX_CDN
- Print newline after progress bar
- Add progress bar for uploading the tarball when publishing
- Compare tarball checksum against checksum in registry
- Bump tarball support to version 3
- Rename task for authenticating on the local machine from
hex.key new
tohex.user auth
- Remove the ability to pass password as a CLI parameter
- Support lower-case proxy environment variables
- Remove any timeouts when fetching package tarballs