- Fix crash when unpacking tarballs with broken symlinks
- Correct the type of build tools package metadata
- Fix crash when printing resolver output when having lock entries from other SCMs
- Fix crash when printing resolver output for old lock files
- Tarball and registry code has been extracted to the
hex_erlpackage - Hide retired versions when showing latest release in
hex.infotask - Add
hex.docs offlineandhex.docsonline tasks - Add
--key-nameflag to key generation tasks - Add
:exclude_patternsto package config for excluding files from package - Resolver now backtracks children before parents to improve versions selected when backtracking
- Change some errors to warnings when building private packages
- Group resolved dependency output into unchanged, updated, and downgraded when running
deps.getanddeps.updatetasks - Add authentication to
hex.docstask for showing private package documentation - Improve error message when package fetch times out
- General improvements to tasks when accessing organizations
- Fix wrong publish message when using
--organizationflag inhex.publishtask - Set file times inside tarballs to 2000-01-01 to fix tars on FAT file systems
- Fix
hex.docs opentask on Windows
- Handle missing package descriptions in
hex.searchtask - Fix printing of package checksum after publishing
- Increase
hex.publishtimeouts and make it configurable with:http_timeoutconfig andHEX_HTTP_TIMEOUTvariable - Test key before adding it with
hex.organization auth NAME --key KEY - Remove pre-release publish restriction for private packages
- Add package descriptions to
hex.searchtask - Improve error message when there are no versions matching requirement
- Add latest stable version to
hex.searchtask - Add
metadata.configfile to checked out dependency directory - Warn if we detect a lock entry from a newer Hex version
- Add
hex.build --outputandhex.build --unpacktasks - Preserve symlinks and empty directories in tar
- Simplify Hex output on deps.get
- General improvements to tarball creation and unpacking
- List umbrella children's top level dependencies in
hex.outdated - Include
.formatter.exsfile in default package builds - Prompt user when authentication is required
- Automatically auth all organizations when authing user with
hex.user auth - Highlight if a package release has been retired in
hex.info - Display package website links in
mix hex.owner packages
- Do not crash if failing to write tarball
- Disable HTTP pipelining to avoid bugs in HTTP client
- Also purge registry etags when repository source changed
- Retry HTTP requests on
:socket_closed_remotelyerrors - Fix package tarballs being reproducible
- Authenticate HTTP requests for
hex.search - Populate managers when initially getting dependencies
- Check dependencies on
hex.auditandhex.publish - Fix fetching of private packages that overrides public packages
- Fix HTTP redirect handling
- Don't display internal configs in
hex.config
- Improve error message when package does not exist
- Improve error message when no versions exist for given requirement
- Add
--keyflag tohex.organization authto authorize by giving a key directly without supplying a password - Add
hex.organization keyto generate a key for accessing the organization's repository
Hex.pm is adding support for private packages with organizations. See https://hex.pm/docs/private for more details. To authorize an organization on your machine run mix hex.organization auth acme, this will store the organization's repository details in Hex so that you can fetch packages from the repository. As soon as you are added as a member to an organization you can administer and publish packages, if you have the appropriate role, with the --organization flag or by setting the :organization option on the package configuration.
Different from the last release packages will always be pulled from the default hexpm repository and you have to override it with the :organization or :repo options on the dependency configuration.
- Add
hex.organizationtask - Rename
hex.user keyflag--remove*to--revoke*to clarify what it does - Add
--organizationflag to tasks working on packages - Add
:organizationoption to package configuration - Add support for publishing to organizations
- Improve error message when docs task is missing
- Add
--confirmflag tohex.publishtask
- Fix version validation exceptions
- Reintroduce
HEX_MIRRORenvironment variable - Preserve file modes when building tarball
- Disallow
:appoption for dependencies
- Add
mix hex.repo showtask for showing repo configuration - Improve error message if there are no releases for given requirement in the registry
- Add
mix hex.audittask for checking for retired packages
- Do not try to publish docs if package publish failed
- Do not update lock entry if only metadata changed
- Do not show authentication details when printing URLs
- Fix password reset
- Fix race condition where some entries may not be cached if they were added just before application closed
- Support PAX tarballs, created on OTP 20, when using older OTP versions. Additionally, make it less likely PAX tarballs are created
This version adds support for using packages from multiple repositories. With the hex.repo task additional repositories can be added to Hex. With it you can add additional repositories or replace the default "hexpm" repository by running mix hex.repo add hexpm ..., check the docs for more information. To use a dependency from another repository add repo: :my_other_repo to the dependency definition in mix.exs and make sure you have added my_other_repo with mix hex.repo add my_other_repo. Dependencies of a package will be automatically pulled from the same repository as the parent package unless otherwise stated with the :repo option on the dependency definition.
- Add
hex.repotask - Move
hex.keytasks tohex.user keys - Warn or error if publishing a package with pre-release dependencies
- Do not check for updates when running in offline mode
- Fix an issue where dependency resolution could take a very long time
- Do not publish docs if publishing the package failed
- Fix an issue where HTTP timeouts could cause the application to freeze
- Ensure managers always exist in the lock
With this new release you can mark versions of your packages as retired when you no longer recommend its use. This can be because the release has a serious security flaw, something went wrong with the release so that it's unusable or because the package has been renamed or deprecated. A retired version is still usable and fetchable but it will show as retired on hex.pm and when resolved Hex will show a warning to the user with the retirement message.
- Add --module flag to
hex.docstask - Changed
hex.outdatedtask to show if a dependency can be updated - Add
hex.retiretask for package retirement - Warn when resolving retired packages
- Restrict number of default SSL ciphers
- Do not make conditional HTTP request if file is missing
- Ensure cache file is saved when Hex exits
- Add environment variable
HEX_HTTP_CONCURRENCYfor limiting number of concurrent HTTP requests
- Fix compatibilities with older Elixir version (<= 1.1)
- Ensure build tools are unique in mix.lock and when publishing
- Fix
hex.docs openopening websites on Unix systems - Do not crash on diverged dependencies with conflicting SCMs
- Fix some duplicate HTTP requests on slow networks
- Limit concurrent registry HTTP requests
Hex has switched to a new registry format that is more efficient and will scale better as the registry grows. The new registry format is encoded with protocol buffers and is split into multiple files (one file per package) to avoid fetching one big file with data you will not need. The resolver will make more HTTP requests but will in total fetch much less data. The specification for the new format can be found here: hexpm/specifications#10. The old ETS based registry format is no longer supported in the client but will continue to be available from the registry for the foreseeable future.
hex.docs openwill by default open the online hexdocs for the given package- An
--offlineoption has been added tohex.docs openfor opening docs stored on your local filesystem and it will automatically fetch the docs if they are not available locally - Only support secure SSL ciphers and safe SSL versions (support for SSLv3 has been dropped)
- Improvements to the language in the resolver error messages
- Fix an issue where duplicate build tool names could be added to the package metadata
- Only error on non-Hex dependencies when building
- Most warnings on
hex.publishare now errors
- Fix bug where the old config format was not readable
- Convert old config format to new format on every read
- Fix
HEX_UNSAFE_REGISTRYnegation
- Inform about new Hex version in
hex.info - Support
extrametadata field - Print package checksum when building and publishing
- Warn if using registry from cache
- Show creation time of API keys in
hex.keys list - Improve the error message if OTP has broken SNI in
:sslapplication - Verify dependencies from registry against lock
- Hex will now automatically encrypt your local API key, use
hex.user passphraseto change the encryption passphrase - Improve resolver error message to mention behavior of pre-releases and overrides
- Improve error message if a dependency has configured the OTP application name incorrectly for another dependency
hex.publishnow also publishes docs by default, usehex.publish packageandhex.publish docsto respectively publish package and docs independentlyhex.docswill now open or fetch documentation tarballshex.key removewill now also de-auth the user if the local API key was removed- Add status messages when publishing and reverting
- Fix bug where the client was fetching packages even when lock is OK
- Fix resolver sometimes not producing any backtrack output
- Verify certificate against correct hostname after redirect
- Only show proxy settings when MIX_DEBUG=1
- Add retries to idempotent requests
- Fix crash when you get multiple backtrack messages
- Add package checksums to lock, ensuring a locked package can not change its content
- Add managers and deps to lock, allowing Hex to run without loading the registry
- Align deps fetching output from scm
- Update hex.pm repo URL to https://repo.hex.pm
- Link to policies when registering account
- Update CoC links
- Improve conflict messages
- Improve error messages when ex_doc is missing when publishing docs
- Show app name of dependency in
hex.info - Warn about long package descriptions
- Fix
HEX_UNSAFE_HTTPSenvironment variable andunsafe_httpsconfig
- Add more registry metrics to
hex.info
- Fix a bug where Hex was about a bit too enthusiastic when informing the user of new versions
- Fix some missing future-proofing of lock
- Use HTTPS to Hex.pm repository
- Make lock backwards compatible by treating it as a list and only matching on the front
- Correctly show update notification
- Remove duplicate parents from backtrack messages
- Fix invalid message in
hex.outdatedif locked version is a pre-release
- Do not crash if registry fails to fetch
- Remove force update of registry if it is more than a week old
- Verify registry signature against public key
- Improve missing registry error message
- Deprecate
HEX_CDNin favor ofHEX_REPOandHEX_MIRROR. See thehextask for more information - Deprecate
:cdn_urlconfig in favor of:repo_urlandmirror_url. See thehex.configtask for more information - Improve performance of parallel package fetching
- Use fastly instead of S3 for the Hex.pm repository
- Add
--deleteoption tohex.configtask
- Show local time in hex.info
- Correctly unlock all dependencies on
deps.update - Always fetch registry if it's missing or known to be old
- Fix incorrect build version check
- Fix parsing of requirements without spaces
- Append the OTP version to the user_agent function
- Improve output of http request timeout errors
- Warn if
:manageror:compileis set on dependencies when publishing - Add
--preflag tohex.outdated - Use erlang binary term encoding for API instead of elixir encoding
- Pull package name from correct source when publish docs
- Pass canonical url to ex_doc task
- Change hexdocs links to use https
- Add
hex.outdated APPto list all requirements on given dependency - Do not allow pre-releases for dependencies unless the requirement uses a pre-release version
- Optimize version cache memory usage
- Fix incorrect build version check for dev versions of Elixir
- Fix loop when backtracking in resolver
- Fix timeout errors on slow systems
- Make the experimental resolver the default
- Ensure registry can be opened/closed multiple times
- Ensure
hex.searchtask handles empty results - Fix experimental resolvers only backtracking on parents that had requirements that failed
- Fix merging of overlapping parent and package versions in backtrack messages
- Fix bug when umbrella child has dependency with
:only
- General optimizations in dependency resolver
- Add experimental faster backtracker that does more aggressive backtracking, set environment variable
HEX_EXPERIMENTAL_RESOLVER=1to use it - Merge backtrack messages that have similar parents
- Merge multiple versions into version ranges when possible for more succinct backtrack messages
- Reduce memory usage when resolver produces many backtrack messages
- Fix a crash when a dependency is missing its version requirement
- Add support for authentication when using HTTP proxies
- Add more build information to
hex.infotask to ease debugging - Greatly improve backtracking error messages
- Prevent packages for being published without a description
- Improve error printing when S3 return errors
- Improve output from
hex.outdatedtask - Warn if a package dependency is missing its requirement
- Improve error message from
hex.docstask whenex_docdependency is missing - Remove useless output when fetching dependencies
- Improve package output in
hex.infotask
- Fix a rare bug that could cause the resolver to go into an infinite loop
- UTF8 encode package metadata
- Only list missing files if
:filesis set - Fix bug when umbrella child has dependency with
:only
- Pass build tool information to Mix (supported in Elixir 1.1.0)
- Make Hex a proper OTP application
- Update CA store
- Warn if files are missing when building package
- Improve error message when resolution fails because of a locked dependency
- Add
hex.registrytask for loading and dumping registry - Add
HEX_OFFLINEfor running in offline mode which skips fetching registry and packages - Add
hex.buildtask for building package without publishing - Reduce noise when users gets lots of resolution errors and generally improve their output
- Add Server Name Indication support for HTTPS requests
- Add
HEX_UNSAFE_HTTPSfor disabling certificate checking - Rename
:contributorsmetadata to:maintainersto better reflect purpose of field
HEX_APIno longer automatically addsapi/to URL- Fix crash when user doesn't explicitly override Hex package when needed
- Fix bug where metadata in package tarball was not properly UTF8 encoded
- Fix error message when registry file is missing
- Support
hex.outdatedtask for umbrella projects - Do not raise on bad data in a users old lock
- Fix a bug that would trust any certificate in the certificate chain signed by a trusted CA, this could allow the certificate, that is not a CA, to issue and sign new certificates for any host
- Sort dependency resolver results
- Fix build_tools metadata being sent incorrectly
- Warn if registry file is missing when loading deps
- Consider new optional requirements for already activated dependency
- Add multiple build tools to metadata
- Warn if using insecure SSL because of old OTP version
- Use yellow test for warning text
- Include build_tools in release metadata
- Print more metadata when publishing
- Fix an error when printing an http status codes
- Always fetch new registry if it's older than 7 days
- Add task
hex.user testfor testing user authentication. - Add task
hex.outdatedfor listing outdated packages compared to the registry. - Update CA store as of April 3.
- Inform user if authentication failed because they did not confirm email.
- Improve error message for unsupported tarball version.
- Fix a bug where overriding a Hex dependency with a non-Hex dependency was ignored when the overriding at least two levels deep in the dependency tree
- Include all conflicting requirements in backtrack message
- Fix a bug where backtrack message failed on optional requests
- Fix an error when merging locked and optional dependencies
- Print messages on backtracks if dependency resolution failed, this is intended to help users resolve conflicts
- Fix a bug where a dependency converged in mix did not consider all its requirements
- Fix a bug where dependencies in the lock was considered even if they weren't requested
- Fix updating the registry
- Print proxy options on startup
- Add
mix hex.user password resetand removemix hex.user update - Create version 3 tarballs with erlang term encoded metadata
- Verify peer certificate against CA certificate public key in
partial_chain - Fix a bug where overriding a Hex dependency with a non-Hex dependency was ignored when the overriding happened in a sub-dependency
- Create hex directory before writing registry
- Add PKIX hostname verification according to RFC6125
- Improve error messages from HTTP error codes
- Improve HTTP performance
- Add config options
api_url,cdn_url,http_proxyandhttps_proxy - Support both doc/ and docs/ as documentation directory
- Convert config file to erlang term file
- Add support for packages with a different OTP application name than the package name
- Add task
mix hex.docsfor uploading project documentation - Add email confirmation
- Allow you to change your password with
mix hex.user update - Correctly display dependencies in
mix hex.info PACKAGE VERSION - Verify peer certificates when fetching tarball
- Verify peer certificate for SSL (only available in OTP 17.3)
- Reduce archive size with compiler option
debug_info: false - Add support for config as an erlang term file
- Warn if Hex was built against a different major.minor Elixir version
- Add task
hex.user whoamithat prints the locally authorized user - Add task
hex.user deauthto deauthorize the local user - Rename environment variable
HEX_URLtoHEX_APIto not confuse it withHEX_CDN
- Print newline after progress bar
- Add progress bar for uploading the tarball when publishing
- Compare tarball checksum against checksum in registry
- Bump tarball support to version 3
- Rename task for authenticating on the local machine from
hex.key newtohex.user auth - Remove the ability to pass password as a CLI parameter
- Support lower-case proxy environment variables
- Remove any timeouts when fetching package tarballs