
deps(elixir): bump the elixir-query-service group in /apps/query-service with 9 updates #206

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/hex/apps/query-service/elixir-query-service-c7c5b78873

Conversation

dependabot[bot] commented on behalf of github on Jun 8, 2026


Bumps the elixir-query-service group in /apps/query-service with 9 updates:

| Package | From | To |
| --- | --- | --- |
| bandit | 1.11.1 | 1.12.0 |
| broadway | 1.2.1 | 1.3.0 |
| castore | 1.0.18 | 1.0.19 |
| credo | 1.7.18 | 1.7.19 |
| ex_doc | 0.40.1 | 0.40.3 |
| mint | 1.7.1 | 1.9.0 |
| open_api_spex | 3.22.2 | 3.22.3 |
| req | 0.5.17 | 0.6.1 |
| tesla | 1.16.0 | 1.20.0 |

Updates bandit from 1.11.1 to 1.12.0

Changelog

Sourced from bandit's changelog.

1.12.0 (5 June 2026)

Changes

Fixes

  • Properly handle mixed-case Transfer-Encoding headers (#590, thanks @mize85!)

Enhancements

  • Internal improvements to HTTP/1 body read functions (#588)
Commits

Updates broadway from 1.2.1 to 1.3.0

Changelog

Sourced from broadway's changelog.

v1.3.0 (2026-04-17)

  • Add telemetry events around handle_failed
  • Include producer metadata in telemetry events
  • Add labels to Broadway stages
  • Fix race condition during graceful shutdown
Commits
  • d3a668c Release v1.3.0
  • dd2f405 Include producer metadata in per-message events (#370)
  • 966c59a Add :telemetry.span for handle_failed/2 callback (#369)
  • 370f180 Clarify some docs related to GenStage demand (#368)
  • 69d9052 Bump Elixir/Erlang CI matrix and GitHub actions (#365)
  • 8c66164 Add Process.set_label/1 to Broadway stages (#363)
  • d32d30d Catch exits if already down when trapping exits
  • f52f2f7 Fix graceful shutdown race condition (#362)
  • 136bea6 Add batch_size/0 and batch_size_fun/0 types (#361)
  • 7977502 Add new unofficial producer off_broadway_emqtt (#360)
  • Additional commits viewable in compare view

Updates castore from 1.0.18 to 1.0.19

Commits

Updates credo from 1.7.18 to 1.7.19

Release notes

Sourced from credo's releases.

v1.7.19

Check it out on Hex: https://hex.pm/packages/credo/1.7.19

  • Fix compatibility & compiler warnings with Elixir 1.20.0
Changelog

Sourced from credo's changelog.

1.7.19

  • Fix compatibility & compiler warnings with Elixir 1.20.0
Commits

Updates ex_doc from 0.40.1 to 0.40.3

Changelog

Sourced from ex_doc's changelog.

v0.40.3 (2026-05-21)

  • Enhancements
    • Add autolinking for Erlang/OTP 29 native records

v0.40.2 (2026-05-08)

  • Bug fixes
    • Add rel="nofollow" to external links in HTML output
    • Use blockquote in llms.txt description
    • Void elements in epub, such as wbr, must be terminated by the matching end-tag
    • Fix content container scrolling in older versions of Safari
    • Skip HTML comments when computing synopsis
    • Fix markdown backend code fence language and opaque type display
    • Fix false positive warning when linking to asset files
    • Prevent #search selector from impacting user content
    • Raise on extras that conflict with reserved filenames
    • Fix styling of admonition blocks
Commits

Updates mint from 1.7.1 to 1.9.0

Changelog

Sourced from mint's changelog.

v1.9.0

Security

  • Validate the HTTP/1.1 request method as an RFC 9110 token, rejecting CRLF and other control characters. Forwarding attacker-controlled input as the request method was exposed to CRLF injection (request header injection and request smuggling). Fixes GHSA-2pg6-44cx-c49v.
  • Reject HTTP/1.1 content-length header values that are not strictly 1*DIGIT, so signed values (such as +0) and embedded whitespace no longer parse as valid lengths. This parser disagreement with a strict fronting proxy was a response-smuggling primitive. Fixes GHSA-mjqx-c6f6-7rc2.
  • Bound the HTTP/2 accumulated header block by the locally advertised SETTINGS_MAX_HEADER_LIST_SIZE (now defaulting to 256 KB instead of :infinity), so a malicious server can no longer exhaust client memory with an unbounded chain of CONTINUATION frames. Fixes GHSA-2p26-p43x-fhp8.
  • Count reserved HTTP/2 streams against max_concurrent_streams at PUSH_PROMISE time and refuse promises past the limit with RST_STREAM, so a malicious server can no longer exhaust client memory by flooding PUSH_PROMISE frames. Fixes GHSA-g586-ccqf-7x4r.

Bug Fixes and Improvements

  • Mint.HTTP.stream/2 now returns :unknown (not :unknown_message) when given a message it does not recognize.

v1.8.0

New features

  • Raise the default HTTP/2 receive windows to 16 MB (connection) and 4 MB (stream), and batch HTTP/2 receive-window refills. The larger windows lift the per-stream throughput cap (window / RTT), giving substantially higher throughput on higher-latency connections, in exchange for higher peak memory use per connection. The connection-level window is now configurable via the new :connection_window_size option to Mint.HTTP.connect/4, and refill batching is configurable via the new :receive_window_update_threshold option.
  • Add Mint.HTTP2.set_window_size/3 for advertising a larger receive window to the server after a connection has been established.
  • Add Mint.HTTP.request_body_window/2 for querying the available send-window when streaming a request body.
  • Introduce the :optional_responses option for Mint.HTTP1.connect/4, with a :status_reason value that surfaces the HTTP/1.1 status reason-phrase as a new {:status_reason, request_ref, reason_phrase} response.
  • Change t:Mint.HTTP.t/0 from an opaque to an open type.
  • Add t:Mint.HTTPError.reason/0 and t:Mint.TransportError.reason/0.

Bug Fixes and Improvements

  • Fix HTTP/1 handling of 1xx informational responses.
  • Forbid or replace empty targets in HTTP/1.1 requests.
Commits
  • d1c8c5c Release v1.9.0
  • 1ed6748 Fix stale Dialyzer ignore after method validation change
  • 70b97b6 Merge commit from fork
  • b662d12 Merge commit from fork
  • fad0914 Merge commit from fork
  • 47e4802 Merge commit from fork
  • b8d2393 Mint.HTTP.stream/2 returns :unknown, not :unknown_message, on error (#487)
  • ef8f3a1 Release v1.8.0
  • ddf2e1d Document since-version for new HTTP/2 receive-window options
  • 4c4bf91 feat: polymorphic helper for request body streaming (#485)
  • Additional commits viewable in compare view

Updates open_api_spex from 3.22.2 to 3.22.3

Release notes

Sourced from open_api_spex's releases.

v3.22.3

What's Changed

New Contributors

Full Changelog: open-api-spex/open_api_spex@v3.22.2...v3.22.3

Changelog

Sourced from open_api_spex's changelog.

v3.22.3 - 2026-05-05

Commits

Updates req from 0.5.17 to 0.6.1

Release notes

Sourced from req's releases.

v0.6.1

v0.6.0

  • encode_body: Security fix for :form_multipart header injection (GHSA-px9f-whj3-246m).

    The multipart encoder interpolated the per-part name, filename, and content_type into the part headers without escaping, so an attacker-controlled value could inject extra headers or smuggle additional parts into the request. These values are now escaped per RFC 7578 / WHATWG form-data (", CR, and LF are percent-encoded).

    Thanks to @PJUllrich for reporting it.

  • decode_body: Drop automatic zip/tar/tgz/gz/zst/csv decoding, (GHSA-655f-mp8p-96gv).

    Req previously auto-decoded archive and compressed response bodies (zip, tar, tgz, gz, zst, and csv) based on the server-supplied content-type, materialising the full decompressed contents in memory with no size cap. An attacker-controlled (or redirect-reachable) endpoint could return a tiny "decompression bomb" that expanded to gigabytes and exhausted the node's memory.

    Now only JSON is decoded by default. Other formats are opt-in via the new :decoders option, which defaults to [:json, :json_api]. Setting it replaces the default (include :json to keep JSON decoding), and false disables all decoding:

    # opt into archives (only for endpoints you trust):
    Req.get!(url, decoders: [:json, :zip])
    

    Note: The decoded zip/tar is still a list of {filename :: charlist(), contents :: binary} tuples. In a future release, this will be a list of {filename :: binary(), contents :: binary()} tuples.

    While automatic CSV decoding wasn't a security issue, the behaviour, which depended on the presence or absence of the nimble_csv dependency, was surprising. CSV support is still built in but needs to be enabled with decoders: [:csv].

... (truncated)

Changelog

Sourced from req's changelog.

v0.6.1 (2026-06-08)

  • [compressed], [decompress_body]: Disable automatic decompression

    Decompression is now opt-in by setting compressed: true.

v0.6.0 (2026-06-08)

  • [encode_body]: Security fix for :form_multipart header injection (GHSA-px9f-whj3-246m).

    The multipart encoder interpolated the per-part name, filename, and content_type into the part headers without escaping, so an attacker-controlled value could inject extra headers or smuggle additional parts into the request. These values are now escaped per RFC 7578 / WHATWG form-data (", CR, and LF are percent-encoded).

    Thanks to @PJUllrich for reporting it.

  • [decode_body]: Drop automatic zip/tar/tgz/gz/zst/csv decoding, (GHSA-655f-mp8p-96gv).

    Req previously auto-decoded archive and compressed response bodies (zip, tar, tgz, gz, zst, and csv) based on the server-supplied content-type, materialising the full decompressed contents in memory with no size cap. An attacker-controlled (or redirect-reachable) endpoint could return a tiny "decompression bomb" that expanded to gigabytes and exhausted the node's memory.

    Now only JSON is decoded by default. Other formats are opt-in via the new :decoders option, which defaults to [:json, :json_api]. Setting it replaces the default (include :json to keep JSON decoding), and false disables all decoding:

    # opt into archives (only for endpoints you trust):
    Req.get!(url, decoders: [:json, :zip])
    

    Note: The decoded zip/tar is still a list of {filename :: charlist(), contents :: binary} tuples. In a future release, this will be a list of {filename :: binary(), contents :: binary()} tuples.

    While automatic CSV decoding wasn't a security issue, the behaviour, which depended on the presence or absence of the nimble_csv dependency, was surprising. CSV support is still built in but needs to be enabled with decoders: [:csv].

    Custom decoders are supported via {format, codec} tuples, where codec is a module exporting decode/1 or a 1-arity function returning an :ok/:error tuple, for example:

... (truncated)

Commits
  • 36a8252 Release v0.6.1
  • ea5506f compressed, decompress_body: Disable automatic decompression
  • 8e7425f Release v0.6.0
  • 584a490 decode_body: Drop automatic zip/tar/tgz/gz/zst/csv decoding
  • 2d77dbe encode_body: Security fix for :form_multipart header injection
  • 53c3b99 Release v0.5.18
  • dc1f3be Update ex_doc
  • dbd145c Update CHANGELOG.md
  • 75f077e retry: Automatically retry on :pool_not_available
  • 4cfbf54 run_finch: Normalize Finch.TransportError,HTTPError (Finch 0.22+) (#544)
  • Additional commits viewable in compare view

Updates tesla from 1.16.0 to 1.20.0

Release notes

Sourced from tesla's releases.

v1.20.0

1.20.0 (2026-06-05)

Features

  • support {:form,data} tagged body tuples (#886) (b1b3b80)

v1.19.0

1.19.0 (2026-06-04)

Features

  • finch-adapter: Finch adapter will pass through all supported options (#879) (7609328)
  • form-urlencoded: support nested bodies via :brackets option (#878) (f7142e8)

v1.18.3

1.18.3 (2026-06-02)

Important

Please be careful when using :hackney; it is recommended to actually test the application before assuming we did not introduce any breaking changes. Also, be aware of the security vulnerabilities we have fixed in this release. Some of them may cause some unexpected behavior from the middleware depending on the assumptions made by the caller.

Features

Security CVE

  • CVE-2026-48598 - Multipart part smuggling via unescaped content-disposition values
  • CVE-2026-48597 - Atom exhaustion via untrusted URL scheme
  • CVE-2026-48596 - CRLF injection in request Content-Type header via add_content_type_param
  • CVE-2026-48595 - Authorization header leaks on cross-origin redirect via case-sensitive filtering
  • CVE-2026-48594 - Decompression bomb on response body

v1.18.2

1.18.2 (2026-05-15)

Bug Fixes

  • builder: include :assigns and :private in request option type (#876) (f5834c1)

v1.18.1

1.18.1 (2026-05-14)

... (truncated)

Changelog

Sourced from tesla's changelog.

1.20.0 (2026-06-05)

Features

  • support {:form,data} tagged body tuples (#886) (b1b3b80)

1.19.0 (2026-06-04)

Features

  • finch-adapter: Finch adapter will pass through all supported options (#879) (7609328)
  • form-urlencoded: support nested bodies via :brackets option (#878) (f7142e8)

1.18.3 (2026-06-02)

Important

Please be careful when using :hackney; it is recommended to actually test the application before assuming we did not introduce any breaking changes. Also, be aware of the security vulnerabilities we have fixed in this release. Some of them may cause some unexpected behavior from the middleware depending on the assumptions made by the caller.

Features

Security CVE

  • CVE-2026-48598 - Multipart part smuggling via unescaped content-disposition values
  • CVE-2026-48597 - Atom exhaustion via untrusted URL scheme
  • CVE-2026-48596 - CRLF injection in request Content-Type header via add_content_type_param
  • CVE-2026-48595 - Authorization header leaks on cross-origin redirect via case-sensitive filtering
  • CVE-2026-48594 - Decompression bomb on response body

1.18.2 (2026-05-15)

Bug Fixes

  • builder: include :assigns and :private in request option type (#876) (f5834c1)

1.18.1 (2026-05-14)

Bug Fixes

  • path-params: raise on missing required path parameter values (#874) (a1dd44b)

... (truncated)

Commits
  • 901ce60 chore(master): release 1.20.0 (#887)
  • b1b3b80 feat: support {:form,data} tagged body tuples (#886)
  • 603ea34 chore(master): release 1.19.0 (#885)
  • 7609328 feat(finch-adapter): Finch adapter will pass through all supported options (#...
  • f7142e8 feat(form-urlencoded): support nested bodies via :brackets option (#878)
  • 2d3c800 chore(ci): bump release workflow to Elixir 1.19 / OTP 28 (#884)
  • 2eb7a78 chore(master): release 1.18.3 (#883)
  • 3a369b8 chore: release 1.18.3
  • 340f75b Merge commit from fork
  • db963db Merge commit from fork
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the elixir-query-service group in /apps/query-service with 9 updates:

| Package | From | To |
| --- | --- | --- |
| [bandit](https://github.com/mtrudel/bandit) | `1.11.1` | `1.12.0` |
| [broadway](https://github.com/dashbitco/broadway) | `1.2.1` | `1.3.0` |
| [castore](https://github.com/elixir-mint/castore) | `1.0.18` | `1.0.19` |
| [credo](https://github.com/rrrene/credo) | `1.7.18` | `1.7.19` |
| [ex_doc](https://github.com/elixir-lang/ex_doc) | `0.40.1` | `0.40.3` |
| [mint](https://github.com/elixir-mint/mint) | `1.7.1` | `1.9.0` |
| [open_api_spex](https://github.com/open-api-spex/open_api_spex) | `3.22.2` | `3.22.3` |
| [req](https://github.com/wojtekmach/req) | `0.5.17` | `0.6.1` |
| [tesla](https://github.com/elixir-tesla/tesla) | `1.16.0` | `1.20.0` |


Updates `bandit` from 1.11.1 to 1.12.0
- [Changelog](https://github.com/mtrudel/bandit/blob/main/CHANGELOG.md)
- [Commits](mtrudel/bandit@1.11.1...1.12.0)

Updates `broadway` from 1.2.1 to 1.3.0
- [Changelog](https://github.com/elixir-broadway/broadway/blob/main/CHANGELOG.md)
- [Commits](elixir-broadway/broadway@v1.2.1...v1.3.0)

Updates `castore` from 1.0.18 to 1.0.19
- [Commits](elixir-mint/castore@v1.0.18...v1.0.19)

Updates `credo` from 1.7.18 to 1.7.19
- [Release notes](https://github.com/rrrene/credo/releases)
- [Changelog](https://github.com/rrrene/credo/blob/v1.7.19/CHANGELOG.md)
- [Commits](rrrene/credo@v1.7.18...v1.7.19)

Updates `ex_doc` from 0.40.1 to 0.40.3
- [Release notes](https://github.com/elixir-lang/ex_doc/releases)
- [Changelog](https://github.com/elixir-lang/ex_doc/blob/main/CHANGELOG.md)
- [Commits](elixir-lang/ex_doc@v0.40.1...v0.40.3)

Updates `mint` from 1.7.1 to 1.9.0
- [Changelog](https://github.com/elixir-mint/mint/blob/main/CHANGELOG.md)
- [Commits](elixir-mint/mint@v1.7.1...v1.9.0)

Updates `open_api_spex` from 3.22.2 to 3.22.3
- [Release notes](https://github.com/open-api-spex/open_api_spex/releases)
- [Changelog](https://github.com/open-api-spex/open_api_spex/blob/master/CHANGELOG.md)
- [Commits](open-api-spex/open_api_spex@v3.22.2...v3.22.3)

Updates `req` from 0.5.17 to 0.6.1
- [Release notes](https://github.com/wojtekmach/req/releases)
- [Changelog](https://github.com/wojtekmach/req/blob/main/CHANGELOG.md)
- [Commits](wojtekmach/req@v0.5.17...v0.6.1)

Updates `tesla` from 1.16.0 to 1.20.0
- [Release notes](https://github.com/elixir-tesla/tesla/releases)
- [Changelog](https://github.com/elixir-tesla/tesla/blob/master/CHANGELOG.md)
- [Commits](elixir-tesla/tesla@v1.16.0...v1.20.0)

---
updated-dependencies:
- dependency-name: bandit
  dependency-version: 1.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: elixir-query-service
- dependency-name: broadway
  dependency-version: 1.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: elixir-query-service
- dependency-name: castore
  dependency-version: 1.0.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: elixir-query-service
- dependency-name: credo
  dependency-version: 1.7.19
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: elixir-query-service
- dependency-name: ex_doc
  dependency-version: 0.40.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: elixir-query-service
- dependency-name: mint
  dependency-version: 1.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: elixir-query-service
- dependency-name: open_api_spex
  dependency-version: 3.22.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: elixir-query-service
- dependency-name: req
  dependency-version: 0.6.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: elixir-query-service
- dependency-name: tesla
  dependency-version: 1.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: elixir-query-service
...

Signed-off-by: dependabot[bot] <support@github.com>
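The parser and middleware rules described in the changelog excerpts above (mint 1.9.0's RFC 9110 token check on the request method and strict 1*DIGIT content-length, req 0.6.0's escaping of multipart part values, and tesla 1.18.3's case-insensitive credential stripping on cross-origin redirects) written out as an added example in plain Elixir. This is not code from mint, req or tesla and does not call any of them; it exists so the behaviour a reviewer is relying on when approving this bump can be checked against sample inputs. The module and function names, the set of headers treated as credentials, and the exact percent-encoded forms used for the multipart escape are this example's own assumptions, not something the changelogs state.

```elixir
# Added example, not code from mint, req or tesla. Module and function names,
# the list of headers treated as credentials, and the exact percent-encoded
# forms are this example's own choices; the rules follow the changelog entries.
# Run with: elixir header_hardening.exs
defmodule HeaderHardening do
  # RFC 9110 tchar: "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
  # "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
  @tchar_extra ~C"!#$%&'*+-.^_`|~"

  defp tchar?(c) when c in ?0..?9 or c in ?A..?Z or c in ?a..?z, do: true
  defp tchar?(c), do: c in @tchar_extra

  # mint 1.9.0: the request method must be a non-empty token, so CR/LF and
  # other control characters in a caller-supplied method never reach the wire.
  def validate_method(method) when is_binary(method) and byte_size(method) > 0 do
    if Enum.all?(:binary.bin_to_list(method), &tchar?/1),
      do: {:ok, method},
      else: {:error, :invalid_method}
  end

  def validate_method(_), do: {:error, :invalid_method}

  # mint 1.9.0: content-length is accepted only as 1*DIGIT. "+0", " 42" and a
  # trailing CRLF are rejected instead of being parsed leniently, which is what
  # created the disagreement with a strict fronting proxy.
  def parse_content_length(value) when is_binary(value) do
    if value =~ ~r/\A[0-9]+\z/,
      do: {:ok, String.to_integer(value)},
      else: {:error, :invalid_content_length}
  end

  # req 0.6.0: per-part name, filename and content_type are escaped before they
  # are interpolated into the part headers. Percent-encoding the double quote,
  # CR and LF is this example's reading of the RFC 7578 / WHATWG rule cited.
  def escape_part_value(value) when is_binary(value) do
    value
    |> String.replace("\"", "%22")
    |> String.replace("\r", "%0D")
    |> String.replace("\n", "%0A")
  end

  def part_header(name, filename) do
    "content-disposition: form-data; name=\"#{escape_part_value(name)}\"; " <>
      "filename=\"#{escape_part_value(filename)}\""
  end

  # tesla 1.18.3: credential headers are dropped when a redirect leaves the
  # origin, and the header-name comparison is case-insensitive. Which headers
  # count as credentials is this example's assumption.
  @credential_headers ~w(authorization proxy-authorization cookie)

  def headers_for_redirect(headers, from_url, to_url) do
    if same_origin?(URI.parse(from_url), URI.parse(to_url)) do
      headers
    else
      Enum.reject(headers, fn {name, _value} ->
        String.downcase(name) in @credential_headers
      end)
    end
  end

  # URI.parse/1 fills in the default port for known schemes, so http and https
  # on the same host still compare as different origins.
  defp same_origin?(%URI{scheme: s, host: h, port: p}, %URI{scheme: s, host: h, port: p}), do: true
  defp same_origin?(_from, _to), do: false
end

# Constructed sample inputs; each match raises MatchError if a rule regresses.
{:ok, "GET"} = HeaderHardening.validate_method("GET")
{:error, :invalid_method} = HeaderHardening.validate_method("GET /admin HTTP/1.1\r\nX-Injected: 1\r\nPOST")
{:error, :invalid_method} = HeaderHardening.validate_method("")

{:ok, 42} = HeaderHardening.parse_content_length("42")
{:error, :invalid_content_length} = HeaderHardening.parse_content_length("+0")
{:error, :invalid_content_length} = HeaderHardening.parse_content_length(" 42")
{:error, :invalid_content_length} = HeaderHardening.parse_content_length("42\r\n")

"content-disposition: form-data; name=\"file\"; filename=\"a%22%0D%0AX-Evil: 1%0D%0A\"" =
  HeaderHardening.part_header("file", "a\"\r\nX-Evil: 1\r\n")

# Cross-origin redirect: Authorization and Cookie are dropped regardless of case.
[{"accept", "application/json"}] =
  HeaderHardening.headers_for_redirect(
    [{"Authorization", "Bearer secret"}, {"Cookie", "sid=1"}, {"accept", "application/json"}],
    "https://api.example.com/v1/items",
    "https://cdn.example.net/items"
  )

# Same origin: credentials travel with the redirected request.
[{"Authorization", "Bearer secret"}] =
  HeaderHardening.headers_for_redirect(
    [{"Authorization", "Bearer secret"}],
    "https://api.example.com/v1/items",
    "https://api.example.com/v2/items"
  )

IO.puts("all header-hardening checks passed")
```

The same pattern-match checks can be dropped into the query service's test suite against whatever wrapper it puts around Req or Tesla: feed the injected method, the signed content-length, the CRLF-bearing filename and the cross-origin redirect through the real client after this bump and confirm each is rejected, escaped or stripped rather than forwarded.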

dependabot[bot] commented on behalf of github on Jun 8, 2026


Labels

The following labels could not be found: dependencies, elixir. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.


vercel Bot commented Jun 8, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| all-source-admin | Ready | Preview, Comment | Jun 8, 2026 6:58pm |
| all-source-web | Ready | Preview, Comment | Jun 8, 2026 6:58pm |
