v0.20.6

Bug fixes

• Fix compatibility with OTP 24

v0.20.5

Enhancements

• Add timestamps to entries in registry cache for easier debugging
• Bump registry cache version to invalidate old caches
• Warn if fetching registry without outer checksum

Bug fixes

• Do not require that the registry supports outer checksums
• Missing outer checksum is not a mismatch, this will fix "out of date" errors when the manifest is newer than the lockfile

v0.20.4

Bug fixes

• Fix tarball file extraction through symlinks

v0.20.3

Enhancements

• Fetch the latest non-prerelease version of a package in mix hex.docs

Bug fixes

• Correctly handle old manifest files without crashing

v0.20.2

Enhancements

• Add --output option to mix hex.package fetch task
• Add cacerts_path configuration for custom CA certificate files
• Improve output in mix hex.publish to make it more clear to what repository you are publishing
• Explain red colors in hex.outdated

Bug fixes

• Fix HTTP timeout config
• Do not allow creating empty packages

Security fixes

• Fix for directory traversal vulnerability for symlinks in tarballs
• Update package checksum to include the entire tarball instead of specific files inside it

v0.20.1

Bug fixes

• Do not print transfer message when not transferring ownership

v0.20.0

Enhancements

• Add per-project Hex configuration. Configure Hex under the :hex key inside your project configuration in mix.exs
• Show location of package after running mix hex.build
• List all available Hex tasks when running mix hex
• List subtasks when running mix hex
• Remove tarball if it is invalid to avoid it being as cache in the future
• Show umbrella children mix.exs location in mix hex.outdated
• Add mix hex.owner transfer task
• Show improved error message on invalid configs
• Add mix hex.package fetch task
• Add mix hex.package diff task

Bug fixes

• Fix mirror_url config
• Fix api_url config
• Do no try to remove docs after reverting package – docs are already automatically removed

v0.19.0

Enhancements

• Improve output of mix hex.config
• Print publisher in mix hex.info PACKAGE VERSION
• Add organization flag to dependency config in mix hex.info PACKAGE

Bug fixes

• Don't follow symlinks when adding files to tarballs
• Error with a descriptive msg when building a package with git dependencies
• Improve listing of incompatible package versions when displaying backtrack error message
• Improve resolver performance when it needs to do a lot of backtracking

Security fixes

• Verify authenticity of registry records. This fixes a vulnerability that would allow a malicious mirror to serve modified versions of Hex packages. A new check has been introduced that requires the latest registry record version, if you are using a repository or mirror that has not been updated yet you can disable this check by setting the environment variable HEX_NO_VERIFY_REPO_ORIGIN=1. Further clarification of this issue will come at a later stage.

v0.18.2

Enhancements

• Add checks before publishing docs
• Update generated protobuf files for Registry with OTP 21 compatibility
• No longer list tasks in mix hex task
• Use hexdocs organization URLs
• Adds --dry-run option to publish tasks
• Do not print "Unchanged" dependencies on mix deps.get in green
• Validate hex config keys
• Add c_src/ and Makefile to default package files
• Publish Mix task docs on https://hexdocs.pm/hex
• Add recommendation when retiring and require --message flag

Bug fixes

• Use rebar3, not rebar, when guessing build tool
• Fix issue saving write key when reseting local password

v0.18.1

Bug fixes

• Fix normalization of repo paths when authenticating organization