
build(deps): bump the mix-production-dependencies group across 1 directory with 7 updates#202

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/hex/src/flagd-ui/mix-production-dependencies-eaced884b4

Conversation


dependabot[bot] commented on behalf of GitHub on Jun 11, 2026


Bumps the mix-production-dependencies group with 7 updates in the /src/flagd-ui directory:

| Package | From | To |
| --- | --- | --- |
| bandit | 1.10.3 | 1.12.0 |
| jason | 1.4.4 | 1.4.5 |
| phoenix | 1.8.5 | 1.8.8 |
| phoenix_live_view | 1.1.26 | 1.2.0 |
| req | 0.5.17 | 0.6.1 |
| swoosh | 1.23.0 | 1.26.1 |
| tailwind | 0.4.1 | 0.5.0 |

Updates bandit from 1.10.3 to 1.12.0

Changelog

Sourced from bandit's changelog.

1.12.0 (5 June 2026)

Changes

Fixes

  • Properly handle mixed-case Transfer-Encoding headers (#590, thanks @mize85!)

Enhancements

  • Internal improvements to HTTP/1 body read functions (#588)

1.11.1 (13 May 2026)

Fixes

Changes

  • We no longer disallow . and .. path components in HTTP/2 absolute paths (#581)

1.11.0 (1 May 2026)

Fixes

Enhancements

  • Define a new max_inflate_ratio WebSocket configuration option that defines a maximum allowable decompression ratio to help mitigate inflate bombing. Defaults to 25:1
  • Define a new max_fragmented_message_size WebSocket configuration option which defines the maximum allowed WebSocket frame size (inclusive of continuation frames). Defaults to 8MB

Changes

  • The default value of the max_frame_size WebSocket option has changed from :infinity to 8MB
  • Zero length non-fin continuation frames are now disallowed (we now skip Autobahn 6.1.2 as a result)
  • Multiple content-length fields in an HTTP/1 request are now disallowed (CVE-2026-39805, commit f2ca636, thanks @PJUllrich & @maennchen!)
  • We now only use the underlying transport when determining scheme (CVE-2026-39807, commit 45feea2, thanks @PJUllrich & @maennchen!)

... (truncated)

Commits

Updates jason from 1.4.4 to 1.4.5

Changelog

Sourced from jason's changelog.

1.4.5 (05.05.2026)

  • Add support for Decimal 3.0

Commits
  • 4ede428 Bump v1.4.5
  • b8c2185 Fix dialyzer job
  • a363975 Modernise CI to currently supported versions
  • 243c8a8 Allow decimal 3.0
  • c8e8d05 Revert the experimental 1.5 branch and jason_native experiment
  • 0e7a3e2 Add example/doctest for Jason.OrderedObject.new/1
  • 984bc07 fix broken link
  • f775592 Raise if trying to decode decimals without decimal
  • 79d59df Remove unneeded workarounds for xref warnings
  • baac78e Fix warnings by conditionally compiling Decimal support
  • Additional commits viewable in compare view

Updates phoenix from 1.8.5 to 1.8.8

Changelog

Sourced from phoenix's changelog.

1.8.8 (2026-06-10)

Enhancements

  • [phx.new] Use LiveView 1.2.0

1.8.7 (2026-05-06)

Bug fixes

  • Fix invalid status when longpoll request times out

Enhancements

  • Mask token parameter in logs by default (in addition to "password")

JavaScript Client Bug Fixes

  • Fix encoding of non-ASCII metadata in binary channel messages

1.8.6 (2026-05-05)

Security fixes

  • CVE-2026-32689: Fix Phoenix.Socket Longpoll transport memory exhaustion in nd-JSON body splitting

Enhancements

  • [phoenix] Raise if use Phoenix.VerifiedRoutes is called multiple times in the same module
  • [phoenix] Fix more deprecation and type checker warnings on Elixir 1.20
  • [phoenix] Raise when interpolating a list in Phoenix.VerifiedRoutes (#6632)
  • [phoenix] Gracefully handle non-binary vsn socket parameter (#6662)
  • [phx.gen.*] Use .eex filename suffix in generator files
  • [phx.new] Add interactive mode: mix phx.new --interactive (#6630)
  • [phx.new] Add phx-no-format to generated <.live_title> tag (#6667)

Bug fixes

  • [phx.gen.*] Fix generated migrations for myxql when using scopes (#6635)
  • [phx.new] Fix crash when parent directory contains a colon (#6633)

Commits
  • 99df0a9 Release v1.8.8
  • 729f781 Generator changes for LiveView 1.2 (#6696)
  • d453e37 Use Elixir's builtin consolidation from v1.19, closes #4951
  • f30fa36 Clarify channel payloads can be any serializable value (#6695)
  • e1e7912 Replace all hexdocs URLs with the subdomain format (#6693)
  • cf9dd26 Add README template for Phoenix umbrella (#6691)
  • 39eb5dd Refactor template override backward compatibility test (#6684)
  • e1c3816 chore: small typo fix in controllers.md (#6689)
  • b6a4e31 Make websocket disconnect codes explicit (#6678)
  • eea4895 Add eex suffix to phx.gen.auth template override test (#6680)
  • Additional commits viewable in compare view

Updates phoenix_live_view from 1.1.26 to 1.2.0

Release notes

Sourced from phoenix_live_view's releases.

v1.2.0

Enhancements

  • Support events pushed when connected mount redirects (#4269)

Bug fixes

  • Ensure for comprehensions in HEEx use deterministic variables
  • Ensure connect_params are kept when following redirects in LiveViewTest (#4005)
  • Ensure exceptions during LiveComponent renders are emitted as :telemetry event (#4258)
  • Fix whitespace handling of EEx nodes in HEEx compiler (#4277)

v1.2.0-rc.3

Enhancements

Bug fixes

  • Fix nested assign change tracking (#4225)
  • Ensure Phoenix.LiveViewTest.live_redirect/2 properly passes the URI as a string in handle_params (#4247)

v1.2.0-rc.2

Bug fixes

  • Ensure internal phx-viewport hook does not crash on update if no scroll container is used (#4214)

v1.2.0-rc.1

Enhancements

  • Align Phoenix.Component global attributes list with reference list from MDN (#4207). If you relied on one of the removed attributes, use the include option instead. For example:
    attr :rest, :global, include: ~w(width height)
  • Allow setting id attributes clientside for accessibility with this.js().setAttribute() (#4146)
  • Export getFileURLForUpload helper (#4206)
  • Use moveBefore if available when reordering stream items (#4212)

Bug fixes

  • Handle locks on skipped nodes (#4209)

v1.2.0-rc.0

Enhancements

... (truncated)

Changelog

Sourced from phoenix_live_view's changelog.

v1.2.0 (2026-06-10) 🚀

Enhancements

  • Support events pushed when connected mount redirects (#4269)

Bug fixes

  • Ensure for comprehensions in HEEx use deterministic variables
  • Ensure connect_params are kept when following redirects in LiveViewTest (#4005)
  • Ensure exceptions during LiveComponent renders are emitted as :telemetry event (#4258)
  • Fix whitespace handling of EEx nodes in HEEx compiler (#4277)

v1.2.0-rc.3 (2026-05-29)

Enhancements

Bug fixes

  • Fix nested assign change tracking (#4225)
  • Ensure Phoenix.LiveViewTest.live_redirect/2 properly passes the URI as a string in handle_params (#4247)

v1.2.0-rc.2 (2026-05-05)

Bug fixes

  • Ensure internal phx-viewport hook does not crash on update if no scroll container is used (#4214)

v1.2.0-rc.1 (2026-05-04)

Enhancements

  • Align Phoenix.Component global attributes list with reference list from MDN (#4207). If you relied on one of the removed attributes, use the include option instead. For example:
    attr :rest, :global, include: ~w(width height)
  • Allow setting id attributes clientside for accessibility with this.js().setAttribute() (#4146)
  • Export getFileURLForUpload helper (#4206)
  • Use moveBefore if available when reordering stream items (#4212)

Bug fixes

  • Handle locks on skipped nodes (#4209)

v1.2.0-rc.0 (2026-04-23)

Enhancements

... (truncated)

Commits
  • 923e859 Release v1.2.0
  • 0f57334 ensure connect_params are kept when following redirects (#4249)
  • 1c6723f Run CI on Elixir 1.20 + OTP 29
  • 2d0d81a Update assets
  • d2981e5 Support events pushed when connected mount redirects (#4279)
  • 3c0d113 Wrap renders caused by component updates in a telemetry span (#4278)
  • 75dd8d1 Fix whitespace handling in HEEx compiler EEx nodes (#4277)
  • e514f02 fix tag compiler regressions
  • 97e4d5e fix comma in README
  • f17f149 Document handle_event takes payload, not unsigned_params (#4268)
  • Additional commits viewable in compare view

Updates req from 0.5.17 to 0.6.1

Release notes

Sourced from req's releases.

v0.6.1

v0.6.0

  • encode_body: Security fix for :form_multipart header injection (GHSA-px9f-whj3-246m).

    The multipart encoder interpolated the per-part name, filename, and content_type into the part headers without escaping, so an attacker-controlled value could inject extra headers or smuggle additional parts into the request. These values are now escaped per RFC 7578 / WHATWG form-data (", CR, and LF are percent-encoded).

    Thanks to @PJUllrich for reporting it.

  • decode_body: Drop automatic zip/tar/tgz/gz/zst/csv decoding (GHSA-655f-mp8p-96gv).

    Req previously auto-decoded archive and compressed response bodies (zip, tar, tgz, gz, zst, and csv) based on the server-supplied content-type, materialising the full decompressed contents in memory with no size cap. An attacker-controlled (or redirect-reachable) endpoint could return a tiny "decompression bomb" that expanded to gigabytes and exhausted the node's memory.

    Now only JSON is decoded by default. Other formats are opt-in via the new :decoders option, which defaults to [:json, :json_api]. Setting it replaces the default (include :json to keep JSON decoding), and false disables all decoding:

    # opt into archives (only for endpoints you trust):
    Req.get!(url, decoders: [:json, :zip])
    

    Note: The decoded zip/tar is still a list of {filename :: charlist(), contents :: binary} tuples. In a future release, this will be a list of {filename :: binary(), contents :: binary()} tuples.

    While automatic CSV decoding wasn't a security issue, the behaviour based on the presence/absence of the nimble_csv dependency was surprising. CSV support is still built-in but needs to be enabled with decoders: [:csv].

... (truncated)

Changelog

Sourced from req's changelog.

v0.6.1 (2026-06-08)

  • [compressed], [decompress_body]: Disable automatic decompression

    Decompression is now opt-in by setting compressed: true.

v0.6.0 (2026-06-08)

  • [encode_body]: Security fix for :form_multipart header injection (GHSA-px9f-whj3-246m).

    The multipart encoder interpolated the per-part name, filename, and content_type into the part headers without escaping, so an attacker-controlled value could inject extra headers or smuggle additional parts into the request. These values are now escaped per RFC 7578 / WHATWG form-data (", CR, and LF are percent-encoded).

    Thanks to @PJUllrich for reporting it.

  • [decode_body]: Drop automatic zip/tar/tgz/gz/zst/csv decoding (GHSA-655f-mp8p-96gv).

    Req previously auto-decoded archive and compressed response bodies (zip, tar, tgz, gz, zst, and csv) based on the server-supplied content-type, materialising the full decompressed contents in memory with no size cap. An attacker-controlled (or redirect-reachable) endpoint could return a tiny "decompression bomb" that expanded to gigabytes and exhausted the node's memory.

    Now only JSON is decoded by default. Other formats are opt-in via the new :decoders option, which defaults to [:json, :json_api]. Setting it replaces the default (include :json to keep JSON decoding), and false disables all decoding:

    # opt into archives (only for endpoints you trust):
    Req.get!(url, decoders: [:json, :zip])
    

    Note: The decoded zip/tar is still a list of {filename :: charlist(), contents :: binary} tuples. In a future release, this will be a list of {filename :: binary(), contents :: binary()} tuples.

    While automatic CSV decoding wasn't a security issue, the behaviour based on the presence/absence of the nimble_csv dependency was surprising. CSV support is still built-in but needs to be enabled with decoders: [:csv].

    Custom decoders are supported via {format, codec} tuples, where codec is a module exporting decode/1 or a 1-arity function returning an :ok/:error tuple, for example:

... (truncated)

Commits
  • 36a8252 Release v0.6.1
  • ea5506f compressed, decompress_body: Disable automatic decompression
  • 8e7425f Release v0.6.0
  • 584a490 decode_body: Drop automatic zip/tar/tgz/gz/zst/csv decoding
  • 2d77dbe encode_body: Security fix for :form_multipart header injection
  • 53c3b99 Release v0.5.18
  • dc1f3be Update ex_doc
  • dbd145c Update CHANGELOG.md
  • 75f077e retry: Automatically retry on :pool_not_available
  • 4cfbf54 run_finch: Normalize Finch.TransportError,HTTPError (Finch 0.22+) (#544)
  • Additional commits viewable in compare view

Updates swoosh from 1.23.0 to 1.26.1

Release notes

Sourced from swoosh's releases.

v1.26.1 🚀

🐛 Bug Fixes

  • fix fat-fingering content_id instead of cid, added tests, fixed outdated expected response in mua_test.exs @waseigo (#1155)

🧰 Maintenance

v1.26.0 🚀

✨ Features

⛓️ Dependency

New Contributors

Full Changelog: swoosh/swoosh@1.25.3...v1.26.0

v1.25.3 🚀

📝 Documentation

🧰 Maintenance

New Contributors

Full Changelog: swoosh/swoosh@v1.25.2...1.25.3

v1.25.2 🚀

🐛 Bug Fixes

... (truncated)

Changelog

Sourced from swoosh's changelog.

1.26.1

🐛 Bug Fixes

1.26.0

✨ Features

📝 Documentation

  • Document the new Mailpit adapter in the README

1.25.3

📝 Documentation

🧰 Maintenance

1.25.2

🐛 Bug Fixes

1.25.1

🐛 Bug Fixes

1.25.0

✨ Features

📝 Documentation

... (truncated)

Commits

Updates tailwind from 0.4.1 to 0.5.0

Changelog

Sourced from tailwind's changelog.

v0.5.0 (Unreleased)

  • Allow configuring :version per profile
  • Allow env values to be lists, joined by the OS path separator

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
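The req changelog quoted above describes two hardening changes a consumer of this bump should make explicit rather than inherit: archive/CSV decoding is now an allowlist (`:decoders`, with `false` disabling decoding entirely) and decompression is now opt-in (`compressed: true`). The following is an added example, not code from this PR, flagd-ui, or the Req project, showing how a client wrapper can pin those settings and additionally cap how much response body is ever buffered, which is the root issue behind the decompression-bomb advisory. The module name `FlagdUi.Http`, the 5 MiB limit and the `:oversized` private key are constructed for this example; `:decoders` comes from the changelog, while `:compressed`, `:redirect`, `:into` and `Req.Response.put_private/3` are assumed to behave as in Req's documented API.

```elixir
defmodule FlagdUi.Http do
  @moduledoc """
  Hypothetical client wrapper (not flagd-ui's or Req's own code) that makes
  the Req 0.6 defaults described in the changelog explicit and bounds the
  amount of response body held in memory.
  """

  # Constructed limit for this example: the largest body we will buffer.
  @max_body_bytes 5 * 1024 * 1024

  @doc """
  Fetch and decode JSON from an endpoint we do not control.

  Returns {:ok, term} | {:error, reason}.
  """
  def get_json(url) do
    req =
      Req.new(
        url: url,
        # Req 0.6.1 made decompression opt-in; stating it keeps the intent
        # visible even if a later default changes again.
        compressed: false,
        # We decode below ourselves, after the size check, so Req's own
        # decode_body step is switched off entirely (false = no decoding).
        decoders: false,
        # A 3xx would let the server choose which origin we talk to next.
        redirect: false,
        # Stream the body through a cap instead of buffering it blindly.
        into: &cap_chunk/2
      )

    with {:ok, %Req.Response{} = resp} <- Req.get(req),
         :ok <- check_complete(resp),
         :ok <- check_status(resp),
         {:ok, decoded} <- Jason.decode(resp.body) do
      {:ok, decoded}
    else
      {:error, %Jason.DecodeError{}} -> {:error, :invalid_json}
      {:error, reason} -> {:error, reason}
    end
  end

  # Req calls this for every body chunk with {req, resp} as the accumulator.
  # We append to resp.body and halt the transfer once the cap is exceeded,
  # marking the response so the caller never treats a truncated body as valid.
  defp cap_chunk({:data, chunk}, {req, resp}) do
    body = resp.body <> chunk

    if byte_size(body) > @max_body_bytes do
      {:halt, {req, Req.Response.put_private(resp, :oversized, true)}}
    else
      {:cont, {req, %{resp | body: body}}}
    end
  end

  defp check_complete(%Req.Response{private: %{oversized: true}}),
    do: {:error, :body_too_large}

  defp check_complete(_resp), do: :ok

  defp check_status(%Req.Response{status: 200}), do: :ok
  defp check_status(%Req.Response{status: status}), do: {:error, {:http_status, status}}
end
```

Call it as `FlagdUi.Http.get_json("https://example.invalid/flags.json")` from code that talks to a third-party or user-supplied URL. The cap is enforced while the body streams in, so an oversized response costs at most `@max_body_bytes` of memory before the connection is dropped, regardless of what `content-type` or `content-encoding` the server claims. If an endpoint you control genuinely needs archive decoding, give it its own client with `decoders: [:json, :zip]` rather than widening this one.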

…ctory with 7 updates

Bumps the mix-production-dependencies group with 7 updates in the /src/flagd-ui directory:

| Package | From | To |
| --- | --- | --- |
| [bandit](https://github.com/mtrudel/bandit) | `1.10.3` | `1.12.0` |
| [jason](https://github.com/michalmuskala/jason) | `1.4.4` | `1.4.5` |
| [phoenix](https://github.com/phoenixframework/phoenix) | `1.8.5` | `1.8.8` |
| [phoenix_live_view](https://github.com/phoenixframework/phoenix_live_view) | `1.1.26` | `1.2.0` |
| [req](https://github.com/wojtekmach/req) | `0.5.17` | `0.6.1` |
| [swoosh](https://github.com/swoosh/swoosh) | `1.23.0` | `1.26.1` |
| [tailwind](https://github.com/phoenixframework/tailwind) | `0.4.1` | `0.5.0` |



Updates `bandit` from 1.10.3 to 1.12.0
- [Changelog](https://github.com/mtrudel/bandit/blob/main/CHANGELOG.md)
- [Commits](mtrudel/bandit@1.10.3...1.12.0)

Updates `jason` from 1.4.4 to 1.4.5
- [Release notes](https://github.com/michalmuskala/jason/releases)
- [Changelog](https://github.com/michalmuskala/jason/blob/master/CHANGELOG.md)
- [Commits](michalmuskala/jason@v1.4.4...v1.4.5)

Updates `phoenix` from 1.8.5 to 1.8.8
- [Release notes](https://github.com/phoenixframework/phoenix/releases)
- [Changelog](https://github.com/phoenixframework/phoenix/blob/main/CHANGELOG.md)
- [Commits](phoenixframework/phoenix@v1.8.5...v1.8.8)

Updates `phoenix_live_view` from 1.1.26 to 1.2.0
- [Release notes](https://github.com/phoenixframework/phoenix_live_view/releases)
- [Changelog](https://github.com/phoenixframework/phoenix_live_view/blob/main/CHANGELOG.md)
- [Commits](phoenixframework/phoenix_live_view@v1.1.26...v1.2.0)

Updates `req` from 0.5.17 to 0.6.1
- [Release notes](https://github.com/wojtekmach/req/releases)
- [Changelog](https://github.com/wojtekmach/req/blob/main/CHANGELOG.md)
- [Commits](wojtekmach/req@v0.5.17...v0.6.1)

Updates `swoosh` from 1.23.0 to 1.26.1
- [Release notes](https://github.com/swoosh/swoosh/releases)
- [Changelog](https://github.com/swoosh/swoosh/blob/main/CHANGELOG.md)
- [Commits](swoosh/swoosh@v1.23.0...v1.26.1)

Updates `tailwind` from 0.4.1 to 0.5.0
- [Changelog](https://github.com/phoenixframework/tailwind/blob/main/CHANGELOG.md)
- [Commits](phoenixframework/tailwind@v0.4.1...v0.5.0)

---
updated-dependencies:
- dependency-name: bandit
  dependency-version: 1.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: mix-production-dependencies
- dependency-name: jason
  dependency-version: 1.4.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: mix-production-dependencies
- dependency-name: phoenix
  dependency-version: 1.8.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: mix-production-dependencies
- dependency-name: phoenix_live_view
  dependency-version: 1.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: mix-production-dependencies
- dependency-name: req
  dependency-version: 0.6.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: mix-production-dependencies
- dependency-name: swoosh
  dependency-version: 1.26.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: mix-production-dependencies
- dependency-name: tailwind
  dependency-version: 0.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: mix-production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels "dependencies" (Pull requests that update a dependency file) and "elixir" (Pull requests that update elixir code) on Jun 11, 2026