Bump the mix-production-dependencies group across 1 directory with 6 updates

[dependabot]

Bumps the mix-production-dependencies group with 6 updates in the /src/flagd-ui directory:

Package	From	To
bandit	1.8.0	1.9.0
gettext	1.0.0	1.0.2
phoenix	1.8.1	1.8.3
phoenix_live_view	1.1.16	1.1.19
req	0.5.15	0.5.16
swoosh	1.19.8	1.19.9

Updates bandit from 1.8.0 to 1.9.0

Changelog

Sourced from bandit's changelog.

1.9.0 (12 Dec 2025)

Enhancements

• Skip body draining when Connection: close is set (#546, thanks @​pepicrft!)
• Make deflate options for WebSockets configurable (#540, thanks @​proxima!)
• Mitigate HTTP/2 rapid reset attacks (#533, thanks @​NelsonVides!)
• Implement improved respect for SETTINGS_MAX_CONCURRENT_STREAMS (#524, thanks @​NelsonVides!)
• Support zstd HTTP compression (#514, thanks @​mattmatters!)

Commits

• 858317a Don't kill the process_label entry on each request
• 35b5cc6 Version bump to 1.9.0
• 05eb476 Update Thousand Island dep
• f11fc7b Skip body draining when Connection: close is set (#546)
• 4a24bda Configurable deflate options for websockets (#540)
• cc2a3f1 Streams/rapid resets (#533)
• cd6a995 Bump ex_doc from 0.39.1 to 0.39.2 (#547)
• c5d9491 Bump plug from 1.18.1 to 1.19.0 (#548)
• 6852b64 Bump credo from 1.7.13 to 1.7.14 (#544)
• 614aa95 Bump actions/checkout from 5 to 6 (#543)
• Additional commits viewable in compare view

Updates gettext from 1.0.0 to 1.0.2

Changelog

Sourced from gettext's changelog.

v1.0.2

• Only skip manifest removal on Elixir v1.19.3+

v1.0.1 (retired)

• Remove unnecessary cleaning of Elixir manifests

Commits

• e3180f1 Release v1.0.2
• ec2f9c1 Erase manifest unless on upcoming Elixir (#425)
• 4960e49 Revert "Removed unnecessary cleaning of Elixir manifests (#423)"
• 8844a32 Trim CHANGELOG
• 7fe2dc7 Release v1.0.1
• 30bf87d Removed unnecessary cleaning of Elixir manifests (#423)
• d33d745 Bump actions/checkout from 4.2.2 to 5.0.0 (#422)
• 7443953 Use ubuntu-latest in the publish-to-hex.yml workflow
• See full diff in compare view

Updates phoenix from 1.8.1 to 1.8.3

Changelog

Sourced from phoenix's changelog.

1.8.3 (2025-12-8)

Enhancements

• Add top-level phoenix config: sort_verified_routes_query_params to enable sorting query params in verified routes during tests

Bug fixes

• Fix endpoint port config in an umbrella application. (#6549)
• Drop incoming channel messages with stale join refs

1.8.2 (2025-11-26)

Bug fixes

• [phoenix.js] fix issue where LongPoll can cause "unmatched topic" errors (observed on iOS only) (#6538)
• [phx.gen.live] fix tests when schema and table names are equal (#6477)
• [Verified Routes] do not add path prefixes for static routes
• [Phoenix.Endpoint] fix LongPoll being active by default since 1.8.0 (#6487)

Enhancements

• [phoenix.js] socket now stops reconnection attempts while the page is hidden (#6534)
• [phx.new] (re-)add <.input field={@form[:foo]} type="hidden" /> support in core components
• [phx.new] set force_ssl in prod.exs by default (#6435)
• [phx.new] change --docker base image to debian trixie (#6521)
• [Phoenix.Socket.assign/2] allow passing a function as second argument assign(socket, fn _existing_assigns -> %{this_gets: "merged"} end) (#6530)
• [Phoenix.Controller.assign/2] allow passing a function as second argument (#6542)
• [Phoenix.Controller.assign/2] support keyword lists and maps as second argument similar to LiveView (#6513)
• [Presence] support custom dispatcher for presence_diff broadcast (#6500)
• [AGENTS.md] add short test guidelines to usage rules

Commits

• 07fc5ac Release 1.8.3
• c73bbfc Drop incoming messages with stale join refs
• f16aa8f Remove Ecto.Multi usage in data modelling guides (#6529)
• 8b80f26 Add documentation to exclude paths (#6556)
• 6f6a7d4 Fix missing closing bold tag in html.md (#6546)
• 9c3e921 Fix endpoint port config in an umbrella application. (#6549)
• fe915d3 Fix URL pointing to Phoenix.Component (#6554)
• f2a6f31 sort query params in verified routes during tests (#6536)
• 593d499 Bump actions/checkout from 5.0.0 to 6.0.0 (#6551)
• 18863d7 Bump the minor-and-patch group with 5 updates (#6552)
• Additional commits viewable in compare view

Updates phoenix_live_view from 1.1.16 to 1.1.19

Changelog

Sourced from phoenix_live_view's changelog.

v1.1.19 (2025-12-12)

Bug fixes

• Ensure stale token redirect uses the correct URL (#4068)
• Ignore events from elements that are not connected to the DOM (#4066)
• Skip phx-click-away if clicked element is hidden (#4070)

Enhancements

• Allow disabling symlink warning for colocated js (#4057)

v1.1.18 (2025-11-25)

Bug fixes

• Fix boolean attributes not being properly ignored when using JS.ignore_attributes (#4049)

Enhancements

• [Phoenix.Component.assign/2] allow passing a function as second argument assign(socket, fn _existing_assigns -> %{this_gets: "merged"} end) (#4051)
• Annotate phx-drop-target elements with the phx-drop-target-active class when items are being dropped (#4012)
• Add onDocumentPatch dom callback and allow specifying the event dispatch phase (#4043) This allows users to use view transitions, see the linked gist in the PR.
• Warn in createHook if passed element has no ID (#4010)
• Allow Phoenix.Component.portal/1 to be nested (#4048)
• Add phx-viewport-overrun-target to make infinitely scrolled tables easier to implement (#4053) (Example)
• Allow to disable the symlink warning for colocated js (#4057)

v1.1.17 (2025-11-04)

Bug fixes

• noop in empty live reloader config

Commits

• d37acf1 release v1.1.19
• f8922e3 Update assets
• 85d74d8 Skip phx-click-away if clicked target is hidden (#4077)
• 29c2af8 ignore events for elements that are not connected (#4074)
• b9307d2 use main view for stale redirect (#4069)
• b3a145e Raise if JS.dispatch detail is not a map (#4062)
• 5bf52e6 Add phx-no-format and phx-no-curly-interpolation to cheatsheet (#4065)
• 7ab8e7d allow disabling symlink warning for colocated js (#4057)
• a8541d7 format for 1.19
• f821d9c release v1.1.18
• Additional commits viewable in compare view

Updates req from 0.5.15 to 0.5.16

Release notes

Sourced from req's releases.

v0.5.16

• Req.Test: Fix verify_on_exit! accidentally using Mox name
• auth: Support MFArgs
• auth: Support digest auth
• put_aws_sigv4: Support MFArgs
• put_path_params: Encode :path_params even with reserved characters
• put_path_params: Set :path_params_template on empty params
• run_plug: Handle compressed request body

Changelog

Sourced from req's changelog.

v0.5.16 (2025-11-10)

• [Req.Test]: Fix verify_on_exit! accidentally using Mox name
• [auth]: Support MFArgs
• [auth]: Support digest auth
• [put_aws_sigv4]: Support MFArgs
• [put_path_params]: Encode :path_params even with reserved characters
• [put_path_params]: Set :path_params_template on empty params
• [run_plug]: Handle compressed request body

Commits

• de1992a Release v0.5.16
• f0225a7 run_plug: Handle compressed request body (#496)
• 2a365ac Fix tests
• 3cb0a53 Update ex_doc
• 4c850fa auth: Support MFArgs (#519)
• 536880a fix: tiny typo (#514)
• 158165c auth: Support digest auth (#511)
• 3edef76 put_aws_sigv4: Allow providing an mfa tuple (#510)
• 8517f1d Fix warnings
• 5797455 Fix test
• Additional commits viewable in compare view

Updates swoosh from 1.19.8 to 1.19.9

Release notes

Sourced from swoosh's releases.

v1.19.9 🚀

✨ Features

• add support for additional_headers provider option in Scaleway @​jaimeiniesta (#1077)
• Support specifying ip_pool_name data for Sendgrid #1081 @​lardcanoe (#1082)

📝 Documentation

• Add Resend adapter to README @​jtormey (#1080)

⛓️ Dependency

• Bump plug from 1.18.1 to 1.19.1 @​dependabot (#1085)
• Bump mua from 0.2.5 to 0.2.6 @​dependabot (#1084)
• Bump ex_doc from 0.39.1 to 0.39.2 @​dependabot (#1083)
• Bump req from 0.5.15 to 0.5.16 @​dependabot (#1078)
• Bump plug_cowboy from 2.7.4 to 2.7.5 @​dependabot (#1079)
• Bump ex_doc from 0.38.4 to 0.39.1 @​dependabot (#1075)
• Bump tailwind from 0.4.0 to 0.4.1 @​dependabot (#1074)
• Bump cowboy from 2.14.1 to 2.14.2 @​dependabot (#1073)
• Bump ex_aws from 2.5.11 to 2.6.0 @​dependabot (#1072)
• Bump cowboy from 2.14.0 to 2.14.1 @​dependabot (#1071)

New Contributors

• @​jtormey made their first contribution in swoosh/swoosh#1080
• @​lardcanoe made their first contribution in swoosh/swoosh#1082
• @​jaimeiniesta made their first contribution in swoosh/swoosh#1077

Full Changelog: swoosh/swoosh@v1.19.8...v1.19.9

Changelog

Sourced from swoosh's changelog.

1.19.9

✨ Features

• add support for additional_headers provider option in Scaleway @​jaimeiniesta (#1077)
• Support specifying ip_pool_name data for Sendgrid #1081 @​lardcanoe (#1082)

📝 Documentation

• Add Resend adapter to README @​jtormey (#1080)

Commits

• 1f41d74 v1.19.9
• 8a2c5fc add support for additional_headers in Scaleway (#1077)
• ef04b56 Bump plug from 1.18.1 to 1.19.1 (#1085)
• 8972fd5 Bump mua from 0.2.5 to 0.2.6 (#1084)
• 15e3015 Bump ex_doc from 0.39.1 to 0.39.2 (#1083)
• 5c12ca0 Support ip_pool_name (#1082)
• b109033 Add resend adapter to readme (#1080)
• 2382d17 Bump req from 0.5.15 to 0.5.16 (#1078)
• ea7bc38 Bump plug_cowboy from 2.7.4 to 2.7.5 (#1079)
• ebbe504 Bump ex_doc from 0.38.4 to 0.39.1 (#1075)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Note

Free review on us!

CodeRabbit is offering free reviews until Wed Dec 17 2025 to showcase some of the refinements we've made.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.