- Add config `no_short_urls` and env var `HEX_NO_SHORT_URLS` to disable short URL generation
- Mention `mix hex.sponsor` when fetching packages that accept sponsorship
- Add `--key` option to `mix hex.repo show NAME` to print repository key
- Improve output when update check fails
- Print hint if version resolution is slow
- Improve version backtracking to fix slow version resolutions and downgrading of dependencies
- Add support for `mix hex.package fetch PACKAGE` (without version)
- Gracefully handle missing hex metadata in sponsor task
- Fix building hex registry
- Update ssl opts for host validation on redirect
- Store correct password after confirmation failure
- Warn when using ssl-10.2
- Disable API write operations when using ssl-10.2
- Add `--epub` option to `mix hex.docs offline`
- Add `--replace` option to `mix hex.publish`
- Add locked version to `mix hex.info <package>`
- Clarify publish message around ownership
- Remove reliance on colors for hex.outdated
- Follow XDG Base Directory Specification
- Add link to diffs page in footer of `mix hex.outdated`
- Introduce `latest` branch to install Hex using `mix archive.install git ...`
- Add `--repo` flag to `mix hex.package` task
- Make `mix hex.package diff` more CLI-friendly
- Customize hostname check to allow also wildcard certificates
- Use API for dependency config in mix hex.info
- Do not pass --canonical to docs task
- Always add `*.DS_Store` to `:exclude_patterns`
- Add note about updatable packages to `mix hex.outdated` task
- Use tarball outer checksum to check cache freshness
- Add `--within-requirements` flag to `mix hex.outdated`
- Add `--fetch-public-key FINGERPRINT` to `mix hex.repo add`
- Return non-zero exit when package or release are not found in `mix hex.info`
- Add `no_proxy` configuration
- Add `mix hex.package diff APP VERSION`
- Add `mix hex.sponsor` for listing all dependencies that ask for sponsors or support
- Add `mix hex.registry build` for building registries locally
- Fix order of organizations displayed on `mix hex.publish`
- Fix stacktrace warning
- Hide `mix hex.install` private task
- Fix `mix hex.repo remove` command doc
- Fix backtracking on single parent
- Do not unpack the tarball on `mix hex.package fetch` unless `--unpack` is passed
- Re-fetch stale cached package if registry checksum changed
- Fix compatibility with OTP 24
- Fix compatibility with OTP 24
- Add timestamps to entries in registry cache for easier debugging
- Bump registry cache version to invalidate old caches
- Warn if fetching registry without outer checksum
- Do not require that the registry supports outer checksums
- Missing outer checksum is not a mismatch, this will fix "out of date" errors when the manifest is newer than the lockfile
- Fix tarball file extraction through symlinks
- Fetch the latest non-prerelease version of a package in `mix hex.docs`
- Correctly handle old manifest files without crashing
- Add `--output` option to `mix hex.package fetch` task
- Add `cacerts_path` configuration for custom CA certificate files
- Improve output in `mix hex.publish` to make it more clear to what repository you are publishing
- Explain red colors in hex.outdated
- Fix HTTP timeout config
- Do not allow creating empty packages
- Fix for directory traversal vulnerability for symlinks in tarballs
- Update package checksum to include the entire tarball instead of specific files inside it
- Do not print transfer message when not transferring
- Add per-project Hex configuration. Configure Hex under the `:hex` key inside your project configuration in `mix.exs`
- Show location of package after running `mix hex.build`
- List all available Hex tasks when running `mix hex`
- List subtasks when running `mix hex`
- Remove tarball if it is invalid to avoid it being used as cache in the future
- Show umbrella children `mix.exs` location in `mix hex.outdated`
- Add `mix hex.owner transfer` task
- Show improved error message on invalid configs
- Add `mix hex.package fetch` task
- Add `mix hex.package diff` task
- Fix `mirror_url` config
- Fix `api_url` config
- Do not try to remove docs after reverting package; docs are already automatically removed
- Improve output of `mix hex.config`
- Print publisher in `mix hex.info PACKAGE VERSION`
- Add organization flag to dependency config in `mix hex.info PACKAGE`
- Don't follow symlinks when adding files to tarballs
- Error with a descriptive msg when building a package with git dependencies
- Improve listing of incompatible package versions when displaying backtrack error message
- Improve resolver performance when it needs to do a lot of backtracking
- Verify authenticity of registry records. This fixes a vulnerability that would allow a malicious mirror to serve modified versions of Hex packages. A new check has been introduced that requires the latest registry record version. If you are using a repository or mirror that has not been updated yet, you can disable this check by setting the environment variable `HEX_NO_VERIFY_REPO_ORIGIN=1`. Further clarification of this issue will come at a later stage.
- Add checks before publishing docs
- Update generated protobuf files for Registry with OTP 21 compatibility
- No longer list tasks in `mix hex` task
- Use hexdocs organization URLs
- Add `--dry-run` option to publish tasks
- Do not print "Unchanged" dependencies on mix deps.get in green
- Validate hex config keys
- Add `c_src/` and `Makefile` to default package files
- Publish Mix task docs on https://hexdocs.pm/hex
- Add recommendation when retiring and require `--message` flag
- Use rebar3, not rebar, when guessing build tool
- Fix issue saving write key when resetting local password
- Fix normalization of repo paths when authenticating organization
When authenticating with `mix hex.user auth`, two API keys are generated instead of a single one. One key is unencrypted with read access and the other is encrypted with your local password and has full read/write access to the API. Now commands that don't make any changes will not require a password.
Additionally, we generate a single key that gives access to all your organization repositories, instead of one key for each repository. It also has the added benefit that you don't have to reauthenticate if you are added to a new organization.
We have also added support for keys owned directly by an organization instead of a specific user; these keys can be accessed through `mix hex.organization`. This is useful when generating keys for a CI environment: previously, when personal keys were used, a person leaving an organization or revoking the key could negatively affect the CI workflow.
The `HEX_API_KEY` environment variable has been introduced to be able to run commands that require authentication without having to authenticate manually with `mix hex.user auth`, which has user input prompts. The key set with `HEX_API_KEY` can be generated with `mix hex.user key generate` or `mix hex.organization key ORGANIZATION generate`. It also makes it possible to run commands such as `mix hex.publish` without being prompted for a password.
By passing the `--yes` flag to `mix hex.publish` you can publish your package (together with `HEX_API_KEY`) without any confirmation prompts. This allows you to publish your package as part of your CI build process.
In previous Hex versions we required the `:maintainers` key to be present when publishing a package. At the same time, on hex.pm we are also showing package owners (controlled by the `mix hex.owner` task). It was confusing to show both maintainers and owners and figure out which really control the package, so we've dropped showing maintainers on hex.pm and the field will no longer be added to the package's metadata.
If the maintainers field was used to give credit to current and/or past contributors, we encourage you to mention that in the project's README instead.
- Add `--yes` flag to `hex.publish` for publishing without any confirmation prompts
- Add `HEX_API_KEY` environment variable for setting and overriding the key used when authenticating against the API
- Generate a single key for all organization repositories when authenticating a new user
- Return a non-zero exit code from `hex.outdated` when dependencies are outdated
- Generate two API keys when authenticating, one encrypted with write access, and one unencrypted with only read access
- Add ownership levels to `hex.owner` task
- When resolving, try all possible backtrack branches and select the best solution
- Improve formatting of multi-line validation errors
- Do not use `:maintainers` package configuration field
- Change `hex.organization` to generate keys owned by organization instead of the user generating them
- Add options to `hex.organization key` for revoking and listing keys owned by organization
- Improve interface for `hex.user key` and `hex.organization key`, the following commands have changed:
  - `hex.user key --generate` => `hex.user key generate`
  - `hex.user key --list` => `hex.user key list`
  - `hex.user key --revoke KEY_NAME` => `hex.user key revoke KEY_NAME`
  - `hex.user key --revoke-all` => `hex.user key revoke --all`
  - `hex.organization key ORGANIZATION` => `hex.organization key ORGANIZATION generate`
- Fix private packages on Windows
- Fix crash when unpacking tarballs with broken symlinks
- Correct the type of build tools package metadata
- Fix crash when printing resolver output when having lock entries from other SCMs
- Fix crash when printing resolver output for old lock files
- Tarball and registry code has been extracted to the `hex_erl` package
- Hide retired versions when showing latest release in `hex.info` task
- Add `hex.docs offline` and `hex.docs online` tasks
- Add `--key-name` flag to key generation tasks
- Add `:exclude_patterns` to package config for excluding files from package
- Resolver now backtracks children before parents to improve versions selected when backtracking
- Change some errors to warnings when building private packages
- Group resolved dependency output into unchanged, updated, and downgraded when running `deps.get` and `deps.update` tasks
- Add authentication to `hex.docs` task for showing private package documentation
- Improve error message when package fetch times out
- General improvements to tasks when accessing organizations
- Fix wrong publish message when using `--organization` flag in `hex.publish` task
- Set file times inside tarballs to 2000-01-01 to fix tars on FAT file systems
- Fix `hex.docs open` task on Windows
- Handle missing package descriptions in `hex.search` task
- Fix printing of package checksum after publishing
- Increase `hex.publish` timeouts and make it configurable with `:http_timeout` config and `HEX_HTTP_TIMEOUT` variable
- Test key before adding it with `hex.organization auth NAME --key KEY`
- Remove pre-release publish restriction for private packages
- Add package descriptions to `hex.search` task
- Improve error message when there are no versions matching requirement
- Add latest stable version to `hex.search` task
- Add `metadata.config` file to checked out dependency directory
- Warn if we detect a lock entry from a newer Hex version
- Add `hex.build --output` and `hex.build --unpack` tasks
- Preserve symlinks and empty directories in tar
- Simplify Hex output on deps.get
- General improvements to tarball creation and unpacking
- List umbrella children's top level dependencies in `hex.outdated`
- Include `.formatter.exs` file in default package builds
- Prompt user when authentication is required
- Automatically auth all organizations when authing user with `hex.user auth`
- Highlight if a package release has been retired in `hex.info`
- Display package website links in `mix hex.owner packages`
- Do not crash if failing to write tarball
- Disable HTTP pipelining to avoid bugs in HTTP client
- Also purge registry etags when repository source changed
- Retry HTTP requests on `:socket_closed_remotely` errors
- Fix package tarballs being reproducible
- Authenticate HTTP requests for `hex.search`
- Populate managers when initially getting dependencies
- Check dependencies on `hex.audit` and `hex.publish`
- Fix fetching of private packages that overrides public packages
- Fix HTTP redirect handling
- Don't display internal configs in `hex.config`
- Improve error message when package does not exist
- Improve error message when no versions exist for given requirement
- Add `--key` flag to `hex.organization auth` to authorize by giving a key directly without supplying a password
- Add `hex.organization key` to generate a key for accessing the organization's repository
Hex.pm is adding support for private packages with organizations. See https://hex.pm/docs/private for more details. To authorize an organization on your machine run `mix hex.organization auth acme`; this will store the organization's repository details in Hex so that you can fetch packages from the repository. As soon as you are added as a member to an organization you can administer and publish packages, if you have the appropriate role, with the `--organization` flag or by setting the `:organization` option on the package configuration.
Unlike in the last release, packages will always be pulled from the default `hexpm` repository and you have to override it with the `:organization` or `:repo` options on the dependency configuration.
- Add `hex.organization` task
- Rename `hex.user key` flag `--remove*` to `--revoke*` to clarify what it does
- Add `--organization` flag to tasks working on packages
- Add `:organization` option to package configuration
- Add support for publishing to organizations
- Improve error message when docs task is missing
- Add `--confirm` flag to `hex.publish` task
- Fix version validation exceptions
- Reintroduce `HEX_MIRROR` environment variable
- Preserve file modes when building tarball
- Disallow `:app` option for dependencies
- Add `mix hex.repo show` task for showing repo configuration
- Improve error message if there are no releases for given requirement in the registry
- Add `mix hex.audit` task for checking for retired packages
- Do not try to publish docs if package publish failed
- Do not update lock entry if only metadata changed
- Do not show authentication details when printing URLs
- Fix password reset
- Fix race condition where some entries may not be cached if they were added just before application closed
- Support PAX tarballs, created on OTP 20, when using older OTP versions. Additionally, make it less likely PAX tarballs are created
This version adds support for using packages from multiple repositories. With the `hex.repo` task additional repositories can be added to Hex. With it you can add additional repositories or replace the default "hexpm" repository by running `mix hex.repo add hexpm ...`; check the docs for more information. To use a dependency from another repository add `repo: :my_other_repo` to the dependency definition in `mix.exs` and make sure you have added `my_other_repo` with `mix hex.repo add my_other_repo`. Dependencies of a package will be automatically pulled from the same repository as the parent package unless otherwise stated with the `:repo` option on the dependency definition.
- Add `hex.repo` task
- Move `hex.key` tasks to `hex.user keys`
- Warn or error if publishing a package with pre-release dependencies
- Do not check for updates when running in offline mode
- Fix an issue where dependency resolution could take a very long time
- Do not publish docs if publishing the package failed
- Fix an issue where HTTP timeouts could cause the application to freeze
- Ensure managers always exist in the lock
With this new release you can mark versions of your packages as retired when you no longer recommend their use. This can be because the release has a serious security flaw, because something went wrong with the release so that it's unusable, or because the package has been renamed or deprecated. A retired version is still usable and fetchable, but it will show as retired on hex.pm, and when it is resolved Hex will show a warning to the user with the retirement message.
- Add `--module` flag to `hex.docs` task
- Changed `hex.outdated` task to show if a dependency can be updated
- Add `hex.retire` task for package retirement
- Warn when resolving retired packages
- Restrict number of default SSL ciphers
- Do not make conditional HTTP request if file is missing
- Ensure cache file is saved when Hex exits
- Add environment variable `HEX_HTTP_CONCURRENCY` for limiting number of concurrent HTTP requests
- Fix compatibility with older Elixir versions (<= 1.1)
- Ensure build tools are unique in mix.lock and when publishing
- Fix `hex.docs open` opening websites on Unix systems
- Do not crash on diverged dependencies with conflicting SCMs
- Fix some duplicate HTTP requests on slow networks
- Limit concurrent registry HTTP requests
Hex has switched to a new registry format that is more efficient and will scale better as the registry grows. The new registry format is encoded with protocol buffers and is split into multiple files (one file per package) to avoid fetching one big file with data you will not need. The resolver will make more HTTP requests but will in total fetch much less data. The specification for the new format can be found here: hexpm/specifications#10. The old ETS based registry format is no longer supported in the client but will continue to be available from the registry for the foreseeable future.
- `hex.docs open` will by default open the online hexdocs for the given package
- An `--offline` option has been added to `hex.docs open` for opening docs stored on your local filesystem and it will automatically fetch the docs if they are not available locally
- Only support secure SSL ciphers and safe SSL versions (support for SSLv3 has been dropped)
- Improvements to the language in the resolver error messages
- Fix an issue where duplicate build tool names could be added to the package metadata
- Only error on non-Hex dependencies when building
- Most warnings on `hex.publish` are now errors
- Fix bug where the old config format was not readable
- Convert old config format to new format on every read
- Fix `HEX_UNSAFE_REGISTRY` negation
- Inform about new Hex version in `hex.info`
- Support `extra` metadata field
- Print package checksum when building and publishing
- Warn if using registry from cache
- Show creation time of API keys in `hex.keys list`
- Improve the error message if OTP has broken SNI in `:ssl` application
- Verify dependencies from registry against lock
- Hex will now automatically encrypt your local API key, use `hex.user passphrase` to change the encryption passphrase
- Improve resolver error message to mention behavior of pre-releases and overrides
- Improve error message if a dependency has configured the OTP application name incorrectly for another dependency
- `hex.publish` now also publishes docs by default, use `hex.publish package` and `hex.publish docs` to respectively publish package and docs independently
- `hex.docs` will now open or fetch documentation tarballs
- `hex.key remove` will now also de-auth the user if the local API key was removed
- Add status messages when publishing and reverting
- Fix bug where the client was fetching packages even when lock is OK
- Fix resolver sometimes not producing any backtrack output
- Verify certificate against correct hostname after redirect
- Only show proxy settings when MIX_DEBUG=1
- Add retries to idempotent requests
- Fix crash when you get multiple backtrack messages
- Add package checksums to lock, ensuring a locked package can not change its content
- Add managers and deps to lock, allowing Hex to run without loading the registry
- Align deps fetching output from scm
- Update hex.pm repo URL to https://repo.hex.pm
- Link to policies when registering account
- Update CoC links
- Improve conflict messages
- Improve error messages when ex_doc is missing when publishing docs
- Show app name of dependency in `hex.info`
- Warn about long package descriptions
- Fix `HEX_UNSAFE_HTTPS` environment variable and `unsafe_https` config
- Add more registry metrics to `hex.info`
- Fix a bug where Hex was a bit too enthusiastic when informing the user of new versions
- Fix some missing future-proofing of lock
- Use HTTPS to Hex.pm repository
- Make lock backwards compatible by treating it as a list and only matching on the front
- Correctly show update notification
- Remove duplicate parents from backtrack messages
- Fix invalid message in `hex.outdated` if locked version is a pre-release
- Do not crash if registry fails to fetch
- Remove force update of registry if it is more than a week old
- Verify registry signature against public key
- Improve missing registry error message
- Deprecate `HEX_CDN` in favor of `HEX_REPO` and `HEX_MIRROR`. See the `hex` task for more information
- Deprecate `:cdn_url` config in favor of `:repo_url` and `mirror_url`. See the `hex.config` task for more information
- Improve performance of parallel package fetching
- Use Fastly instead of S3 for the Hex.pm repository
- Add `--delete` option to `hex.config` task
- Show local time in hex.info
- Correctly unlock all dependencies on `deps.update`
- Always fetch registry if it's missing or known to be old
- Fix incorrect build version check
- Fix parsing of requirements without spaces
- Append the OTP version to the user_agent function
- Improve output of http request timeout errors
- Warn if `:manager` or `:compile` is set on dependencies when publishing
- Add `--pre` flag to `hex.outdated`
- Use erlang binary term encoding for API instead of elixir encoding
- Pull package name from correct source when publish docs
- Pass canonical url to ex_doc task
- Change hexdocs links to use https
- Add `hex.outdated APP` to list all requirements on given dependency
- Do not allow pre-releases for dependencies unless the requirement uses a pre-release version
- Optimize version cache memory usage
- Fix incorrect build version check for dev versions of Elixir
- Fix loop when backtracking in resolver
- Fix timeout errors on slow systems
- Make the experimental resolver the default
- Ensure registry can be opened/closed multiple times
- Ensure `hex.search` task handles empty results
- Fix experimental resolvers only backtracking on parents that had requirements that failed
- Fix merging of overlapping parent and package versions in backtrack messages
- Fix bug when umbrella child has dependency with `:only`
- General optimizations in dependency resolver
- Add experimental faster backtracker that does more aggressive backtracking, set environment variable `HEX_EXPERIMENTAL_RESOLVER=1` to use it
- Merge backtrack messages that have similar parents
- Merge multiple versions into version ranges when possible for more succinct backtrack messages
- Reduce memory usage when resolver produces many backtrack messages
- Fix a crash when a dependency is missing its version requirement
- Add support for authentication when using HTTP proxies
- Add more build information to `hex.info` task to ease debugging
- Greatly improve backtracking error messages
- Prevent packages from being published without a description
- Improve error printing when S3 returns errors
- Improve output from `hex.outdated` task
- Warn if a package dependency is missing its requirement
- Improve error message from `hex.docs` task when `ex_doc` dependency is missing
- Remove useless output when fetching dependencies
- Improve package output in `hex.info` task
- Fix a rare bug that could cause the resolver to go into an infinite loop
- UTF8 encode package metadata
- Only list missing files if `:files` is set
- Fix bug when umbrella child has dependency with `:only`
- Pass build tool information to Mix (supported in Elixir 1.1.0)
- Make Hex a proper OTP application
- Update CA store
- Warn if files are missing when building package
- Improve error message when resolution fails because of a locked dependency
- Add `hex.registry` task for loading and dumping registry
- Add `HEX_OFFLINE` for running in offline mode which skips fetching registry and packages
- Add `hex.build` task for building package without publishing
- Reduce noise when users get lots of resolution errors and generally improve their output
- Add Server Name Indication support for HTTPS requests
- Add `HEX_UNSAFE_HTTPS` for disabling certificate checking
- Rename `:contributors` metadata to `:maintainers` to better reflect purpose of field
- `HEX_API` no longer automatically adds `api/` to URL
- Fix crash when user doesn't explicitly override Hex package when needed
- Fix bug where metadata in package tarball was not properly UTF8 encoded
- Fix error message when registry file is missing
- Support `hex.outdated` task for umbrella projects
- Do not raise on bad data in a user's old lock
- Fix a bug that would trust any certificate in the certificate chain signed by a trusted CA. This could allow a certificate that is not a CA to issue and sign new certificates for any host
- Sort dependency resolver results
- Fix build_tools metadata being sent incorrectly
- Warn if registry file is missing when loading deps
- Consider new optional requirements for already activated dependency
- Add multiple build tools to metadata
- Warn if using insecure SSL because of old OTP version
- Use yellow test for warning text
- Include build_tools in release metadata
- Print more metadata when publishing
- Fix an error when printing HTTP status codes
- Always fetch new registry if it's older than 7 days
- Add task `hex.user test` for testing user authentication.
- Add task `hex.outdated` for listing outdated packages compared to the registry.
- Update CA store as of April 3.
- Inform user if authentication failed because they did not confirm email.
- Improve error message for unsupported tarball version.
- Fix a bug where overriding a Hex dependency with a non-Hex dependency was ignored when the overriding happened at least two levels deep in the dependency tree
- Include all conflicting requirements in backtrack message
- Fix a bug where backtrack message failed on optional requests
- Fix an error when merging locked and optional dependencies
- Print messages on backtracks if dependency resolution failed; this is intended to help users resolve conflicts
- Fix a bug where a dependency converged in mix did not consider all its requirements
- Fix a bug where dependencies in the lock were considered even if they weren't requested
- Fix updating the registry
- Print proxy options on startup
- Add `mix hex.user password reset` and remove `mix hex.user update`
- Create version 3 tarballs with erlang term encoded metadata
- Verify peer certificate against CA certificate public key in `partial_chain`
- Fix a bug where overriding a Hex dependency with a non-Hex dependency was ignored when the overriding happened in a sub-dependency
- Create hex directory before writing registry
- Add PKIX hostname verification according to RFC6125
- Improve error messages from HTTP error codes
- Improve HTTP performance
- Add config options `api_url`, `cdn_url`, `http_proxy` and `https_proxy`
- Support both doc/ and docs/ as documentation directory
- Convert config file to erlang term file
- Add support for packages with a different OTP application name than the package name
- Add task `mix hex.docs` for uploading project documentation
- Add email confirmation
- Allow you to change your password with `mix hex.user update`
- Correctly display dependencies in `mix hex.info PACKAGE VERSION`
- Verify peer certificates when fetching tarball
- Verify peer certificate for SSL (only available in OTP 17.3)
- Reduce archive size with compiler option `debug_info: false`
- Add support for config as an erlang term file
- Warn if Hex was built against a different major.minor Elixir version
- Add task `hex.user whoami` that prints the locally authorized user
- Add task `hex.user deauth` to deauthorize the local user
- Rename environment variable `HEX_URL` to `HEX_API` to not confuse it with `HEX_CDN`
- Print newline after progress bar
- Add progress bar for uploading the tarball when publishing
- Compare tarball checksum against checksum in registry
- Bump tarball support to version 3
- Rename task for authenticating on the local machine from `hex.key new` to `hex.user auth`
- Remove the ability to pass password as a CLI parameter
- Support lower-case proxy environment variables
- Remove any timeouts when fetching package tarballs