Bump req from 0.5.17 to 0.6.1

[dependabot]

Bumps req from 0.5.17 to 0.6.1.

Release notes

Sourced from req's releases.

v0.6.1

• compressed, decompress_body: Disable automatic decompression

  Decompression is now opt-in by setting compressed: true.

v0.6.0

• encode_body: Security fix for :form_multipart header injection (GHSA-px9f-whj3-246m).

  The multipart encoder interpolated the per-part name, filename, and content_type into the part headers without escaping, so an attacker-controlled value could inject extra headers or smuggle additional parts into the request. These values are now escaped per RFC 7578 / WHATWG form-data (", CR, and LF are percent-encoded).

  Thanks to @​PJUllrich for reporting it.

• decode_body: Drop automatic zip/tar/tgz/gz/zst/csv decoding, (GHSA-655f-mp8p-96gv).

  Req previously auto-decoded archive and compressed response bodies (zip, tar, tgz, gz, zst, and csv) based on the server-supplied content-type, materialising the full decompressed contents in memory with no size cap. An attacker-controlled (or redirect-reachable) endpoint could return a tiny "decompression bomb" that expanded to gigabytes and exhausted the node's memory.

  Now only JSON is decoded by default. Other formats are opt-in via the new :decoders option, which defaults to [:json, :json_api]. Setting it replaces the default (include :json to keep JSON decoding), and false disables all decoding:

  # opt into archives (only for endpoints you trust):
  Req.get!(url, decoders: [:json, :zip])
  

  Note: The decoded zip/tar is still list of {filename :: charlist(), contents :: binary} tuples. In the future release, this will be list of {filename :: binary(), contents :: binary()} tuples.

  While automatic CSV decoding wasn't a security issue, the behaviour based on presence/absence of nimble_csv dependency was suprising. CSV support is still built-in but need to be enabled with decoders: [:csv].

... (truncated)

Changelog

Sourced from req's changelog.

v0.6.1 (2026-06-08)

• [compressed], [decompress_body]: Disable automatic decompression

  Decompression is now opt-in by setting compressed: true.

v0.6.0 (2026-06-08)

• [encode_body]: Security fix for :form_multipart header injection (GHSA-px9f-whj3-246m).

  The multipart encoder interpolated the per-part name, filename, and content_type into the part headers without escaping, so an attacker-controlled value could inject extra headers or smuggle additional parts into the request. These values are now escaped per RFC 7578 / WHATWG form-data (", CR, and LF are percent-encoded).

  Thanks to @​PJUllrich for reporting it.

• [decode_body]: Drop automatic zip/tar/tgz/gz/zst/csv decoding, (GHSA-655f-mp8p-96gv).

  Req previously auto-decoded archive and compressed response bodies (zip, tar, tgz, gz, zst, and csv) based on the server-supplied content-type, materialising the full decompressed contents in memory with no size cap. An attacker-controlled (or redirect-reachable) endpoint could return a tiny "decompression bomb" that expanded to gigabytes and exhausted the node's memory.

  Now only JSON is decoded by default. Other formats are opt-in via the new :decoders option, which defaults to [:json, :json_api]. Setting it replaces the default (include :json to keep JSON decoding), and false disables all decoding:

  # opt into archives (only for endpoints you trust):
  Req.get!(url, decoders: [:json, :zip])
  

  Note: The decoded zip/tar is still list of {filename :: charlist(), contents :: binary} tuples. In the future release, this will be list of {filename :: binary(), contents :: binary()} tuples.

  While automatic CSV decoding wasn't a security issue, the behaviour based on presence/absence of nimble_csv dependency was suprising. CSV support is still built-in but need to be enabled with decoders: [:csv].

  Custom decoders are supported via {format, codec} tuples, where codec is a module exporting decode/1 or a 1-arity function returning an :ok/:error tuple, for example:

... (truncated)

Commits

• 36a8252 Release v0.6.1
• ea5506f compressed, decompress_body: Disable automatic decompression
• 8e7425f Release v0.6.0
• 584a490 decode_body: Drop automatic zip/tar/tgz/gz/zst/csv decoding
• 2d77dbe encode_body: Security fix for :form_multipart header injection
• 53c3b99 Release v0.5.18
• dc1f3be Update ex_doc
• dbd145c Update CHANGELOG.md
• 75f077e retry: Automatically retry on :pool_not_available
• 4cfbf54 run_finch: Normalize Finch.TransportError,HTTPError (Finch 0.22+) (#544)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)