Bump the production-dependencies group with 6 updates

[dependabot]

Bumps the production-dependencies group with 6 updates:

Package	From	To
bandit	1.10.4	1.11.0
jason	1.4.4	1.4.5
phoenix	1.8.5	1.8.7
phoenix_live_view	1.1.28	1.1.30
postgrex	0.22.0	0.22.1
swoosh	1.25.0	1.25.2

Updates bandit from 1.10.4 to 1.11.0

Changelog

Sourced from bandit's changelog.

1.11.0 (1 May 2026)

Fixes

• Fix WebSocket inflate vulnerability (CVE-2026-39804, commit 8156921, thanks @​PJUllrich & @​maennchen!)
• Fix WebSocket continuation frame handling vulnerability (CVE-2026-42786, commit 21612c7, thanks @​PJUllrich & @​maennchen!)
• Fix HTTP/2 frame size parsing vulnerability (CVE-2026-42788, commit 1e8e559, thanks @​PJUllrich & @​maennchen!)
• Improve handling of zero/negative length & offset parameters to send_file (#580, thanks @​PJUllrich & @​maennchen!)

Enhancements

• Define a new max_inflate_ratio WebSocket configuration option that defines a maximum allowable decompression ratio to help mitigate inflate bombing. Defaults to 25:1
• Define a new max_fragmented_message_size WebSocket configuration option which defines the maximum allowed WebSocket frame size (inclusive of continuation frames). Defaults to 8MB

Changes

• The default value of the max_frame_size WebSocket option has changed from :infinity to 8MB
• Zero length non-fin continuation frames are now disallowed (we now skip Autobahn 6.1.2 as a result)
• Multiple content-length fields in an HTTP/1 request are now disallowed (CVE-2026-39805, commit f2ca636, thanks @​PJUllrich & @​maennchen!)
• We now only use the underlying transport when determining scheme (CVE-2026-39807, commit 45feea2, thanks @​PJUllrich & @​maennchen!)

Commits

• e626198 Version bump to 1.11.0
• 014c157 Tweaks to Autobahn test suite
• 1e8e559 Merge commit from fork
• 45feea2 Merge commit from fork
• f2ca636 Merge commit from fork
• 21612c7 Merge commit from fork
• 8156921 Merge commit from fork
• fc3cf61 Improve handling of edge cases in send_file (#580)
• 1085ad0 Bump machete from 0.3.11 to 0.3.12 (#579)
• c70e175 Bump credo from 1.7.17 to 1.7.18 (#578)
• See full diff in compare view

Updates jason from 1.4.4 to 1.4.5

Changelog

Sourced from jason's changelog.

1.4.5 (05.05.2026)

• Add support for Decimal 3.0

Commits

• 4ede428 Bump v1.4.5
• b8c2185 Fix dialyzer job
• a363975 Modernise CI to currently supported versions
• 243c8a8 Allow decimal 3.0
• c8e8d05 Revert the experimental 1.5 branch and jason_native experiment
• 0e7a3e2 Add example/doctest for Jason.OrderedObject.new/1
• 984bc07 fix broken link
• f775592 Raise if trying to decode decimals without decimal
• 79d59df Remove unneeded workarounds for xref warnings
• baac78e Fix warnings by conditionally compiling Decimal support
• Additional commits viewable in compare view

Updates phoenix from 1.8.5 to 1.8.7

Changelog

Sourced from phoenix's changelog.

1.8.7 (2026-05-06)

Bug fixes

• Fix invalid status when longpoll request times out

Enhancements

• Mask token parameter in logs by default (in addition to "password")

JavaScript Client Bug Fixes

• Fix encoding of non-ASCII metadata in binary channel messages

1.8.6 (2026-05-05)

Security fixes

• CVE-2026-32689: Fix Phoenix.Socket Longpoll transport memory exhaustion in nd-JSON body splitting

Enhancements

• [phoenix] Raise if use Phoenix.VerifiedRoutes is called multiple times in the same module
• [phoenix] Fix more deprecation and type checker warnings on Elixir 1.20
• [phoenix] Raise when interpolating a list in Phoenix.VerifiedRoutes (#6632)
• [phoenix] Gracefully handle non-binary vsn socket parameter (#6662)
• [phx.gen.*] Use .eex filename suffix in generator files
• [phx.new] Add interactive mode: mix phx.new --interactive (#6630)
• [phx.new] Add phx-no-format to generated <.live_title> tag (#6667)

Bug fixes

• [phx.gen.*] Fix generated migrations for myxql when using scopes (#6635)
• [phx.new] Fix crash when parent directory contains a colon (#6633)

Commits

• ba3a131 Release v1.8.7
• e74eacc fix invalid status on longpoll window timeout
• 035fde9 Update assets
• eb5f52f Correctly serialize non ASCII metadata (#6664)
• a99c5e8 Filter token parameters by default (#6665)
• 2190111 update installer version
• ddcdadb Release v1.8.6
• 1a67c61 prevent unexpected memory usage on nd-json body splitting
• 8ca76a2 fix a couple of typos (#6672)
• 6214d83 Bump postcss from 8.5.6 to 8.5.13 (#6671)
• Additional commits viewable in compare view

Updates phoenix_live_view from 1.1.28 to 1.1.30

Release notes

Sourced from phoenix_live_view's releases.

v1.1.30

Bug fixes

• Ensure internal phx-viewport hook does not crash on update if no scroll container is used (#4214), introduced in v1.1.29.

v1.1.29

Bug fixes

• Prevent JS crash when hook has a duplicate ID (#4196)
• Recompute scroll container for phx-viewport bindings if it is no longer available (#4169)
• Fix phx-viewport events not firing when container has horizontal overflow (#3897)
• Handle locks on skipped nodes (#4209)
• Use moveBefore if available when reordering stream elements (#4212)

Changelog

Sourced from phoenix_live_view's changelog.

v1.1.30 (2026-05-05)

Bug fixes

• Ensure internal phx-viewport hook does not crash on update if no scroll container is used (#4214), introduced in v1.1.29.

v1.1.29 (2026-05-04)

Bug fixes

• Prevent JS crash when hook has a duplicate ID (#4196)
• Recompute scroll container for phx-viewport bindings if it is no longer available (#4169)
• Fix phx-viewport events not firing when container has horizontal overflow (#3897)
• Handle locks on skipped nodes (#4209)
• Use moveBefore if available when reordering stream elements (#4212)

Commits

• fdbbe52 Release v1.1.30
• 970932b Update assets
• ff31d01 Ensure phx-viewport hook does not fail if there's no scrollContainer
• 24090b5 Release v1.1.29
• cc83643 Update assets
• 8deb3e5 Use moveBefore if supported when reordering stream items (#4213)
• 174dad5 DOM patching: Fall back to PHX_MAGIC_ID if node ID was touched by client hook...
• 4e18a20 handle locks on skipped nodes (#4210)
• 031f00c Remove unreachable error clause in UploadTmpFileWriter.write_chunk/2
• 0b4005b Optimize traverse_dynamic for nil and binary entries
• Additional commits viewable in compare view

Updates postgrex from 0.22.0 to 0.22.1

Changelog

Sourced from postgrex's changelog.

v0.22.1 (2026-03-05)

• Enhancements

  • Relax decimal requirement
  • Set process labels in Postgrex processes

• Bug fixes

  • Return proper error when getting tcp closed after fatal errors

Commits

• f78f401 Release v0.22.1
• 03717e9 Add multirange to sidebar section
• 0f92ae3 Return proper error when getting tcp closed after fatal errors (#765)
• 3385a98 Set some process labels (#764)
• e4f7942 Simplify decode simple handling to avoid unused clauses
• df184a4 Release v0.22.0
• de38918 Add text query support (#761)
• b3e895a Support infinite intervals (#759)
• See full diff in compare view

Updates swoosh from 1.25.0 to 1.25.2

Release notes

Sourced from swoosh's releases.

v1.25.2 🚀

• chore: prepare 1.25.2 patch release @​copilot-swe-agent (#1136)
• Fix release comment workflow repository checkout @​copilot-swe-agent (#1128)

🐛 Bug Fixes

• fix(config): prioritize runtime config for Mailer @​ukashazia (#1134)

⛓️ Dependency

• Bump jason from 1.4.4 to 1.4.5 @​dependabot (#1130)
• Bump bandit from 1.10.4 to 1.11.0 @​dependabot (#1129)

v1.25.1 🚀

✨ Features

• fix: assert_no_email_sent and refute_email_sent now catch deliver_many @​donleandro (#1123)
• Escape email content in mailbox preview UI @​mogest (#1124)

⛓️ Dependency

• Bump plug_cowboy from 2.8.0 to 2.8.1 @​dependabot (#1126)

New Contributors

• @​donleandro made their first contribution in swoosh/swoosh#1123
• @​mogest made their first contribution in swoosh/swoosh#1124

Full Changelog: swoosh/swoosh@v1.25.0...v1.25.1

Changelog

Sourced from swoosh's changelog.

1.25.2

🐛 Bug Fixes

• fix(config): prioritize runtime config for Mailer @​ukashazia (#1134)

1.25.1

🐛 Bug Fixes

• Escape email content in mailbox preview UI @​mogest (#1124)
• fix: assert_no_email_sent and refute_email_sent now catch deliver_many @​donleandro (#1123)

Commits

• 7baea5c Bump jason from 1.4.4 to 1.4.5 (#1130)
• 37342ca chore: prepare 1.25.2 patch release (#1136)
• f6eedb4 fix(config): prioritize runtime config for Mailer (#1134)
• 5596e97 Bump bandit from 1.10.4 to 1.11.0 (#1129)
• f656c6b Fix release comment workflow checkout (#1128)
• 2aa9af4 Bump version to 1.25.1 (#1127)
• df97f1c Bump plug_cowboy from 2.8.0 to 2.8.1 (#1126)
• 397562e Regenerate styles with Tailwind CSS
• 3e4ff5f fix: use github.ref_name instead of github.ref for tailwind branch name
• f0b12c0 Escape email content in mailbox preview UI (#1124)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions