
fix(deps): bump hackney to 4.x to address security advisories#104

Open
jtippett wants to merge 1 commit into
workos:mainfrom
jtippett:fix/hackney-cve-bump

Conversation

@jtippett


Summary

hackney releases <= 4.0.1 are affected by a batch of security advisories fixed in hackney 4.0.2+, including:

There is no 1.x backport, so the previous {:hackney, "~> 1.9"} constraint could only ever resolve to vulnerable releases (the lockfile sat at 1.20.1).

Changes

  • Widen the hackney constraint to ~> 1.21 or ~> 4.0 and >= 4.0.2, mirroring Tesla's own hackney adapter constraint. This keeps backward compatibility for downstream consumers still on hackney 1.x while allowing (and, on a fresh resolve, preferring) the patched 4.x line.
  • Update mix.lock so it resolves to hackney 4.4.5.
  • Bump tesla 1.8.0 → 1.20.0: older Tesla capped its optional hackney dependency at ~> 1.6, which blocked 4.x resolution. Recent Tesla declares ~> 1.21 or ~> 4.0 and >= 4.0.2 and its hackney adapter supports the 4.x API.

Why this is low-risk

  • The SDK uses hackney only as the default Tesla adapter — it never calls hackney directly — so the major bump is absorbed by Tesla's adapter.
  • The test suite runs against Tesla.Mock, so hackney isn't exercised in tests.

Verification

  • MIX_ENV=prod mix compile --force — clean compile with hackney 4.4.5 + tesla 1.20.0.
  • mix test — 113 passed.
  • mix hex.audit — no retired packages.

hackney <= 4.0.1 is affected by a batch of advisories fixed in 4.0.2+
(e.g. CVE-2026-47075 CRLF injection / HTTP request splitting,
CVE-2026-47066 infinite loop, CVE-2026-47070, CVE-2026-47077). There is
no 1.x backport, so the previous `~> 1.9` constraint could only resolve
to vulnerable releases.

Widen the constraint to `~> 1.21 or ~> 4.0 and >= 4.0.2`, mirroring
Tesla's own hackney adapter constraint, and update the lock so it
resolves to hackney 4.4.5. Tesla is bumped 1.8.0 -> 1.20.0 because older
Tesla capped its optional hackney dependency at `~> 1.6`, which blocked
4.x resolution.

workos uses hackney only as the default Tesla adapter (never directly),
and the test suite runs against Tesla.Mock, so the major bump is
absorbed by Tesla's adapter. Full suite passes (113 tests).
@jtippett jtippett requested a review from a team as a code owner June 28, 2026 11:16
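The constraint change described above, as an added example that is not code from the workos SDK, Tesla or hackney: it evaluates a mix.lock fragment the way Mix reads the file (the lock is Elixir term syntax), compares the locked hackney release against the first patched version, 4.0.2, and checks whether the old and the widened mix.exs requirement admit that release. The lock fragments and their checksums are constructed placeholders.

```elixir
# Added example; not code from the workos SDK or from Tesla/hackney.
defmodule HackneyLockCheck do
  @first_patched ">= 4.0.2"

  # Evaluate lock text the way Mix reads mix.lock; returns a map of dep name => entry.
  def parse_lock(text) do
    {lock, _binding} = Code.eval_string(text)
    lock
  end

  # Hex lock entries are tuples {:hex, name, version, ...}; the version sits at index 2.
  def locked_version(lock) do
    case Map.fetch(lock, :hackney) do
      {:ok, entry} when is_tuple(entry) and elem(entry, 0) == :hex -> {:ok, elem(entry, 2)}
      _ -> :missing
    end
  end

  # Classify the locked release and report whether the given mix.exs requirement admits it.
  # Elixir's Version requirement grammar understands "and"/"or", with "and" binding tighter.
  def status(lock, requirement) do
    with {:ok, v} <- locked_version(lock) do
      state = if Version.match?(v, @first_patched), do: :patched, else: :vulnerable
      {state, v, Version.match?(v, requirement)}
    end
  end
end

old_req = "~> 1.9"
new_req = "~> 1.21 or ~> 4.0 and >= 4.0.2"

# Constructed before/after lock fragments; "INNER"/"OUTER" stand in for the real checksums.
old_lock =
  HackneyLockCheck.parse_lock(
    ~S|%{"hackney": {:hex, :hackney, "1.20.1", "INNER", [:rebar3], [], "hexpm", "OUTER"}}|
  )

new_lock =
  HackneyLockCheck.parse_lock(
    ~S|%{"hackney": {:hex, :hackney, "4.4.5", "INNER", [:rebar3], [], "hexpm", "OUTER"}}|
  )

# The old constraint keeps the old, unpatched lock entry without complaint.
IO.inspect(HackneyLockCheck.status(old_lock, old_req), label: "old lock, old requirement")
# The widened constraint no longer admits 1.20.1, so a re-resolve is forced.
IO.inspect(HackneyLockCheck.status(old_lock, new_req), label: "old lock, new requirement")
# The new lock entry is on the patched line and is admitted by the widened constraint.
IO.inspect(HackneyLockCheck.status(new_lock, new_req), label: "new lock, new requirement")
```

Run with `elixir hackney_lock_check.exs`; pointing `parse_lock/1` at `File.read!("mix.lock")` turns it into a quick check you can run in CI alongside `mix hex.audit`.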

greptile-apps Bot commented Jun 28, 2026


Greptile Summary

This PR updates the HTTP dependency set used by the SDK. The main changes are:

  • Widened the direct hackney constraint to allow patched 4.x releases while keeping a compatible 1.x path.
  • Updated mix.lock to resolve hackney to 4.4.5.
  • Updated tesla and related transitive dependencies needed for the new hackney resolution.

Confidence Score: 5/5

The dependency-only changes are merge-safe based on the provided compile, test, and audit verification.

The changed files are limited to dependency constraints and lockfile updates, and the described verification covers compilation, the test suite, and package audit results.

T-Rex Logs

What T-Rex did

  • Compared before/after lockfile versions and constraints during dependency resolution and verified the downstream hackney compatibility checks; the scripts used to generate these captures are saved for review.
  • Compared base dependency versions for hackney and tesla; observed that compile/test/audit could not run in this environment, so the PR claim remains unverified.




chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cd57e85968

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread mix.lock
"idna": {:hex, :idna, "6.1.1", "8a63070e9f7d0c62eb9d9fcb360a7de382448200fbbd1b106cc96d3d8099df8d", [:rebar3], [{:unicode_util_compat, "~> 0.7.0", [hex: :unicode_util_compat, repo: "hexpm", optional: false]}], "hexpm", "92376eb7894412ed19ac475e4a86f7b413c1b9fbb5bd16dccd57934157944cea"},
"jason": {:hex, :jason, "1.4.1", "af1504e35f629ddcdd6addb3513c3853991f694921b1b9368b0bd32beb9f1b63", [:mix], [{:decimal, "~> 1.0 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm", "fbb01ecdfd565b56261302f7e1fcc27c4fb8f32d56eab74db621fc154604a7a1"},
"h2": {:hex, :h2, "0.10.2", "ea0146b9c8b5f3b5de16045765f5684db38ef1e66f1c60444890948cb1003e47", [:rebar3], [], "hexpm", "497a899f338b42e6a0b292524e635b0ce6f9379fa39395c8e38d06351cd9b9cf"},
"hackney": {:hex, :hackney, "4.4.5", "a908f620525bb886a16613532324762e5166287f8c00c9888a762edee11a30c0", [:rebar3], [{:certifi, "~> 2.17.0", [hex: :certifi, repo: "hexpm", optional: false]}, {:h2, "~> 0.10.1", [hex: :h2, repo: "hexpm", optional: false]}, {:idna, "~> 7.1.0", [hex: :idna, repo: "hexpm", optional: false]}, {:mimerl, "~> 1.4", [hex: :mimerl, repo: "hexpm", optional: false]}, {:parse_trans, "3.4.2", [hex: :parse_trans, repo: "hexpm", optional: false]}, {:quic, "~> 1.6.5", [hex: :quic, repo: "hexpm", optional: false]}, {:ssl_verify_fun, "~> 1.1.0", [hex: :ssl_verify_fun, repo: "hexpm", optional: false]}, {:webtransport, "~> 0.4.1", [hex: :webtransport, repo: "hexpm", optional: false]}], "hexpm", "6d72bef4e135e94c522c271e11fbb6933efb0006ef235a3933807d0be73b71ec"},
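Review bot: the idna entry shown in this region is still 6.1.1, while the hackney 4.4.5 entry on the last line requires `{:idna, "~> 7.1.0", ...}`, so these two lines cannot both belong to a consistent lockfile; please confirm the idna line is old-side context and that the updated mix.lock carries a 7.1.x idna entry, otherwise `mix deps.get` will re-resolve or the lock check will fail. Note also that every dependency listed for hackney 4.4.5 here, quic and webtransport included, is `optional: false`, which is what pulls the OTP-26-only quic into every build that resolves this version.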


P1: Avoid pulling quic into OTP 25 builds

The CI matrix still includes an OTP 25.3 job (.github/workflows/main.yml:30-31) and that job runs mix do deps.get, deps.compile (.github/workflows/main.yml:57-59), but this lock entry makes quic a non-optional transitive dependency of hackney 4.4.5. quic 1.6.x declares {minimum_otp_vsn, "26"}, so the OTP 25 job and users on that still-supported runtime will fail during dependency compilation even though mix.exs still advertises broad Elixir support. Please either drop OTP 25 support or avoid resolving a hackney version that pulls this OTP 26-only dependency for supported builds.

