inhji/hajur

Fork 0

Update dependency erlang to v28.5 #50

Open

renovate wants to merge 1 commit from renovate/erlang-28.x into main

renovate commented

2026-05-06 14:32:28 +02:00

Collaborator

This PR contains the following updates:

Package	Update	Change
erlang	minor	`28.4.2` → `28.5`

Release Notes

erlang/otp (erlang)

`v28.5`: OTP 28.5

Compare Source

Patch Package:           OTP 28.5
Git Tag:                 OTP-28.5
Date:                    2026-04-23
Trouble Report Id:       OTP-16607, OTP-19162, OTP-19967, OTP-20038,
                         OTP-20043, OTP-20082, OTP-20094, OTP-20098,
                         OTP-20101, OTP-20106
Seq num:                 GH-10667, GH-10812, GH-10915, GH-10967,
                         OTP-16608, PR-10431, PR-10881, PR-10908,
                         PR-10924, PR-10957, PR-10976, PR-11002,
                         PR-11045
System:                  OTP
Release:                 28
Application:             erl_interface-5.7, erts-16.4, mnesia-4.25.3,
                         ssl-11.6
Predecessor:             OTP 28.4.3

Check out the git tag OTP-28.5, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

HIGHLIGHTS

There is a new "Secure Coding Guidelines" document in Design Principles describing how to write secure Erlang code.

Own Id: OTP-20043
Application(s): otp
Related Id(s): PR-10431

OTP-28.5

Improvements and New Features

There is a new "Secure Coding Guidelines" document in Design Principles describing how to write secure Erlang code.

Own Id: OTP-20043
Related Id(s): PR-10431

*** HIGHLIGHT ***

erl_interface-5.7

The erl_interface-5.7 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

A new configure option --{enable,disable}-use-embedded-3pp-alternatives has been added. When enabled, configure is forced to find alternatives, to a subset, of the embedded third-party products (3pps) in the runtime system, and when disabled, configure will use all internal embedded 3pps. Currently this option affects zstd, zlib, ryu (with STL), openssl and tcl. The default is to use all built-in embedded 3pps except for zlib which by default will use zlib on the OS if available.

Requirements for alternatives:
- zstd - Static library and include files of at least version 1.5.6 needs to be available.
- zlib - Library and include files of at least version 1.2.5 needs to be available.
- ryu (with STL) - A usable C++ compiler with C++17 support.
- openssl - No requirements. Our own MD5 implementation will be used.
- tcl - The strerrorname_np() function (introduced in glibc 2.32) mapping errno integers to symbolic names needs to be available.
The argument embedded_3pps has been added to erlang:system_info/1. It returns a map with information about the use of embedded 3pps in the runtime system.

Own Id: OTP-20106
Related Id(s): PR-11045

Known Bugs and Problems

The ei API for decoding/encoding terms is not fully 64-bit compatible since terms that have a representation on the external term format larger than 2 GB cannot be handled.

Own Id: OTP-16607
Related Id(s): OTP-16608

erts-16.4

The erts-16.4 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

Fixed bug in enif_make_map_from_arrays for arrays with at least 33 keys. If duplicate keys existed, instead of failing, it would skip the duplicates. If less than 33 unique keys existed, an internally inconsistent and broken map was returned.

Own Id: OTP-20098
Related Id(s): PR-10976
Fixed an issue when supplying the args_file option to erl.exe on windows that did not handle unicode characters correctly.

Own Id: OTP-20101
Related Id(s): GH-10667

Improvements and New Features

A new configure option --{enable,disable}-use-embedded-3pp-alternatives has been added. When enabled, configure is forced to find alternatives, to a subset, of the embedded third-party products (3pps) in the runtime system, and when disabled, configure will use all internal embedded 3pps. Currently this option affects zstd, zlib, ryu (with STL), openssl and tcl. The default is to use all built-in embedded 3pps except for zlib which by default will use zlib on the OS if available.

Requirements for alternatives:
- zstd - Static library and include files of at least version 1.5.6 needs to be available.
- zlib - Library and include files of at least version 1.2.5 needs to be available.
- ryu (with STL) - A usable C++ compiler with C++17 support.
- openssl - No requirements. Our own MD5 implementation will be used.
- tcl - The strerrorname_np() function (introduced in glibc 2.32) mapping errno integers to symbolic names needs to be available.
The argument embedded_3pps has been added to erlang:system_info/1. It returns a map with information about the use of embedded 3pps in the runtime system.

Own Id: OTP-20106
Related Id(s): PR-11045

Full runtime dependencies of erts-16.4

kernel-9.0, sasl-3.3, stdlib-4.1

mnesia-4.25.3

The mnesia-4.25.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

Added documentation for user_properties and functions read_table_property/2, write_table_property/2, delete_table_property. Enhanced documentation for frag_properties.

Own Id: OTP-20038
Related Id(s): GH-10812, PR-10881
Fixed a bug where stacktrace was not returned from mnesia:transaction/1 when transaction aborts with an error exception.

Own Id: OTP-20094
Related Id(s): GH-10967, PR-11002

Full runtime dependencies of mnesia-4.25.3

erts-9.0, kernel-5.3, stdlib-5.0

ssl-11.6

Note! The ssl-11.6 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependencies have to be satisfied:
   -- crypto-5.8 (first satisfied in OTP 28.3)
   -- public_key-1.20.3 (first satisfied in OTP 28.4.2)

Fixed Bugs and Malfunctions

Preserve inet option order, as inet_backend option must be first option. Will make inet_backend option work for ssl independently of number of inet supplied options.

Own Id: OTP-19162
Related Id(s): PR-10908
Missing conformance check for signature algorithms in TLS-1.3 could cause selection of incompatible certificate when a server is configured with more than one possible certificate.

Own Id: OTP-20082
Related Id(s): GH-10915, PR-10924

Improvements and New Features

Avoid unnecessary memory consumption for temporary processes in a supervision tree.

Own Id: OTP-19967
Related Id(s): PR-10957

Full runtime dependencies of ssl-11.6

crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.20.3, runtime_tools-1.15.1, stdlib-7.0

Thanks to

felipe stival, Hewwho, Hugo Baraúna, Nick Vatamaniuc, Viktor Söderqvist, William Yang

`v28.4.3`: OTP 28.4.3

Compare Source

Patch Package:           OTP 28.4.3
Git Tag:                 OTP-28.4.3
Date:                    2026-04-21
Trouble Report Id:       OTP-20081, OTP-20086, OTP-20104
Seq num:                 #&#8203;10968, CVE-2026-32147, PR-10985, PR-11027
System:                  OTP
Release:                 28
Application:             kernel-10.6.3, ssh-5.5.2
Predecessor:             OTP 28.4.2

Check out the git tag OTP-28.4.3, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

OTP-28.4.3

Fixed Bugs and Malfunctions

Fix the otp_patch_apply script to properly handle installation of documentation for OTP versions with more than one digit in version parts less significant than the major version.

Own Id: OTP-20086
Related Id(s): PR-10985

kernel-10.6.3

The kernel-10.6.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

On Windows, sockets has to be bound when using 'socket'. Therefor when using gen_tcp with inet_backend = socket, gen_tcp_socket bind even if the caller has not provided an explicit bind address. In that case it attempts to locate a "proper" address on its own. But if the connect address is the loopback address, this could lead to an attempt to bind to an external interface. So, this has now been changed so that if the connect address is the loopback address, the loopback address will also be used when binding.

Own Id: OTP-20104
Related Id(s): #10968

Full runtime dependencies of kernel-10.6.3

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0

ssh-5.5.2

Note! The ssh-5.5.2 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependency has to be satisfied:
   -- crypto-5.7 (first satisfied in OTP 28.1)

Fixed Bugs and Malfunctions

Fixed a vulnerability in the SFTP server where file attributes could be modified outside the configured root directory. When using FSETSTAT on an open file handle, the operation used the path stored in the handle without verifying it was within the root directory, allowing attribute changes to files outside the chroot boundary.

Thanks to John Downey.

Own Id: OTP-20081
Related Id(s): PR-11027, CVE-2026-32147

Full runtime dependencies of ssh-5.5.2

crypto-5.7, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [erlang](https://github.com/erlang/otp) | minor | `28.4.2` → `28.5` | --- ### Release Notes <details> <summary>erlang/otp (erlang)</summary> ### [`v28.5`](https://github.com/erlang/otp/releases/tag/OTP-28.5): OTP 28.5 [Compare Source](https://github.com/erlang/otp/compare/OTP-28.4.3...OTP-28.5) ``` Patch Package: OTP 28.5 Git Tag: OTP-28.5 Date: 2026-04-23 Trouble Report Id: OTP-16607, OTP-19162, OTP-19967, OTP-20038, OTP-20043, OTP-20082, OTP-20094, OTP-20098, OTP-20101, OTP-20106 Seq num: GH-10667, GH-10812, GH-10915, GH-10967, OTP-16608, PR-10431, PR-10881, PR-10908, PR-10924, PR-10957, PR-10976, PR-11002, PR-11045 System: OTP Release: 28 Application: erl_interface-5.7, erts-16.4, mnesia-4.25.3, ssl-11.6 Predecessor: OTP 28.4.3 ``` Check out the git tag OTP-28.5, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp\_patch\_apply' tool. For information on install requirements, see descriptions for each application version below. ### HIGHLIGHTS - There is a new "Secure Coding Guidelines" document in [Design Principles] describing how to write secure Erlang code. Own Id: OTP-20043\ Application(s): otp\ Related Id(s): [PR-10431] ### OTP-28.5 #### Improvements and New Features - There is a new "Secure Coding Guidelines" document in [Design Principles] describing how to write secure Erlang code. Own Id: OTP-20043\ Related Id(s): [PR-10431] \*\*\* HIGHLIGHT \*\*\* ### erl\_interface-5.7 The erl\_interface-5.7 application can be applied independently of other applications on a full OTP 28 installation. #### Improvements and New Features - A new `configure` option [`--{enable,disable}-use-embedded-3pp-alternatives` ][`--{enable,disable}-use-embedded-3pp-alternatives`] has been added. When *enabled*, `configure` is forced to find alternatives, to a subset, of the embedded third-party products (*3pps*) in the runtime system, and when *disabled*, `configure` will use all internal embedded 3pps. Currently this option affects `zstd`, `zlib`, `ryu` (with `STL`), `openssl` and `tcl`. The default is to use all built-in embedded 3pps except for `zlib` which by default will use `zlib` on the OS if available. Requirements for alternatives: - `zstd` - Static library and include files of at least version 1.5.6 needs to be available. - `zlib` - Library and include files of at least version 1.2.5 needs to be available. - `ryu` (with `STL`) - A usable C++ compiler with C++17 support. - `openssl` - No requirements. Our own MD5 implementation will be used. - `tcl` - The `strerrorname_np()` function (introduced in glibc 2.32) mapping errno integers to symbolic names needs to be available. The argument [`embedded_3pps`] has been added to `erlang:system_info/1`. It returns a map with information about the use of embedded 3pps in the runtime system. Own Id: OTP-20106\ Related Id(s): [PR-11045] #### Known Bugs and Problems - The `ei` API for decoding/encoding terms is not fully 64-bit compatible since terms that have a representation on the external term format larger than 2 GB cannot be handled. Own Id: OTP-16607\ Related Id(s): OTP-16608 ### erts-16.4 The erts-16.4 application can be applied independently of other applications on a full OTP 28 installation. #### Fixed Bugs and Malfunctions - Fixed bug in `enif_make_map_from_arrays` for arrays with at least 33 keys. If duplicate keys existed, instead of failing, it would skip the duplicates. If less than 33 unique keys existed, an internally inconsistent and broken map was returned. Own Id: OTP-20098\ Related Id(s): [PR-10976] - Fixed an issue when supplying the args\_file option to erl.exe on windows that did not handle unicode characters correctly. Own Id: OTP-20101\ Related Id(s): [GH-10667] #### Improvements and New Features - A new `configure` option [`--{enable,disable}-use-embedded-3pp-alternatives` ][`--{enable,disable}-use-embedded-3pp-alternatives`] has been added. When *enabled*, `configure` is forced to find alternatives, to a subset, of the embedded third-party products (*3pps*) in the runtime system, and when *disabled*, `configure` will use all internal embedded 3pps. Currently this option affects `zstd`, `zlib`, `ryu` (with `STL`), `openssl` and `tcl`. The default is to use all built-in embedded 3pps except for `zlib` which by default will use `zlib` on the OS if available. Requirements for alternatives: - `zstd` - Static library and include files of at least version 1.5.6 needs to be available. - `zlib` - Library and include files of at least version 1.2.5 needs to be available. - `ryu` (with `STL`) - A usable C++ compiler with C++17 support. - `openssl` - No requirements. Our own MD5 implementation will be used. - `tcl` - The `strerrorname_np()` function (introduced in glibc 2.32) mapping errno integers to symbolic names needs to be available. The argument [`embedded_3pps`] has been added to `erlang:system_info/1`. It returns a map with information about the use of embedded 3pps in the runtime system. Own Id: OTP-20106\ Related Id(s): [PR-11045] > #### Full runtime dependencies of erts-16.4 > > kernel-9.0, sasl-3.3, stdlib-4.1 ### mnesia-4.25.3 The mnesia-4.25.3 application can be applied independently of other applications on a full OTP 28 installation. #### Fixed Bugs and Malfunctions - Added documentation for `user_properties` and functions `read_table_property/2`, `write_table_property/2`, `delete_table_property`. Enhanced documentation for `frag_properties`. Own Id: OTP-20038\ Related Id(s): [GH-10812], [PR-10881] - Fixed a bug where stacktrace was not returned from `mnesia:transaction/1` when transaction aborts with an error exception. Own Id: OTP-20094\ Related Id(s): [GH-10967], [PR-11002] > #### Full runtime dependencies of mnesia-4.25.3 > > erts-9.0, kernel-5.3, stdlib-5.0 ### ssl-11.6 Note! The ssl-11.6 application *cannot* be applied independently of other applications on an arbitrary OTP 28 installation. ``` On a full OTP 28 installation, also the following runtime dependencies have to be satisfied: -- crypto-5.8 (first satisfied in OTP 28.3) -- public_key-1.20.3 (first satisfied in OTP 28.4.2) ``` #### Fixed Bugs and Malfunctions - Preserve inet option order, as inet\_backend option must be first option. Will make inet\_backend option work for ssl independently of number of inet supplied options. Own Id: OTP-19162\ Related Id(s): [PR-10908] - Missing conformance check for signature algorithms in TLS-1.3 could cause selection of incompatible certificate when a server is configured with more than one possible certificate. Own Id: OTP-20082\ Related Id(s): [GH-10915], [PR-10924] #### Improvements and New Features - Avoid unnecessary memory consumption for temporary processes in a supervision tree. Own Id: OTP-19967\ Related Id(s): [PR-10957] > #### Full runtime dependencies of ssl-11.6 > > crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public\_key-1.20.3, runtime\_tools-1.15.1, stdlib-7.0 ### Thanks to felipe stival, Hewwho, Hugo Baraúna, Nick Vatamaniuc, Viktor Söderqvist, William Yang [design principles]: https://www.erlang.org/doc/system/design_principles.html [gh-10667]: https://github.com/erlang/otp/issues/10667 [gh-10812]: https://github.com/erlang/otp/issues/10812 [gh-10915]: https://github.com/erlang/otp/issues/10915 [gh-10967]: https://github.com/erlang/otp/issues/10967 [pr-10431]: https://github.com/erlang/otp/pull/10431 [pr-10881]: https://github.com/erlang/otp/pull/10881 [pr-10908]: https://github.com/erlang/otp/pull/10908 [pr-10924]: https://github.com/erlang/otp/pull/10924 [pr-10957]: https://github.com/erlang/otp/pull/10957 [pr-10976]: https://github.com/erlang/otp/pull/10976 [pr-11002]: https://github.com/erlang/otp/pull/11002 [pr-11045]: https://github.com/erlang/otp/pull/11045 [`--{enable,disable}-use-embedded-3pp-alternatives`]: https://erlang.org/doc/system/install.html#advanced-configuration-and-build-of-erlang-otp_configuring [`embedded_3pps`]: https://erlang.org/doc/man/erlang#system_info_embedded_3pps ### [`v28.4.3`](https://github.com/erlang/otp/releases/tag/OTP-28.4.3): OTP 28.4.3 [Compare Source](https://github.com/erlang/otp/compare/OTP-28.4.2...OTP-28.4.3) ``` Patch Package: OTP 28.4.3 Git Tag: OTP-28.4.3 Date: 2026-04-21 Trouble Report Id: OTP-20081, OTP-20086, OTP-20104 Seq num: #10968, CVE-2026-32147, PR-10985, PR-11027 System: OTP Release: 28 Application: kernel-10.6.3, ssh-5.5.2 Predecessor: OTP 28.4.2 ``` Check out the git tag OTP-28.4.3, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp\_patch\_apply' tool. For information on install requirements, see descriptions for each application version below. ### OTP-28.4.3 #### Fixed Bugs and Malfunctions - Fix the `otp_patch_apply` script to properly handle installation of documentation for OTP versions with more than one digit in version parts less significant than the major version. Own Id: OTP-20086\ Related Id(s): [PR-10985] ### kernel-10.6.3 The kernel-10.6.3 application can be applied independently of other applications on a full OTP 28 installation. #### Fixed Bugs and Malfunctions - On Windows, sockets has to be bound when using 'socket'. Therefor when using gen\_tcp with inet\_backend = socket, gen\_tcp\_socket bind even if the caller has not provided an explicit bind address. In that case it attempts to locate a "proper" address on its own. But if the connect address is the loopback address, this could lead to an attempt to bind to an external interface. So, this has now been changed so that if the connect address is the loopback address, the loopback address will also be used when binding. Own Id: OTP-20104\ Related Id(s): [#10968] > #### Full runtime dependencies of kernel-10.6.3 > > crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0 ### ssh-5.5.2 Note! The ssh-5.5.2 application *cannot* be applied independently of other applications on an arbitrary OTP 28 installation. ``` On a full OTP 28 installation, also the following runtime dependency has to be satisfied: -- crypto-5.7 (first satisfied in OTP 28.1) ``` #### Fixed Bugs and Malfunctions - Fixed a vulnerability in the SFTP server where file attributes could be modified outside the configured root directory. When using FSETSTAT on an open file handle, the operation used the path stored in the handle without verifying it was within the root directory, allowing attribute changes to files outside the chroot boundary. Thanks to John Downey. Own Id: OTP-20081\ Related Id(s): [PR-11027], [CVE-2026-32147] > #### Full runtime dependencies of ssh-5.5.2 > > crypto-5.7, erts-14.0, kernel-10.3, public\_key-1.6.1, runtime\_tools-1.15.1, stdlib-5.0, stdlib-6.0 [#10968]: https://github.com/erlang/otp/issues/10968 [cve-2026-32147]: https://nvd.nist.gov/vuln/detail/CVE-2026-32147 [pr-10985]: https://github.com/erlang/otp/pull/10985 [pr-11027]: https://github.com/erlang/otp/pull/11027 </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

renovate added 1 commit

2026-05-06 14:32:28 +02:00

chore(deps): update dependency erlang to v28.5 a6b09e0633

renovate force-pushed renovate/erlang-28.x from a6b09e0633 to 4eea69b750

2026-05-06 14:43:49 +02:00

Compare

renovate force-pushed renovate/erlang-28.x from 4eea69b750 to 15932b8dd2

2026-05-06 14:54:22 +02:00

Compare

renovate force-pushed renovate/erlang-28.x from 15932b8dd2 to 15053e570b

2026-05-06 14:57:29 +02:00

Compare