Releases: hexpm/hex_core

v0.17.0

19 May 22:42

  • Add aliases field to SecurityAdvisory proto for cross-referencing advisories (e.g. GHSA/CVE pairs).
  • Add hex_advisory:group_for_display/1 to deduplicate advisories that share aliases.

v0.16.0

13 May 16:58

  • Validate tarball file paths and symlink targets when creating package and docs tarballs.
  • Add tarball_files_root config for tarball source paths, defaulting to the current directory and allowing absolute paths only inside that root.
  • Add streaming metadata.config decoding and increase max metadata size to 1024KB.
  • Add metadata_fields config to decode only selected package metadata fields.
  • Add security advisory fields to package and versions registry resources.
  • Add hex_repo:fingerprint/1 and hex_repo:fingerprint_equal/2 for repository public key verification.
  • Return response headers from hex_http_httpc:request_to_file/6.
  • Accept SPDX LicenseRef-* license identifiers.

v0.15.0

09 Mar 21:37

  • Add request_to_file callback to hex_http behaviour for streaming HTTP response body directly to a file.
  • Add hex_repo:get_tarball_to_file/4 and hex_repo:get_docs_to_file/4 for downloading tarballs and docs directly to disk.
  • Implement request_to_file in hex_http_httpc using httpc's {stream, Filename} option.

v0.14.1

09 Mar 19:42

  • Add max_size extraction limit to package inner tarball and docs tarball unpacking for zip bomb protection.

v0.14.0

09 Mar 13:33

  • Stream tar extraction to disk, writing file entries in chunks instead of loading into memory.
  • Add {file, Path} support to hex_tarball:unpack_docs/2,3 to read doc tarballs from disk.
  • Add none output mode to hex_tarball:unpack/2,3 to extract only metadata and checksums, skipping contents.

v0.13.0

08 Mar 17:29

  • Add file-based unpack via hex_tarball:unpack({file, Path}, Output) to avoid loading entire tarball into memory.
  • Add size validations for outer tarball entries (VERSION, CHECKSUM, metadata.config) during creation and extraction.

v0.12.1

27 Feb 16:16

  • Fix unsafe deserialization of Erlang terms in API responses (CVE-2026-21619).

v0.12.0

26 Oct 09:42

  • Add short URL API hex_api_short_url:create/2.
  • Add OAuth API:
    • hex_api_oauth:device_authorization/3,4
    • hex_api_oauth:poll_device_token/3
    • hex_api_oauth:refresh_token/3
    • hex_api_oauth:revoke_token/3
    • hex_api_oauth:client_credentials_token/4,5
  • Support 2FA authentication: any API request can now return {error, otp_required | invalid_totp}
    if 2FA is required. The config option api_otp can be used to provide the TOTP code.
  • Differentiate between registry verification errors. {error, unverified} has been replaced with
    {error, bad_repo_name | bad_signature}.
  • Support nested maps in extra package metadata field.

v0.10.1

11 Jun 18:16

  • Update hex_licenses module to reflect most recent list available from SPDX.

v0.10.0

09 May 07:47

  • Drop support for old OTP and Rebar versions. hex_core now requires OTP20+ and Rebar 3.15.1+.

  • Add hex_repo:get_docs/3 and hex_repo:get_public_key/1.