@dependabot dependabot bot commented on behalf of github Jan 28, 2026

Bumps hackney from 1.25.0 to 3.0.1.

Changelog

Sourced from hackney's changelog.

3.0.1 - 2026-01-28

Bug Fixes

  • Fix dialyzer warning in follow_redirect by removing dead code branch that checked is_pid() on a value that was always binary
  • Store final redirect location in connection process state so it can be retrieved via hackney:location/1
  • Clean up request_ret() type spec to accurately reflect return values

3.0.0 - 2026-01-27

BREAKING CHANGES

This is a major release with breaking changes to the high-level API. See Migration Guide for detailed upgrade instructions.

Response Format Change

The high-level API now returns the response body directly in the tuple, consistent across all protocols (HTTP/1.1, HTTP/2, HTTP/3):

```erlang
%% Before (2.x) - HTTP/1.1
{ok, 200, Headers, ConnPid} = hackney:get(URL),
{ok, Body} = hackney:body(ConnPid).

%% After (3.x) - All protocols
{ok, 200, Headers, Body} = hackney:get(URL).
```

Removed Functions

The following deprecated functions have been removed:

| Function | Replacement |
|---|---|
| hackney:body/1 | Body returned directly in response tuple |
| hackney:body/2 | Body returned directly in response tuple |
| hackney:stream_body/1 | Use async mode with [async] or [{async, once}] |
| hackney:skip_body/1 | Not needed - body always consumed |

Security: Cross-Host Redirect Behavior (CVE-2018-1000007)

Authorization headers and credentials are no longer forwarded when following redirects to a different host. This prevents credential leakage when a server redirects to an untrusted host.

To restore the previous behavior (not recommended), use the location_trusted option:

```erlang
hackney:get(URL, [], <<>>, [{location_trusted, true}]).
```

... (truncated)

Commits
  • 6c8046d release: version 3.0.1
  • 515745f fix: store final redirect location in connection process
  • bee5ae0 fix: resolve dialyzer warning in follow_redirect
  • 38d8baa Merge pull request #822 from benoitc/fix/consistent-response-format
  • 491faa3 fix(docs): use edoc quote syntax for inline code
  • b4436d3 docs: update version references to 3.0.0
  • 854d57a docs: add manual connection management documentation
  • 64412e6 release: version 3.0.0
  • badebc6 feat(http3): add setopts/2 support for HTTP/3 connections
  • ac4ebb0 feat(http3): add peercert/1 support for HTTP/3 connections
  • Additional commits viewable in compare view


Bumps [hackney](https://github.com/benoitc/hackney) from 1.25.0 to 3.0.1.
- [Release notes](https://github.com/benoitc/hackney/releases)
- [Changelog](https://github.com/benoitc/hackney/blob/master/NEWS.md)
- [Commits](benoitc/hackney@1.25.0...3.0.1)

---
updated-dependencies:
- dependency-name: hackney
  dependency-version: 3.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
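
A reviewer's pre-merge check for this major bump, as an added example (not part of the PR, Dependabot's output or hackney itself): it scans Erlang and Elixir source for calls to the functions the 3.0.0 changelog lists as removed, and for `location_trusted` set to true, which opts back into forwarding credentials across hosts. The `audit` and `audit_tree` names and the sample sources are constructed for illustration; matching is by function name only, so every arity is flagged.

```python
import re
from pathlib import Path
# Functions the 3.0.0 changelog lists as removed, with the stated replacement.
REMOVED = {
    "body": "body is returned directly in the response tuple",
    "stream_body": "use async mode with [async] or [{async, once}]",
    "skip_body": "not needed, body is always consumed",
}
# Erlang `hackney:body(` and Elixir `:hackney.body(` call forms.
CALL_RE = re.compile(r"\bhackney[:.](%s)\s*\(" % "|".join(REMOVED))
# location_trusted set to true, as an Erlang/Elixir tuple or Elixir keyword.
TRUSTED_RE = re.compile(
    r"\{\s*:?location_trusted\s*,\s*true\s*\}|\blocation_trusted:\s*true\b")

def audit(source, path="<memory>"):
    """Return (path, line_no, kind, detail) findings for one source text."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("%", "#")):  # skip whole-line comments
            continue
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            findings.append((path, no, "removed-api", f"{name}: {REMOVED[name]}"))
        if TRUSTED_RE.search(line):
            findings.append((path, no, "credential-forwarding",
                             "location_trusted restores cross-host forwarding"))
    return findings

def audit_tree(root):
    """Run audit() over every Erlang/Elixir source file under root."""
    out = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix in {".ex", ".exs", ".erl", ".hrl"}:
            out += audit(p.read_text(errors="replace"), str(p))
    return out
# Constructed sample sources (not taken from the repository in this PR).
SAMPLE_EX = '''\
{:ok, 200, _hdrs, ref} = :hackney.get(url, [{"authorization", token}], "", [])
{:ok, body} = :hackney.body(ref)
# :hackney.skip_body(ref)
:hackney.get(url, [], "", location_trusted: true)
'''
SAMPLE_ERL = '''\
{ok, 200, _H, Ref} = hackney:get(URL, [], <<>>, [{location_trusted, true}]),
hackney:stream_body(Ref).
'''
if __name__ == "__main__":
    for f in audit(SAMPLE_EX, "client.ex") + audit(SAMPLE_ERL, "client.erl"):
        print("%s:%d [%s] %s" % f)
```

Each `credential-forwarding` finding is a call site where an Authorization header can still reach a redirect target on another host, so it deserves a justification in review rather than a silent carry-over.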
@dependabot dependabot bot added the dependencies and elixir labels Jan 28, 2026
@dependabot dependabot bot requested a review from a team as a code owner January 28, 2026 05:03

dependabot bot commented on behalf of github Feb 3, 2026

Superseded by #193.

@dependabot dependabot bot closed this Feb 3, 2026
@dependabot dependabot bot deleted the dependabot/hex/hackney-3.0.1 branch February 3, 2026 06:59