Releases: hexpm/hex
v0.20.1
Bug fixes
- Do not print transfer message when not transferring ownership
v0.20.0
Enhancements
- Add per-project Hex configuration. Configure Hex under the
:hexkey inside your project configuration inmix.exs - Show location of package after running
mix hex.build - List all available Hex tasks when running
mix hex - List subtasks when running
mix hex - Remove tarball if it is invalid to avoid it being as cache in the future
- Show umbrella children
mix.exslocation inmix hex.outdated - Add
mix hex.owner transfertask - Show improved error message on invalid configs
- Add
mix hex.package fetchtask - Add
mix hex.package difftask
Bug fixes
- Fix
mirror_urlconfig - Fix
api_urlconfig - Do no try to remove docs after reverting package – docs are already automatically removed
v0.19.0
Enhancements
- Improve output of
mix hex.config - Print publisher in
mix hex.info PACKAGE VERSION - Add organization flag to dependency config in
mix hex.info PACKAGE
Bug fixes
- Don't follow symlinks when adding files to tarballs
- Error with a descriptive msg when building a package with git dependencies
- Improve listing of incompatible package versions when displaying backtrack error message
- Improve resolver performance when it needs to do a lot of backtracking
Security fixes
- Verify authenticity of registry records. This fixes a vulnerability that would allow a malicious mirror to serve modified versions of Hex packages. A new check has been introduced that requires the latest registry record version, if you are using a repository or mirror that has not been updated yet you can disable this check by setting the environment variable
HEX_NO_VERIFY_REPO_ORIGIN=1. Further clarification of this issue will come at a later stage.
v0.18.2
Enhancements
- Add checks before publishing docs
- Update generated protobuf files for Registry with OTP 21 compatibility
- No longer list tasks in
mix hextask - Use hexdocs organization URLs
- Adds
--dry-runoption to publish tasks - Do not print "Unchanged" dependencies on mix deps.get in green
- Validate hex config keys
- Add
c_src/andMakefileto default package files - Publish Mix task docs on https://hexdocs.pm/hex
- Add recommendation when retiring and require
--messageflag
Bug fixes
- Use rebar3, not rebar, when guessing build tool
- Fix issue saving write key when reseting local password
v0.18.1
v0.18.0
API keys
When authenticating with mix hex.user auth two API keys are generated instead of single one. One key is unencrypted with read access and the other is encrypted with your local password and has full read/write access to the API. Now commands that don't make any changes will not require a password.
Additionally, we generate a single key that gives access to all your organization repositories, instead of one key for each repository. It also has the added benefit that you don't have to reauthenticate if you are added to a new organization.
We have also added support for keys owned directly by an organization instead of a specific user, these keys can be accessed through mix hex.organization. This is useful when generating keys for a CI environment, previously when personal keys were used, a person leaving an organization or revoking the key could negatively affect CI workflow.
Improvements to continuous integration workflows
The HEX_API_KEY environment variable has been introduced to be able run commands that require an authentication without having to authenticate manually with mix hex.user auth which has user input prompts. The key set with HEX_API_KEY can be generated with mix hex.user key generate or mix hex.organization key ORGANIZATION generate. It also makes it possible to run commands such as mix hex.publish without being prompted for a password.
By passing the --yes flag to mix hex.publish you can publish your package (together with HEX_API_KEY) without any confirmation prompts. This allows you to publish your package as part of your CI build process.
Ignoring :maintainers field
In previous Hex versions we required :maintainers key to be present when publishing package. At the same time, on hex.pm we are also showing package owners (controlled by the mix hex.owner task). It was confusing to show both maintainers and owners and figure out which really control the package, so we've dropped showing maintainers on hex.pm and the field will no longer be added to package's metadata.
If maintainers field was used to give credit to current and/or past contributors we encourage to mention that in project's README instead.
Enhancements
- Add
--yesflag tohex.publishfor publishing without any confirmation prompts - Add
HEX_API_KEYenvironment variable for setting and overriding the key used when authenticating against the API - Generate a single key for all organization repositories when authenticating a new user
- Return a non-zero exit code from
hex.outdatedwhen dependencies are outdated - Generate two API keys when authenticating, one encrypted with write access, and one unencrypted with only read access
- Add ownership levels to
hex.ownertask - When resolving, try all possible backtrack branches and select the best solution
- Improve formatting of multi-line validation errors
- Do not use
:maintainerspackage configuration field - Change
hex.organizationto generate keys owned by organization instead of the user generating them - Add options to
hex.organization keyfor revoking and listing keys owned by organization - Improve interface for
hex.user keyandhex.organization key, the following commands have changed:hex.user key --generate=>hex.user key generatehex.user key --list=>hex.user key listhex.user key --revoke KEY_NAME=>hex.user key revoke KEY_NAMEhex.user key --revoke-all=>hex.user key revoke --allhex.organization key ORGANIZATION=>hex.organization key ORGANIZATION generate
v0.17.8
45e8479
wojtekmach
Wojtek Mach
Bug fixes
- Fix private packages on Windows