chore(deps): update dependency erlang to v28.4.2

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
erlang	minor	28.3.1 → 28.4.2

---

Release Notes

erlang/otp (erlang)

v28.4.2: OTP 28.4.2

Compare Source

Patch Package:           OTP 28.4.2
Git Tag:                 OTP-28.4.2
Date:                    2026-04-07
Trouble Report Id:       OTP-19506, OTP-19889, OTP-19931, OTP-20027,
                         OTP-20037, OTP-20042, OTP-20044, OTP-20046,
                         OTP-20047, OTP-20049, OTP-20050, OTP-20052,
                         OTP-20053, OTP-20056, OTP-20060, OTP-20064,
                         OTP-20065, OTP-20068
Seq num:                 CVE-2026-28810, CVE-2026-32144, ERIERL-1310,
                         ERIERL-1311, ERIERL-1312, GH-10454, GH-10562,
                         GH-10606, GH-10785, GH-10876, GH-10901,
                         GH-7156, GH-9476, PR-10456, PR-10569,
                         PR-10620, PR-10788, PR-10864, PR-10866,
                         PR-10867, PR-10873, PR-10874, PR-10889,
                         PR-10893, PR-10899, PR-10904, PR-10906,
                         PR-10911, PR-10941, PR-9481
System:                  OTP
Release:                 28
Application:             compiler-9.0.6, erts-16.3.1, eunit-2.10.3,
                         inets-9.6.2, kernel-10.6.2,
                         public_key-1.20.3, sasl-4.3.2, snmp-5.20.2,
                         ssl-11.5.4
Predecessor:             OTP 28.4.1

Check out the git tag OTP-28.4.2, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

POTENTIAL INCOMPATIBILITIES

• When OCSP stapling is enabled via the {stapling, staple} or {stapling, #{...}} options, the handshake now fails if the server does not provide an OCSP stapled response.

  Previously, a missing OCSP staple was silently accepted (soft-fail). Since Erlang/OTP only supports OCSP via stapling with no fallback to direct OCSP queries or CRL checking, soft-fail meant no revocation check at all.

  Applications that need the previous soft-fail behavior can use a custom verify_fun that accepts {bad_cert, missing_ocsp_staple}.

  Own Id: OTP-20064
  Application(s): ssl
  Related Id(s): PR-10941, CVE-2026-32144

compiler-9.0.6

The compiler-9.0.6 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• The type inference for maps:from_list/1 was incorrect: when the provided list was statically known to be bogus when non-empty (e.g. a list of atoms), the compiler assumed it would also fail when the list was empty.

  Own Id: OTP-19506
  Related Id(s): GH-9476, PR-9481

• Fixed a bug in the type analysis pass that could erroneously eliminate code blocks.

  Own Id: OTP-19931
  Related Id(s): GH-10562, PR-10569

• A binary as the value of a -moduledoc() attribute would be silently ignored.

  Own Id: OTP-20065
  Related Id(s): GH-10901, PR-10904

Full runtime dependencies of compiler-9.0.6

crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0

erts-16.3.1

The erts-16.3.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed a JIT bug that miscompiled expressions like X * X + X * X.

  Own Id: OTP-19889
  Related Id(s): GH-10454, PR-10456

• Fixed bug on windows that made tools dialyzer, erlc and typer unusable in powershell or cmd.exe, when there are spaces in the installation path.

  Own Id: OTP-20027
  Related Id(s): PR-10620

• Fixed a bug with prim_tty that could occur on windows if we cannot get the console mode, mark the TTY as unavailable. This can happen when the input handle is a pipe, but the output handle is a console.

  Own Id: OTP-20060
  Related Id(s): PR-10899

Full runtime dependencies of erts-16.3.1

kernel-9.0, sasl-3.3, stdlib-4.1

eunit-2.10.3

The eunit-2.10.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed EUnit {node, ...} instantiation by passing node name (instead of pid) and restored net_kernel auto-start for non-distributed nodes.

  Own Id: OTP-20047
  Related Id(s): PR-10788

Full runtime dependencies of eunit-2.10.3

erts-9.0, kernel-8.3, stdlib-6.0

inets-9.6.2

The inets-9.6.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed authentication bypass in httpd when script_alias maps a URL to a directory outside document_root with mod_auth directory-based access controls. The mod_alias:which_alias/1 function now includes script_alias entries so authorization is evaluated against the correct path before CGI execution. CVE-2026-28808.

  Own Id: OTP-20068

Improvements and New Features

• Fixed typo in http_server.md guide

  Own Id: OTP-20044
  Related Id(s): GH-10785, PR-10867

• Expected error accept_socket_timeout in httpd_request_handler now exits gracefully, without generating a crash and supervisor reports.

  Own Id: OTP-20052
  Related Id(s): ERIERL-1310, PR-10893

Full runtime dependencies of inets-9.6.2

erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0

kernel-10.6.2

The kernel-10.6.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Before this patch, the Erlang/OTP built-in DNS resolver (inet_res) used a sequential, process-global 16-bit transaction ID for UDP queries and did not implement source port randomization. Response validation relied almost entirely on this ID. Together, this made DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. The design conflicted with RFC 5452 recommendations for mitigating forged DNS answers.

  inet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where faked DNS responses are possible.

  Therefore, the documentation is been updated to clarify that inet_res should only be used in trusted networks and with trusted recursive resolvers.

  The implementation is also improved to use strong random DNS transaction IDs and source ports for every DNS transaction. This should give ample protection against brute forcing fake DNS replies, known as DNS cache poisoning, but it still does not protect against, for example, an adversary in the path of the DNS transaction that can observe the random values before faking malicious replies, an attack known as DNS spoofing.

  For randomization to happen, the Crypto application has to be loaded, which most probably already should be the case for an Erlang node in an exposed network.

  If performance should become an issue, for applications within safe network environments, the previous light weight behaviour can be configured by setting the resolver option random to false.

  Own Id: OTP-20037
  Related Id(s): PR-10864, CVE-2026-28810

Full runtime dependencies of kernel-10.6.2

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0

public_key-1.20.3

Note! The public_key-1.20.3 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependency has to be satisfied:
   -- crypto-5.8 (first satisfied in OTP 28.3)

Fixed Bugs and Malfunctions

• OCSP designated responder certificate verification now checks the CA's cryptographic signature on the responder certificate. Previously, only the issuer DN match and id-kp-OCSPSigning EKU were verified, which meant a forged self-signed certificate with the CA's subject DN would be accepted as a valid designated responder (Case 2 in RFC 6960 §4.2.2.2).

  Own Id: OTP-20042
  Related Id(s): PR-10873, CVE-2026-32144

• Update handling of encoding 'OTPSubjectPublicKeyInfo' in public_key:pkix_encode/3, so that it works for update spec added in OTP-28.

  Own Id: OTP-20050
  Related Id(s): GH-10876, PR-10889

Improvements and New Features

• Relax upper bound of common names in certificates for pragmatic interoperability reasons.

  Own Id: OTP-20049
  Related Id(s): GH-10606, PR-10866

Full runtime dependencies of public_key-1.20.3

asn1-5.0, crypto-5.8, erts-13.0, kernel-8.0, stdlib-4.0

sasl-4.3.2

The sasl-4.3.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed the typespec of release_handler:eval_appup_script/4.

  Own Id: OTP-20053
  Related Id(s): PR-10906

Full runtime dependencies of sasl-4.3.2

erts-15.0, kernel-6.0, stdlib-4.0, tools-2.6.14

snmp-5.20.2

The snmp-5.20.2 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

• The SNMP manager now propagates msgAuthoritativeEngineID and msgUserName from USM security parameters through to the snmpm_user:handle_error/3 callback when an incoming message is discarded due to an unknown EngineID (usmStatsUnknownEngineIDs).

  This enables users to programmatically discover the correct authoritative EngineID from the error callback and re-register USM credentials, supporting SNMPv3 USM EngineID discovery as described in RFC 3414, Section 4. The failed_processing_message variant has been added to the snmpm:user:handle_error/3 callback type specification.

  Own Id: OTP-20056
  Related Id(s): ERIERL-1312, GH-7156, PR-10911

Full runtime dependencies of snmp-5.20.2

asn1-5.4, crypto-4.6, erts-12.0, kernel-8.0, mnesia-4.12, runtime_tools-1.8.14, stdlib-5.0

ssl-11.5.4

Note! The ssl-11.5.4 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependencies have to be satisfied:
   -- crypto-5.8 (first satisfied in OTP 28.3)
   -- public_key-1.20.3 (first satisfied in OTP 28.4.2)

Fixed Bugs and Malfunctions

• Server supporting TLS-1.3 and TLS-1.2, with SLH-DSA algorithms for TLS-1.3, now correctly filter out those algorithms if client is TLS-1.2 only, instead of failing with internal error.

  Own Id: OTP-20046
  Related Id(s): ERIERL-1311, PR-10874

• When OCSP stapling is enabled via the {stapling, staple} or {stapling, #{...}} options, the handshake now fails if the server does not provide an OCSP stapled response.

  Previously, a missing OCSP staple was silently accepted (soft-fail). Since Erlang/OTP only supports OCSP via stapling with no fallback to direct OCSP queries or CRL checking, soft-fail meant no revocation check at all.

  Applications that need the previous soft-fail behavior can use a custom verify_fun that accepts {bad_cert, missing_ocsp_staple}.

  Own Id: OTP-20064
  Related Id(s): PR-10941, CVE-2026-32144

  *** POTENTIAL INCOMPATIBILITY ***

Full runtime dependencies of ssl-11.5.4

crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.20.3, runtime_tools-1.15.1, stdlib-7.0

Thanks to

Linus Marton, williamthome

v28.4.1: OTP 28.4.1

Compare Source

Patch Package:           OTP 28.4.1
Git Tag:                 OTP-28.4.1
Date:                    2026-03-12
Trouble Report Id:       OTP-20007, OTP-20009, OTP-20011, OTP-20012,
                         OTP-20014, OTP-20018, OTP-20022
Seq num:                 CVE-2026-23941, CVE-2026-23942,
                         CVE-2026-23943, ERIERL-1303, ERIERL-1305,
                         GH-10694, PR-10707, PR-10798, PR-10809,
                         PR-10811, PR-10813, PR-10825, PR-10833
System:                  OTP
Release:                 28
Application:             crypto-5.8.3, inets-9.6.1, kernel-10.6.1,
                         ssh-5.5.1, ssl-11.5.3
Predecessor:             OTP 28.4

Check out the git tag OTP-28.4.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

crypto-5.8.3

The crypto-5.8.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fix memory leak in crypo:engine_load if called with incorrect commands.

  Own Id: OTP-20014
  Related Id(s): PR-10798

Full runtime dependencies of crypto-5.8.3

erts-9.0, kernel-6.0, stdlib-3.9

inets-9.6.1

The inets-9.6.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• The httpd server now rejects HTTP requests containing multiple Content-Length headers with different values, returning a 400 Bad Request response. This prevents potential HTTP request smuggling attacks. Thanks Luigino Camastra at Aisle Research for responsibly disclosing this vulnerability

  Own Id: OTP-20007
  Related Id(s): PR-10833, CVE-2026-23941

Full runtime dependencies of inets-9.6.1

erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0

kernel-10.6.1

The kernel-10.6.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• A vulnerability has been resolved in the (undocumented, unsupported and unused in OTP) inet_dns_tsig module that leads to a validation bypass.

  If a request contained an error code (forbidden by spec), it was treated as a response and skipped the verification of the MAC. The user of the module would then receive an "all ok" response, depending on the use case, this could lead to such things as AXFR or UPDATE being allowed.

  The code has also been tightening up of the client side to make sure too large (bad) MAC sizes cannot be selected and the limit is the output size of the algorithm chosen.

  Own Id: OTP-20012
  Related Id(s): PR-10825

Full runtime dependencies of kernel-10.6.1

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0

ssh-5.5.1

Note! The ssh-5.5.1 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependency has to be satisfied:
   -- crypto-5.7 (first satisfied in OTP 28.1)

Fixed Bugs and Malfunctions

• Fixed path traversal vulnerability in SFTP server's root option allowing authenticated users to access sibling directories with matching name prefixes. The root option used string prefix matching instead of path component validation. With {root, "/home/user1"}, attackers could access /home/user10/ or /home/user123/. Thanks to Luigino Camastra, Aisle Research.

  Own Id: OTP-20009
  Related Id(s): PR-10811, CVE-2026-23942

• Fixed excessive memory usage vulnerability in SSH compression allowing attackers to consume system resources through decompression bombs. The 'zlib' and 'zlib@openssh.com' algorithms lacked decompression size limits, allowing 256 KB packets to expand to 255 MB (1029:1 ratio). This could lead to crashes on systems with limited memory.

  The fix removes zlib from default compression algorithms and implements decompression size limits for both algorithms. Thanks to Igor Morgenstern at Aisle Research

  Own Id: OTP-20011
  Related Id(s): PR-10813, CVE-2026-23943

Full runtime dependencies of ssh-5.5.1

crypto-5.7, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

ssl-11.5.3

Note! The ssl-11.5.3 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependencies have to be satisfied:
   -- crypto-5.8 (first satisfied in OTP 28.3)
   -- public_key-1.18.3 (first satisfied in OTP 28.1)

Fixed Bugs and Malfunctions

• TLS-1.3 certificate request now preserves the order of signature algorithms in certificate request extension to be in the servers preferred order, which might affect the choice made by some TLS clients.

  Own Id: OTP-20022
  Related Id(s): ERIERL-1305, GH-10694, PR-10707

Improvements and New Features

• Document that setting transport protocol specific socket options is not generally expected to work for TLS and if it happens to work it comes with consequences that should be understood an accepted by the user. Also retain some backwards compatibility with such an option that happened to work to buy time for people to come up with better solutions.

  Own Id: OTP-20018
  Related Id(s): ERIERL-1303, PR-10809

Full runtime dependencies of ssl-11.5.3

crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.18.3, runtime_tools-1.15.1, stdlib-7.0

Thanks to

Alexander Clouter, Hewwho

v28.4: OTP 28.4

Compare Source

Patch Package:           OTP 28.4
Git Tag:                 OTP-28.4
Date:                    2026-03-04
Trouble Report Id:       OTP-16607, OTP-19824, OTP-19860, OTP-19886,
                         OTP-19892, OTP-19901, OTP-19904, OTP-19905,
                         OTP-19907, OTP-19908, OTP-19911, OTP-19913,
                         OTP-19914, OTP-19920, OTP-19923, OTP-19928,
                         OTP-19937, OTP-19939, OTP-19940, OTP-19941,
                         OTP-19948, OTP-19950, OTP-19951, OTP-19952,
                         OTP-19959, OTP-19972, OTP-19973, OTP-19974,
                         OTP-19976, OTP-19977, OTP-19979, OTP-19987,
                         OTP-19988, OTP-19989, OTP-19990, OTP-19992,
                         OTP-19998, OTP-20006
Seq num:                 ERIERL-1251, ERIERL-1264, ERIERL-1283,
                         GH-10351, GH-10371, GH-10470, GH-10474,
                         GH-10494, GH-10495, GH-10501, GH-10513,
                         GH-10567, GH-10652, GH-10698, GH-10705,
                         GH-9681, OTP-16608, PR-10271, PR-10385,
                         PR-10434, PR-10438, PR-10451, PR-10469,
                         PR-10484, PR-10486, PR-10496, PR-10512,
                         PR-10521, PR-10522, PR-10536, PR-10537,
                         PR-10546, PR-10550, PR-10576, PR-10583,
                         PR-10586, PR-10588, PR-10599, PR-10602,
                         PR-10623, PR-10624, PR-10625, PR-10630,
                         PR-10655, PR-10665, PR-10668, PR-10672,
                         PR-10673, PR-10675, PR-10678, PR-10684,
                         PR-10708, PR-10714, PR-10723, PR-10752,
                         PR-9695
System:                  OTP
Release:                 28
Application:             asn1-5.4.3, common_test-1.30, compiler-9.0.5,
                         crypto-5.8.2, diameter-2.6.1,
                         erl_interface-5.6.4, erts-16.3, et-1.7.3,
                         eunit-2.10.2, inets-9.6, kernel-10.6,
                         megaco-4.8.3, mnesia-4.25.2, observer-2.18.2,
                         odbc-2.16.1, parsetools-2.7.1,
                         public_key-1.20.2, reltool-1.0.3,
                         runtime_tools-2.3.1, sasl-4.3.1, snmp-5.20.1,
                         ssh-5.5, ssl-11.5.2, stdlib-7.3,
                         syntax_tools-4.0.3, tools-4.1.4, wx-2.5.4,
                         xmerl-2.1.9
Predecessor:             OTP 28.3.3

Check out the git tag OTP-28.4, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

HIGHLIGHTS

• Added support for the PQC key exchange (kex) algorithm mlkem768x25519-sha256, a hybrid quantum-resistant algorithm combining ML-KEM-768 with X25519.

  Own Id: OTP-19824
  Application(s): ssh
  Related Id(s): [PR-10512], [PR-10655]

• Added persistent_term:put_new/2 that will quickly do nothing if a term with the given name and value already exists, and raise a badarg exception if the term exists with a different value.

  Own Id: OTP-19908
  Application(s): erts
  Related Id(s): [GH-9681], [PR-9695]

POTENTIAL INCOMPATIBILITIES

• Added a new HttpOption {autoretry, timeout()} to httpc:request/4,5. This option allows the client to decide how to act upon receiving a Retry-After response header. The default behavior changes, as now only one retry is made before returning the error code, instead of retrying infinitely.

  Own Id: OTP-19892
  Application(s): inets
  Related Id(s): ERIERL-1283, [PR-10469]

OTP-28.4

Improvements and New Features

• Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages.

  A make release application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore.

  make release_docs places the documentation in the released code under the doc folder.

  make release_tests places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore.

  The Software Bill of Materials places the examples folders as if they are part of the SPDX-otp-<app>-doc packge, instead of placing examples as if they were running source code.

  Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run ./Install -minimal \pwd`and add the release to thePATH. After that, one can run tests as usual, going into the released tests directory, entering test_server` and running the emulator.

  Improves the source Software-Bill-of-Materials

  • The improvements adds new SPDX relations for asmjit and zlib to be optional_components_of the Erlang/OTP project.
  • The autoconf scripts in make and erts have now been categorised as build_tool_of the Erlang/OTP project.
  • All remaining configure, configure.ac, config.h.in, Makefile.in, Makefile.src, EMakefile, and GNUMakefile are now part of a specific SPDX package with relation build_tool_of the Erlang/OTP project.

  Own Id: OTP-19886
  Related Id(s): [PR-10434]

• The GH Actions CI forbids non-maintainers to commit *.beam files to the Erlang/OTP repo

  Own Id: OTP-19923
  Related Id(s): [PR-10550]

• Updated openssl from 3.6.0 to 3.6.1.

  This change does not perform any changes in the md5 vendor implementation from openssl. The change merges upstream cosmetic changes from openssl. This is necessary to automatically migrate cleanly to the next openssl version without conflicts with upstream.

  Own Id: OTP-19959
  Related Id(s): [PR-10630]

• The removal of the [slave] and [slave] modules have been postponed to Erlang/OTP 31.

  The partial removal of the archive feature has been postponed to Erlang/OTP 30.

  Own Id: OTP-19989
  Related Id(s): [PR-10714]

asn1-5.4.3

The asn1-5.4.3 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

• Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages.

  A make release application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore.

  make release_docs places the documentation in the released code under the doc folder.

  make release_tests places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore.

  The Software Bill of Materials places the examples folders as if they are part of the SPDX-otp-<app>-doc packge, instead of placing examples as if they were running source code.

  Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run ./Install -minimal \pwd`and add the release to thePATH. After that, one can run tests as usual, going into the released tests directory, entering test_server` and running the emulator.

  Improves the source Software-Bill-of-Materials

  • The improvements adds new SPDX relations for asmjit and zlib to be optional_components_of the Erlang/OTP project.
  • The autoconf scripts in make and erts have now been categorised as build_tool_of the Erlang/OTP project.
  • All remaining configure, configure.ac, config.h.in, Makefile.in, Makefile.src, EMakefile, and GNUMakefile are now part of a specific SPDX package with relation build_tool_of the Erlang/OTP project.

  Own Id: OTP-19886
  Related Id(s): [PR-10434]

Full runtime dependencies of asn1-5.4.3

erts-14.0, kernel-9.0, stdlib-5.0

common_test-1.30

The common_test-1.30 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Added documentation about the behavior of ct:comment/1 and ct:comment/2 when executed from processes other than the process running test functions.

  Own Id: OTP-19913
  Related Id(s): ERIERL-1264, [PR-10271]

Improvements and New Features

• Updated jquery to 4.0.0

  Own Id: OTP-19972
  Related Id(s): [PR-10623], [PR-10624], [PR-10625], [PR-10665]

• The removal of the [slave] and [slave] modules have been postponed to Erlang/OTP 31.

  The partial removal of the archive feature has been postponed to Erlang/OTP 30.

  Own Id: OTP-19989
  Related Id(s): [PR-10714]

Full runtime dependencies of common_test-1.30

compiler-6.0, crypto-4.5, debugger-4.1, erts-7.0, ftp-1.0, inets-6.0, kernel-8.4, observer-2.1, runtime_tools-1.8.16, sasl-2.5, snmp-5.1.2, ssh-4.0, stdlib-4.0, syntax_tools-1.7, tools-3.2, xmerl-1.3.8

compiler-9.0.5

The compiler-9.0.5 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed a compiler alias analysis bug that could generate unsafe code for repeated binary segments.

  Own Id: OTP-19951
  Related Id(s): [PR-10588]

Full runtime dependencies of compiler-9.0.5

crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0

crypto-5.8.2

The crypto-5.8.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed crypto:crypto_one_time_aead/4, which could crash the runtime system if invoked in parallel with the same state.

  Own Id: OTP-19973
  Related Id(s): [GH-10652], [PR-10668]

Full runtime dependencies of crypto-5.8.2

erts-9.0, kernel-6.0, stdlib-3.9

diameter-2.6.1

The diameter-2.6.1 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

• Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages.

  A make release application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore.

  make release_docs places the documentation in the released code under the doc folder.

  make release_tests places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore.

  The Software Bill of Materials places the examples folders as if they are part of the SPDX-otp-<app>-doc packge, instead of placing examples as if they were running source code.

  Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run ./Install -minimal \pwd`and add the release to thePATH. After that, one can run tests as usual, going into the released tests directory, entering test_server` and running the emulator.

  Improves the source Software-Bill-of-Materials

  • The improvements adds new SPDX relations for asmjit and zlib to be optional_components_of the Erlang/OTP project.
  • The autoconf scripts in make and erts have now been categorised as build_tool_of the Erlang/OTP project.
  • All remaining configure, configure.ac, config.h.in, Makefile.in, Makefile.src, EMakefile, and GNUMakefile are now part of a specific SPDX package with relation build_tool_of the Erlang/OTP project.

  Own Id: OTP-19886
  Related Id(s): [PR-10434]

Full runtime dependencies of diameter-2.6.1

erts-10.0, kernel-3.2, ssl-9.0, stdlib-5.0

erl_interface-5.6.4

The erl_interface-5.6.4 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

• Updated openssl from 3.6.0 to 3.6.1.

  This change does not perform any changes in the md5 vendor implementation from openssl. The change merges upstream cosmetic changes from openssl. This is necessary to automatically migrate cleanly to the next openssl version without conflicts with upstream.

  Own Id: OTP-19959
  Related Id(s): [PR-10630]

Known Bugs and Problems

• The ei API for decoding/encoding terms is not fully 64-bit compatible since terms that have a representation on the external term format larger than 2 GB cannot be handled.

  Own Id: OTP-16607
  Related Id(s): OTP-16608

erts-16.3

The erts-16.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed a documentation build warning when one or more applications failed their configure step and were skipped.

  Own Id: OTP-19914
  Related Id(s): ERIERL-1251, [PR-10537]

• The (IPv6) flowinfo control message header was not properly supported.

  Own Id: OTP-19977

• Fixed NetBSD thread naming, using pthread_setname_np(); used for debugging.

  Own Id: OTP-19987
  Related Id(s): [PR-10684]

Improvements and New Features

• The erlang:link_option/0 type is now exported.

  Own Id: OTP-19904
  Related Id(s): [PR-10451]

• Added persistent_term:put_new/2 that will quickly do nothing if a term with the given name and value already exists, and raise a badarg exception if the term exists with a different value.

  Own Id: OTP-19908
  Related Id(s): [GH-9681], [PR-9695]

  *** HIGHLIGHT ***

• The manifest.xml file for the Windows build now has version numbers updated to correctly report OS versions on Windows 10, 11, Server 2016, 2019, 2022.

  Own Id: OTP-19920
  Related Id(s): [GH-10371], [PR-10546]

• Improved yielding inside re:run. Regular expressions searching for one specific byte character could spin in memchr() without any yielding or reduction counting.

  Own Id: OTP-19950
  Related Id(s): [PR-10486]

• Updated openssl from 3.6.0 to 3.6.1.

  This change does not perform any changes in the md5 vendor implementation from openssl. The change merges upstream cosmetic changes from openssl. This is necessary to automatically migrate cleanly to the next openssl version without conflicts with upstream.

  Own Id: OTP-19959
  Related Id(s): [PR-10630]

• Updated ryu implementation used to convert floats to strings.

  Own Id: OTP-19974
  Related Id(s): [PR-10672]

• Upgraded asmjit to v1.18

  Own Id: OTP-19979
  Related Id(s): [PR-10675]

• Updated zlib to version 1.3.2.

  Own Id: OTP-19998
  Related Id(s): [PR-10752]

Full runtime dependencies of erts-16.3

kernel-9.0, sasl-3.3, stdlib-4.1

et-1.7.3

The et-1.7.3 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

• Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages.

  A make release application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore.

  make release_docs places the documentation in the released code under the doc folder.

  make release_tests places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore.

  The Software Bill of Materials places the examples folders as if they are part of the SPDX-otp-<app>-doc packge, instead of placing examples as if they were running source code.

  Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run ./Install -minimal \pwd`and add the release to thePATH. After that, one can run tests as usual, going into the released tests directory, entering test_server` and running the emulator.

  Improves the source Software-Bill-of-Materials

  • The improvements adds new SPDX relations for asmjit and zlib to be optional_components_of the Erlang/OTP project.
  • The autoconf scripts in make and erts have now been categorised as build_tool_of the Erlang/OTP project.
  • All remaining configure, configure.ac, config.h.in, Makefile.in, Makefile.src, EMakefile, and GNUMakefile are now part of a specific SPDX package with relation build_tool_of the Erlang/OTP project.

  Own Id: OTP-19886
  Related Id(s): [PR-10434]

Full runtime dependencies of et-1.7.3

erts-9.0, kernel-5.3, runtime_tools-1.10, stdlib-3.4, wx-1.2

eunit-2.10.2

The eunit-2.10.2 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

• Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages.

  A make release application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore.

  make release_docs places the documentation in the released code under the doc folder.

  make release_tests places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore.

  The Software Bill of Materials places the examples folders as if they are part of the SPDX-otp-<app>-doc packge, instead of placing examples as if they were running source code.

  Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run ./Install -minimal \pwd`and add the release to thePATH. After that, one can run tests as usual, going into the released tests directory, entering test_server` and running the emulator.

  Improves the source Software-Bill-of-Materials

  • The improvements adds new SPDX relations for asmjit and zlib to be optional_components_of the Erlang/OTP project.
  • The autoconf scripts in make and erts have now been categorised as build_tool_of the Erlang/OTP project.
  • All remaining configure, configure.ac, config.h.in, Makefile.in, Makefile.src, EMakefile, and GNUMakefile are now part of a specific SPDX package with relation build_tool_of the Erlang/OTP project.

  Own Id: OTP-19886
  Related Id(s): [PR-10434]

Full runtime dependencies of eunit-2.10.2

erts-9.0, kernel-5.3, stdlib-6.0

inets-9.6

The inets-9.6 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

• Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages.

  A make release application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore.

  make release_docs places the documentation in the released code under the doc folder.

  make release_tests places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore.

  The Software Bill of Materials places the examples folders as if they are part of the SPDX-otp-<app>-doc packge, instead of placing examples as if they were running source code.

  Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run ./Install -minimal \pwd`and add the release to thePATH. After that, one can run tests as usual, going into the released tests directory, entering test_server` and running the emulator.

  Improves the source Software-Bill-of-Materials

  • The improvements adds new SPDX relations for asmjit and zlib to be optional_components_of the Erlang/OTP project.
  • The autoconf scripts in make and erts have now been categorised as build_tool_of the Erlang/OTP project.
  • All remaining configure, configure.ac, config.h.in, Makefile.in, Makefile.src, EMakefile, and GNUMakefile are now part of a specific SPDX package with relation build_tool_of the Erlang/OTP project.

  Own Id: OTP-19886
  Related Id(s): [PR-10434]

• Added a new HttpOption {autoretry, timeout()} to httpc:request/4,5. This option allows the client to decide how to act upon receiving a Retry-After response header. The default behavior changes, as now only one retry is made before returning the error code, instead of retrying infinitely.

  Own Id: OTP-19892
  Related Id(s): ERIERL-1283, [PR-10469]

  *** POTENTIAL INCOMPATIBILITY ***

• Httpc will not add a Content-Length header for requests, that do not have defined semantics for request content in [RFC9110] and do not include content. The list includes methods: [GET, HEAD, OPTIONS, TRACE, DELETE]. The behavior for headers_as_is option remains unchanged.

  Own Id: OTP-19928
  Related Id(s): [GH-10513], [PR-10521]

• Improved documentation and specs for do/1 callback in httpd module.

  Own Id: OTP-19952
  Related Id(s): [GH-10501], [PR-10602]

Full runtime dependencies of inets-9.6

erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0

kernel-10.6

The kernel-10.6 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• The built in DNS resolver inet_res has been fixed to do a final request assuming that the request name is absolute, as customary for many DNS resolver client libraries.

  Own Id: OTP-19937
  Related Id(s): [GH-10494], [PR-10576]

Improvements and New Features

• Added support for zstd compression in the [file] module.

  Own Id: OTP-19860
  Related Id(s): [PR-10385]

• Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages.

  A make release application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore.

  make release_docs places the documentation in the released code under the doc folder.

  make release_tests places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore.

  The Software Bill of Materials places the examples folders as if they are part of the SPDX-otp-<app>-doc packge, instead of placing examples as if they were running source code.

  Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run ./Install -minimal \pwd`and add the release to thePATH. After that, one can run tests as usual, going into the released tests directory, entering test_server` and running the emulator.

  Improves the source Software-Bill-of-Materials

  • The improvements adds new SPDX relations for asmjit and zlib to be optional_components_of the Erlang/OTP project.
  • The autoconf scripts in make and erts have now been categorised as build_tool_of the Erlang/OTP project.
  • All remaining configure, configure.ac, config.h.in, Makefile.in, Makefile.src, EMakefile, and GNUMakefile are now part of a specific SPDX package with relation build_tool_of the Erlang/OTP project.

  Own Id: OTP-19886
  Related Id(s): [PR-10434]

Full runtime dependencies of kernel-10.6

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0

megaco-4.8.3

The megaco-4.8.3 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

• Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages.

  A make release application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore.

  make release_docs places the documentation in the released code under the doc folder.

  make release_tests places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore.

  The Software Bill of Materials places the examples folders as if they are part of the SPDX-otp-<app>-doc packge, instead of placing examples as if they were running source code.

  Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run ./Install -minimal \pwd`and add the release to thePATH. After that, one can run tests as usual, going into the released tests directory, entering test_server` and running the emulator.

  Improves the source Software-Bill-of-Materials

  • The improvements adds new SPDX relations for asmjit and zlib to be optional_components_of the Erlang/OTP project.
  • The autoconf scripts in make and erts have now been categorised as build_tool_of the Erlang/OTP project.
  • All remaining configure, configure.ac, config.h.in, Makefile.in, Makefile.src, EMakefile, and GNUMakefile are now part of a specific SPDX package with relation build_tool_of the Erlang/OTP project.

  Own Id: OTP-19886
  Related Id(s): [PR-10434]

Full runtime dependencies of megaco-4.8.3

asn1-3.0, debugger-4.0, erts-12.0, et-1.5, kernel-8.0, runtime_tools-1.8.14, stdlib-2.5

mnesia-4.25.2

The mnesia-4.25.2 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

• Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages.

  A make release application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore.

  make release_docs places the documentation in the released code under the doc folder.

  make release_tests places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore.

  The Software Bill of Materials places the examples folders as if they are part of the SPDX-otp-<app>-doc packge, instead of placing examples as if they were running source code.

  Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run ./Install -minimal \pwd`and add the release to thePATH. After that, one can run tests as usual, going into the released tests directory, entering test_server` and running the emulator.

  Improves the source Software-Bill-of-Materials

  • The improvements adds new SPDX relations for asmjit and zlib to be optional_components_of the Erlang/OTP project.
  • The autoconf scripts in make and erts have now been categorised as build_tool_of the Erlang/OTP project.
  • All remaining configure, configure.ac, config.h.in, Makefile.in, Makefile.src, EMakefile, and GNUMakefile are now part of a specific SPDX package with relation build_tool_of the Erlang/OTP project.

  Own Id: OTP-19886
  Related Id(s): [PR-10434]

Full runtime dependencies of mnesia-4.25.2

erts-9.0, kernel-5.3, stdlib-5.0

observer-2.18.2

The observer-2.18.2 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

• Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages.

  A make release application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore.

  make release_docs places the documentation in the released code under the doc folder.

  make release_tests places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore.

  The Software Bill of Materials places the examples folders as if they are part of the SPDX-otp-<app>-doc packge, instead of placing examples as if they were running source code.

  Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run ./Install -minimal \pwd`and add the release to thePATH. After that, one can run tests as usual, going into the released tests directory, entering test_server` and running the emulator.

  Improves the source Software-Bill-of-Materials

  • The improvements adds new SPDX relations for asmjit and zlib to be optional_components_of the Erlang/OTP project.
  • The autoconf scripts in make and erts have now been categorised as build_tool_of the Erlang/OTP project.
  • All remaining configure, configure.ac, config.h.in, Makefile.in, Makefile.src, EMakefile, and GNUMakefile are now part of a specific SPDX package with relation build_tool_of the Erlang/OTP project.

  Own Id: OTP-19886
  Related Id(s): [PR-10434]

Full runtime dependencies of observer-2.18.2

erts-15.0, et-1.5, kernel-10.0, runtime_tools-2.1, stdlib-5.0, wx-2.3

odbc-2.16.1

The odbc-2.16.1 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

• Corrected specs to eliminate Dialyzer warnings for applications.

  Own Id: OTP-19992
  Related Id(s): [PR-10678]

Full runtime dependencies of odbc-2.16.1

erts-6.0, kernel-3.0, stdlib-2.0

parsetools-2.7.1

The parsetools-2.7.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• The documentation for the token/3 and tokens/3 functions was corrected. The return value when there were too few characters is {more,Cont}.

  Own Id: OTP-19901
  Related Id(s): [PR-10484]

Full runtime dependencies of parsetools-2.7.1

erts-6.0, kernel-3.0, stdlib-3.4

public_key-1.20.2

Note! The public_key-1.20.2 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependency has to be satisfied:
   -- crypto-5.8 (first satisfied in OTP 28.3)

Fixed Bugs and Malfunctions

• Added missing mapping for der_encode/decode to handle 'OCSPRequest'.

  Own Id: OTP-19905
  Related Id(s): [GH-10474], [PR-10522]

• public_key:pkix_crl_verify/2 now handles certificates with EdDSA keys correctly instead of causing a runtime error.

  Own Id: OTP-19907
  Related Id(s): [GH-10495], [PR-10496]

Full runtime dependencies of public_key-1.20.2

asn1-5.0, crypto-5.8, erts-13.0, kernel-8.0, stdlib-4.0

reltool-1.0.3

The reltool-1.0.3 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

• Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages.

  A make release application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore.

  make release_docs places the documentation in the released code under the doc folder.

  make release_tests places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore.

  The Software Bill of Materials places the examples folders as if they are part of the SPDX-otp-<app>-doc packge, instead of placing examples as if they were running source code.

  Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run ./Install -minimal \pwd`and add the release to thePATH. After that, one can run tests as usual, going into the released tests directory, entering test_server` and running the emulator.

  Improves the source Software-Bill-of-Materials

  • The improvements adds new SPDX relations for asmjit and zlib to be optional_components_of the Erlang/OTP project.
  • The autoconf scripts in make and erts have now been categorised as build_tool_of the Erlang/OTP project.
  • All remaining configure, configure.ac, config.h.in, Makefile.in, Makefile.src, EMakefile, and GNUMakefile are now part of a specific SPDX package with relation build_tool_of the Erlang/OTP project.

  Own Id: OTP-19886
  Related Id(s): [PR-10434]

Full runtime dependencies of reltool-1.0.3

erts-15.0, kernel-9.0, sasl-4.2.1, stdlib-5.0, tools-2.6.14, wx-2.3

runtime_tools-2.3.1

The runtime_tools-2.3.1 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

• Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages.

  A make release application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore.

  make release_docs places the documentation in the released code under the doc folder.

  make release_tests places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore.

  The Software Bill of Materials places the examples folders as if they are part of the SPDX-otp-<app>-doc packge, instead of placing examples as if they were running source code.

  Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run ./Install -minimal \pwd`and add the release to thePATH. After that, one can run tests as usual, going into the released tests directory, entering test_server` and running the emulator.

  Improves the source Software-Bill-of-Materials

  • The improvements adds new SPDX relations for asmjit and zlib to be optional_components_of the Erlang/OTP project.
  • The autoconf scripts in make and erts have now been categorised as build_tool_of the Erlang/OTP project.
  • All remaining configure, configure.ac, config.h.in, Makefile.in, Makefile.src, EMakefile, and GNUMakefile are now part of a specific SPDX package with relation build_tool_of the Erlang/OTP project.

  Own Id: OTP-19886
  Related Id(s): [PR-10434]

Full runtime dependencies of runtime_tools-2.3.1

erts-16.0, kernel-10.0, mnesia-4.12, stdlib-6.0

sasl-4.3.1

The sasl-4.3.1 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

• Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages.

  A make release application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore.

  make release_docs places the documentation in the released code under the doc folder.

  make release_tests places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore.

  The Software Bill of Materials places the examples folders as if they are part of the SPDX-otp-<app>-doc packge, instead of placing examples as if th

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coveralls]

coverage: 88.949% (+0.02%) from 88.926% — renovate/erlang-28.x into master