chore(deps): bump hackney from 1.25.0 to 3.2.1

[dependabot]

Bumps hackney from 1.25.0 to 3.2.1.

Release notes

Sourced from hackney's releases.

3.2.1

Bug Fixes

• Fix recv_timeout option being ignored for pooled connections (#832)
• Fix off-by-one error in HPACK decoding (#831)
• Fix invalid match in handle_h2_frame/2 for HTTP/2 window updates (#829)
• Fix binary syntax in EDoc comment to fix XML parsing error

3.2.0

Refactor

• Replace all cowlib modules with hackney-native implementations
• Remove src/libs/ directory (all modules moved to src/)

Performance

• HTTP/2 state machine optimizations:
  • Stream caching for recently accessed streams
  • gb_sets for lingering streams (O(log N) vs O(N) lookups)
  • IOList accumulation for header fragments
• HPACK and QPACK header compression with O(1) static table lookups
• WebSocket: use rand:bytes/1 instead of crypto:strong_rand_bytes/1 for mask keys

Added

• h2spec HTTP/2 compliance testing (95% pass rate - 139/146 tests)
  • h2spec_server.erl: Minimal HTTP/2 server for compliance testing
  • h2spec_SUITE.erl: CT suite for running h2spec tests
  • Makefile target: make h2spec-test
• HTTP/3 E2E tests against real servers
  • hackney_http3_e2e_SUITE.erl: Tests against Cloudflare, Google, quic.tech
  • Makefile targets: make http3-e2e-test, make all-e2e-test
• HTTP/2 machine benchmarks (hackney_http2_machine_bench.erl)

Bug Fixes

• Fix HTTP/2 flow control for body sending (use send_or_queue_data/4)
• Fix async 204/304/HEAD responses not sending done message
• Fix unknown HTTP/2 frame types not being ignored (RFC 7540 4.1)
• Fix HTTP/2 frame size validation

3.1.2

Dependencies

• Bump quic dependency to 0.10.1

3.1.1

Bug Fixes

• Fix HTTP/3 Fin flag handling for HEAD requests and responses without body

... (truncated)

Changelog

Sourced from hackney's changelog.

3.2.1 - 2026-03-01

Bug Fixes

• Fix recv_timeout option being ignored for pooled connections (#832)
• Fix off-by-one error in HPACK decoding (#831)
• Fix invalid match in handle_h2_frame/2 for HTTP/2 window updates (#829)
• Fix binary syntax in EDoc comment to fix XML parsing error

3.2.0 - 2026-02-21

Refactor

• Replace all cowlib modules with hackney-native implementations
  • hackney_cow_http2_machine → hackney_http2_machine (with optimizations)
  • hackney_cow_http2 → hackney_http2
  • hackney_cow_deflate → hackney_deflate
  • hackney_cow_ws → hackney_ws_proto
  • hackney_cow_hpack_dec_huffman_lookup.hrl → hackney_hpack_huffman_dec.hrl
  • Remove hackney_cow_hpack (already replaced by hackney_hpack)
• Remove src/libs/ directory (all modules moved to src/)

Performance

• HTTP/2 state machine optimizations:
  • Stream caching for recently accessed streams
  • gb_sets for lingering streams (O(log N) vs O(N) lookups)
  • IOList accumulation for header fragments
• HPACK and QPACK header compression with O(1) static table lookups
• WebSocket: use rand:bytes/1 instead of crypto:strong_rand_bytes/1 for mask keys

Added

• h2spec HTTP/2 compliance testing (95% pass rate - 139/146 tests)
  • h2spec_server.erl: Minimal HTTP/2 server for compliance testing
  • h2spec_SUITE.erl: CT suite for running h2spec tests
  • Makefile target: make h2spec-test
• HTTP/3 E2E tests against real servers
  • hackney_http3_e2e_SUITE.erl: Tests against Cloudflare, Google, quic.tech
  • Makefile targets: make http3-e2e-test, make all-e2e-test
• HTTP/2 machine benchmarks (hackney_http2_machine_bench.erl)

Bug Fixes

• Fix HTTP/2 flow control for body sending (use send_or_queue_data/4)
• Fix async 204/304/HEAD responses not sending done message
• Fix unknown HTTP/2 frame types not being ignored (RFC 7540 4.1)
• Fix HTTP/2 frame size validation

... (truncated)

Commits

• fdd1576 release: version 3.2.1
• 26004e4 docs: update changelog with recv_timeout fix
• 88348a0 Merge pull request #833 from benoitc/fix/recv-timeout-pooled-connections
• 2b074ea fix: recv_timeout option now respected for pooled connections
• ed809af Merge pull request #829 from ycastorium/fix_http2_window_match
• 0db3fb4 Merge pull request #831 from ycastorium/fix_off_by_one_error
• dd35c3e fix: Fixes off-by-one error in HPACK
• dce9abb fix: Invalid match in handle_h2_frame/2
• 2c7e638 fix: escape binary syntax in EDoc comment to fix XML parsing error
• b25b509 docs: update changelog with libs removal
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)