
chore(deps): update dependency req to ~> 0.6 #44

Open: renovate[bot] wants to merge 1 commit into main from renovate/req-0.x


renovate Bot commented Jun 12, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| req (source) | prod | minor | `~> 0.5` → `~> 0.6` |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

wojtekmach/req (req)

v0.6.2

  • Use finch ~> 0.21.

v0.6.1

  • [compressed], [decompress_body]: Disable automatic decompression

    Decompression is now opt-in by setting compressed: true.

v0.6.0

  • [encode_body]: Security fix for :form_multipart header injection
    (GHSA-px9f-whj3-246m).

    The multipart encoder interpolated the per-part name, filename, and
    content_type into the part headers without escaping, so an
    attacker-controlled value could inject extra headers or smuggle additional
    parts into the request. These values are now escaped per RFC 7578 / WHATWG
    form-data (", CR, and LF are percent-encoded).

    Thanks to @PJUllrich for reporting it.

  • [decode_body]: Drop automatic zip/tar/tgz/gz/zst/csv decoding
    (GHSA-655f-mp8p-96gv).

    Req previously auto-decoded archive and compressed response bodies (zip,
    tar, tgz, gz, zst, and csv) based on the server-supplied
    content-type, materialising the full decompressed contents in memory with
    no size cap. An attacker-controlled (or redirect-reachable) endpoint could
    return a tiny "decompression bomb" that expanded to gigabytes and exhausted
    the node's memory.

    Now only JSON is decoded by default. Other formats are opt-in via the new
    :decoders option, which defaults to [:json, :json_api]. Setting it
    replaces the default (include :json to keep JSON decoding), and false
    disables all decoding:

    opt into archives (only for endpoints you trust):

        Req.get!(url, decoders: [:json, :zip])

    **Note**: The decoded zip/tar is still a list of
    `{filename :: charlist(), contents :: binary}` tuples.
    In a future release, this will be a list of
    `{filename :: binary(), contents :: binary()}` tuples.

    While automatic CSV decoding wasn't a security issue, the behaviour based
    on presence/absence of `nimble_csv` dependency was surprising. CSV support
    is still built-in but needs to be enabled with `decoders: [:csv]`.

    Custom decoders are supported via `{format, codec}` tuples, where `codec` is
    a module exporting `decode/1` or a 1-arity function returning an `:ok`/`:error`
    tuple, for example:

        Req.get!(url, decoders: [:json, ics: &{:ok, ICal.from_ics(&1)}])

    Thanks to @PJUllrich for reporting it.

v0.5.18

  • [run_finch]: Allow :finch option with IPv6 URLs.

  • [run_finch]: Normalize Finch.TransportError and Finch.HTTPError
    (introduced in Finch v0.22.0) into Req.TransportError and Req.HTTPError.

  • [retry]: Automatically retry on :pool_not_available.

  • Require Finch ~> 0.21.0 or ~> 0.22.0.

v0.5.17

  • [retry]: Use default delay if retry-after is "negative"

    Previously, we were only handling "negative" retry-after in "http date"
    format and slept for zero seconds. We were crashing on retry-after with
    negative seconds.

    Now, we're using the default delay (1s, 2s, 4s, ...) in either format.

v0.5.16

  • [Req.Test]: Fix verify_on_exit! accidentally using Mox name
  • [auth]: Support MFArgs
  • [auth]: Support digest auth
  • [put_aws_sigv4]: Support MFArgs
  • [put_path_params]: Encode :path_params even with reserved characters
  • [put_path_params]: Set :path_params_template on empty params
  • [run_plug]: Handle compressed request body

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
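
The v0.6.0 `:form_multipart` note above, as an added example that is not part of the PR or of Req's code: the header block of one part built with and without percent-encoding of `"`, CR and LF. The module `MultipartPartHeaders`, its functions and the sample filename are hypothetical and constructed for illustration.

```elixir
defmodule MultipartPartHeaders do
  # Illustrative module (not Req's encoder). Builds the header block of one
  # multipart/form-data part.

  # Behaviour the release note describes before the fix: the values are
  # interpolated into the part headers verbatim.
  def unescaped(name, filename, content_type) do
    ~s(content-disposition: form-data; name="#{name}"; filename="#{filename}"\r\n) <>
      "content-type: #{content_type}\r\n\r\n"
  end

  # Behaviour after the fix: percent-encode ", CR and LF before interpolating.
  def escaped(name, filename, content_type) do
    unescaped(escape(name), escape(filename), escape(content_type))
  end

  def escape(value) do
    String.replace(value, ["\"", "\r", "\n"], fn
      "\"" -> "%22"
      "\r" -> "%0D"
      "\n" -> "%0A"
    end)
  end

  # Header lines a receiving parser would see before the blank line.
  def header_lines(part_headers) do
    part_headers
    |> String.split("\r\n\r\n", parts: 2)
    |> hd()
    |> String.split("\r\n")
  end
end

# Constructed input: a filename carrying a quote and a CRLF sequence.
filename = "report.txt\"\r\nx-added-by-filename: 1"

# The unescaped build yields an extra header line; the escaped build keeps
# the whole value inside the filename parameter.
for build <- [&MultipartPartHeaders.unescaped/3, &MultipartPartHeaders.escaped/3] do
  "upload"
  |> build.(filename, "text/plain")
  |> MultipartPartHeaders.header_lines()
  |> IO.inspect()
end
```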

@renovate renovate Bot requested review from a team as code owners June 12, 2026 13:00
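
For the `decode_body` note in the PR description (full decompressed contents materialised with no size cap), an added example, not from the PR or from Req: gzip decompression with an output cap, using OTP's `:zlib.safeInflate/2`. The module `BoundedGunzip`, the 1 MB limit and the sample payloads are assumptions made for illustration.

```elixir
defmodule BoundedGunzip do
  # Illustrative helper (not part of Req). Inflates gzip data and stops as
  # soon as more than `max_bytes` of output have been produced.
  def gunzip(data, max_bytes) do
    z = :zlib.open()

    try do
      # 16 + 15 window bits selects gzip framing.
      :ok = :zlib.inflateInit(z, 16 + 15)
      collect(z, :zlib.safeInflate(z, data), [], 0, max_bytes)
    after
      :zlib.close(z)
    end
  end

  # safeInflate/2 returns a bounded chunk per call, so the size check runs
  # before the next chunk is expanded.
  defp collect(z, {status, chunk}, acc, size, max_bytes) do
    size = size + IO.iodata_length(chunk)

    cond do
      size > max_bytes -> {:error, :too_large}
      status == :finished -> {:ok, IO.iodata_to_binary([acc, chunk])}
      true -> collect(z, :zlib.safeInflate(z, []), [acc, chunk], size, max_bytes)
    end
  end
end

# Constructed inputs: a small payload, and 10 MB of zero bytes that
# compresses to a few kilobytes.
small = :zlib.gzip("hello")
large = :zlib.gzip(:binary.copy(<<0>>, 10_000_000))

IO.inspect(BoundedGunzip.gunzip(small, 1_000_000))
IO.inspect(BoundedGunzip.gunzip(large, 1_000_000))
```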
renovate Bot commented Jun 12, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: providers/openfeature-provider-flagd/mix.lock
Command failed: install-tool elixir v1.20.1
