chore(deps): update dependency erlang to v28.4

[renovate]

This PR contains the following updates:

Package	Update	Change
erlang	minor	28.3.1 → 28.4

---

Release Notes

erlang/otp (erlang)

v28.4

Compare Source

v28.3.3: OTP 28.3.3

Compare Source

Patch Package:           OTP 28.3.3
Git Tag:                 OTP-28.3.3
Date:                    2026-02-27
Trouble Report Id:       OTP-19902, OTP-20008
Seq num:                 PR-10518
System:                  OTP
Release:                 28
Application:             erl_interface-5.6.3, erts-16.2.2
Predecessor:             OTP 28.3.2

Check out the git tag OTP-28.3.3, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

erl_interface-5.6.3

The erl_interface-5.6.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Add missing copyrights.

  Own Id: OTP-20008

erts-16.2.2

The erts-16.2.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed bug in erlang:monitor_node for rare reconnect race with multiple node monitoring from the same process.

  Own Id: OTP-19902
  Related Id(s): PR-10518

• Add missing copyrights.

  Own Id: OTP-20008

Full runtime dependencies of erts-16.2.2

kernel-9.0, sasl-3.3, stdlib-4.1

v28.3.2: OTP 28.3.2

Compare Source

Patch Package:           OTP 28.3.2
Git Tag:                 OTP-28.3.2
Date:                    2026-02-20
Trouble Report Id:       OTP-19864, OTP-19915, OTP-19926, OTP-19958,
                         OTP-19962, OTP-19978, OTP-19981, OTP-19983,
                         OTP-19993
Seq num:                 CVE-2026-21620, GH-10651, GH-8676, PR-10539,
                         PR-10547, PR-10575, PR-10616, PR-10664,
                         PR-10696, PR-10706, PR-10732
System:                  OTP
Release:                 28
Application:             crypto-5.8.1, erts-16.2.1, ssh-5.4.1,
                         stdlib-7.2.1, tftp-1.2.4
Predecessor:             OTP 28.3.1

Check out the git tag OTP-28.3.2, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

crypto-5.8.1

The crypto-5.8.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed static linking of OpenSSL 3.5+ on Windows.

  Own Id: OTP-19993
  Related Id(s): PR-10732

Full runtime dependencies of crypto-5.8.1

erts-9.0, kernel-6.0, stdlib-3.9

erts-16.2.1

The erts-16.2.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fail the windows build properly when nsis is not recognised.

  Own Id: OTP-19926
  Related Id(s): PR-10547

• Socket accept cancel could cause fatal crash (core dump) on Windows.

  Own Id: OTP-19958

• Fixed bug in ets:update_counter/4 and ets:update_element/4 accepting and inserting a default tuple smaller than the keypos of the table. Such a tuple without a key element would make the table internally inconsistent and might lead to bad behavior at table access, like ERTS runtime crash.

  Now a call to ets:update_counter/4 or ets:update_element/4 will fail with badarg if the key does not exist in the table and the default tuple is too small.

  Own Id: OTP-19962
  Related Id(s): PR-10616

• A missing memory barrier when unlocking process locks could cause unexpected behavior on architectures with weak memory ordering such as for example ARM.

  Own Id: OTP-19978
  Related Id(s): PR-10664

• A process could fail to wake from hibernation when a non‑message signal followed by a message signal arrived concurrently as the receiving process hibernated. If the process had a large heap, triggering a dirty GC, the wakeup could be lost.

  This bug existed since OTP 27.0.

  Own Id: OTP-19983
  Related Id(s): GH-10651, PR-10696

Full runtime dependencies of erts-16.2.1

kernel-9.0, sasl-3.3, stdlib-4.1

ssh-5.4.1

The ssh-5.4.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fix handling of the SSH "each side may guess" key-exchange mechanism as defined in RFC 4253, Section 7.

  Own Id: OTP-19864
  Related Id(s): GH-8676, PR-10575

• Fix ssh_file:encode handling of OpenSSH V1 private keys generated by public_key module. Also correct type specifications for OpenSSH V1 keys in ssh_file encode and decode operations.

  Own Id: OTP-19915
  Related Id(s): PR-10539

Full runtime dependencies of ssh-5.4.1

crypto-5.0, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

stdlib-7.2.1

Note! The stdlib-7.2.1 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependency has to be satisfied:
   -- erts-16.0.3 (first satisfied in OTP 28.0.3)

Fixed Bugs and Malfunctions

• Fixed bug in ets:update_counter/4 and ets:update_element/4 accepting and inserting a default tuple smaller than the keypos of the table. Such a tuple without a key element would make the table internally inconsistent and might lead to bad behavior at table access, like ERTS runtime crash.

  Now a call to ets:update_counter/4 or ets:update_element/4 will fail with badarg if the key does not exist in the table and the default tuple is too small.

  Own Id: OTP-19962
  Related Id(s): PR-10616

Full runtime dependencies of stdlib-7.2.1

compiler-5.0, crypto-4.5, erts-16.0.3, kernel-10.0, sasl-3.0, syntax_tools-3.2.1

tftp-1.2.4

The tftp-1.2.4 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• An issue in the undocumented initial state option [{root_dir,Dir}] to the tftp_file module has been fixed. The request file name was just concatenated to Dir so it was possible to traverse above Dir by using "../" file path components. Now the option actually restricts local file operations to the Dir directory and subdirectories.

  The initial state option and how to use it was previously undocumented, so it is unlikely that anyone would have used it without understanding its peculiarities.

  The documentation of the TFTP application has also been clarified to make it obvious that the default server configuration allows read and write access to all files that are readable or writable by the user running the Erlang VM, and that the default configuration therefore should be avoided.

  Thanks to Luigino Camastra at Aisle Research, for finding and reporting this issue.

  Own Id: OTP-19981
  Related Id(s): PR-10706, CVE-2026-21620

Full runtime dependencies of tftp-1.2.4

erts-6.0, kernel-6.0, stdlib-5.0

Thanks to

Daniel Hryzbil, Jan Uhlig

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coveralls]

coverage: 88.949% (+0.02%) from 88.926%
when pulling 2e47871 on renovate/erlang-28.x
into fc99fa0 on master.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (28.4). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.