From 507ba75cf2a057d56c238cdea9f6532512567da4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 21 May 2026 17:03:04 +0000
Subject: [PATCH 1/2] Bump hex_core from 0.15.0 to 0.16.0

Bumps [hex_core](https://github.com/hexpm/hex_core) from 0.15.0 to 0.16.0.
- [Release notes](https://github.com/hexpm/hex_core/releases)
- [Changelog](https://github.com/hexpm/hex_core/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hexpm/hex_core/compare/v0.15.0...v0.16.0)

---
updated-dependencies:
- dependency-name: hex_core
  dependency-version: 0.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 mix.exs  | 2 +-
 mix.lock | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/mix.exs b/mix.exs
index 7732891..2d490a4 100644
--- a/mix.exs
+++ b/mix.exs
@@ -48,7 +48,7 @@ defmodule Hexdocs.MixProject do
       {:sentry, "~> 13.0"},
       {:ssl_verify_fun, "~> 1.1", manager: :rebar3, override: true},
       {:sweet_xml, "~> 0.7.0"},
-      {:hex_core, "~> 0.15.0"},
+      {:hex_core, "~> 0.16.0"},
       {:mox, "~> 1.0", only: :test}
     ]
   end
diff --git a/mix.lock b/mix.lock
index abc94dc..935a6e3 100644
--- a/mix.lock
+++ b/mix.lock
@@ -8,7 +8,7 @@
   "finch": {:hex, :finch, "0.22.0", "5c48fa6f9706a78eb9036cacb67b8b996b4e66d111c543f4c29bb0f879a6806b", [:mix], [{:mime, "~> 1.0 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:mint, "~> 1.8", [hex: :mint, repo: "hexpm", optional: false]}, {:nimble_options, "~> 0.4 or ~> 1.0", [hex: :nimble_options, repo: "hexpm", optional: false]}, {:nimble_pool, "~> 1.1", [hex: :nimble_pool, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "b94e83c47780fc6813f746a1f1a34ee65cda42da4c5ea26a68f0acc4498e23dc"},
   "gen_stage": {:hex, :gen_stage, "1.3.2", "7c77e5d1e97de2c6c2f78f306f463bca64bf2f4c3cdd606affc0100b89743b7b", [:mix], [], "hexpm", "0ffae547fa777b3ed889a6b9e1e64566217413d018cabd825f786e843ffe63e7"},
   "goth": {:hex, :goth, "1.4.5", "ee37f96e3519bdecd603f20e7f10c758287088b6d77c0147cd5ee68cf224aade", [:mix], [{:finch, "~> 0.17", [hex: :finch, repo: "hexpm", optional: false]}, {:jason, "~> 1.1", [hex: :jason, repo: "hexpm", optional: false]}, {:jose, "~> 1.11", [hex: :jose, repo: "hexpm", optional: false]}], "hexpm", "0fc2dce5bd710651ed179053d0300ce3a5d36afbdde11e500d57f05f398d5ed5"},
-  "hex_core": {:hex, :hex_core, "0.15.0", "8eadc0ccb08e3742f2313073d04f39eaa7904617329039e9d3c402f5dd227673", [:rebar3], [], "hexpm", "c2093764c7af8ef0818c104fa141eba431e7be93f8374638c45c7037b26a52f8"},
+  "hex_core": {:hex, :hex_core, "0.16.0", "c846e75d73a84b9ab6d0c516aef21350579701a500fbf88315df27c9daa1a5af", [:rebar3], [], "hexpm", "35d4e23df07b23103f6d5cacf717b0543713ed93404f97508d195e5fd28e1af7"},
   "hpax": {:hex, :hpax, "1.0.3", "ed67ef51ad4df91e75cc6a1494f851850c0bd98ebc0be6e81b026e765ee535aa", [:mix], [], "hexpm", "8eab6e1cfa8d5918c2ce4ba43588e894af35dbd8e91e6e55c817bca5847df34a"},
   "jason": {:hex, :jason, "1.4.5", "2e3a008590b0b8d7388c20293e9dcc9cf3e5d642fd2a114e4cbbb52e595d940a", [:mix], [{:decimal, "~> 1.0 or ~> 2.0 or ~> 3.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm", "b0c823996102bcd0239b3c2444eb00409b72f6a140c1950bc8b457d836b30684"},
   "jose": {:hex, :jose, "1.11.10", "a903f5227417bd2a08c8a00a0cbcc458118be84480955e8d251297a425723f83", [:mix, :rebar3], [], "hexpm", "0d6cd36ff8ba174db29148fc112b5842186b68a90ce9fc2b3ec3afe76593e614"},

From 2c8192927283476fd06592158b846e7a1ecfc9d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Eric=20Meadows-J=C3=B6nsson?=
 <eric.meadows.jonsson@gmail.com>
Date: Thu, 21 May 2026 20:57:06 +0200
Subject: [PATCH 2/2] Remove unsafe-paths test obsoleted by hex_core 0.16.0

hex_core 0.16.0 validates paths at the public API boundary in both
:hex_tarball.create_docs/1 and :hex_tarball.unpack_docs/2. The test
relied on create_docs accepting unsafe paths so it could exercise the
unpacker's rejection. With validation now enforced at create, the case
the test covered is no longer reachable through the library's contract.
---
 test/hexdocs/queue_test.exs | 29 -----------------------------
 1 file changed, 29 deletions(-)

diff --git a/test/hexdocs/queue_test.exs b/test/hexdocs/queue_test.exs
index 47beeef..9e0969f 100644
--- a/test/hexdocs/queue_test.exs
+++ b/test/hexdocs/queue_test.exs
@@ -80,35 +80,6 @@ defmodule Hexdocs.QueueTest do
       assert Store.get(@public_bucket, "package_names.csv") == "package1\npackage2\n"
     end
 
-    test "unsafe paths", %{test: test} do
-      Mox.expect(HexpmMock, :get_package, fn repo, package ->
-        assert repo == "hexpm"
-        assert package == "#{test}"
-
-        %{"releases" => []}
-      end)
-
-      tar =
-        Hexdocs.Tar.create([
-          {"dir/./foo.html", ""},
-          {"dir/../bar.html", ""},
-          {"dir/../../baz.html", ""}
-        ])
-
-      key = "docs/#{test}-1.0.0.tar.gz"
-      Store.put!(:repo_bucket, key, tar)
-
-      log =
-        ExUnit.CaptureLog.capture_log(fn ->
-          ref = Broadway.test_message(Hexdocs.Queue, put_message(key))
-          assert_receive {:ack, ^ref, [_], []}
-        end)
-
-      assert log =~ "Failed unpack"
-      assert log =~ "unsafe_path"
-      assert ls(@public_bucket, "#{test}/1.0.0/") == []
-    end
-
     test "overwrite main docs with newer versions", %{test: test} do
       Mox.expect(HexpmMock, :get_package, fn repo, package ->
         assert repo == "queuetest"