build(deps-dev): bump the development-dependencies group with 3 updates

[dependabot]

Bumps the development-dependencies group with 3 updates: bandit, ex_doc and phoenix_live_reload.

Updates bandit from 1.6.11 to 1.10.1

Changelog

Sourced from bandit's changelog.

1.10.1 (5 Jan 2026)

Changes

• Change default preference order for compression methods to be 'zstd (if present), gzip, deflate' (#562)

Fixes

• Allow :zstd_options key to be set in config (#558, thanks @​Fudoshiki!)
• Fix error where deflate responses weren't always completely sent (#559, thanks @​josevalim!)

1.10.0 (29 Dec 2025)

Enhancements

• Expose response_encodings to allow specifying an explicit preference order to compression encodings (#555)

1.9.0 (12 Dec 2025)

Enhancements

• Skip body draining when Connection: close is set (#546, thanks @​pepicrft!)
• Make deflate options for WebSockets configurable (#540, thanks @​proxima!)
• Mitigate HTTP/2 rapid reset attacks (#533, thanks @​NelsonVides!)
• Implement improved respect for SETTINGS_MAX_CONCURRENT_STREAMS (#524, thanks @​NelsonVides!)
• Support zstd HTTP compression (#514, thanks @​mattmatters!)

1.8.0 (18 Aug 2025)

Enhancements

• If the user has set a content-length header when calling send_chunked/3, the response is streamed via content-length delimited framing and not chunked (#510)

1.7.0 (29 May 2025)

Enhancements

• Add support for new get_sock_data/1 and get_ssl_data/1 callbacks from Plug 1.18 (#497)
• Honour server-sent Connection: close headers (#495, thanks @​ruslandoga!)

Fixes

• Don't overwrite non-default HTTP/2 settings when receiving HTTP/2 settings (#494, thanks @​ns-blee!)
• Fix handling of early-connection error handling in HTTP/2 (#486)

Commits

• cd2b7c5 Version bump to 1.10.1
• bdb424b Demote deflate, promote zstd in compression choices (#562)
• 0f51165 Ensure data is fully deflated on compression (#559)
• 0088145 Remove unused requires (#561)
• 798f0be Optimize iodata emptiness checks (#560)
• 49aac49 Add missing :zstd_options key (#558)
• c26756c Bump credo from 1.7.14 to 1.7.15 (#556)
• deb098d Version bump to 1.10.0
• c72c3b6 Add response_encodings option to http_options (#555)
• 26d741f Bump ex_doc from 0.39.2 to 0.39.3 (#553)
• Additional commits viewable in compare view

Updates ex_doc from 0.37.3 to 0.39.3

Changelog

Sourced from ex_doc's changelog.

v0.39.3 (2025-12-09)

• Enhancements
  • Add the option to trim down the footer

v0.39.2 (2025-12-04)

• Bug fixes
  • Do not strip hrefs on summaries
  • Show go to latest for prereleases
  • Prevent fake italic in autocomplete text
  • Rename "Search Hexdocs" link to "Go to package docs"

v0.39.1 (2025-10-23)

• Bug fixes
  • Improve box-shadow around autocompletion
  • Trim search engine selector on small screens
  • Fix admonition titles on small screens

v0.39.0 (2025-10-23)

• Enhancements
  • Allow custom search engines to be configured with support for https://hexdocs.pm
  • Improve admonition blocks so they better integrate with the page flow
• Bug fixes
  • Add .cheatmd to EPUB to avoid broken links
• Backwards incompatible changes
  • Validate :extras fields: if you were previously setting them to unexpected values, you may now get an exception
  • Setting exdoc:full-text-search-url metadata is no longer supported, using the new search engines configuration

v0.38.4 (2025-09-09)

• Bug fixes
  • Fix escaping of links when they have ampersand in them
  • Increase spacing of footers in pages
  • Align stale icon positioning

v0.38.3 (2025-08-17)

• Enhancements
  • Allow configuring autocomplete limit, and default it to 10 instead of 8
  • Display description text in docs groups
  • Load discovered makeup apps for CLI

v0.38.2 (2025-05-27)

• Bug fixes
  • Render documents with hardcoded <h2>/<h3> entries correctly
  • Fix padding on external links

... (truncated)

Commits

• a359f56 Release v0.39.3
• 94134e0 Add the option to trim down the footer
• 08482c0 Bump js-yaml from 4.1.0 to 4.1.1 in /assets (#2170)
• 425378e Release v0.39.2
• 10d8315 Ensure IDs rather than hrefs are stripped, closes #2175
• 72bb755 Show go to latest for prereleases, closes #2173
• 6db9cab Fix docs: Move source_url to project (#2172)
• e7abbae Add Elixir v1.19 and Erlang/OTP 28 to CI (#2166)
• 60203be Update assets
• a4927a4 Prevent fake italic in autocomplete text (#2168)
• Additional commits viewable in compare view

Updates phoenix_live_reload from 1.5.3 to 1.6.2

Changelog

Sourced from phoenix_live_reload's changelog.

1.6.2 (2025-12-08)

• Bug fixes
  • Properly deal with Unicode when forwarding logs

1.6.1 (2025-08-31)

• Enhancements
  • Set :phoenix_live_reload private field to downstream instrumentation
  • Add @import directive support to CSS reload strategy

1.6.0 (2025-04-10)

• Enhancements

  • Add support for __RELATIVEFILE__ when invoking editors
  • Change the default target window to :parent to not reload the whole page if a Phoenix app is shown inside an iframe. You can get the old behavior back by setting the :target_window option to :top:

    config :phoenix_live_reload, MyAppWeb.Endpoint,
      target_window: :top,
      ...

• Bug fixes

  • Inject iframe if web console logger is enabled but there are no patterns
  • Allow web console to shutdown cleanly

Commits

• 6e139d2 Release v1.6.2
• e09911e Deal with charlists in logger
• a2a3702 Release v1.6.1
• 3644706 Set :phoenix_live_reload private field to downstream instrumentation
• 1c5c150 Add @​import directive support to CSS reload strategy (#172)
• 5e8c104 Merge pull request #170 from cloud8421/patch-1
• 2c864c8 Fix default target window mention in CHANGELOG
• f129710 Release v1.6.0
• 95c956e show code example in 1.6 changelog
• bd16ec6 Update CHANGELOG
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions