Bump the production-dependencies group with 3 updates

[dependabot]

Bumps the production-dependencies group with 3 updates: bandit, phoenix and phoenix_live_view.

Updates bandit from 1.7.0 to 1.8.0

Changelog

Sourced from bandit's changelog.

1.8.0 (18 Aug 2025)

Enhancements

• If the user has set a content-length header when calling send_chunked/3, the response is streamed via content-length delimited framing and not chunked (#510)

Commits

• d15dd87 Version bump to 1.8.0
• 441573b Bump dialyxir from 1.4.5 to 1.4.6 (#513)
• a0110ac Bump actions/checkout from 4 to 5 (#512)
• 619e536 Add support for streaming responses if content-length is set when chunking (#...
• e3f29e8 Bump req from 0.5.12 to 0.5.15 (#507)
• b812b2d Bump plug from 1.18.0 to 1.18.1 (#506)
• 112ff43 Add changelog link to package metadata (#505)
• b1ec62b Bump req from 0.5.11 to 0.5.12 (#504)
• 82ffbbf Bump req from 0.5.10 to 0.5.11 (#501)
• 98918c6 Bump mix_test_watch from 1.2.0 to 1.3.0 (#500)
• Additional commits viewable in compare view

Updates phoenix from 1.7.21 to 1.8.1

Changelog

Sourced from phoenix's changelog.

1.8.1 (2025-08-28)

Bug fixes

• [phx.new] Fix AGENTS.md failing to include CSS and JavaScript sections

1.8.0 (2025-08-05)

Bug fixes

• [phx.new] Don't include node_modules override in generated tsconfig.json

Enhancements

• [phx.gen.live|html|json] - Make context argument optional. Defaults to the plural name.
• [phx.new] Add mix precommit alias
• [phx.new] Add AGENTS.md generation compatible with usage_rules
• [phx.new] Add usage_rules folder to installer, allowing to sync generic Phoenix rules into new projects
• [phx.new] Use LiveView 1.1 release in generated code
• [phx.new] Ensure theme selector and flash closing works without LiveView

1.8.0-rc.4 (2025-07-14)

Bug Fixes

• Fix phx.gen.presence PubSub server name for umbrella apps
• Fix phx.gen.live subscribing to pubsub in disconnected mounts

Enhancements

• [phx.new] Initialize initial git repo when git is installed
• [phx.new] Opt-in to HEEx :debug_tags_location in development
• [phx.gen.live|html|json|context] Make context name optional and inflect based on schema when missing
• [phx.gen.*] Use new Ecto 3.13 Repo.transact/2 in generators
• [phx.gen.auth] Warn when using phx.gen.auth without esbuild as features assume phoenix_html.js in bundle
• Add security.md guide for security best practices
• [phoenix.js] - Add fetch() support to LongPoll when XMLHTTPRequest is not available
• Optimize parameter scrubbing by precompiling patterns

1.8.0-rc.3 (2025-05-07)

Enhancements

• [phx.gen.auth] Allow configuring the scope's assign key in phx.gen.auth
• [phx.new] Do not override theme in root layout if explicitly set

1.8.0-rc.2 (2025-04-29)

Bug Fixes

• [phx.gen.live] Only subscribe to pubsub if connected
• [phx.gen.auth] Remove unused current_password field
• [phx.gen.auth] Use context_app for scopes to fix generated scopes in umbrella apps

1.8.0-rc.1 (2025-04-16)

Enhancements

... (truncated)

Commits

• 675e924 Release 1.8.1
• 21ee261 Bump eslint from 9.33.0 to 9.34.0 (#6440)
• a280eed Bump @​eslint/js from 9.33.0 to 9.34.0 (#6439)
• c3d2fa9 Touchup
• 8502ed0 Clarify timestamp further. Closes #6438
• 820b0ba Clarify timestamp. Closes #6438
• a64dd8c Run mix compile before assets.build in generated aliases (#6407)
• b0fe7ec Update controllers documentation (#6416)
• a5646df Fix some typos (#6386)
• 14faee2 Fix controller.ex documentation typo (#6417)
• Additional commits viewable in compare view

Updates phoenix_live_view from 1.1.2 to 1.1.8

Changelog

Sourced from phoenix_live_view's changelog.

v1.1.8 (2025-08-20)

Bug fixes

• Fix race condition where patches were discarded when a join was still pending (#3957)

v1.1.7 (2025-08-18)

Bug fixes

• Fix regression introduced in v1.1.6

v1.1.6 (2025-08-18)

Bug fixes

• Fix live components in nested views accidentally destroying live components in parent views (#3953)

v1.1.5 (2025-08-18)

Bug fixes

• Fix hooks not working when used inside of Phoenix.Component.portal/1 (#3950)
• Fix form participating custom elements not being reset to empty in some cases (#3946)

Enhancements

• Allow assign_async to return a keyword list
• Add Phoenix.LiveView.stream_async/4 to asynchronously insert items into a stream

v1.1.4 (2025-08-13)

Bug fixes

• Fix LiveComponent updates being inadvertently discarded in rare circumstances when locked DOM trees are restored (#3941)

v1.1.3 (2025-08-05)

Bug fixes

• Fix warning when importing LiveView JS (#3926)
• Ensure form recovery respects fieldsets (#3921)
• LiveViewTest: Fix crash when submitting a form with custom submitter, but without ID (#3927)
• LiveViewTest: Ensure whitespace in textarea content is preserved when submitting a form (#3928)
• Make hook types less strict (#3913)

Enhancements

• HTMLFormatter: do not try to format attributes into a single line when they are spread over multiple lines. This follows the behavior of the Elixir formatter that also respects newlines.

... (truncated)

Commits

• 4838611 release v1.1.8
• 223d351 Update assets
• 7e0b15a fix pending diff race condition when join is still pending (#3957)
• ccc2132 release v1.1.7
• a7aa090 release v1.1.6
• fc04af4 check owner when sending cids_will_destroy
• e2b8c11 release v1.1.5
• ac0f703 Update assets
• e0b1a1d add stream_async (#3944)
• 6c0bd38 fix ownsElement to account for portals (#3951)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions