Welcome to GigaElixir Gazette, your 5-minute digest of Elixir ecosystem news that actually matters.
This week in Elixir: OTP patches CVE-2026-42789 and CVE-2026-42790 across release branches 26, 27, 28, and 29, the hostname verification fallback against subject common name is gone.
Also: Elixir 1.20.0-rc.6 arrives as the likely final release candidate before v1.20.0 ships, LiveStash adds WebSocket reconnect state recovery, Francis brings Sinatra-style routing to Plug, and a developer implements GPT-2 architecture from scratch using Nx.
. WEEKLY PICKS .
🛠️ Two SSL CVEs Patched Across All Active OTP Release Branches
OTP 26, 27, 28, and 29 all patched on the same day with two public_key fixes. CVE-2026-42789 corrects basic constraint path validation per RFC 5280. CVE-2026-42790 removes the legacy hostname check against subject common name, RFC 9525 compliance, but any certificate without a SAN field will now fail verification. Potential incompatibility is flagged in the release notes. OTP 28.5.0.1 also patches ERTS, kernel, snmp, and wx with additional bug fixes beyond the security changes.
⚡ Elixir 1.20.0 Final RC Arrives, LiveStash Adds LiveView State Recovery
Episode 305 covers a busy week for Elixir and the BEAM. Elixir 1.20.0-rc.6 arrives as the likely final release candidate before v1.20.0 ships - completing a 15-week roadmap with full type inference across applications and dependencies. LiveStash v0.3.0 adds a Redis adapter and auto-stashing for Phoenix LiveView state recovery on WebSocket reconnects. The EEF 2026 election results are in, and the BEAM community is called on to fund critical security work.
💡 Francis Brings Sinatra-Style Routing to Plug Without the Phoenix Boilerplate
Francis is a micro-framework on Plug and Bandit. Define routes with get, post, ws, and sse macros - one function per route, no controllers, no context boilerplate. Return a string and it renders HTML. Return a map and it renders JSON. WebSocket and SSE use the same pattern. Add to any project with {:francis, "~> 0.3"} or scaffold with mix francis.new. Not a Phoenix replacement, for when raw Plug starts generating boilerplate you did not ask for.
🔮 GPT-2 Built from Scratch in Elixir Using Nx - Transformer Blocks to Text
A blog post implements a GPT-style model from scratch in Elixir using Nx, building on a prior attention mechanism post. Starting from GPT-2 configuration and parameter counts, the walkthrough adds layer normalization, GELU feed-forward layers, shortcut connections, transformer blocks, and a greedy text generation loop. No pre-built ML framework - each component built manually using Nx tensor operations. Source code on GitHub.
🎯 Surveyor and Assay Bring Behavior-Equivalent Testing to Legacy Phoenix Rewrites
Surveyor maps a legacy codebase into a C4-style workspace file with LLM-assisted component analysis, confidence scores included so humans can accept, edit, or retry each inference. Assay pairs with it: write behavior specs in plain text, run them against both the legacy system and the new Phoenix build, and green on both means the rewrite is behavior-equivalent for that scope. Target audience is JS SPA teams evaluating a LiveView migration.
💡 Pro Tip
Your Playwright Suite Times Out Because LiveView Doesn't Fire the Load Event
Playwright waits for the load event by default. That assumption bakes in a traditional request/response cycle: the browser makes a request, the server returns a full document, the browser fires load when everything is done.
LiveView navigation happens over a persistent WebSocket connection, the URL changes, the DOM updates, but no new document is requested and no load event fires in the way Playwright expects.
The result is a test suite that passes in isolation and hangs overnight when run as a full batch. Every failure points to navigation. The cause is a default that was never designed for WebSocket-first apps.
The fix requires two steps per navigation.
First, add waitUntil: 'commit' to every goto or waitForURL call, this returns as soon as the server responds and navigation is committed, without waiting for a load event that will not arrive. Second, follow each navigation with a waitForLiveView helper that waits for the .phx-connected selector before the test continues.
LiveView's WebSocket still needs to mount after the navigation commits, and acting on the page before that point produces flaky results. Consistency is the constraint: one navigation in the entire suite missing waitUntil: 'commit' is enough to hang the overnight run.
One documented exception, plain href link transitions go through a standard request cycle and do not need the pattern.
Remember, for Playwright and LiveView testing:
waitUntil: 'commit' on every LiveView navigation - The default 'load' waits for a page load event that WebSocket navigation never fires; 'commit' returns when the server responds and the URL is committed
Follow each navigation with waitForLiveView - The WebSocket still needs to mount after commit; acting on the page before .phx-connected is set produces flaky results
Consistency is non-negotiable - One navigation missing waitUntil: 'commit' is enough to hang the full overnight suite; touch every goto and waitForURL
Plain href transitions are the exception - Navigations through standard HTML links use a full request cycle and do not need the WebSocket wait pattern
. TIRED OF DEVOPS HEADACHES? .
Deploy your next Elixir app hassle-free with Gigalixir and focus more on coding, less on ops.
We're specifically designed to support all the features that make Elixir special, so you can keep building amazing things without becoming a DevOps expert.
Keep it simple, keep it functional.
See you next week,
Michael
P.S. Forward this to a friend who loves Elixir as much as you do 💜
