Use forked version of Poison to use Decimal v3 #53

Merged: jaeyson merged 3 commits into main from 52-use-forked-version-of-poison-to-use-decimal-v3 on Jun 9, 2026

jaeyson (Owner) commented Jun 9, 2026

Closes #52

Summary by Sourcery

Update dependencies to use a forked Poison compatible with Decimal v3 and bump project version.

Enhancements:

  • Replace Hex Poison dependency with a forked Git-based version to support Decimal v3.

Build:

  • Bump project version to 1.3.5 in mix.exs and update dependency declarations accordingly.

Documentation:

  • Add changelog entry for version 1.3.5 describing the switch to the forked Poison dependency.

jaeyson self-assigned this Jun 9, 2026
jaeyson added the documentation label (Improvements or additions to documentation) Jun 9, 2026
jaeyson linked an issue Jun 9, 2026 that may be closed by this pull request

sourcery-ai Bot commented Jun 9, 2026

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Updates the project to version 1.3.5 and switches the Poison dependency to a forked git repository that supports Decimal v3, while cleaning up the explicit Decimal dependency and documenting the change in the changelog.

File-Level Changes

Change: Bumped library version and updated dependency configuration to use a forked Poison compatible with Decimal v3.
Details:
  • Incremented project version from 1.3.4 to 1.3.5.
  • Replaced the Hex-based Poison dependency constraint with a git dependency pointing to the jaeyson/poison fork, intended to support Decimal v3.
  • Removed the explicit Decimal dependency since it is now expected to be resolved via the forked Poison dependency.
  • Kept dialyxir and other dev/test dependencies intact while adjusting their placement in the dependency list.
Files: mix.exs, mix.lock

Change: Documented the new release and the switch to the forked Poison dependency in the changelog.
Details:
  • Added a 1.3.5 changelog entry with date 2026.06.09.
  • Described the chore-level change of forking Poison to support Decimal v3 and linked to the forked repository.
Files: CHANGELOG.md

Assessment against linked issues

Issue Objective Addressed Explanation
#52 Update the project to use a forked version of Poison that depends on Decimal v3 in order to address the Decimal DoS advisory (GHSA-rhv4-8758-jx7v).
#52 Adjust project dependencies and metadata (versioning / changelog) to reflect the switch to the forked Poison/Decimal v3 setup.

sourcery-ai Bot left a comment

Hey - I've found 1 issue, and left some high level feedback:

  • In mix.exs the poison dependency options include a typo (banch instead of branch), which will prevent Mix from resolving the dependency correctly.
  • Consider pinning the git poison dependency to a specific tag or commit rather than master to avoid unexpected changes from upstream affecting builds.

## Individual Comments

### Comment 1
<location path="mix.exs" line_range="52" />
<code_context>
       {:excoveralls, "~> 0.18", only: [:dev, :test], runtime: false},
       {:mix_audit, "~> 2.1", only: [:dev, :test], runtime: false},
-      {:poison, "~> 4.0 or ~> 5.0 or ~> 6.0"},
+      {:poison, git: "https://github.com/jaeyson/poison.git", banch: "master"},
       {:oapi_generator, "~> 0.4.0", only: :dev, runtime: false},
-      {:dialyxir, "~> 1.4", only: [:dev, :test], runtime: false},
</code_context>
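Review bot: the added `:poison` line passes `banch: "master"`, which is not a Mix git option, so no branch is actually selected; correcting it to `branch: "master"` would still leave the dependency following whatever the fork's master points at on the next `mix deps.update`. Because this line replaces a Hex version requirement with a repository URL, pin it with `ref:` set to the full commit SHA that was reviewed (or at least a `tag:`), so the code that is built is the code that was checked. The hunk also drops the `:dialyxir` line with no replacement inside the visible context; confirm it is re-added elsewhere in the list.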
<issue_to_address>
**issue (bug_risk):** The `banch` option appears to be a typo and will be ignored by Mix.

Mix only recognizes `branch:` for Git dependencies; with `banch:` the branch isn’t pinned and Mix will use the default branch (or fail, depending on repo config). Please change this to `branch: "master"` (or another specific ref) so the dependency is resolved deterministically.
</issue_to_address>
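
A lint for the two problems raised in the review above (an unrecognised option key and a git dependency that follows a branch), as an added example that is not part of the PR or of Sourcery's output. The module name `GitDepLint`, the `@known` allow-list and the `:poison_pinned` entry with its placeholder ref are assumptions made for illustration.

```elixir
defmodule GitDepLint do
  @moduledoc "Flags git dependencies with unrecognised options or no fixed ref."

  # Option keys documented for `mix deps` (assumed list; extend it for your Mix version).
  @known ~w(git github ref branch tag submodules sparse subdir depth
            app env compile optional only targets override manager runtime system_env)a

  # Takes the list returned by deps/0 in mix.exs; returns {app, problem} tuples.
  def check(deps) do
    Enum.flat_map(deps, fn
      {app, opts} when is_list(opts) -> check_opts(app, opts)
      {app, _requirement, opts} when is_list(opts) -> check_opts(app, opts)
      _hex_only_dep -> []
    end)
  end

  defp check_opts(app, opts) do
    if Keyword.has_key?(opts, :git) or Keyword.has_key?(opts, :github) do
      unknown = for {key, _value} <- opts, key not in @known, do: {app, {:unknown_option, key}}
      unknown ++ pin_problem(app, opts)
    else
      []
    end
  end

  # A commit SHA in :ref is the strongest pin; a :tag is accepted here although
  # tags can be re-pointed. A :branch, or no ref option at all, follows a moving target.
  defp pin_problem(app, opts) do
    cond do
      Keyword.has_key?(opts, :ref) or Keyword.has_key?(opts, :tag) -> []
      Keyword.has_key?(opts, :branch) -> [{app, {:moving_ref, opts[:branch]}}]
      true -> [{app, :default_branch}]
    end
  end
end

# Constructed sample: the dependency line from this PR, a Hex dependency,
# and a pinned variant whose ref is a placeholder.
deps = [
  {:mix_audit, "~> 2.1", only: [:dev, :test], runtime: false},
  {:poison, git: "https://github.com/jaeyson/poison.git", banch: "master"},
  {:poison_pinned, git: "https://github.com/jaeyson/poison.git", ref: "<full-commit-sha>"}
]

IO.inspect(GitDepLint.check(deps))
```

Saved as an `.exs` file and run with `elixir`, this reports both an unknown option and a missing pin for the `:poison` entry and nothing for the other two.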

codacy-production Bot commented Jun 9, 2026

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

🟢 Metrics 0 duplication

Metric Results
Duplication 0

codescene-delta-analysis Bot left a comment

Gates Passed
3 Quality Gates Passed

Quality Gate Profile: The Bare Minimum

jaeyson merged commit e71df17 into main Jun 9, 2026
19 checks passed