build(deps): bump decimal from 2.3.0 to 2.4.1

[dependabot]

Bumps decimal from 2.3.0 to 2.4.1.

Release notes

Sourced from decimal's releases.

v2.4.1

Bug fixes

• Fix infinite loop in Decimal.to_integer/1 when the coefficient is zero and the exponent is negative (e.g. Decimal.new("0.0")). Such values now correctly convert to the integer 0.

v2.4.0

Security

• Mitigate exponent amplification (CVE-2026-32686). Compact inputs such as 1e1000000 could force multi-second expansions during arithmetic, parsing, normalization, comparison, or formatting. Decimal.add/2 and Decimal.sub/2 now scale operands to precision + 2 digits with a sticky bit instead of materializing the full coefficient.

Enhancements

• Add :max_digits and :max_exponent options to Decimal.parse/2 and Decimal.cast/2 to reject pathological inputs without expansion
• Add :max_digits option to Decimal.to_string/3 to cap formatted output before materialization
• Add :emax and :emin fields to Decimal.Context for IBM General Decimal Arithmetic-style overflow and underflow signaling
• Optimize hot paths for large decimals: coef_length, normalize, to_integer, integer?, parsing, and large-coefficient string formatting

Changelog

Sourced from decimal's changelog.

v2.4.1 (2026-05-08)

Bug fixes

• Fix infinite loop in Decimal.to_integer/1 when the coefficient is zero and the exponent is negative (e.g. Decimal.new("0.0")). Such values now correctly convert to the integer 0.

v2.4.0 (2026-05-07)

Security

• Mitigate exponent amplification (CVE-2026-32686). Compact inputs such as 1e1000000 could force multi-second expansions during arithmetic, parsing, normalization, comparison, or formatting. Decimal.add/2 and Decimal.sub/2 now scale operands to precision + 2 digits with a sticky bit instead of materializing the full coefficient.

Enhancements

• Add :max_digits and :max_exponent options to Decimal.parse/2 and Decimal.cast/2 to reject pathological inputs without expansion
• Add :max_digits option to Decimal.to_string/3 to cap formatted output before materialization
• Add :emax and :emin fields to Decimal.Context for IBM General Decimal Arithmetic-style overflow and underflow signaling
• Optimize hot paths for large decimals: coef_length, normalize, to_integer, integer?, parsing, and large-coefficient string formatting

Commits

• d071621 Release v2.4.1
• 9c361f8 Release v2.4.0
• 97a23e6 Mitigate decimal exponent amplification (CVE-2026-32686)
• 06bc35d Add support for Elixir 1.19, bump CI actions and runner (#225)
• 1414ccc Add support for OTP 28 and Elixir 1.18 (#224)
• cd6aa59 Update custom JSON encoder example
• c9347ed Document protocol implementations (#220)
• 8843f5b Check DBL_MIN/DBL_MAX on Decimal.from_float (#207)
• d53c625 Fix parsing of 1e-d (#218)
• c631296 Fix typo in typespec (#217)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)