Skip to content

Warn when a vulnerable package version is added as a dependency #5725

Description

@lpil

Hex now contains information on CVEs that we can use to display warnings when used. Let's use this information to display a warning when a newly resolved version of a dependency is vulnerable.

We could also have a command for showing vulnerabilities for the current package versions.

Reference implementation for Elixir: hexpm/hex#1150

Metadata

Metadata

Assignees

No one assigned

    Labels

    help wantedContributions encouraged

    Fields

    No fields configured for Feature.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions