Hex Vulnerability Handling
- Initiative
- Back to Initiative
- Area
- Supply Chain
- Status
- Planning
- Sponsors
- -
- Funding
- More Funding Required
Goals
Complete Vulnerability Reporting & Audit capabilities inside the standard tooling
Impact
By integrating vulnerability reporting, auditing, and analysis directly into Hex’s standard tooling, this milestone significantly elevates the security and trustworthiness of the entire Erlang and Elixir ecosystem. Through streamlined reporting to the EEF CNA, automated ingestion of vulnerability data from OSV.dev, real-time alerts for suspicious or malicious packages, and a standardized API, developers and users can quickly identify, assess, and respond to potential threats. Introducing CLI warnings during installation, implementing a formal security policy, and enabling VEX-based vulnerability assessments further reinforce proactive threat mitigation. In tandem with robust malware scanning, these measures not only protect the ecosystem from harmful packages but also foster a culture of transparency and continuous security improvement.
Deliverables
- Vulnerability Reporting in Hex.pm UI ⇒ EEF CNA
- Suspicious / Malicious Package Reporting in Hex.pm ⇒ EEF CNA
- Hex.pm ingests vulnerability reports from OSV.dev
- Hex.pm offers standardized API for exposing Vulnerability Information on Packages
- Show Vulnerabilities in Hex.pm UI
- Warn on installation of vulnerable packages in CLI (similar to retired packages; rebar3, mix, and gleam support)
- Implement Security Policy for the hexpm GitHub organization
- VEX Support to publish Vulnerability Analysis on affected packages
- Implement Malware Scanning for Package Publishing
- Finding ⇒ Version is not published and an audit is triggered
Relevant Standards
- Principles for Package Repository Security
- Security Capabilities of Package Repositories / Level 1, 2
- General Capabilities / Level 1, 2, 3