gleam-lang/gleam

Warn when a vulnerable package version is added as a dependency

Open

#5725 opened on May 18, 2026

View on GitHub
 (2 comments) (0 reactions) (0 assignees)Rust (21,417 stars) (960 forks)batch import
help wanted

Description

Hex now contains information on CVEs that we can use to display warnings when used. Let's use this information to display a warning when a newly resolved version of a dependency is vulnerable.

We could also have a command for showing vulnerabilities for the current package versions.

Reference implementation for Elixir: https://github.com/hexpm/hex/pull/1150

Contributor guide

Tech stack
rust
Domain
securitytooling
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
4
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
3-5 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Knowledge of Gleam and HexRust programmingUnderstanding of CVEs
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
55
Research direction
Examine the reference implementation at hexpm/hex PR #1150 to understand how CVE data is fetched and warnings displayed. Identify the part of Gleam's dependency resolution code that adds new dependencies, likely in the Hex client or compiler source. Add a check for vulnerability data (perhaps from Hex API) and emit a warning when a newly resolved version is vulnerable. Also consider adding a command to show vulnerabilities for current package versions. Look at existing warning patterns in the Gleam source for consistency.