Warn when a vulnerable package version is added as a dependency · gleam-lang/gleam#5725

(2 comments) (0 reactions) (0 assignees)Rust (21,417 stars) (960 forks)batch import

help wanted

説明

Hex now contains information on CVEs that we can use to display warnings when used. Let's use this information to display a warning when a newly resolved version of a dependency is vulnerable.

We could also have a command for showing vulnerabilities for the current package versions.

Reference implementation for Elixir: https://github.com/hexpm/hex/pull/1150

コントリビューターガイド

技術スタック: rust
領域: securitytooling
Issue 種別: feature
難度: 4
推定時間: 3-5 days
活動状況: fresh
明確さ: clear
前提条件: Knowledge of Gleam and HexRust programmingUnderstanding of CVEs
初心者向け度: 55
調査方針: Examine the reference implementation at hexpm/hex PR #1150 to understand how CVE data is fetched and warnings displayed. Identify the part of Gleam's dependency resolution code that adds new dependencies, likely in the Hex client or compiler source. Add a check for vulnerability data (perhaps from Hex API) and emit a warning when a newly resolved version is vulnerable. Also consider adding a command to show vulnerabilities for current package versions. Look at existing warning patterns in the Gleam source for consistency.