Warn when a vulnerable package version is added as a dependency · gleam-lang/gleam#5725

(2 评论) (0 反应) (0 负责人)Rust (21,417 star) (960 fork)batch import

help wanted

描述

Hex now contains information on CVEs that we can use to display warnings when used. Let's use this information to display a warning when a newly resolved version of a dependency is vulnerable.

We could also have a command for showing vulnerabilities for the current package versions.

Reference implementation for Elixir: https://github.com/hexpm/hex/pull/1150

贡献者指南

技术栈: rust
领域: securitytooling
议题类型: feature
难度: 4
预计时间: 3-5 days
活动状态: fresh
清晰度: clear
前置要求: Knowledge of Gleam and HexRust programmingUnderstanding of CVEs
新手友好度: 55
研究方向: Examine the reference implementation at hexpm/hex PR #1150 to understand how CVE data is fetched and warnings displayed. Identify the part of Gleam's dependency resolution code that adds new dependencies, likely in the Hex client or compiler source. Add a check for vulnerability data (perhaps from Hex API) and emit a warning when a newly resolved version is vulnerable. Also consider adding a command to show vulnerabilities for current package versions. Look at existing warning patterns in the Gleam source for consistency.