gleam-lang/gleam

Warn when a vulnerable package version is added as a dependency

Open

#5725 opened on May 18, 2026

help wanted


Description

Hex now contains information on CVEs that we can use to display warnings when used. Let's use this information to display a warning when a newly resolved version of a dependency is vulnerable.

We could also have a command for showing vulnerabilities for the current package versions.

Reference implementation for Elixir: https://github.com/hexpm/hex/pull/1150
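The check the issue asks for, written as an added illustration and not as code from the Gleam compiler or from Hex: each freshly resolved (package, version) pair is matched against a list of advisories and a warning line is produced for every hit. The advisory shape (package, id, introduced, fixed) and the sample advisory are assumptions standing in for whatever Hex actually publishes.

```rust
// Added illustration, not gleam or hex code. The Advisory shape is an
// assumption; Hex's real advisory format is not described on this page.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

impl Version {
    /// Parse "MAJOR.MINOR.PATCH"; anything else yields None so a malformed
    /// version is skipped rather than silently treated as safe or unsafe.
    pub fn parse(s: &str) -> Option<Version> {
        let mut it = s.split('.').map(|p| p.parse::<u64>().ok());
        let v = Version(it.next()??, it.next()??, it.next()??);
        if it.next().is_some() { None } else { Some(v) }
    }
}

/// One advisory: the affected range is [introduced, fixed). A `fixed` of
/// None means no patched release exists yet, so every later version is hit.
pub struct Advisory {
    pub package: &'static str,
    pub id: &'static str,
    pub introduced: Version,
    pub fixed: Option<Version>,
}

impl Advisory {
    pub fn affects(&self, package: &str, v: Version) -> bool {
        self.package == package
            && v >= self.introduced
            && self.fixed.map_or(true, |f| v < f)
    }
}

/// Produce one warning per resolved (package, version) an advisory covers.
/// Unparseable versions are skipped; a version with no advisory is silent.
pub fn warnings(resolved: &[(&str, &str)], advisories: &[Advisory]) -> Vec<String> {
    let mut out = Vec::new();
    for (name, ver) in resolved {
        let Some(v) = Version::parse(ver) else { continue };
        for a in advisories.iter().filter(|a| a.affects(name, v)) {
            let fix = a.fixed.map_or("no fixed version yet".to_string(),
                |f| format!("fixed in {}.{}.{}", f.0, f.1, f.2));
            out.push(format!("warning: {name} {ver} is vulnerable ({}); {fix}", a.id));
        }
    }
    out
}
```

A `gleam deps` style command could run `warnings` over the whole manifest to give the "show vulnerabilities for the current package versions" view the issue also mentions.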
