gleam-lang/gleam
View on GitHubWarn when a vulnerable package version is added as a dependency
Open
#5,725 opened on May 18, 2026
help wanted
Repository metrics
- Stars
- (21,417 stars)
- PR merge metrics
- (Avg merge 8d 6h) (59 merged PRs in 30d)
Description
Hex now contains information on CVEs that we can use to display warnings when used. Let's use this information to display a warning when a newly resolved version of a dependency is vulnerable.
We could also have a command for showing vulnerabilities for the current package versions.
Reference implementation for Elixir: https://github.com/hexpm/hex/pull/1150