Using Vulnerable Libraries

Why is this important?

Most of the code for modern applications is coming from third-party libraries. This is great because it speeds up development. However, there is no guarantee that third-party libraries are secure and of high quality.

Check out this video for a high-level explanation:

Updating Vulnerable libraries

Option A: Update the dependency

1. Look at the vulnerable component in the GuardRails PR comment.
2. Identify the right <dependency> in the mix.exs.
3. Change the <version> of the related <dependency> in the mix.exs to reflect the patched version.
   • Alternatively, run mix deps.update <dependency>
4. Test to verify that the upgrade doesn't break the app.
5. Ship it 🚢 and relax 🌴

More information

• OWASP TOP 10 Reference: Using Components with Known Vulnerabilities