
Using Vulnerable Libraries

Why is this important?

Most of the code in modern applications comes from third-party libraries. This speeds up development, but there is no guarantee that a third-party library is secure or of high quality, so a known vulnerability in one of them becomes a vulnerability in your application.

Check out this video for a high-level explanation:

Using Known Vulnerable Components

Updating Vulnerable Libraries

Option A: Update the dependency

  1. Look at the vulnerable component in the GuardRails PR comment
  2. Identify the right <dependency> in the mix.exs
  3. Change the <version> of the related <dependency> in the mix.exs to reflect the patched version
    • Alternatively, run mix deps.update <dependency>
  4. Test to verify that the upgrade doesn't break the app
  5. Ship it 🚢 and relax 🌴
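A worked mix.exs change for step 3, added here as an example rather than taken from the GuardRails docs. The package :example_dep and the versions 1.2.0 (vulnerable) and 1.2.5 (patched) are placeholders for whatever the PR comment names.

```elixir
# mix.exs (excerpt). Added example; :example_dep and its versions are placeholders.
defmodule MyApp.MixProject do
  use Mix.Project

  def project do
    [app: :my_app, version: "0.1.0", elixir: "~> 1.14", deps: deps()]
  end

  defp deps do
    [
      # Before: this requirement still admits the vulnerable release (placeholder 1.2.0),
      # so a fresh resolution can pick it again.
      # {:example_dep, "~> 1.2.0"},

      # After: raise the lower bound to the patched release (placeholder 1.2.5).
      # "~> 1.2.5" means 1.2.5 <= version < 1.3.0, so the fix cannot be resolved
      # away while later patch releases are still accepted.
      {:example_dep, "~> 1.2.5"}
    ]
  end
end
```

mix.lock pins the exact version that was last resolved, so after editing the requirement run mix deps.update example_dep (the alternative given in step 3) to re-resolve it, and confirm the new mix.lock entry shows the patched version before running the tests in step 4.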

More information