Non-upgradable Dependencies

Need

Use a dependency manager to ensure smooth updates and maintainability

Context

• Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications

• Usage of Mix as the package manager

Description

1. Non compliant code

defmodule InsecureDependencies do
  # Here the user is using the copied code of the UUID package directly into the file
  def generate_uuid do
    #...Code copied from UUID package...
  end
end

The `generate_uuid` function uses code directly copied from a package (UUID package for instance). This makes it hard to update and maintain the code. Also, if a vulnerability is found in the original package, the code here will also be vulnerable and would need a manual update.

2. Steps

• Define all dependencies in your mix.exs file.

• Run `mix deps.get` in your command line to fetch the defined dependencies.

3. Secure code example

# mix.exs file

defp deps do
  [
    {:uuid, "~> 1.8"}
  ]
end
# Using the UUID package in your code...

Now, the UUID package is declared as a dependency in the mix.exs file and fetched using `mix deps.get`. This way, it's easier to update and maintain the code. Moreover, if a vulnerability is found in the original package, you just need to update the version in the mix.exs file and run `mix deps.get` again.

References

• 079. Non-upgradable Dependencies

On this page