Hex.pm Pull Request Proposes OSV.dev Vulnerability Database Integration for Elixir/Erlang Packages
A significant pull request has been opened proposing the integration of the OSV.dev vulnerability database directly into Hex.pm, the primary package manager for the Elixir and Erlang ecosystems. This integration would fundamentally change how security risks are surfaced to developers, moving vulnerability warnings from external tools into the core package management workflow. The PR introduces a new database table to store vulnerabilities, an automated updater job to pull data from OSV.dev, and modifications to both the Hex.pm user interface and API to flag affected package versions.
The proposal aims to bake security directly into the dependency management process. If implemented, the Hex.pm UI would visually mark vulnerable versions, and the API would expose this data for use by build tools like Mix and Rebar3. The long-term vision, as outlined by the contributor, is for `mix deps.get` or a dedicated `mix hex.audit` command to automatically warn users—or even block installations—when pulling in packages with known security flaws, mirroring the existing functionality for retired packages. This represents a proactive shift towards a more secure-by-default ecosystem.
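To make the matching step concrete, the following is an added example (not code from the pull request, from Hex.pm, or from OSV.dev) of what an audit such as the proposed updater job or a `mix hex.audit` command has to do once advisory data is available: take each locked dependency version, find OSV records whose `affected[].package` names that package in the `Hex` ecosystem, and test the version against the record's `ranges[].events` (`introduced` / `fixed` / `last_affected`). It is written in Python for portability rather than in Elixir, and everything in it that is not the public OSV schema is an assumption: the advisory IDs, package names and versions are constructed placeholders, and `SAMPLE_LOCK` stands in for a parsed `mix.lock`.

```python
"""Audit locked Hex package versions against OSV-format advisories.

Added illustration only; not code from the Hex.pm PR. Advisory IDs,
package names and versions below are constructed placeholders.
"""
import re

_SEMVER_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def version_key(text):
    """Tuple that orders versions per SemVer 2.0 (the scheme Hex uses).

    OSV writes the bare string "0" in an 'introduced' event to mean
    "from the first version", so it maps to a key below any real version.
    """
    if text == "0":
        return (0, 0, 0, 0, ())
    m = _SEMVER_RE.match(text)
    if not m:
        raise ValueError(f"not a SemVer version: {text!r}")
    major, minor, patch, pre = m.groups()
    if pre is None:
        # A release sorts after every pre-release of the same number (flag 1 > 0).
        return (int(major), int(minor), int(patch), 1, ())
    # Numeric identifiers compare numerically and sort before alphanumeric ones.
    idents = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (int(major), int(minor), int(patch), 0, idents)


def intervals_from_events(events):
    """Turn an OSV ECOSYSTEM/SEMVER event list into [(lo, hi, hi_inclusive)].

    Assumes the events are sorted, as the OSV schema requires. 'fixed' closes
    an interval exclusively, 'last_affected' closes it inclusively, and an
    'introduced' with no closer means every later version is affected.
    """
    intervals, lo = [], None
    for ev in events:
        if "introduced" in ev:
            lo = version_key(ev["introduced"])
        elif "fixed" in ev and lo is not None:
            intervals.append((lo, version_key(ev["fixed"]), False))
            lo = None
        elif "last_affected" in ev and lo is not None:
            intervals.append((lo, version_key(ev["last_affected"]), True))
            lo = None
    if lo is not None:
        intervals.append((lo, None, False))
    return intervals


def is_affected(version, affected_entry):
    """True if `version` falls inside one OSV 'affected' entry."""
    if version in affected_entry.get("versions", []):  # explicit version lists
        return True
    v = version_key(version)
    for rng in affected_entry.get("ranges", []):
        if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
            continue  # GIT ranges need commit history, not version numbers
        for lo, hi, inclusive in intervals_from_events(rng["events"]):
            if v < lo:
                continue
            if hi is None or v < hi or (inclusive and v == hi):
                return True
    return False


def audit(lock, advisories, ecosystem="Hex"):
    """Return (package, version, advisory id, summary) for each vulnerable dep."""
    findings = []
    for adv in advisories:
        for entry in adv.get("affected", []):
            pkg = entry.get("package", {})
            if pkg.get("ecosystem") != ecosystem:
                continue
            installed = lock.get(pkg.get("name"))
            if installed is not None and is_affected(installed, entry):
                findings.append((pkg["name"], installed, adv["id"], adv.get("summary", "")))
    return findings


# Constructed advisories in OSV format; IDs and package names are placeholders.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2024-0001",
     "summary": "constructed: unsafe decoding in example_json",
     "affected": [{"package": {"ecosystem": "Hex", "name": "example_json"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [
                       {"introduced": "0"}, {"fixed": "1.4.2"},
                       {"introduced": "2.0.0"}, {"fixed": "2.1.0"}]}]}]},
    {"id": "EXAMPLE-2024-0002",
     "summary": "constructed: header injection in example_http",
     "affected": [{"package": {"ecosystem": "Hex", "name": "example_http"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [
                       {"introduced": "0.9.0"}, {"last_affected": "0.9.3"}]}]}]},
]

# Constructed lock snapshot (name -> version) standing in for a parsed mix.lock.
SAMPLE_LOCK = {"example_json": "1.3.0", "example_http": "0.10.0", "example_web": "1.14.0"}

if __name__ == "__main__":
    for name, ver, adv_id, summary in audit(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print(f"{name} {ver}: {adv_id} {summary}")
```

Two details matter for a tool in this position: pre-release versions such as `1.4.2-rc.1` sort below `1.4.2` and are therefore still inside a range fixed at `1.4.2`, and a `last_affected` boundary is inclusive while a `fixed` boundary is not, so `0.9.3` is flagged but `0.10.0` is not. A real updater would also keep the `GIT` ranges for display but must not use them for version matching.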
While the PR author acknowledges the current code requires refinement—citing suboptimal naming conventions for database relations and API fields—the core concept has been presented for review by the Hex core team. Successful integration would place Hex.pm alongside other modern language ecosystems that have embedded vulnerability scanning, applying significant pressure on maintainers to update or patch flawed releases and giving developers critical, actionable security intelligence at the point of dependency resolution.