[erlang-questions] rebar3 dependencies

Loïc Hoguin <>
Wed Mar 23 14:19:51 CET 2016

On 03/23/2016 02:00 PM, Roberto Ostinelli wrote:
> On Wed, Mar 23, 2016 at 1:56 PM, Loïc Hoguin <
> <mailto:>> wrote:
>     Of course this can happen with hex.pm <http://hex.pm>. :-)
>     https://hex.pm/docs/codeofconduct
>        Data published to Hex is hosted at the discretion
>        of the Hex team, and may be removed.
>     It can also happen to github, gitlab, bitbucket, and any other
>     repository of code that allows removal.
> Indeed, but let me be more less cryptic on what I was referring to: what
> I find more dangerous in this npm story is that:
> "[...] the global names used by the removed packages are available for
> anyone to register and replace with any code they wish.The fact that
> this is possible with NPM seems really dangerous. The author unpublished
> (erm, "liberated") over 250 NPM modules, making those global names (e.g.
> "map", "alert", "iframe", "subscription", etc) available for anyone to
> register and replace with any code they wish. Since these libs are now
> baked into various package.json configuration files (some with 10s of
> thousands of installs per month, "left-pad" with 2.5M/month), meaning a
> malicious actor could publish a new patch version bump (for every major
> and minor version combination) of these libs and ship whatever they want
> to future npm builds." [1].
> I just don't know if hex.pm <http://hex.pm> does some checksum of code,
> which would impeded for this to happen.

Don't know about hex, but this particular problem doesn't exist when you 
refer to git commits directly.

Just saying. :-)

Loïc Hoguin
Author of The Erlanger Playbook,
A book about software development using Erlang

More information about the erlang-questions mailing list