[erlang-questions] rebar3 dependencies

Eric Meadows-Jönsson <>
Fri Mar 25 13:16:21 CET 2016


Hex.pm does not allow users to remove or overwrite published packages so
the issue that happened with npm cannot happen. Packages will only be
removed in very special circumstances, such as us being forced to do so for
legal reasons and even then we will of course not allow a new package to be
published with the removed's package name.

Rebar and Mix will also add package checksums to the lock so if you don't
trust the Hex repository you are using you can at least trust the checksum
check. Additionally, over the next days I will work on improving and
documenting hex.pm's policies so that it will hopefully be clear how we
will act in circumstances such as these.

On Wed, Mar 23, 2016 at 1:47 PM, Roberto Ostinelli <>
wrote:

> On the subject on additional reasons to vendor dependencies:
> http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/
>
> BTW, not saying this can happen with hex.pm.
>
> Best,
> r.
>
>
> _______________________________________________
> erlang-questions mailing list
> 
> http://erlang.org/mailman/listinfo/erlang-questions
>
>


-- 
Eric Meadows-Jönsson
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20160325/e1ff812d/attachment.html>


More information about the erlang-questions mailing list