
Improper Dependency Pinning

Need

Prevent installation of unsupported or vulnerable dependencies.

Context

  • Usage of Elixir (v1.11+) for building scalable and concurrent applications
  • Usage of Mix (Elixir's build tool) for managing dependencies and builds

Description

Non-compliant code

defp deps do
  [
    {:plug, ">= 1.0.0"},
    {:cowboy, "~> 2.1"}
  ]
end

This code is vulnerable because it specifies only a minimum version for plug, so any release newer than 1.0.0, including incompatible or vulnerable ones, can be installed. The cowboy dependency uses a version range ("~> 2.1" accepts any 2.x release at or above 2.1.0), which could likewise resolve to a version with known vulnerabilities.

Steps

  • Specify the exact versions of the dependencies.
  • Regularly update the dependencies and thoroughly test the application after updates.

Compliant code

defp deps do
  [
    {:plug, "1.12.1"},
    {:cowboy, "2.8.0"}
  ]
end

This code is safer because it pins each dependency to an exact version. Only the known, tested versions are installed, which reduces the risk of pulling in an incompatible or vulnerable release.
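An added example, not code from the original page or any project: a small Python checker that scans the deps list of a mix.exs for requirements that are not exact pins, so the non-compliant pattern above can be caught in CI. The mix.exs contents and the dependency names in the sample are constructed for the example.

```python
import re

# Constructed sample of a mix.exs deps/0 body (not taken from any real project).
SAMPLE_MIX_EXS = '''
  defp deps do
    [
      {:plug, ">= 1.0.0"},
      {:cowboy, "~> 2.1"},
      {:jason, "1.4.0", only: :test},
      {:phoenix, "== 1.7.2"},
      {:my_lib, github: "example/my_lib"}
    ]
  end
'''

# One dependency tuple: {:name, "requirement", ...} or {:name, opts...}.
# The requirement group is optional so deps given only by git/path are caught too.
DEP_RE = re.compile(r'\{\s*:(?P<name>\w+)\s*,\s*(?:"(?P<req>[^"]*)")?')

# Mix treats a bare version ("1.12.1") or an explicit "== 1.12.1" as an exact
# requirement; operators such as ">=", "~>", "<" or "and/or" ranges are loose.
EXACT_RE = re.compile(r'^(?:==\s*)?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.]+)?$')


def classify(req):
    """Return 'exact', 'loose' or 'missing' for one Mix requirement string."""
    if req is None:
        return "missing"
    return "exact" if EXACT_RE.match(req.strip()) else "loose"


def find_unpinned(mix_exs):
    """Return [(name, requirement, verdict)] for every dep not pinned to an exact version."""
    findings = []
    for match in DEP_RE.finditer(mix_exs):
        name, req = match.group("name"), match.group("req")
        verdict = classify(req)
        if verdict != "exact":
            findings.append((name, req, verdict))
    return findings


if __name__ == "__main__":
    for name, req, verdict in find_unpinned(SAMPLE_MIX_EXS):
        print(f"{name}: requirement {req!r} is {verdict}")
```

Running it over the sample reports plug and cowboy as loose and my_lib as missing a version, while the two exact pins pass; a deps list that pins every entry yields an empty result.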
