Skip to main content

Improper Dependency Pinning


Prevent installation of unsupported or vulnerable dependencies.


  • Usage of Elixir (v1.11+) for building scalable and concurrent applications
  • Usage of Mix for managing assets in Laravel


Non compliant code

defp deps do
{:plug, ">= 1.0.0"},
{:cowboy, "~> 2.1"}

This code can be vulnerable as it specifies a minimum version for 'plug', which means any version higher than 1.0.0 could be installed, including potentially incompatible or vulnerable versions. The cowboy dependency uses a version range which could potentially install a version with known vulnerabilities.


  • Specify the exact versions of the dependencies.
  • Regularly update the dependencies and thoroughly test the application after updates.

Compliant code

defp deps do
{:plug, "1.12.1"},
{:cowboy, "2.8.0"}

This code is safer as it specifies the exact versions of the dependencies to be used. This ensures that known, compatible versions are installed, reducing the risk of installing incompatible or vulnerable dependencies.