Eric Meadows-Jönsson ericmj

@ericmj
ericmj / 2026-04-29-hex-dependency-cooldown-design.md
Last active May 13, 2026 17:08
Hex Dependency Cooldown — Public Design

Hex Dependency Cooldown — Design

Date: 2026-04-29

Status: Design proposal (user-facing design only; internal implementation deferred)

Background

Recent supply-chain attacks against package registries (npm, PyPI, RubyGems) have followed a recurring pattern: a maintainer's credentials are compromised or a dormant package is taken over, a malicious version is published, and automated dependency tooling pulls it into thousands of downstream projects within hours — well before the release can be reported and either flagged, retired or removed. Analyses of these incidents observe windows of opportunity under a week between publication and detection.

Proposal for strict matching comprehensions

Background

for comprehensions are one of the most powerful features in Elixir. They support both enumerable and bitstring generators, filters through boolean expressions and pattern matching, collectibles with :into and folding with :reduce.

One of these features is automatic filtering by patterns in generators:

active 0.9.0
amqp_client 3.0.2
amqp_client 3.3.5
amqp_client 3.4.0
amqp_client 3.5.0
amqp_client 3.5.6
b64fast 0.2.0
b64fast 0.2.1
base64url 0.0.1
bbmustache 1.0.0
-module(gun_proxied_tls).
-behaviour(gen_server).
%% Gun-specific interface.
-export([ssl_connect/2]).
-export([ssl_connect/3]).
-export([proxy_received/2]).
%% Transport callback.
@ericmj
ericmj / asdf_otp.sh
Last active January 9, 2018 00:58
Install and patch old OTPs for asdf and macOS 10.13
#!/bin/bash
otp_version=$1
asdf_dir=$(dirname $(dirname $(which asdf)))
pushd $asdf_dir/installs/erlang
rm -rf $otp_version
rm -rf src_$otp_version
@ericmj
ericmj / question.ex
Last active April 26, 2016 20:14 — forked from brweber2/question.ex
defmodule WhatHappensIn_1_3 do
def some_func() do
receive do
{from, message} ->
send from, "hello #{inspect message}"
some_func()
_ ->
IO.puts "quittin' time"
end
https://s3.amazonaws.com/s3.hex.pm/builds/erlang/cedar-14
OTP-17.0.1.tar.gz
OTP-17.1.tar.gz
OTP-17.3.2.tar.gz
OTP-17.4.tar.gz
OTP-17.5.5.tar.gz
OTP-17.5.6.tar.gz
OTP-18.0.2.tar.gz
OTP-18.1.3.tar.gz
defmodule AWS do
defmodule Credentials do
defstruct [:access_key, :secret_key, :bucket, :region, :protocol]
end
def auth_s3(path, expires, credentials, datetime \\ :calendar.universal_time) do
request = canonical_request(path, expires, datetime, credentials)
string_to_sign = string_to_sign(request, datetime, credentials)
signing_key = signing_key(datetime, credentials)
signature = signature(signing_key, string_to_sign)

Keybase proof

I hereby claim:

  • I am ericmj on github.
  • I am ericmj (https://keybase.io/ericmj) on keybase.
  • I have a public key whose fingerprint is 7CAD D4BE 0F78 C84D 2AE6 4400 280D 7504 4899 B196

To claim this, I am signing this object:

host all postgrex_md5_pw 127.0.0.1/32 md5
host all postgrex_cleartext_pw 127.0.0.1/32 password
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the "Client Authentication" section in the PostgreSQL
# documentation for a complete description of this file. A short
# synopsis follows.
#