First off, I'd like to thank you, Bram, for looking into potential security
issues and starting discussions about what you find. We need more people
doing that.
Also, your discussions with the core team and your blog post made me find
this issue https://github.com/hexpm/hex/issues/243 in the Hex
Hi,
The other day I wrote a post on security best-practices around dependencies
(https://blog.voltone.net/post/5). One of the issues I raised was the risk
of unexpected code execution when pulling in dependencies from Git
repositories: "mix deps.get" recursively installs any sub-dependencies,