Update Security Docs #65

Draft

maennchen wants to merge 3 commits into main from jm/security-updates

Conversation

@maennchen

  • hexdocs Origin Separation
  • Dependency Policies
  • Vulnerability CLI Reporting

Merge #62 first

ericmj and others added 3 commits June 7, 2026 20:10

Replace the ordered Rule list with a repeated RepositoryPolicy, one entry
per repository the policy constrains (in practice "hexpm" and the org's own
repository). Each entry has:

  * restriction — baseline advisory_min_severity / retirement_reasons /
    cooldown limits applied to every release in the repository
  * overrides — per-package ALLOW/DENY with an optional requirement

For each candidate release the client matches the entry for its repository,
then evaluates overrides (most specific requirement wins; ALLOW bypasses the
restriction, DENY blocks), then the restriction. An ALLOW override is exempt
from the restriction; everything else in the repository is subject to it. The
Filter, Rule, oneof action, and Availability messages are gone.

Restriction imports package.proto and types advisory_min_severity and
retirement_reasons as the AdvisorySeverity and RetirementReason enums rather
than bare uint32, so the values are symbolic. This is wire-identical to
uint32 (proto2 enums encode as varints) and still decodes unknown future
values as integers.

visibility is unchanged. Regenerate hex_pb_policy.erl and update the policy
test fixtures.

Reflect Hex (Elixir/Mix) client support for consuming security
advisories and enforcing organization-defined dependency policies
(cooldown, advisory severity, retirement, overrides) at resolution
time. Rebar3 and Gleam do not yet consume advisories or enforce
policies.

See hexpm/hexpm#1622 and hexpm/hex#1168.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Docs are now served from per-package origins so the browser
same-origin policy prevents cross-package attacks: public packages
at <package>.hexdocs.pm and organization packages at
<org>.hexorgs.pm/<package>.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
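The evaluation order the first commit message describes (match the RepositoryPolicy entry for the release's repository, evaluate overrides with the most specific requirement winning and ALLOW bypassing the restriction, then apply the restriction) as an added Python model; this is not code from the PR or the project it belongs to. The severity ordering, the "requirement-beats-bare-override" specificity rule and the version-set stand-in for a requirement are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
# Assumed ordering for the AdvisorySeverity values; "none" disables the check.
SEVERITY = {"none": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

@dataclass
class Release:
    repo: str
    package: str
    version: str
    published: datetime
    advisory_severity: Optional[str] = None   # worst advisory affecting it, if any
    retirement_reason: Optional[str] = None   # RetirementReason name, if retired

@dataclass
class Override:
    package: str
    action: str                               # "ALLOW" or "DENY"
    # Stand-in for the optional requirement: the versions it covers (None = all).
    requirement: Optional[set] = None

@dataclass
class RepositoryPolicy:
    repo: str
    advisory_min_severity: str = "none"
    retirement_reasons: set = field(default_factory=set)
    cooldown: timedelta = timedelta(0)
    overrides: list = field(default_factory=list)

def evaluate(policies, release, now):
    """Return (allowed, reason) for one candidate release."""
    entry = next((p for p in policies if p.repo == release.repo), None)
    if entry is None:
        return True, "no policy constrains this repository"
    hits = [o for o in entry.overrides if o.package == release.package
            and (o.requirement is None or release.version in o.requirement)]
    if hits:
        # Most specific wins: an override carrying a requirement beats a bare one (assumed rule).
        best = max(hits, key=lambda o: o.requirement is not None)
        return best.action == "ALLOW", f"{best.action} override"
    sev = release.advisory_severity
    if entry.advisory_min_severity != "none" and sev \
            and SEVERITY[sev] >= SEVERITY[entry.advisory_min_severity]:
        return False, f"advisory severity {sev} >= {entry.advisory_min_severity}"
    if release.retirement_reason in entry.retirement_reasons:
        return False, f"retired: {release.retirement_reason}"
    if now - release.published < entry.cooldown:
        return False, "release younger than cooldown"
    return True, "passes restriction"
```

Note that an ALLOW override returns before any restriction check runs, so a release it covers is accepted even when it carries a blocking advisory; that is the exemption the commit message describes, and a reviewer of a policy file should read ALLOW entries with that in mind.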