Posts in English

Incorrect Access Control in Simple Form (CVE-2019-16676)

Simple Form version 5.0 was released today with a fix for a security issue that could allow an attacker to execute methods on form objects. The issue is explained in detail below.

Using Broadway at Hexdocs.pm

This is a quick blog post about our experience replacing Hexdocs.pm’s GenStage pipeline with Broadway. To give some background information, Hexdocs.pm started out as basically just static file hosting for documentation. With the introduction of private Hexdocs it became a distinct Elixir application. Over time, we have also moved handling of documentation tarballs there to offload API servers. Instead of API servers doing … »

Improve confirmation token validation in Devise (CVE-2019-16109)

Devise version 4.7.1 was released with a fix for an edge case that could confirm accounts by mistake. We'll now explain in detail what the issue is, how it was fixed and which actions you might want to take in your applications. Description We received a security report saying that it was possible to confirm … »

How to manage deadlines in agile environments? Get to know the Reality Check Tool

TL;DR: The Reality Check is an agile tool designed to check if a deadline is feasible given the project context. It works by formulating a hypothesis, which can be updated every week by the technical team, where we organize our demands and the weeks before the delivery date. It only requires a simple board – physical or … »

Announcing MiniRepo, a minimal Hex server

In 2017 Hex.pm got support for Private packages and organizations, a way for teams to publish and manage packages without making them public. While this works great for many organizations, some have stricter compliance requirements and need to host packages on their own infrastructure. Today we are happy to announce MiniRepo, a minimal Hex server … »

Updating Hex.pm to use Elixir releases

Elixir v1.9 will ship with releases support and in this blog post we want to show how we have used this exciting new feature on the Hex.pm project. Installing Elixir master (Update: This section is no longer relevant since v1.9 is already out!) Since Elixir v1.9 is not out yet, we need to use the … »