Exploring Recent Security Vulnerabilities in Elixir and NPM Packages

News includes a Kickstarter campaign to fund Rebar4 development with the goal of making it an official part of the OTP build system, Tidewave Web adding React support and OpenRouter integration for accessing multiple LLM models, Phoenix 1.8.1 release fixing AGENTS.md generation issues, ElixirConf US 2025 videos being slowly released on YouTube including keynotes from José Valim and Chris McCord, an AshFramework security advisory about before_transaction hooks, and more!

Show Notes online - http://podcast.thinkingelixir.com/270

Elixir Community News

• https://paraxial.io/ – Paraxial.io is sponsoring today's show! Sign up for a free trial of Paraxial.io today and mention Thinking Elixir when you schedule a demo for a special offer.
• https://x.com/grisporg/status/1963674539008639403 – Tweet about Peer Stritzinger launching a new Kickstarter for Rebar4 development
• https://www.kickstarter.com/projects/peerstritzinger/rebar3-integrating-with-erlang-otp – Kickstarter campaign to fund Rebar4 development with goal to integrate into OTP project as official build system
• https://tidewave.ai/blog/open-router-open-ai – Tidewave Web now supports OpenRouter, unlocking access to other LLM models
• https://tidewave.ai/blog/tidewave-goes-full-stack – Announcement that Tidewave Web adds React support and goes full-stack
• https://x.com/josevalim/status/1962922957933625593 – José Valim's tweet about Tidewave Web React support
• https://hexdocs.pm/tidewave/react.html – Tidewave documentation on React integration
• https://github.com/tidewave-ai/roadmap/issues?q=is%3Aissue%20state%3Aopen%20sort%3Areactions-%2B1-desc – Tidewave roadmap on GitHub where users can vote for next framework to support
• https://github.com/phoenixframework/phoenix/blob/main/CHANGELOG.md – Phoenix 1.8.1 release changelog with fixes for AGENTS.md CSS and JavaScript sections
• https://www.youtube.com/playlist?list=PLqj39LCvnOWZzC6nN1OaBZLmxhpqCLfKt – ElixirConf US 2025 videos playlist being slowly released on YouTube
• https://www.youtube.com/watch?v=6fj2u6Vm42E – Chris McCord's keynote "Elixir's AI Future" from ElixirConf US 2025
• https://bsky.app/profile/did:plc:lpylqrcpp6ttqqtrykj5wyoa/post/3lxvntora2c2k – Bluesky post about ElixirConf videos being accidentally published early
• https://github.com/ash-project/ash/security/advisories/GHSA-jj4j-x5ww-cwh9 – AshFramework CVE advisory about before_transaction hooks executing despite policy restrictions
• https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised – Industry news about major NPM packages being compromised affecting 2+ billion downloads per week

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Find us online

• Message the show - Bluesky
• Message the show - X
• Message the show on Fediverse - @ThinkingElixir@genserver.social
• Email the show - show@thinkingelixir.com
• Mark Ericksen on X - @brainlid
• Mark Ericksen on Bluesky - @brainlid.bsky.social
• Mark Ericksen on Fediverse - @brainlid@genserver.social
• David Bernheisel on Bluesky - @david.bernheisel.com
• David Bernheisel on Fediverse - @dbern@genserver.social

Sponsored By:

• Paraxial.io: Paraxial.io is sponsoring today's show! Sign up for a free trial of Paraxial.io today and mention Thinking Elixir when you schedule a demo for a special offer.