Prevent installation of unsupported or vulnerable dependencies.
defp deps do
  [
    # No upper bound: any plug release above 1.0.0 satisfies this,
    # including a future major version with breaking changes.
    {:plug, ">= 1.0.0"},
    # Pessimistic operator: >= 2.1.0 and < 3.0.0, so every 2.x release qualifies.
    {:cowboy, "~> 2.1"}
  ]
end
This code is vulnerable to pulling in a dependency version nobody has reviewed or tested. '>= 1.0.0' has no upper bound, so any plug release above 1.0.0 satisfies it, including a future major version with breaking changes or a release that later turns out to carry a known vulnerability. '~> 2.1' is the pessimistic operator, equivalent to '>= 2.1.0 and < 3.0.0'; it excludes the next major version but still accepts every 2.x release, so a fresh 'mix deps.get' on a machine without the committed mix.lock resolves to whatever the newest matching cowboy release on Hex is at that moment, not the one the code was tested against.
defp deps do
  [
    # A bare version string is shorthand for "== 1.12.1": exactly this release.
    {:plug, "1.12.1"},
    # Likewise exactly 2.8.0; nothing newer is picked up until this line changes.
    {:cowboy, "2.8.0"}
  ]
end
This code is safer because it pins each dependency to one exact version, so every build resolves to the same releases that were reviewed and tested, and a newly published release cannot enter the build on its own. Two caveats a practitioner should keep in mind: commit mix.lock as well, since the lock file is what actually freezes the resolved versions, transitive dependencies included, across machines and CI; and review the pins on a schedule (for example with 'mix hex.outdated', and 'mix hex.audit' to catch packages their authors have retired), because an exact pin also stops security fixes from arriving until someone bumps it.
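To make the difference between the two deps blocks concrete, here is an added example that is not code from the page and not part of Mix or Hex. It reimplements, in Python, the subset of Elixir's requirement grammar used above (bare version, '>=', '<', '==', '~>' and 'and' conjunctions), lists which releases each requirement would admit, and flags requirements with no upper bound so a CI step can reject them. The release lists are constructed for the example; plug 2.0.0 and cowboy 3.0.0 are hypothetical major bumps added to show where each requirement stops admitting. The helper names (parse_requirement, admitted, classify, lint_deps) are this example's own.

```python
"""Lint Mix/Hex dependency requirements for unbounded version ranges.

Added example, not code from the page, from Mix, or from Hex. It
reimplements the subset of Elixir's Version requirement grammar needed
to show which releases a requirement admits. Pre-release and build
metadata are not handled.
"""
import re
from dataclasses import dataclass

Version = tuple[int, int, int]

_RELEASE_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
_CLAUSE_RE = re.compile(r"(~>|>=|<=|==|!=|>|<)?\s*(\d+\.\d+(?:\.\d+)?)")


def parse_version(text: str) -> Version:
    """Parse a release string MAJOR.MINOR.PATCH into a comparable tuple."""
    m = _RELEASE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a MAJOR.MINOR.PATCH release: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch))


@dataclass(frozen=True)
class Clause:
    op: str           # one of ~> >= <= == != > <
    version: Version
    short: bool       # written with two components, e.g. "~> 2.1"


def parse_requirement(req: str) -> list[Clause]:
    """Parse ">= 1.0.0", "~> 2.1", "1.12.1" or ">= 1.0.0 and < 2.0.0" into
    clauses that must all hold. As in Elixir's Version module, a bare
    version means "==" and only "~>" may omit the patch component.
    "or" requirements are out of scope for this example."""
    clauses = []
    for part in re.split(r"\s+and\s+", req.strip()):
        m = _CLAUSE_RE.fullmatch(part)
        if not m:
            raise ValueError(f"unsupported requirement clause: {part!r}")
        op, ver = m.group(1) or "==", m.group(2)
        short = ver.count(".") == 1
        if short and op != "~>":
            raise ValueError(f"patch component required after {op}: {part!r}")
        clauses.append(Clause(op, parse_version(ver + ".0" if short else ver), short))
    return clauses


def _upper_bound(c: Clause) -> Version:
    """Exclusive upper bound of "~>": "~> 2.1" means < 3.0.0, "~> 2.1.4" means < 2.2.0."""
    major, minor, _ = c.version
    return (major + 1, 0, 0) if c.short else (major, minor + 1, 0)


def clause_matches(c: Clause, v: Version) -> bool:
    if c.op == "~>":
        return c.version <= v < _upper_bound(c)
    return {
        ">=": v >= c.version, "<=": v <= c.version, "==": v == c.version,
        "!=": v != c.version, ">": v > c.version, "<": v < c.version,
    }[c.op]


def matches(req: str, release: str) -> bool:
    """True when the release satisfies every clause of the requirement."""
    v = parse_version(release)
    return all(clause_matches(c, v) for c in parse_requirement(req))


def admitted(req: str, releases: list[str]) -> list[str]:
    """The releases, in the order given, that the requirement would allow the resolver to pick."""
    return [r for r in releases if matches(req, r)]


def classify(req: str) -> str:
    """'exact' pins one release, 'bounded' caps the range, 'unbounded' does not."""
    clauses = parse_requirement(req)
    if any(c.op == "==" for c in clauses):
        return "exact"
    if any(c.op in ("~>", "<", "<=") for c in clauses):
        return "bounded"
    return "unbounded"


def lint_deps(deps: dict[str, str]) -> dict[str, str]:
    """Classify each requirement; a CI step can fail on any 'unbounded' result."""
    return {name: classify(req) for name, req in deps.items()}


# Constructed sample data: the two deps blocks from the page, and release
# lists made up for the example. plug 2.0.0 and cowboy 3.0.0 are hypothetical
# major bumps included to show where each requirement stops admitting.
RANGE_DEPS = {"plug": ">= 1.0.0", "cowboy": "~> 2.1"}
PINNED_DEPS = {"plug": "1.12.1", "cowboy": "2.8.0"}
RELEASES = {
    "plug": ["1.0.0", "1.12.1", "1.14.2", "2.0.0"],
    "cowboy": ["2.1.0", "2.8.0", "2.10.0", "3.0.0"],
}

if __name__ == "__main__":
    for deps in (RANGE_DEPS, PINNED_DEPS):
        for name, req in deps.items():
            print(f"{name:7} {req:9} {classify(req):9} admits {admitted(req, RELEASES[name])}")
```

Running it shows '>= 1.0.0' admitting the hypothetical plug 2.0.0 while '~> 2.1' stops at cowboy 3.0.0 and the exact pins admit one release each. The same functions also show the common middle ground: '~> 1.12.1' admits only 1.12.x patch releases, which is how many Elixir projects combine a committed mix.lock with room for security patches.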