Enhancements

- Add organization-defined dependency policies that filter the package versions available during dependency resolution. An organization publishes a named policy through its repository, and a project opts into one with the `policy` config (`HEX_POLICY`, `[org: "ORG", name: "NAME"]` in the `mix.exs` `:hex` block, or `mix hex.config`). A policy constrains one or more repositories (typically the organization's own repo and `hexpm`) and for each can block releases that:
  - carry a security advisory at or above a minimum severity
  - are retired for one of a given set of reasons
  - are newer than a release-age cooldown window

  Per-package allow/deny overrides take precedence over the restriction (an allow also exempts the release, and the most specific match wins), and versions already in `mix.lock` are never filtered. Use `mix hex.policy show` to summarize the active policy and `mix hex.policy why PACKAGE` to see why specific versions are blocked.
- Add a configurable release-age cooldown to dependency resolution that withholds freshly published versions until they reach a minimum age, mitigating supply-chain attacks where a compromised release is pulled into projects before it can be detected and retired. Configure it with the `cooldown` config (`HEX_COOLDOWN`), accepting durations like `7d`, `2w`, or `1mo`, and exempt specific repositories with `cooldown_exclude_repos`. Versions already in `mix.lock`, and locked versions that are retired or carry an advisory, bypass the cooldown so existing projects and security fixes are never held back.
- Warn about packages with known security advisories during `mix deps.get` and `mix deps.update`
- Add `mix hex.search QUERY` to search documentation from the terminal, and move package name search to `mix hex.package search`
- Add `--page` and `--format md` options to `mix hex.docs`
- Support JSON output in `mix hex.outdated`
- Annotate cooldown-held versions in `mix hex.outdated`
- Validate package files in `mix hex.build`
- Accept `LicenseRef-` license identifiers in `mix hex.build`
- Use subdomain URLs (`PACKAGE.hexdocs.pm`) for package docs
- Escape terminal control sequences in server-provided `x-hex-message` headers
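The policy and cooldown rules described in the first two items above, modelled as an added Elixir example (hypothetical code, not Hex's own resolver): `cooldown_seconds/1` parses the duration forms listed, `allowed?/4` applies the lock exemption, the overrides and the restrictions in that order, and `block_reason/3` reports why a version is held, in the spirit of `mix hex.policy why`. The release and policy maps, the 30-day month, and the reading of "most specific match wins" as a version-specific override beating a package-wide one are assumptions made for the example.

```elixir
defmodule HexPolicyDemo do
  # Hypothetical model of the policy rules summarized above; not Hex's own resolver code.
  @severity %{low: 1, moderate: 2, high: 3, critical: 4}
  # Cooldown durations in the forms listed above ("7d", "2w", "1mo"); a month is assumed to be 30 days.
  def cooldown_seconds(spec) do
    [_, n, unit] = Regex.run(~r/^(\d+)(d|w|mo)$/, spec)
    String.to_integer(n) * %{"d" => 1, "w" => 7, "mo" => 30}[unit] * 86_400
  end

  # Locked versions are never filtered; then overrides apply; otherwise the restrictions decide.
  def allowed?(rel, policy, locked, now) do
    cond do
      MapSet.member?(locked, {rel.name, rel.version}) -> true
      override(rel, policy.overrides) == :allow -> true
      override(rel, policy.overrides) == :deny -> false
      true -> block_reason(rel, policy, now) == nil
    end
  end

  # Overrides are {package, version | :any, :allow | :deny}; a version-specific rule beats a package-wide one.
  defp override(rel, overrides) do
    matches = for {n, v, a} <- overrides, n == rel.name, v in [:any, rel.version], do: {v, a}
    case Enum.sort_by(matches, fn {v, _} -> v == :any end) do
      [{_, action} | _] -> action
      [] -> nil
    end
  end

  # First restriction that blocks the release, or nil; this is what `mix hex.policy why` would explain.
  def block_reason(rel, policy, now) do
    cond do
      rel.advisory && @severity[rel.advisory] >= @severity[policy.min_severity] -> :advisory
      rel.retired in policy.retired_reasons -> :retired
      now - rel.inserted_at < cooldown_seconds(policy.cooldown) -> :cooldown
      true -> nil
    end
  end
end

# Constructed sample data: a 7-day cooldown and a package-wide deny with one version allowed back.
now = 1_700_000_000
policy = %{min_severity: :high, retired_reasons: [:security], cooldown: "7d",
           overrides: [{"demo_pkg", :any, :deny}, {"demo_pkg", "1.1.0", :allow}]}
releases = [
  %{name: "demo_pkg", version: "1.0.0", advisory: :critical, retired: nil, inserted_at: now - 100 * 86_400},
  %{name: "demo_pkg", version: "1.1.0", advisory: nil, retired: nil, inserted_at: now - 30 * 86_400},
  %{name: "demo_pkg", version: "1.2.0", advisory: nil, retired: nil, inserted_at: now - 3_600}
]
locked = MapSet.new([{"demo_pkg", "1.0.0"}])
for r <- releases, do: IO.puts("#{r.version} allowed=#{HexPolicyDemo.allowed?(r, policy, locked, now)} reason=#{inspect(HexPolicyDemo.block_reason(r, policy, now))}")
```

Run with `elixir demo.exs`: 1.0.0 passes only because it is locked, 1.1.0 passes because its version-specific allow outranks the package-wide deny, and 1.2.0 is denied by the override and would in any case still be inside the cooldown window.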
Bug fixes

- Fix a crash when a server responds with an `x-hex-message` header
- Deduplicate aliased security advisories
- Warn when the OAuth session cannot be refreshed instead of silently sending unauthenticated requests
Deprecations

- Deprecate `mix hex.organization auth ORGANIZATION` without `--key`; authenticate as a user with `mix hex.user auth` instead, or pass a pre-generated organization key with `--key` for CI
- Deprecate authenticating to organization repositories with a stored key; a future release will require `mix hex.user auth` or a short-lived organization token
- Deprecate authenticating to organization repositories with `HEX_REPOS_KEY`; authenticate per organization with `mix hex.organization auth ORGANIZATION --key KEY` (`HEX_REPOS_KEY` continues to authenticate the base hexpm repository and trusted mirrors)