Skip to content

Track dependency advisories: cowlib 2.18.0, earmark 1.4.49 #367

Description

@DROOdotFOO

Summary

mix deps.get / hex.audit surfaces security advisories on two dependencies during CI (currently non-blocking in the Unified CI Pipeline). Dependabot is disabled on this repo, so these will not auto-surface via GitHub. Tracking them here.

Advisories

cowlib 2.18.0 (transitive)

Provenance: transitive, plug_cowboy ~> 2.7 -> cowboy 2.17.0 -> cowlib >= 2.18.0 and < 3.0.0.

Exposure: low. Phoenix is a library-only dependency; there is no active web server in core (Ecto.Repo disabled at runtime, MCP served over stdio). The vulnerable code paths (HTTP header/cookie encoding) are only reachable if a cowboy-backed HTTP listener is actually served.

Fix path: bump cowlib to a patched release once cowboy publishes one compatible with the >= 2.18.0 and < 3.0.0 constraint (or bump cowboy). Re-run mix hex.audit to confirm resolution.

earmark 1.4.49 (near-top-level, optional)

Provenance: declared earmark ~> 1.4, resolved from docs/markdown tooling. Loaded optionally via apply/3 (not a compile-time hard dep).

Exposure: low. Used for markdown-to-HTML rendering in doc/optional paths, not on any untrusted-input request path in core runtime.

Fix path: evaluate dropping earmark in favor of earmark_parser (already present, used by ex_doc) or migrating to MDEx. Confirm no runtime code relies on Earmark.as_html/* before removing.

Suggested actions

  • Bump/patch cowlib (via cowboy) once a fixed release is available
  • Migrate off retired earmark (MDEx or earmark_parser)
  • Consider enabling Dependabot / GitHub security advisories on the repo so these surface automatically
  • Keep the CI security scan non-blocking until fixes land

Notes

Neither advisory affects the core terminal/agent/payments runtime hot paths. Priority: low-to-medium, pre-launch hardening.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions