Summary
mix deps.get / hex.audit surfaces security advisories on two dependencies during CI (currently non-blocking in the Unified CI Pipeline). Dependabot is disabled on this repo, so these will not auto-surface via GitHub. Tracking them here.
Advisories
cowlib 2.18.0 (transitive)
Provenance: transitive, plug_cowboy ~> 2.7 -> cowboy 2.17.0 -> cowlib >= 2.18.0 and < 3.0.0.
Exposure: low. Phoenix is a library-only dependency; there is no active web server in core (Ecto.Repo disabled at runtime, MCP served over stdio). The vulnerable code paths (HTTP header/cookie encoding) are only reachable if a cowboy-backed HTTP listener is actually served.
Fix path: bump cowlib to a patched release once cowboy publishes one compatible with the >= 2.18.0 and < 3.0.0 constraint (or bump cowboy). Re-run mix hex.audit to confirm resolution.
earmark 1.4.49 (near-top-level, optional)
Provenance: declared earmark ~> 1.4, resolved from docs/markdown tooling. Loaded optionally via apply/3 (not a compile-time hard dep).
Exposure: low. Used for markdown-to-HTML rendering in doc/optional paths, not on any untrusted-input request path in core runtime.
Fix path: evaluate dropping earmark in favor of earmark_parser (already present, used by ex_doc) or migrating to MDEx. Confirm no runtime code relies on Earmark.as_html/* before removing.
Suggested actions
Notes
Neither advisory affects the core terminal/agent/payments runtime hot paths. Priority: low-to-medium, pre-launch hardening.
Summary
mix deps.get/ hex.audit surfaces security advisories on two dependencies during CI (currently non-blocking in the Unified CI Pipeline). Dependabot is disabled on this repo, so these will not auto-surface via GitHub. Tracking them here.Advisories
cowlib 2.18.0(transitive)cow_http_struct_hd:escape_string/2. https://osv.dev/vulnerability/EEF-CVE-2026-43966cow_cookie:cookie/1. https://osv.dev/vulnerability/EEF-CVE-2026-43969Provenance: transitive,
plug_cowboy ~> 2.7->cowboy 2.17.0->cowlib >= 2.18.0 and < 3.0.0.Exposure: low. Phoenix is a library-only dependency; there is no active web server in core (
Ecto.Repodisabled at runtime, MCP served over stdio). The vulnerable code paths (HTTP header/cookie encoding) are only reachable if a cowboy-backed HTTP listener is actually served.Fix path: bump
cowlibto a patched release once cowboy publishes one compatible with the>= 2.18.0 and < 3.0.0constraint (or bump cowboy). Re-runmix hex.auditto confirm resolution.earmark 1.4.49(near-top-level, optional)Provenance: declared
earmark ~> 1.4, resolved from docs/markdown tooling. Loaded optionally viaapply/3(not a compile-time hard dep).Exposure: low. Used for markdown-to-HTML rendering in doc/optional paths, not on any untrusted-input request path in core runtime.
Fix path: evaluate dropping
earmarkin favor ofearmark_parser(already present, used byex_doc) or migrating toMDEx. Confirm no runtime code relies onEarmark.as_html/*before removing.Suggested actions
cowlib(via cowboy) once a fixed release is availableearmark(MDEx or earmark_parser)Notes
Neither advisory affects the core terminal/agent/payments runtime hot paths. Priority: low-to-medium, pre-launch hardening.