Hex v0.19 released, with security fix

Hex v0.19 released:

The v0.19 release includes an important security fix to anyone accessing Hex repositories through a mirror. A bug has been found that would allow a malicious mirror to serve modified versions of Hex packages. hex versions 0.14.0 to 0.18.2 and rebar3 versions 3.7.0 to 3.7.5 are vulnerable. Make sure to update to hex 0.19.0 and rebar3 3.8.0.

If you are using a version manager such as asdf, keep in mind you probably have a copy of Hex installed for each Elixir version. And remember to update Hex/Rebar3 installations on your build servers as well.

13 Likes

As a convenience for others, you may upgrade hex and rebar locally using:

$ mix local.hex
$ mix local.rebar

5 Likes

Note that mix local.rebar does not update the rebar version you may have in PATH. It only updates the rebar that is used to compile rebar dependencies. mix local.rebar does not update to 3.8.0 yet but rebar compilation is not affected by this vulnerability.

If you use rebar3 directly for rebar3 projects you need to update it separately.

2 Likes

Which is best done with rebar3 local upgrade, which will install the latest version to ~/.cache/rebar3/bin; be sure to add that path to your $PATH.
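Added example, not written by anyone in this thread: a POSIX shell helper that tells you whether a Hex or rebar3 version string falls inside the affected ranges quoted above (hex 0.14.0 to 0.18.2, rebar3 3.7.0 to 3.7.5), plus a function that queries the tools on PATH. It assumes `mix hex.info` prints a `Hex: X.Y.Z` line and `rebar3 --version` prints `rebar X.Y.Z ...`; run it once per Elixir install under asdf and on each build server.

```shell
#!/bin/sh
# Added example (not from the forum thread): detect Hex / rebar3 installs
# still inside the vulnerable ranges named in the v0.19 announcement.
# Vulnerable: hex 0.14.0-0.18.2, rebar3 3.7.0-3.7.5. Fixed: hex 0.19.0, rebar3 3.8.0.

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B (numeric, dot-separated,
# missing components count as 0, so 3.8 == 3.8.0).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# in_range VER LO HI: succeeds when LO <= VER <= HI.
in_range() {
    [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -le 0 ]
}

# Succeed (exit 0) when the given version is affected by the mirror bug.
hex_vulnerable()    { in_range "$1" 0.14.0 0.18.2; }
rebar3_vulnerable() { in_range "$1" 3.7.0 3.7.5; }

# check_installed: report on the hex and rebar3 actually found on PATH.
# Assumes `mix hex.info` prints "Hex: X.Y.Z" and `rebar3 --version` prints
# "rebar X.Y.Z on Erlang/OTP ..." (version is the second field).
check_installed() {
    if command -v mix >/dev/null 2>&1; then
        hv=$(mix hex.info 2>/dev/null | awk '/^Hex:/ { print $2 }')
        if [ -n "$hv" ]; then
            if hex_vulnerable "$hv"; then echo "hex $hv: VULNERABLE, run mix local.hex"
            else echo "hex $hv: ok"; fi
        fi
    fi
    if command -v rebar3 >/dev/null 2>&1; then
        rv=$(rebar3 --version 2>/dev/null | awk 'NR == 1 { print $2 }')
        if [ -n "$rv" ]; then
            if rebar3_vulnerable "$rv"; then echo "rebar3 $rv: VULNERABLE, run rebar3 local upgrade"
            else echo "rebar3 $rv: ok"; fi
        fi
    fi
}
```

Source the file and call `check_installed` (for asdf, once per `asdf shell elixir <version>`); the pure functions can also be fed versions collected from remote hosts.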

I wrote a post about the issue, the background, the impact and the fix, FYI:
https://blog.voltone.net/post/22

7 Likes