The v0.19 release includes an important security fix to anyone accessing Hex repositories through a mirror. A bug has been found that would allow a malicious mirror to serve modified versions of Hex packages. hex versions
0.18.2and rebar3 versions
3.7.5are vulnerable. Make sure to update to hex
If you are using a version manager such as asdf, keep in mind you probably have a copy of Hex installed for each Elixir version. And remember to update Hex/Rebar3 installations on your build servers as well.