306: Don't Exhaust Your Atoms

What this episode covers

Security takes center stage this week as the EEF's Jonatan Männchen highlights that atom exhaustion accounts for roughly one tenth of all CVEs in the BEAM ecosystem and Sobelow can help catch it before it hits production. Hackney users get an urgent nudge to upgrade to v4.0.3, which patches 9 CVEs including high-severity issues and fixes missing HTTP/3 certificate verification, thanks in part to Peter Ullrich's AI-assisted vulnerability research. On the exciting side, the new Elixir 1.20-rc.6 type system is proving its worth in the real world, with Tyler Young reporting it caught ~500 issues, including outright bugs, that 1.19 completely missed. Dannote releases "vibe", an ambitious BEAM-native coding agent for Elixir/OTP projects featuring a TUI, LiveView web console, subagents, and more! Show Notes online - http://podcast.thinkingelixir.com/306 Elixir Community News https://paraxial.io/ – Paraxial.io is sponsoring today's show! Sign up for a free trial of Paraxial.io today and mention Thinking Elixir when you schedule a demo for a special offer. The Thinking Elixir Podcast is ending June 23rd, 2026, after 6 years of weekly episodes. https://x.com/maennchen_/status/2059586280711651745 – Jonatan Männchen of the EEF notes that 35% of EEF CVEs are uncontrolled resource consumption, with atom exhaustion as a recurring cause. https://erlef.org/blog/security/atom-exhaustion – EEF blog post — atom exhaustion accounts for roughly one tenth of all BEAM ecosystem CVEs, yet it's well understood and preventable. https://cna.erlef.org/common-weaknesses – EEF CNA Common Weaknesses page showing the current CVE category distribution. https://hex.pm/packages/sobelow – Sobelow is a great Elixir security scanner that detects atom exhaustion and other issues — easy to add to CI. https://x.com/benoitc/status/2058909986084819267 – Announcement of hackney 4.0.1, a security release fixing vulnerabilities across HTTP/1.1, HTTP/2, HTTP/3, and WebSocket. https://github.com/benoitc/hackney/releases/tag/4.0.1 – hackney 4.0.1 release — fixes 9 CVEs (1 low, 4 medium, 4 high); upgrade to v4.0.3 for HTTP/3 certificate verification too. https://github.com/benoitc/hackney/blob/master/NEWS.md – hackney changelog with full details on all security fixes in 4.0.1 through 4.0.3. https://www.linkedin.com/posts/pjullrich_elixirlang-share-7464694254557237248-sICM/ – Peter Ullrich urges upgrading hackney to 4.0.1 ASAP after he and two others reported the vulnerabilities using AI-assisted research. https://cna.erlef.org/cves/ – EEF CNA CVE listing page referenced by Peter Ullrich in his hackney disclosure post. https://bsky.app/profile/tylerayoung.com/post/3mmwal5yrkc2y – Tyler Young upgraded to Elixir 1.20-rc.6 and the new type system found ~500 issues 1.19 missed, including real bugs. https://x.com/dan_note/status/2057966143369777407 – Dannote announces "vibe", a new BEAM-native coding agent for Elixir/OTP projects. https://github.com/elixir-vibe/vibe – vibe GitHub repo — a local OTP app with TUI, LiveView console, subagents, plugins, and project-aware Elixir eval. Experimental. https://bsky.app/profile/tylerayoung.com/post/3mmrla7tqrs2d – Tyler Young releases jump_credo_checks v0.3.0 with a new UnusedLiveViewAssign check. https://x.com/claudedevs/status/2059385239781384341 – Anthropic ships a free security-guidance plugin for Claude Code that reviews code at three levels; saw 30-40% fewer security PR comments internally. https://x.com/ogrizkov/status/2059417410940145689 – A user tested the Claude Code security plugin — it immediately blocked eval() and a dangerous regex with OWASP explanations. Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at [email protected] Find us online Message the show - Bluesky Message the show - X Message the show on Fediverse - @[email protected] Email the show - [email protected] Mark Ericksen on X - @brainlid Mark Ericksen on Bluesky - @brainlid.bsky.social Mark Ericksen on Fediverse - @[email protected] David Bernheisel on Bluesky - @david.bernheisel.com David Bernheisel on Fediverse - @[email protected] Sponsored By:Paraxial.io: Paraxial.io is sponsoring today's show! Sign up for a free trial of Paraxial.io today and mention Thinking Elixir when you schedule a demo for a special offer.