Hoplon

Hoplon is a package that helps you verify that the code in your project's dependencies is exactly what is in their GitHub repositories, with no additional, possibly malicious, code added along the way.

Check out nietaki/suffixer to see how it works in practice.

NOTE: Hoplon is still at an early stage of development and might not be stable enough for your needs.


Usage

To use Hoplon, add it as a dependency in your project.

Once it's in your deps, you can run $ mix hoplon.check to see if any of the dependencies pulled into your project contain code that differs from the code in their GitHub repositories.

To see the diff for a specific package, run $ mix hoplon.diff <package name>.

Both of these mix tasks exit with a non-zero code if any problem is found: the dependency's code differs from its GitHub repository, the GitHub repository itself could not be found, or Hoplon could not identify the right commit.
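The check described above, as an added example that is not Hoplon's own code: a small shell stand-in that compares a fetched dependency directory against a local checkout of its GitHub repository and reports with the same kind of exit status. It assumes the repository has already been cloned and checked out at the release commit into a local directory (the step Hoplon automates), relies only on the diff program, and uses hypothetical function and directory names.

```shell
#!/bin/sh
# Added example: a minimal stand-in for the comparison Hoplon performs, not
# Hoplon's own code. It assumes the upstream GitHub repository has already
# been checked out at the release commit into a local directory.
# Exit status follows the README's contract: 0 = dependency matches upstream,
# 1 = code differs, 2 = upstream source missing (repo or commit not found).

verify_dep() {
  dep_dir="$1"       # fetched package, e.g. deps/<package name>
  upstream_dir="$2"  # local checkout of the GitHub repo at the pinned commit
  if [ ! -d "$upstream_dir" ]; then
    echo "no upstream checkout for $(basename "$dep_dir")" >&2
    return 2
  fi
  # VCS metadata and build output are not part of the published code;
  # everything else must match byte for byte, including files present on
  # only one side (diff -r reports those as "Only in ...").
  if diff -r -q -x .git -x _build -x deps "$upstream_dir" "$dep_dir" >/dev/null 2>&1; then
    echo "$(basename "$dep_dir"): OK"
    return 0
  fi
  echo "$(basename "$dep_dir"): DIFFERS from upstream" >&2
  diff -r -x .git -x _build -x deps "$upstream_dir" "$dep_dir" || true
  return 1
}

# Constructed fixture (not a real package): an "upstream" tree and a
# dependency copy of it. Prints the temp root so callers can alter the copy.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/upstream/lib" "$root/upstream/.git" "$root/deps/pkg/lib"
  printf 'defmodule Pkg do\n  def hello, do: :world\nend\n' > "$root/upstream/lib/pkg.ex"
  cp "$root/upstream/lib/pkg.ex" "$root/deps/pkg/lib/pkg.ex"
  echo "$root"
}

# Stand-alone demo: the untouched copy passes; a file that exists only in
# the fetched package (never committed upstream) fails the check.
demo_root=$(make_fixture)
verify_dep "$demo_root/deps/pkg" "$demo_root/upstream" || echo "exit status $?"
echo 'IO.puts("not in the GitHub repository")' > "$demo_root/deps/pkg/lib/extra.ex"
verify_dep "$demo_root/deps/pkg" "$demo_root/upstream" || echo "exit status $?"
rm -rf "$demo_root"
```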

Installation

The package can be installed by adding hoplon to your list of dependencies in mix.exs:

def deps do
  [
    {:hoplon, ">= 0.3.0", app: false, runtime: false, optional: true}
  ]
end

In order for Hoplon to work correctly, you'll need the git and diff programs in your PATH.

FAQ

How do I know Hoplon is not malicious itself?

TODO (deps options and maybe other ways)

How does it work?

TODO (conventions, heuristics, git and diff)