Is your feature request related to a problem? Please describe.
My thought is around a possible attack vector and how we can mitigate it. If you make a typo, e.g. mix igniter.install pheonix, and a bad actor is squatting that package, you could download a malicious package and have malicious code automatically run in an installer.
Describe the solution you'd like
One way I thought of helping with this is to show details of the package to be installed, even before the 'confirm adding this to mix.exs'. For hex packages, Igniter has to fetch details of the package to figure out what version to add to mix.exs, so it would also fetch details like description, authors, publish date, # of downloads of the version/all versions, etc.
We could have a nice summary screen for users to confirm that yes, this is the correct package they really want to install. E.g.:
You are installing the package "ash_phoenix":
Description: Utilities for integrating Ash and Phoenix
Current version: 2.1.8 (released Oct 29, 2024)
hex.pm authors: ash-project
hex.pm publishers: ash-project
Dependencies: ash, phoenix, phoenix_html, phoenix_live_view
Downloads: 164 (this version), 3 850 (last 7 days), 229 751 (all time)
Is this correct? (y/N)
For non-hex packages, I'm not sure what you could do. Maybe fetch the mix.exs file from the project root (e.g. on GitHub) and read it, but that could come with its own security issues?
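As an added illustration (not Igniter's code), here is a hypothetical Elixir helper that renders the summary screen proposed above from a decoded hex.pm package response and gates the install on the user's answer. The field names (`meta.description`, `owners`, `latest_stable_version`, `releases[].inserted_at`, `downloads.all/week/recent`) are assumed to match the public `GET https://hex.pm/api/packages/:name` response, and the sample data is constructed.

```elixir
defmodule PackageSummary do
  @moduledoc "Hypothetical pre-install confirmation screen; not part of Igniter."

  # Constructed sample of a decoded hex.pm package response (illustrative values).
  @sample %{
    "name" => "ash_phoenix",
    "meta" => %{"description" => "Utilities for integrating Ash and Phoenix"},
    "owners" => [%{"username" => "ash-project"}],
    "latest_stable_version" => "2.1.8",
    "releases" => [
      %{"version" => "2.1.8", "inserted_at" => "2024-10-29T12:00:00.000000Z"},
      %{"version" => "2.1.7", "inserted_at" => "2024-10-20T09:30:00.000000Z"}
    ],
    "downloads" => %{"all" => 229_751, "week" => 3_850, "recent" => 164}
  }

  def sample, do: @sample

  @doc "Renders the summary shown before anything is added to mix.exs."
  def render(%{"name" => name} = pkg) do
    version = pkg["latest_stable_version"]

    # Release date of the version that would actually be added to mix.exs.
    released =
      pkg["releases"]
      |> Enum.find(%{}, &(&1["version"] == version))
      |> Map.get("inserted_at", "unknown")
      |> String.slice(0, 10)

    owners = pkg["owners"] |> Enum.map(& &1["username"]) |> Enum.join(", ")
    dl = pkg["downloads"]

    """
    You are installing the package "#{name}":
      Description:     #{get_in(pkg, ["meta", "description"])}
      Current version: #{version} (released #{released})
      hex.pm owners:   #{owners}
      Downloads:       #{dl["recent"]} (recent), #{dl["week"]} (last 7 days), #{dl["all"]} (all time)
    """
  end

  @doc "Shows the summary and asks for confirmation; `ask` is injected so it can run non-interactively."
  def confirm(pkg, ask \\ &IO.gets/1) do
    IO.write(render(pkg))

    case ask.("Is this correct? (y/N) ") do
      answer when is_binary(answer) and answer != "" ->
        if String.trim(answer) in ["y", "Y"], do: :ok, else: :aborted

      _ ->
        :aborted
    end
  end
end

# Non-interactive run with a canned "y" answer; prints the summary and :ok.
PackageSummary.confirm(PackageSummary.sample(), fn _prompt -> "y\n" end) |> IO.inspect()
```

Nothing is fetched or executed before `confirm/2` returns `:ok`, which is the ordering the proposal relies on; the default `(y/N)` means an empty answer aborts.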
Looks like a great idea to me 👍 We can display it on the screen we use for "the following deps must be installed....", because that happens before we download or run anything.