Thinking Elixir Podcast

Mark shares a bittersweet housekeeping update — the Thinking Elixir Podcast is winding down, with the final episode airing June 23rd, 2026, closing the book on over six years of weekly shows. On the news front, Ecto 3.14 lands with long-awaited UUIDv7 support (time-sortable UUIDs for better index performance) along with a host of other improvements, Oban Pro adds a “human approval” workflow step that lets jobs pause mid-execution and resume on a signal without holding a database connection open, Hologram v0.9 arrives with a new Realtime feature enabling pure-Elixir WebSocket push from server to browser, Dashbit shares a behind-the-scenes look at how they designed Git integration in Tidewave Web across three developer personas, and the NSA drops new Zero Trust Implementation Guidelines that pair nicely with the Erlang Ecosystem Foundation's own security hardening document, and more!

Show Notes online - http://podcast.thinkingelixir.com/307

Elixir Community News

https://paraxial.io/ – Paraxial.io is sponsoring today's show! Sign up for a free trial of Paraxial.io today and mention Thinking Elixir when you schedule a demo for a special offer.

The Thinking Elixir Podcast ends June 23rd, 2026 — over 6 years weekly, ~9 years of Elixir podcasting.

Episode recorded ahead of time; major news that dropped after recording will be covered next episode.

https://x.com/ryanwinchester/status/2057905815160258709 – Tweet announcing Ecto 3.14 with UUIDv7 support.

https://github.com/elixir-ecto/ecto – Ecto GitHub repository.

https://github.com/elixir-ecto/ecto/blob/master/CHANGELOG.md – Ecto v3.14 changelog — UUIDv7, reorder_assoc/2, HOT upserts, Ecto.Type.trim/2, Decimal v3, and more.

https://hexdocs.pm/ecto/Ecto.UUID.html – Ecto.UUID docs — how to opt in to UUIDv7 or UUIDv7 monotonic via @primary_key.

https://oban.pro/docs/pro/changelog.html – Oban Pro changelog — jobs can pause mid-execution for human approval via await_signal/1.

https://x.com/bart_blast/status/2059830682143305781 – Tweet announcing Hologram v0.9 with new Realtime feature.

https://hologram.page/blog/hologram-v0-9 – Hologram v0.9 blog post — full-stack Elixir framework adds server-to-browser WebSocket push in pure Elixir.

https://x.com/josevalim/status/2060076009261515134 – José Valim tweets about Tidewave's new Git integration article.

https://tidewave.ai/blog/designing-git-integration – Dashbit article on Tidewave's Git integration design — commits, push, PRs, and three developer personas.

https://www.nsa.gov/Cybersecurity/ZIG/ – NSA Zero Trust Implementation Guidelines (ZIG) — comprehensive least-privilege access guidelines.

https://www.nsa.gov/Cybersecurity/ZIG/Technology-Mapping/ – NSA ZIG Technology Mapping — capabilities and associated risks table.

https://security.erlef.org/secure_coding_and_deployment_hardening/ – ERLEF Security WG's Secure Coding and Deployment Hardening guide.

https://github.com/dashbitco/nimble_zta – nimble_zta — Dashbit's open-source Zero Trust Authentication library for Cloudflare, GCP, and Tailscale.

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Find us online

Message the show - Bluesky

Message the show - X

Message the show on Fediverse - @ThinkingElixir@genserver.social

Email the show - show@thinkingelixir.com

Mark Ericksen on X - @brainlid

Mark Ericksen on Bluesky - @brainlid.bsky.social

Mark Ericksen on Fediverse - @brainlid@genserver.social

David Bernheisel on Bluesky - @david.bernheisel.com

David Bernheisel on Fediverse - @dbern@genserver.social

Security takes center stage this week as the EEF's Jonatan Männchen highlights that atom exhaustion accounts for roughly one tenth of all CVEs in the BEAM ecosystem and Sobelow can help catch it before it hits production. Hackney users get an urgent nudge to upgrade to v4.0.3, which patches 9 CVEs including high-severity issues and fixes missing HTTP/3 certificate verification, thanks in part to Peter Ullrich's AI-assisted vulnerability research. On the exciting side, the new Elixir 1.20-rc.6 type system is proving its worth in the real world, with Tyler Young reporting it caught ~500 issues, including outright bugs, that 1.19 completely missed. Dannote releases "vibe", an ambitious BEAM-native coding agent for Elixir/OTP projects featuring a TUI, LiveView web console, subagents, and more!

Show Notes online - http://podcast.thinkingelixir.com/306

Elixir Community News

https://paraxial.io/ – Paraxial.io is sponsoring today's show! Sign up for a free trial of Paraxial.io today and mention Thinking Elixir when you schedule a demo for a special offer.

The Thinking Elixir Podcast is ending June 23rd, 2026, after 6 years of weekly episodes.

https://x.com/maennchen_/status/2059586280711651745 – Jonatan Männchen of the EEF notes that 35% of EEF CVEs are uncontrolled resource consumption, with atom exhaustion as a recurring cause.

https://erlef.org/blog/security/atom-exhaustion – EEF blog post — atom exhaustion accounts for roughly one tenth of all BEAM ecosystem CVEs, yet it's well understood and preventable.

https://cna.erlef.org/common-weaknesses – EEF CNA Common Weaknesses page showing the current CVE category distribution.

https://hex.pm/packages/sobelow – Sobelow is a great Elixir security scanner that detects atom exhaustion and other issues — easy to add to CI.

https://x.com/benoitc/status/2058909986084819267 – Announcement of hackney 4.0.1, a security release fixing vulnerabilities across HTTP/1.1, HTTP/2, HTTP/3, and WebSocket.

https://github.com/benoitc/hackney/releases/tag/4.0.1 – hackney 4.0.1 release — fixes 9 CVEs (1 low, 4 medium, 4 high); upgrade to v4.0.3 for HTTP/3 certificate verification too.

https://github.com/benoitc/hackney/blob/master/NEWS.md – hackney changelog with full details on all security fixes in 4.0.1 through 4.0.3.

https://www.linkedin.com/posts/pjullrich_elixirlang-share-7464694254557237248-sICM/ – Peter Ullrich urges upgrading hackney to 4.0.1 ASAP after he and two others reported the vulnerabilities using AI-assisted research.

https://cna.erlef.org/cves/ – EEF CNA CVE listing page referenced by Peter Ullrich in his hackney disclosure post.

https://bsky.app/profile/tylerayoung.com/post/3mmwal5yrkc2y – Tyler Young upgraded to Elixir 1.20-rc.6 and the new type system found ~500 issues 1.19 missed, including real bugs.

https://x.com/dan_note/status/2057966143369777407 – Dannote announces "vibe", a new BEAM-native coding agent for Elixir/OTP projects.

https://github.com/elixir-vibe/vibe – vibe GitHub repo — a local OTP app with TUI, LiveView console, subagents, plugins, and project-aware Elixir eval. Experimental.

https://bsky.app/profile/tylerayoung.com/post/3mmrla7tqrs2d – Tyler Young releases jump_credo_checks v0.3.0 with a new UnusedLiveViewAssign check.

https://x.com/claudedevs/status/2059385239781384341 – Anthropic ships a free security-guidance plugin for Claude Code that reviews code at three levels; saw 30-40% fewer security PR comments internally.

https://x.com/ogrizkov/status/2059417410940145689 – A user tested the Claude Code security plugin — it immediately blocked eval() and a dangerous regex with OWASP explanations.

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Find us online

Message the show - Bluesky

Message the show - X

Message the show on Fediverse - @ThinkingElixir@genserver.social

Email the show - show@thinkingelixir.com

Mark Ericksen on X - @brainlid

Mark Ericksen on Bluesky - @brainlid.bsky.social

Mark Ericksen on Fediverse - @brainlid@genserver.social

David Bernheisel on Bluesky - @david.bernheisel.com

David Bernheisel on Fediverse - @dbern@genserver.social

News includes Elixir 1.20.0-rc.6 arriving as likely the final release candidate before v1.20.0 ships, completing a ~15-week roadmap and delivering full type inference across applications and dependencies. The EEF 2026 election results are in with 3 returning and 1 new board member, LiveStash v0.3.0 lands with a Redis adapter and auto-stashing for Phoenix LiveView state recovery on WebSocket reconnects, a call goes out for BEAM ecosystem companies to step up and support the EEF’s critical security work, and GitHub suffered a significant breach when a hijacked VS Code extension quietly exfiltrated ~3,800 internal repositories in just 11 minutes, and more!

Show Notes online - http://podcast.thinkingelixir.com/305

Elixir Community News

https://paraxial.io/ – Paraxial.io is sponsoring today's show! Sign up for a free trial of Paraxial.io today and mention Thinking Elixir when you schedule a demo for a special offer.

https://elixirforum.com/t/elixir-v1-20-0-rc-6-released/75448 – Elixir v1.20.0-rc.6 released on the ElixirForum - the likely final release candidate before v1.20.0 final, completing the ~15 week type inference roadmap. Includes tips for profiling compile times before and after upgrading.

https://github.com/elixir-lang/elixir/releases/tag/v1.20.0-rc.6 – GitHub release page for Elixir v1.20.0-rc.6. Highlights include full type inference across applications and type inference across deps.

https://erlef.org/blog/eef/election-2026-results – EEF 2026 election results - David Bernheisel, Francesco Cesarini, Amos King, and Alistair Woodman were elected.

https://x.com/swmansionelixir/status/2054945784148201684 – Software Mansion announces LiveStash v0.3.0, featuring a new Redis Adapter and Auto-Stashing for Phoenix LiveView state recovery on WebSocket reconnects.

https://github.com/software-mansion-labs/live-stash – GitHub repo for LiveStash - a library providing a reliable API to stash and recover Phoenix LiveView assigns when socket connections are interrupted or re-established.

https://x.com/ZachSDaniel1/status/2057517360060522872 – A call to action for companies generating revenue on the BEAM ecosystem to support the EEF. The EEF maintains a CNA and coordinates security across the ecosystem including hex.pm, but the current effort is no longer sustainable.

https://hauleth.dev/post/writing-tests/ – A solid blog post on writing better Elixir tests. Covers using a @subject module attribute, grouping tests with describe, preferring dependency injection over mocking, avoiding factory libraries in favor of calling context functions directly, and using property-based testing with StreamData.

https://x.com/github/status/2056884788179726685 – GitHub's official tweet confirming unauthorized access to their internal repositories. No confirmed evidence of impact to customer data outside GitHub's internal repos at time of posting.

https://x.com/intcyberdigest/status/2056970677668770117 – Report that GitHub was compromised by TeamPCP via a poisoned VS Code extension on an employee device, resulting in ~3,800 internal repositories being exfiltrated and sold on a cybercrime forum.

https://x.com/star_knight12/status/2056977944334266428 – Detailed breakdown of the GitHub hack - the Nx Console VS Code extension (2.2M installs) was hijacked with a credential stealer hidden in an orphan commit. It harvested tokens from GitHub, npm, AWS, Kubernetes, and 1Password. The poisoned version was live for only 11 minutes before detection.

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Find us online

Message the show - Bluesky

Message the show - X

Message the show on Fediverse - @ThinkingElixir@genserver.social

Email the show - show@thinkingelixir.com

Mark Ericksen on X - @brainlid

Mark Ericksen on Bluesky - @brainlid.bsky.social

Mark Ericksen on Fediverse - @brainlid@genserver.social

David Bernheisel on Bluesky - @david.bernheisel.com

David Bernheisel on Fediverse - @dbern@genserver.social

News includes a major milestone for Elixir's set-theoretic types as inference of all language constructs is completed and merged with Elixir v1.20.0-rc.5 hot on its heels, OTP 29.0 drops as a major release with secure-by-default SSH, post-quantum SSL key exchange, Erlang doctests, and more, a wave of high-severity CVEs hits the Elixir and Phoenix stack prompting the EEF CNA to take on a larger work load as AI-driven vulnerability reports surge, string processing in Elixir gets a serious speed boost via SWAR (SIMD Within A Register) optimizations with 1.5–5x improvements across Base and String operations, and a handy tip for enabling state-preserving hot reloads in Phoenix LiveView with just a small dev.exs config tweak, and more!

Show Notes online - http://podcast.thinkingelixir.com/304

Elixir Community News

https://paraxial.io/ – Paraxial.io is sponsoring today's show! Sign up for a free trial of Paraxial.io today and mention Thinking Elixir when you schedule a demo for a special offer.

https://x.com/josevalim/status/2054202778990383152 – José Valim announces that "inference of all language constructs" for Elixir's set-theoretic types has been completed and merged.

https://github.com/elixir-lang/elixir/issues/14558 – The meta-issue tracking set-theoretic type inference of all Elixir constructs, now wrapped up. Includes occurrence typing for high-degree precision. A new RC is expected soon on the way to Elixir v1.20.

https://x.com/josevalim/status/2054631923893313662 – José Valim announces the release of Elixir v1.20.0-rc.5 with the latest batch of typing and performance improvements.

https://github.com/elixir-lang/elixir/releases/tag/v1.20.0-rc.5 – Release notes for Elixir v1.20.0-rc.5. The team says they are very close to the final release and encourages users to try it and report issues.

https://cna.erlef.org/ – The EEF CNA (CVE Numbering Authority) has seen a large increase in volume of CVEs, largely driven by AI tools. They are considering a funding campaign to cover the increased costs of fixing and administering CVEs.

https://bsky.app/profile/tylerayoung.com/post/3mlsxbdmrw22e – Tyler Young highlights a heap of recent high-severity CVEs published against the typical Elixir + Phoenix web stack. Packages to check include cowboy < 2.15.0, cowlib < 2.16.1, plug < 1.19.2, bandit < 1.11.1, and decimal < 3.0.0.

https://cna.erlef.org/cves/ – Full list of CVEs issued by the EEF CNA.

https://hex.pm/packages/mix_audit – The mix_audit package can be installed and run via mix deps.audit to check your app against up-to-date published CVEs. Recommended to make it part of your CI pipeline.

https://www.erlang.org/news/188 – OTP 29.0 released as a new major version. Highlights include unsafe function warnings, SSH daemon now defaults to disabled shell/exec services, SFTP no longer enabled by default, post-quantum hybrid key exchange as default in SSL, ANSI terminal support, Erlang doctest support, and xref now handles ignore_xref natively. Note that 32-bit Windows builds are no longer available.

https://bsky.app/profile/peterullrich.com/post/3mlmb7kwgoc2w – Peter Ullrich highlights performance improvements landing in Elixir — Base.valid(16|32|64)? is now 1.5-2.8x faster thanks to SWAR (SIMD Within A Register) optimizations.

https://github.com/elixir-lang/elixir/pull/15357 – PR adding SWAR (SIMD Within A Register) versions of Base validations to Elixir. SWAR treats a CPU register like a small vector to check multiple bytes at once instead of one by one.

https://github.com/elixir-lang/elixir/pull/15255 – PR applying SWAR optimization to ASCII fast paths in String.length/1 and String.slice, yielding 2-5x improvements for pure-ASCII strings.

https://github.com/erlang/otp/pull/10948 – The SWAR technique was also applied to Erlang itself, accelerating binary ASCII traversal using 56-bit SWAR. Improvements range from 0x to 2x depending on the operation.

https://www.linkedin.com/posts/jskalec_phoenix-liveview-has-one-massive-dx-feature-share-7459520758126473216-glO8 – The creator of the live_vue project shares a tip for enabling state-preserving hot reloads in Phoenix LiveView.

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Find us online

Message the show - Bluesky

Message the show - X

Message the show on Fediverse - @ThinkingElixir@genserver.social

Email the show - show@thinkingelixir.com

Mark Ericksen on X - @brainlid

Mark Ericksen on Bluesky - @brainlid.bsky.social

Mark Ericksen on Fediverse - @brainlid@genserver.social

David Bernheisel on Bluesky - @david.bernheisel.com

David Bernheisel on Fediverse - @dbern@genserver.social

News includes the Erlang Ecosystem Foundation publishing its 2026 board election candidates with voting now open, a new GitHub organization called Elixir-Vibe launching with tools to detect and fix AI-generated Elixir “slop” — including ExSlop and the related semantic linter Credence, erlang_python 3.0.0 arriving with true parallelism by embedding CPython into the BEAM as a first-class citizen, ElixirConf EU 2026 videos beginning to drop including keynotes from José Valim and Chris McCord, and more!

Show Notes online - http://podcast.thinkingelixir.com/303

Elixir Community News

https://paraxial.io/ – Paraxial.io is sponsoring today's show! Sign up for a free trial of Paraxial.io today and mention Thinking Elixir when you schedule a demo for a special offer.

https://erlef.org/blog/eef/election-2026-candidates – Candidates for the Erlang Ecosystem Foundation 2026 board election have been published. Candidates include David Bernheisel, Jon Carstens, Francesco Cesarini (incumbent), Nathan Hessler, Amos King (incumbent), Greg Mefford, Duane Strikwerda, and Alistair Woodman (incumbent). Voting opens May 8th at 16:00 UTC and closes May 15th at 23:59 UTC.

https://x.com/dan_note/status/2050239025458409646 – DanNote on GitHub created a new GitHub organization called "Elixir-Vibe" — a home for Elixir-native tooling for AI-assisted coding, AST analysis, structural code search, code quality, architecture analysis, and BEAM-native coding agents.

https://github.com/elixir-vibe – The Elixir-Vibe GitHub organization housing libraries for fixing, reviewing, and spotting "slop" in AI-generated Elixir code.

https://github.com/elixir-vibe/ex_slop – ExSlop is a library under Elixir-Vibe — Credo checks that catch AI-generated Elixir code slop.

https://x.com/kamilskowron/status/2051778642053628125 – Announcement of Credence, a semantic linter for LLM-generated Elixir code that catches patterns that compile and pass tests but are non-idiomatic, inefficient, or ported from Python/JavaScript conventions that don't belong in Elixir.

https://hex.pm/packages/credence – Credence on Hex.pm — a semantic linter for LLM-generated Elixir code.

https://github.com/Cinderella-Man/credence – Credence on GitHub — complements the compiler and Credo by checking semantics of LLM-generated Elixir code.

https://x.com/benoitc/status/2050939005395505185 – Benoit announced erlang_python 3.0.0, which embeds CPython into the BEAM with true parallelism via Python 3.14 OWN_GIL subinterpreters or free-threaded 3.13t, async/await, bidirectional Erlang↔Python callbacks, and stable thread affinity for numpy/torch.

https://github.com/benoitc/erlang-python/releases/tag/3.0.0 – Release notes for erlang_python 3.0.0.

https://github.com/benoitc/erlang-python – The erlang-python GitHub repo — combines Python's ML/AI ecosystem with Erlang's concurrency, making Python a first-class BEAM citizen rather than a simple guest like pythonx.

https://www.youtube.com/playlist?list=PLvL2NEhYV4ZsIgecSexrk26--PBWiEyUy – Playlist of ElixirConf EU 2026 videos, which have started publishing. Includes keynotes from José Valim on type system design, Chris McCord on DurableServer, and more.

https://x.com/josevalim/status/2052090411607286087 – José Valim announced Tidewave updates including a minimap on large file diffs, pin-point agent feedback, smoother onboarding for Tidewave Teams, and updates to OpenCode, Claude Code & Codex.

https://open-design.ai/ – Open-source alternative to Claude Design. Turns your existing coding agent (Claude, Codex, Cursor, Gemini, OpenCode, Qwen) into a design engine driven by 31 composable skills and 72 brand-grade design systems. Available on Mac and Windows.

https://github.com/nexu-io/open-design – GitHub repo for open-design, the open-source design engine for coding agents.

https://x.com/bcardarella/status/2050578567897985072 – Brian Carderella posted about open-design saying "OpenDesign is fantastic. Within 10 minutes it's already replaced Claude Design for me."

https://docs.aws.amazon.com/bedrock/latest/userguide/bedrock-mantle.html – AWS Mantle - an OpenAI compatible API to many different LLM models

https://docs.aws.amazon.com/bedrock/ – AWS Bedrock - The hosting of many different LLM models

https://hexdocs.pm/langchain/LangChain.ChatModels.ChatAwsMantle.html – Elixir LangChain support for AWS Mantle using ChatAwsMantle

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Find us online

Message the show - Bluesky

Message the show - X

Message the show on Fediverse - @ThinkingElixir@genserver.social

Email the show - show@thinkingelixir.com

Mark Ericksen on X - @brainlid

Mark Ericksen on Bluesky - @brainlid.bsky.social

Mark Ericksen on Fediverse - @brainlid@genserver.social

David Bernheisel on Bluesky - @david.bernheisel.com

David Bernheisel on Fediverse - @dbern@genserver.social