JuliaCon 2026

The Julia ecosystem security advisory database
2026-08-14, Room 1

Tracking active security advisories (such as CVEs) is a critical requirement for many organizations before they can use and deploy code... but it can't work without the advisories themselves! The new SecurityAdvisories.jl database enables exactly that for Julia packages and their upstream artifacts (such as JLLs). Building such a system in a manner that is both sustainable and manageable for thousands of packages is not trivial; I'll be discussing the key factors in how it works and how package maintainers and users alike can make use of it.
The security advisory landscape is messy, complicated, and difficult to understand. Yet maintaining an ecosystem database in accordance with industry best practice is fundamental to powering security scanners. This talk will dive into the design, creation, data, automations, and work that powers SecurityAdvisories.jl at a level that is approachable to all Julia programmers.

Like a CVE, the new JLSEC advisory is a mechanism to assign a unique identifier to a vulnerability in a Julia package — or relay information about an upstream vulnerability in one of its artifacts (commonly a JLL). There are many challenges with such a database, and this talk will discuss them.

Key points to be covered will include:
* The format and best ways to author a JLSEC advisory
* How JLSEC advisories relate to CVEs and GitHub advisories
* How artifacts and JLLs are linked with upstream projects and their published CVEs (and the myriad challenges therein)
* How to get involved

Matt has been a part of the Julia community for over a decade and is the Director of Sales Engineering at JuliaHub.