Hex Security Upgrade: Gleam's Authentication Overhaul Enhances Package Management Safety
#Security


Tech Essays Reporter
8 min read

Gleam v1.15.0 introduces OAuth2 authentication for the Hex package manager, replacing the legacy username-and-password token exchange with MFA-protected, short-lived credentials.

The Gleam programming language has reached a significant milestone with the release of version 1.15.0, bringing substantial improvements to security, developer experience, and tooling. This update represents a major step forward in making Gleam more robust and user-friendly for both newcomers and experienced developers working with the Erlang virtual machine and JavaScript runtimes.

Hex Authentication Gets a Security Overhaul

The most notable change in this release centers on Hex package manager authentication. Gleam has moved exclusively to OAuth2-based authentication, replacing the previous system in which the client exchanged a username and password for a long-lived token. The new flow closes several weaknesses of that design, described below.

Under the new system, multi-factor authentication is mandatory for every endpoint that requires write permissions. A stolen password on its own is therefore no longer enough to publish, retire or otherwise modify a package; an attacker also needs the second factor. Because the OAuth2 flow is handled by Hex rather than by the build tool, the Gleam client never sees your password at all, which removes one place it could be harvested from if an attacker gains access to your workstation.

Another crucial improvement is the move to short-lived access tokens. If a token is compromised, the window in which an attacker can use it is reduced to the token's remaining lifetime, rather than being open-ended as it was with the previous long-lived tokens. A short lifetime limits the damage but does not make a leak harmless, so a token that may have been exposed should still be treated as compromised and revoked. Additionally, Hex can now integrate with other OAuth providers, allowing companies to reuse their existing identity management and audit systems when securing their Hex usage.

Existing legacy tokens stored locally by Gleam are automatically revoked the first time a user runs the new version against Hex. The legacy system will eventually be disabled for Gleam packages, but this transition period gives existing users a smooth migration path. The update also enforces a minimum length of eight characters for the local password that is used to encrypt the Hex token stored on disk, adding another layer of protection if that file is copied off the machine.
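The two rules above, that a write endpoint requires MFA and that an expired token is useless, can be expressed as a small server-side authorisation policy. The following Gleam code is an added example for this article, not Gleam's or Hex's own code; the Token shape, the scope naming ("write:<resource>") and the Decision type are assumptions made for the illustration, and the tokens in main are constructed test data.

```gleam
import gleam/list

/// Assumed model of an access token issued by the OAuth2 flow: the scopes it
/// carries, whether a second factor was presented when it was issued, and a
/// Unix expiry time. This is not Hex's real token format.
pub type Token {
  Token(scopes: List(String), mfa_verified: Bool, expires_at: Int)
}

pub type Decision {
  Allowed
  Expired
  MfaRequired
  MissingScope(String)
}

/// Decide whether `token` may call an endpoint that needs `scope` at time
/// `now`. Expiry is checked first, so a leaked token stops working once its
/// short lifetime has passed; write scopes additionally require MFA.
pub fn authorise(token: Token, scope: String, now: Int) -> Decision {
  case token {
    Token(_, _, expires_at) if expires_at <= now -> Expired
    Token(scopes, mfa_verified, _) -> {
      case list.contains(scopes, scope), is_write(scope), mfa_verified {
        False, _, _ -> MissingScope(scope)
        True, True, False -> MfaRequired
        True, _, _ -> Allowed
      }
    }
  }
}

/// Assumed convention: write scopes are named "write:<resource>", so a string
/// prefix pattern is enough to classify them.
fn is_write(scope: String) -> Bool {
  case scope {
    "write:" <> _ -> True
    _ -> False
  }
}

pub fn main() {
  let now = 1_700_000_000
  // Constructed tokens: read-only, write-capable without MFA, write-capable
  // with MFA, and one that expired a second ago.
  let read_only = Token(["read:package"], False, now + 600)
  let no_mfa = Token(["read:package", "write:package"], False, now + 600)
  let publisher = Token(["read:package", "write:package"], True, now + 600)
  let stale = Token(["read:package", "write:package"], True, now - 1)

  let assert Allowed = authorise(read_only, "read:package", now)
  let assert MissingScope("write:package") =
    authorise(read_only, "write:package", now)
  let assert MfaRequired = authorise(no_mfa, "write:package", now)
  let assert Allowed = authorise(publisher, "write:package", now)
  let assert Expired = authorise(stale, "write:package", now)
  Nil
}
```

The order of the checks matters: expiry is evaluated before anything else, so an attacker holding a stale token learns nothing about which scopes it once carried.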

This work was done in collaboration with and sponsored by The Erlang Ecosystem Foundation, highlighting the importance of community-driven infrastructure improvements. The foundation's support demonstrates how critical security enhancements benefit the entire ecosystem rather than just individual projects.

Enhanced Error Messages Improve Developer Experience

Beyond security improvements, Gleam 1.15.0 addresses one of the most common pain points for developers: confusing error messages. When Hex operations fail—such as depending on a non-existent package or attempting to publish a package without proper maintainer permissions—the raw error messages from the Hex API were often difficult to interpret.

Ameen Radwan and vyacheslavhere have implemented custom error messages for these scenarios, making it immediately clear what went wrong and how to proceed. This improvement aligns with Gleam's philosophy of providing helpful, actionable feedback to developers, reducing frustration and accelerating the development process.

Guard Clause Ergonomics Get a Boost

Adi Salimgereyev has introduced two significant improvements to guard expressions in case statements. First, the string concatenation operator can now be used within guards, enabling more expressive pattern matching. For example, a clause such as action if version <> ":" <> action == "v1:delete" matches only when the version and action, joined with a colon, form exactly that command identifier, without the string having to be built before the case expression.
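A worked version of that clause, added here as an example rather than taken from the release notes: a deny-by-default dispatcher for versioned commands in which every accepted combination is spelled out in a guard. The function name, the command set and the calls in main are assumptions made for the illustration.

```gleam
/// Dispatch a versioned command such as version "v1", action "delete".
/// Concatenation inside the guard needs Gleam 1.15 or later; previously the
/// combined string had to be built before the `case`.
pub fn dispatch(version: String, action: String) -> Result(String, String) {
  case action {
    action if version <> ":" <> action == "v1:delete" -> Ok("hard delete")
    action if version <> ":" <> action == "v2:delete" -> Ok("soft delete")
    action if version <> ":" <> action == "v2:restore" -> Ok("restore")
    // Anything not listed above is rejected, and the full identifier is
    // returned so the caller can log exactly what was refused.
    _ -> Error("unsupported command " <> version <> ":" <> action)
  }
}

pub fn main() {
  let assert Ok("hard delete") = dispatch("v1", "delete")
  let assert Ok("soft delete") = dispatch("v2", "delete")
  let assert Error(_) = dispatch("v1", "restore")
  // A version string that already contains a colon cannot be smuggled past
  // the comparison: "v1:delete" joined with "x" is "v1:delete:x".
  let assert Error(_) = dispatch("v1:delete", "x")
  Nil
}
```

Because `<>` binds more tightly than `==`, the guard compares the whole concatenated string against the literal, which is what makes the allowlist exact.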

Second, when using integer and float binary operators incorrectly in case expression guards, the compiler now provides helpful custom error messages. These improvements make guard clauses more powerful and user-friendly, reducing the cognitive load when writing complex pattern matching logic.

The language server has also been enhanced to support renaming, go-to-definition, hover, and finding references from expressions within case clause guards. This functionality, contributed by Surya Rose, makes working with guard clauses more intuitive and efficient.

Internal Types Get Better Treatment

Gleam's internal publicity level (the @internal attribute) marks a definition as technically importable but not part of the package's public API. This is useful for escape-hatch APIs or for sharing functionality between packages owned by the same maintainer. Previously, inconsistencies in how internal definitions were handled by the compiler and language server could make it unclear whether a definition was truly internal.

Giacomo Cavalieri has addressed these inconsistencies comprehensively. The "Add missing patterns" code action now inserts catch-all patterns for internal types, the language server no longer shows completions for internal type fields, and the compiler no longer displays internal type structures when showing "Inexhaustive patterns" errors. These changes make the internal/public distinction more explicit and prevent accidental usage of internal APIs.

JavaScript FFI Improvements

For developers using Gleam's JavaScript compilation target, this release brings several enhancements to the Foreign Function Interface (FFI). The compiler now provides an API for each type in a Gleam codebase, enabling JavaScript code to construct and work with Gleam data structures effectively.

New functions such as BitArray$isBitArray and BitArray$BitArray$data have been added, allowing JavaScript to consume Gleam's prelude bit-array type. TypeScript types are also generated for this API: the functions that check type membership are declared with a return type of the form value is TypeName, a TypeScript type predicate. This lets the TypeScript checker narrow a value to the expected Gleam type after the check, giving better type safety when working across the JavaScript boundary.

Package Quality Controls

To maintain high standards in the Hex package repository, Gleam has introduced new publish checks. The build tool now refuses to publish packages that use the default README generated by the gleam new command or are missing a README altogether. This ensures that every published package has proper documentation serving as its homepage.

These quality controls reflect the project's commitment to maintaining Hex as a repository for high-quality, production-ready code rather than a place for prototypes or name-squatting. The community actively monitors packages for undesirable trends and introduces checks to discourage them, ensuring the ecosystem remains healthy and valuable for all users.

Language Server Enhancements

The language server has received numerous improvements that collectively enhance the development experience significantly. Support for textDocument/foldingRange enables folding for contiguous import blocks and multi-line top-level definitions, making code navigation more manageable in larger files.

CLI documentation has been substantially improved, with commands like gleam help add, gleam help deps, and gleam help docs now providing much more detailed output. This reduces the need to interrupt development flow by searching for documentation online, keeping developers focused and productive.

Configuration consistency has been addressed by standardizing on snake_case for all keys in the gleam.toml file, with the previously inconsistent dev-dependencies and tag-prefix keys now written as dev_dependencies and tag_prefix. The old spellings continue to be accepted for backward compatibility, but the change removes a source of confusion for new users.

Code Action Improvements

Several code actions have been enhanced to make refactoring more powerful and intuitive. The Extract function action now has special handling for anonymous functions, using the function body as the new extracted function's body. This makes it easier to refactor code without losing context or requiring manual restructuring.

Module usage renaming has been improved to work when hovering on module names rather than just imports. This allows developers to rename modules more naturally within their code, with the renaming action correctly updating all relevant references.

The "Add missing type parameter" code action now handles cases where custom type definitions use type parameters in variants that haven't been declared in the header, automatically adding the necessary declarations.

String prefix patterns now support finding references and renaming variables, making pattern matching more flexible and powerful. The language server also provides more precise completion instructions to editors, preventing issues like incorrect code generation when accepting completions.

Signature Help and Quality-of-Life Improvements

Signature help now shows the original names used for type parameters, helping developers understand what each parameter represents. This small but significant improvement makes function signatures more informative and easier to use correctly.

The language server now suggests completions for keywords that are expressions, such as echo, panic, and todo. The "Fill labels" code action uses variables from scope when they match label names and expected types, reducing the need for manual placeholder replacement.

Other improvements include allowing the "Interpolate String" code action to cut out any portion of a string regardless of whether it's a valid Gleam identifier, best-effort zero value generation for decode.failure, and support for Nil when using the generate dynamic decoder code action.

Custom type definitions and variants now show their documentation on hover, making it easier to understand their purpose and usage without navigating away from the current context.

Community and Support

Gleam remains a community-driven project without corporate ownership, relying on sponsorships for sustainability. Most sponsors contribute between $5 and $20 USD per month, and Gleam serves as the sole income source for its maintainers. The project has made significant progress toward its goal of appropriately paying core team members, but continued support is needed.

The release acknowledges the contributions of numerous community members who have implemented bug fixes, experience improvements, and new features. This collaborative approach ensures that Gleam continues to evolve in ways that benefit the entire community rather than being driven by a single entity's priorities.

For developers interested in trying Gleam, the project provides comprehensive documentation and tooling to get started. The combination of improved security, enhanced developer experience, and strong community support makes Gleam an increasingly attractive option for building scalable, type-safe applications on the BEAM platform.

This release demonstrates how attention to both security and developer experience can produce a more robust and enjoyable programming environment. By addressing pain points that developers encounter daily while simultaneously strengthening the security of the package-management foundation the ecosystem depends on, Gleam 1.15.0 sets a high standard for what a modern programming language ecosystem should provide.
