Elixir, Phoenix, LiveView, and Ecto - the BEAM web stack

ELIXIR TIGHTENS ATOM SAFETY WITH NEW VALIDATION FUNCTIONS

By RepoJournal · Filed · About Elixir & Phoenix

Elixir core shipped three complementary functions that finally give you safe, typed ways to convert strings and lists to atoms without opening yourself to DoS attacks.

The biggest story across the stack is the soft-deprecation of String.to_atom/1 and the arrival of three new functions designed to close the atom safety hole [1] [2]. Atoms are never garbage-collected and the VM's atom table has a fixed limit, so converting untrusted input to atoms can exhaust the table and crash the node. String.to_existing_atom/2 validates against a list of allowed atoms and compiles down to pattern matching when that list is static, making it faster than the old unsafe path [2]. List.to_existing_atom/2 does the same for lists [3], and to_unsafe_atom/1 replaces the dangerous old to_atom/1 when you genuinely need it [1]. The type system now narrows return types properly, so you get `:foo | :bar` instead of `atom()`, which catches more bugs at compile time. This is production-ready and you should audit your codebase for to_atom/1 calls immediately.

On the Phoenix side, LiveView v1.2.3 shipped a quick fix for TypeScript declaration files being in the wrong folder [4] [5], and the core team documented module requirements for custom JSON libraries [6].

Ecto added configurable warnings and exceptions for writes to non-writable fields [7], letting you catch silent failures that masquerade as successful updates. Dependencies are stable: Babel bumped to 7.29.6 [8] and markdown-it to 14.2.0 [9].
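For the `to_atom/1` audit recommended above, here is an added example (not code from RepoJournal or from the Elixir project): a Python helper that flags dynamic atom creation in Elixir source. Beyond the calls named on this page, it also flags the `:erlang` conversion BIFs, interpolated atoms such as `:"user_#{id}"`, and Jason's `keys: :atoms` option; those extra patterns and the sample module are assumptions of this example.

```python
import re
from pathlib import Path

# Calls that create new atoms at runtime. Atoms are never garbage-collected,
# so each hit is a finding whenever its input can be attacker-controlled.
PATTERNS = [
    ("String.to_atom", re.compile(r"\bString\.to_atom\b")),
    ("List.to_atom", re.compile(r"\bList\.to_atom\b")),
    ("erlang *_to_atom", re.compile(r":erlang\.(?:binary|list)_to_atom\b")),
    ("interpolated atom", re.compile(r':"[^"\n]*#\{')),
    ("JSON keys: :atoms", re.compile(r"\bkeys:\s*:atoms\b(?!!)")),
]

def scan_source(text, path="<memory>"):
    """Return (path, line_no, label) findings for one file's text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # skip full-line comments
            continue
        for label, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((path, line_no, label))
    return findings

def scan_tree(root):
    """Scan .ex/.exs files under root, skipping deps/ and _build/."""
    findings = []
    for file in sorted(Path(root).rglob("*.ex*")):
        skip = file.suffix not in (".ex", ".exs") or {"deps", "_build"} & set(file.relative_to(root).parts)
        if not skip:
            findings += scan_source(file.read_text(errors="replace"), str(file))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = '''defmodule Demo do
  # String.to_atom(x) mentioned in a comment only
  def role(params), do: params["role"] |> String.to_atom()
  def safe(name), do: String.to_existing_atom(name)
  def key(id), do: :"user_#{id}"
  def parse(body), do: Jason.decode!(body, keys: :atoms)
  def parse_safe(body), do: Jason.decode!(body, keys: :atoms!)
  def raw(bin), do: :erlang.binary_to_atom(bin, :utf8)
end
'''

if __name__ == "__main__":
    print(*scan_source(SAMPLE), sep="\n")
```

Each finding still needs a manual check of whether the converted value can come from outside the application; a hit on a compile-time constant is not a risk.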

References

  [1] Add to_unsafe_atom/1 and soft-deprecate to_atom/1 (elixir-lang/elixir)
  [2] Add String.to_existing_atom/2 to validate against a list of allowed atoms (elixir-lang/elixir)
  [3] Add List.to_existing_atom/2 to validate against a list of allowed atoms (elixir-lang/elixir)
  [4] v1.2.3 (phoenixframework/phoenix_live_view)
  [5] fix typescript declaration file path (phoenixframework/phoenix_live_view)
  [6] Document module requirements for json_library() (see PR #6481) (phoenixframework/phoenix)
  [7] Add ability to configure the behavior of writing to a non-writable field (elixir-ecto/ecto)
  [8] Bump @babel/core from 7.27.4 to 7.29.6 (phoenixframework/phoenix_live_view)
  [9] Bump markdown-it from 14.1.1 to 14.2.0 (phoenixframework/phoenix_live_view)

FAQ

What changed in Elixir & Phoenix on June 17, 2026?
Elixir core shipped three complementary functions that finally give you safe, typed ways to convert strings and lists to atoms without opening yourself to DoS attacks.

What should Elixir & Phoenix teams do about it?

  • Review your codebase for String.to_atom/1 calls and replace with String.to_existing_atom/2 before next deploy
  • Update phoenix_live_view to v1.2.3 if using TypeScript
  • Configure Ecto non-writable field behavior in your repos to catch silent failures

Which Elixir & Phoenix repositories shipped on June 17, 2026?
elixir-lang/elixir, phoenixframework/phoenix_live_view, phoenixframework/phoenix, elixir-ecto/ecto
