If your organization is looking for "the language ecosystem that never has any security vulnerabilities", pack it in and close up shop because you're not going to find one. How many, how often, and how they are handled is far more important.

While the Erlang/Elixir ecosystem won't stop you from writing a network server that takes in a string and just blithely passes it along to a shell without analysis, overall the Erlang/Elixir ecosystem is very strong and lacks most of the footguns like an "eval" statement that get people. Though I will ding it a point for the most obvious way to run a shell command [1] taking just a string that goes to a shell rather than an array of parameters to a shell command.

It is on the higher end of secure languages to write a network server in.

> overall the Erlang/Elixir ecosystem is very strong and lacks most of the footguns like an "eval" statement that get people

Erlang has erl_eval [1] if you're looking for more ability to shoot yourself in the foot. You can call that from Elixir, but I guess that'd be weird; I'm not an Elixir person, but I'd bet you can shoot yourself in the foot if you try!

There's always fun with dist and proc_lib:spawn(Node, Fun) [2], which you can put in a list comprehension with erlang:nodes() [3] if you want to shot yourself in many feet rapidly ;)

[1] https://www.erlang.org/doc/apps/stdlib/erl_eval.html

[2] https://www.erlang.org/doc/apps/stdlib/proc_lib.html#spawn/2

[3] https://www.erlang.org/doc/apps/erts/erlang.html#nodes/0

There absolutely is an eval function in the Elixir standard library:

https://hexdocs.pm/elixir/1.18.3/Code.html#eval_string/3

I’ve seen more horrendous code using macros in elixir even despite by brief foray than I have seen ever in decades of working in languages with eval. Like using them when normal functions would suffice.

> most obvious way to run a shell command [1]

I think you forgot a link to your [1] reference.

Just create your own.