Security advisories
Security advisories are a means to report information about security vulnerabilities. Pub uses the GitHub Advisory Database for publishing security advisories for Dart and Flutter packages.
To create an advisory in your GitHub repository, use GitHub's security advisory reporting mechanism as explained in GitHub's docs on Creating a repository security advisory. First you create a draft security advisory, which will then be reviewed by GitHub and ingested into the central advisory database.
Security advisories in the pub client
The pub client surfaces security advisories at dependency resolution. For instance, when running dart pub get, you will get the following output:
$ dart pub get
Resolving dependencies...
http 0.13.0 (affected by advisory: [^0], 1.2.0 available)
Got dependencies!
Dependencies are affected by security advisories:
[^0]: https://github.com/advisories/GHSA-4rgh-jx4f-qfcq
If resolution identifies an advisory, the Dart team recommends you visit the link and review the advisory. If you assess that the vulnerability affects your package, you should strongly consider upgrading to a non-affected version of the dependency.
Ignoring security advisories
If a security advisory is not relevant for your application, you can suppress the warning by adding the advisory identifier to the ignored_advisories list in the pubspec.yaml of your package. For example, the following ignores the advisory with the GHSA identifier GHSA-4rgh-jx4f-qfcq:
name: myapp
dependencies:
  foo: ^1.0.0
ignored_advisories:
  - GHSA-4rgh-jx4f-qfcq
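The output format shown above and the ignored_advisories list can be combined into a CI gate: parse the `dart pub get` output, resolve each `[^n]` footnote to its advisory URL and GHSA identifier, drop the identifiers listed under ignored_advisories, and fail the build if anything remains. The following Python script is an added example, not part of the Dart documentation or the pub tool; the sample output and pubspec are constructed in the shape this page shows (the second advisory id GHSA-xxxx-yyyy-zzzz is a placeholder), and the minimal pubspec reader only handles the simple list layout shown here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `dart pub get` output, in the shape shown on this page.
# GHSA-4rgh-jx4f-qfcq is the id used on the page; the second id is a placeholder.
SAMPLE_OUTPUT = """\
Resolving dependencies...
  http 0.13.0 (affected by advisory: [^0], 1.2.0 available)
  foo 1.0.0 (affected by advisory: [^1], 1.0.5 available)
  bar 2.0.0 (2.1.0 available)
Got dependencies!
Dependencies are affected by security advisories:
  [^0]: https://github.com/advisories/GHSA-4rgh-jx4f-qfcq
  [^1]: https://github.com/advisories/GHSA-xxxx-yyyy-zzzz
"""

# Constructed pubspec.yaml, extending the page's example with an http dependency.
SAMPLE_PUBSPEC = """\
name: myapp
dependencies:
  foo: ^1.0.0
  http: ^0.13.0
ignored_advisories:
  - GHSA-4rgh-jx4f-qfcq
"""

# "<pkg> <version> (affected by advisory: <refs>[, <version> available])"
AFFECTED_RE = re.compile(
    r"^\s*(\S+) (\S+) \(affected by advisory: (.*?)(?:, (\S+) available)?\)\s*$")
FOOTNOTE_RE = re.compile(r"^\s*\[\^(\d+)\]: (\S+)\s*$")   # "[^0]: <url>"
REF_RE = re.compile(r"\[\^(\d+)\]")                        # "[^0]" inside a line
GHSA_RE = re.compile(r"GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}")


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory_id: str          # GHSA id if the URL carries one, else the raw URL
    url: str
    fixed_available: Optional[str]


def parse_pub_get_output(text: str) -> List[Finding]:
    """Resolve every affected-package line to its advisory via the footnotes."""
    footnotes = {}
    affected = []
    for line in text.splitlines():
        m = FOOTNOTE_RE.match(line)
        if m:
            footnotes[m.group(1)] = m.group(2)
            continue
        m = AFFECTED_RE.match(line)
        if m:
            affected.append((m.group(1), m.group(2), REF_RE.findall(m.group(3)), m.group(4)))
    findings = []
    for pkg, ver, refs, avail in affected:
        for ref in refs:
            url = footnotes.get(ref)
            if url is None:          # dangling footnote: do not guess an advisory
                continue
            ghsa = GHSA_RE.search(url)
            findings.append(Finding(pkg, ver, ghsa.group(0) if ghsa else url, url, avail))
    return findings


def read_ignored_advisories(pubspec_text: str) -> List[str]:
    """Minimal reader for a top-level `ignored_advisories:` list (hypothetical helper;
    it covers only the flat layout shown on this page, not arbitrary YAML)."""
    ids, in_list = [], False
    for line in pubspec_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if not line[0].isspace() and not stripped.startswith("- "):
            in_list = stripped == "ignored_advisories:"   # a new top-level key
            continue
        if in_list and stripped.startswith("- "):
            ids.append(stripped[2:].strip())
    return ids


def unignored(findings: List[Finding], ignored_advisories: List[str]) -> List[Finding]:
    ignored = {a.strip() for a in ignored_advisories}
    return [f for f in findings if f.advisory_id not in ignored]


def gate(pub_get_output: str, ignored_advisories: List[str]) -> Tuple[int, List[str]]:
    """Return (exit_code, report): exit code 1 while any un-ignored advisory remains."""
    remaining = unignored(parse_pub_get_output(pub_get_output), ignored_advisories)
    report = [
        f"{f.package} {f.version}: {f.advisory_id} ({f.url})"
        + (f", fix available: {f.fixed_available}" if f.fixed_available else "")
        for f in remaining
    ]
    return (1 if remaining else 0), report


if __name__ == "__main__":
    code, lines = gate(SAMPLE_OUTPUT, read_ignored_advisories(SAMPLE_PUBSPEC))
    print("\n".join(lines) or "no un-ignored advisories")
    raise SystemExit(code)
```

In a pipeline you would feed the captured `dart pub get` output and the real pubspec.yaml into `gate` instead of the constructed samples; keeping the suppression list in pubspec.yaml, as the page describes, means the decision to ignore an advisory is reviewed alongside the dependency change that made it relevant.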
Unless otherwise noted, this documentation applies to Dart 3.6.0. This page was last updated 2024-02-20.