Security advisories

Security advisories are a means to report information about security vulnerabilities. Pub uses the GitHub Advisory Database for publishing security advisories for Dart and Flutter packages.

To create an advisory in your GitHub repository, use GitHub's security advisory reporting mechanism as explained in GitHub's docs on Creating a repository security advisory. First you create a draft security advisory, which will then be reviewed by GitHub and ingested into the central advisory database.

The pub client surfaces security advisories at dependency resolution. For instance, when running dart pub get you will get the following output:

$ dart pub get
Resolving dependencies...
http 0.13.0 (affected by advisory: [^0], 1.2.0 available)
Got dependencies!
Dependencies are affected by security advisories:
  [^0]: https://github.com/advisories/GHSA-4rgh-jx4f-qfcq

If resolution identifies an advisory, the Dart team recommends you visit the link and review the advisory. If you assess that the vulnerability affects your package, you should strongly consider upgrading to a non-affected version of the dependency.

If a security advisory is not relevant for your application, you can suppress the warning by adding the advisory identifier to the ignored_advisories list in the pubspec.yaml of your package. For example, the following ignores the advisory with the GHSA identifier GHSA-4rgh-jx4f-qfcq:

name: myapp
dependencies:
  foo: ^1.0.0
ignored_advisories:
 - GHSA-4rgh-jx4f-qfcq

除非另有说明，文档之所提及适用于 Dart 3.5.3 版本，本页面最后更新时间: 2024-02-20。 查看文档源码 或者 报告页面问题。