From 1c8ae8ed8b20954c6dfff94c6eeea0f6c1342356 Mon Sep 17 00:00:00 2001 From: Sarah Zakarias Date: Wed, 24 Jan 2024 18:36:41 +0100 Subject: [PATCH] Add documentation about security advisories (#5480) Co-authored-by: Jonas Finnemann Jensen Co-authored-by: Marya <111139605+MaryaBelanger@users.noreply.github.com> --- src/_data/side-nav.yml | 2 ++ src/tools/pub/security-advisories.md | 54 ++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 src/tools/pub/security-advisories.md diff --git a/src/_data/side-nav.yml b/src/_data/side-nav.yml index 513a3e155d..c0a3bea10d 100644 --- a/src/_data/side-nav.yml +++ b/src/_data/side-nav.yml @@ -190,6 +190,8 @@ permalink: /tools/pub/troubleshoot - title: Verified publishers permalink: /tools/pub/verified-publishers + - title: Security advisories + permalink: /tools/pub/security-advisories - title: Versioning permalink: /tools/pub/versioning diff --git a/src/tools/pub/security-advisories.md b/src/tools/pub/security-advisories.md new file mode 100644 index 0000000000..2c84bd98ce --- /dev/null +++ b/src/tools/pub/security-advisories.md 
@@ -0,0 +1,54 @@ +--- +title: Security advisories +description: Use security advisories to inform and be informed about security vulnerabilities. +--- + +Security advisories are a means to report information about security +vulnerabilities. Pub uses the [Github Advisory Database][] +for publishing security advisories for Dart and Flutter packages. + +To create an advisory in your Github repository, use Github's security advisory +reporting mechanism as explained [here][]. +First you create a draft security advisory, which will then be reviewed by +Github and ingested into the central database. + + +## Security advisories in the pub client + +The pub client surfaces security advisories at dependency resolution. +For instance, when running `dart pub get` you will get the following output: + +```terminal +$ dart pub get +Resolving dependencies... +http 0.13.0 (affected by advisory: [^0], 1.2.0 available) +Got dependencies! +Dependencies are affected by security advisories: + [^0]: https://github.com/advisories/GHSA-4rgh-jx4f-qfcq +``` + +In such a case we recommend you follow the link and review the advisory. After +reviewing, if you asses that this vulnerability is affecting your package, you +should strongly consider upgrading to another version of your dependency. + + +### Ignoring security advisories + +If a security advisory is not relevant for your application, you can suppress the +warning by adding the advisory to the list of `ignored_advisories` in the +`pubspec.yaml` of your package. For example: + +```yaml +name: myapp +dependencies: + foo: ^1.0.0 +ignored_advisories: + - GHSA-4rgh-jx4f-qfcq +``` + +The list of `ignored_advisories` only affects the root package. Ignored +advisories in your dependencies will have no effect on your resolution. + +[Github Advisory Database]: https://github.com/advisories +[here]: https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory +
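Review bot: in the src/_data/side-nav.yml hunk, the new entry `permalink: /tools/pub/security-advisories` matches the path of the page added in the same patch (src/tools/pub/security-advisories.md), so the link will resolve; the only open question is placement, since the neighbouring entries (Troubleshoot, Verified publishers, Versioning) are not strictly alphabetical and `Security advisories` could equally sit beside `Verified publishers` as the other trust-related page. No change required, just worth a conscious decision.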
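Review bot: in the src/tools/pub/security-advisories.md hunk, the upgrade paragraph has a typo, `if you asses that this vulnerability is affecting your package` should read `assess`, and the same sentence says the vulnerability affects "your package" when what is affected is the dependency; suggest `if you assess that this vulnerability affects your application, you should strongly consider upgrading to a version of the dependency that is not affected`. Two documentation points in the same hunk: the sentence `Ignored advisories in your dependencies will have no effect on your resolution` reads as if advisories change what gets resolved, whereas the page only describes them being surfaced during resolution, so `will not suppress the warning` would be clearer; and the `Ignoring security advisories` section should state explicitly that an `ignored_advisories` entry only silences the warning and does not change the resolved version, so the affected code stays in the build until the dependency is upgraded, which makes it worth advising readers to re-check the advisory whenever that dependency is later updated. Minor style: `Github` is spelled `GitHub` in the product's own documentation, and the link text `[here][]` would serve readers better as a descriptive phrase such as `GitHub's guide to creating a repository security advisory`.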