Fail retrieving vulnerable dependencies unless overriden #4333
Comments
This is not clear to me. A vulnerability might not affect a given consumer of a package.
If you are making a package for others to consume, you cannot easily specify which version of your dependencies they will end up consuming - only what range of versions. It is up to them to avoid the vulnerabilities in their pubspec.lock. Committing a pubspec.lock file with the package would not help much. A workaround if you want to not run CI with a dependency with a vulnerability, would be to have your github action detect "Dependencies are affected by security advisories" in the output from @szakarias and @jonasfj might have more to say. |
|
Hi @sigurdm thanks for the reply.
I was referring to the fact that I think that depending on a vulnerable version should be avoided at all costs. It is true that you can depend on a dependency that is tagged as vulnerable but not be vulnerable (for example, depending on vulnerable Archive version but not using symlinks), however I believe such practice is like walking on a tight rope because there is no automated mechanism in place that ensures you won't be using such vulnerable functionalities in the future.
You're completely right. However, if I'm maintaining a package and I get dependencies I will not like to get a vulnerable version installed in my system. Instead, I would like to be made aware that I'm about to install a vulnerable dependency, and then decide if I want to abort or continue.
That would be nice and it would move the tooling closer to the ideal solution (i.e. give me the option before installing a vulnerable version locally). However, I would rather not have to string match the output of the command but instead pass a flag to avoid it being fragile to changes in the output formatting for example. |
Description
As a developer, I would like the
dart pub getto fail when retrieving vulnerable versions unless I explicitly provide a flag to override it.Context
When a Dart package has a dependency on a vulnerable package (those with an an entry on the OSV database) the
dart pub getcommand already reports the affected dependencies.For example:
The above succeeds, instead I would like it to fail and only succeed when providing a flag to override it if needed (for example,
--accept-vulnerabilities).Use-cases
Most Dart developers are already running
dart pub geton their CIs, if the CI fails on thedart pub getstage due to a vulnerability it will block them until it gets resolved, hence avoiding vulnerabilities to creep in. Most developers only check if their CI is passing or not, hence they might completely miss the message.In addition, this also accommodates for the limitations the OSV Scanner has, these are:
pubspec.lockto exist, however the Dart team recommends to ignore comiting thepubspec.lockfile for packages (What not to commit, Dart Documentation).Dart can also install executables to be run locally as a CLI (for example, with:
dart pub global activate). When activating the executable the dependencies are fetched. If getting dependencies fails it would protect the user from having vulnerabilities. Only if the user explicitly wants to by-pass and accept the consequences of having a vulnerability the local CLI should be installed (a similar experience to what the browser does when trying to access a non-secure website).We should never depend on vulnerable dependencies. Making the
getfail by default would raise awareness that Dart dependencies can also be vulnerable and the community will soon know which are those and how to prevent new vulnerabilities.P.S.: If the feature is not possible for whatever reason, having a flag (for example,
--no-vulnerabilities) that could be provided to fail when vulnerable dependencies are detected could be considered instead.The text was updated successfully, but these errors were encountered: