Add documentation about security advisories #5480

Merged (15 commits), Jan 24, 2024
2 changes: 2 additions & 0 deletions src/_data/side-nav.yml
Expand Up @@ -190,6 +190,8 @@
permalink: /tools/pub/troubleshoot
- title: Verified publishers
permalink: /tools/pub/verified-publishers
- title: Security advisories
permalink: /tools/pub/security-advisories
- title: Versioning
permalink: /tools/pub/versioning
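Review bot: The permalink `/tools/pub/security-advisories` must resolve to the new page added in this PR at `src/tools/pub/security-advisories.md`, and the entry is placed in alphabetical order between "Verified publishers" and "Versioning", consistent with the neighbouring items. No change needed beyond confirming the site build produces the page at that path so the nav link is not dead.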

50 changes: 50 additions & 0 deletions src/tools/pub/security-advisories.md
@@ -0,0 +1,50 @@
---
title: Security advisories
description: Use security advisories to inform and be informed about security vulnerabilities.
---

Security advisories are a means to report information about security
vulnerabilities. Pub uses the [Github Advisory
Database][https://github.com/advisories] for publishing security advisories for
Dart and Flutter packages.

To create an advisory in your Github repo use Github's security advisory
reporting mechanism as explained
[here][https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory].
First you create a draft security advisory, which will then be reviewed by
Github and ingested into the central database.


## Security advisories in the pub client
The pub client surfaces security advisories at dependency resolution. For
instance when running `dart pub get` you will get the following output:

```terminal
$ dart pub get
Resolving dependencies...
http 0.13.0 (affected by advisory: [^0], 1.2.0 available)
Got dependencies!
Dependencies are affected by security advisories:
[^0]: https://github.com/advisories/GHSA-4rgh-jx4f-qfcq
```

In such a case we recommend you follow the link and review the advisory. After
reviewing, if you asses that this vulnerability is affecting your package, you
should strongly consider upgrading to another version of your dependency.


### Ignoring security advisories
If a security advisory is not relevant for your package, you can suppress the
warning by adding the advisory to the list of `ignored_advisories` in the
`pubspec.yaml` of your package. For example:

```
name: myapp
dependencies:
foo: ^1.0.0
ignored_advisories:
- GHSA-4rgh-jx4f-qfcq
```

The list of `ignored_advisories` only affects the root package. I.e, ignored
advisories in your dependencies will have no effect on your resolution.
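Review bot: Both links in the new page use `[text][url]` with the URL inside square brackets (`[Github Advisory Database][https://github.com/advisories]` and `[here][https://docs.github.com/...]`), which Markdown treats as an undefined reference label rather than a link, so neither will render as clickable; they should be `[text](url)`. While touching those lines, "Github" should be "GitHub" throughout, and "if you asses that this vulnerability" should read "assess". In the `ignored_advisories` example, the fence has no language tag (`yaml` would match the other pub docs), and as shown in the hunk `foo: ^1.0.0` sits at the same indentation as `dependencies:`, which is not valid pubspec nesting; please verify the indentation survives in the committed file. Finally, since adding `GHSA-4rgh-jx4f-qfcq` to `ignored_advisories` permanently silences the `dart pub get` warning for the root package, it would help readers to suggest recording the reason next to the entry (a YAML comment) and re-checking the advisory when the dependency is next upgraded, so an ignore does not outlive the assessment that justified it.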