Partnering with GitHub on supply chain security for Dart packages

Starting today, GitHub supports Dart in its Advisory Database, dependency graph, and Dependabot. This means GitHub now offers comprehensive support for supply chain security for Dart and Flutter apps.

To learn about these new capabilities, check out the GitHub blog post. To learn what this means to you as a Dart developer, keep reading.

“With Dart now in our supply chain security ecosystem, GitHub extends its support for a fast-growing segment of the open source community,” Courtney Claessens, Senior Product Manager for GitHub, said. “And by moving security left, we help not only developers, but the millions of users who rely on apps developed in Dart.”

Imagine you’re building a fantastic new Flutter app. You’re using lots of really good packages in your pubspec (such as something like this) and shipping your app to multiple stores. What would happen if one of them had an important update to fix a security vulnerability? How would you find out about that? You can’t, short of manually checking theCHANGELOG for each of the tens of packages on a regular basis. This is a real challenge.

This is where Dependabot comes in. If you manage your source code in GitHub repository, the dependency graph and Dependabot monitor your pubspec dependencies and lets you know if you’re missing an update. The Dependabot submits a pull request to update pubspec.yaml to the latest version of the package on your behalf. This all comes about through new Dart-specific improvements in GitHub.

This scenario relies on a high quality, open database of security advisories that lists known vulnerabilities in Dart packages. For this feature, we partnered with GitHub to add Dart support to their popular GitHub Advisory Database. This database already contains thousands of advisories for other ecosystems like npm, NuGet, and Maven.

Starting today, you can now select the Pub ecosystem when creating advisories for published Dart packages.

If you publish packages on pub.dev, we recommend two new best practices.

1. Use GitHub’s security advisory feature to create new advisories in your GitHub repo. GitHub ingests these advisories into the central GitHub Advisory database.

2. Configure your security policy including detailing how users can report vulnerabilities.

The new security features are available today. If your source code resides in a public repository, Dependabot has started monitoring for security issues. If your source lives in a private GitHub repo, you need a bit more configuration to enable this feature.