The pubspec file
- Supported fields
Every pub package needs some metadata so it can specify its dependencies. Pub packages that are shared with others also need to provide some other information so users can discover them. All of this metadata goes in the package's pubspec: a file named
pubspec.yaml that's written in the YAML language.
A pubspec can have the following fields:
- Required for every package. Learn more.
- Required for packages that are hosted on the pub.dev site. Learn more.
- Required for packages that are hosted on the pub.dev site. Learn more.
- Optional. URL pointing to the package's homepage (or source code repository). Learn more.
- Optional. URL pointing to the package's source code repository. Learn more.
- Optional. URL pointing to an issue tracker for the package. Learn more.
- Optional. URL pointing to documentation for the package. Learn more.
- Can be omitted if your package has no dependencies. Learn more.
- Can be omitted if your package has no dev dependencies. Learn more.
- Can be omitted if you do not need to override any dependencies. Learn more.
- Required as of Dart 2. Learn more.
- Optional. Used to put a package's executables on your PATH. Learn more.
- Optional. Used to explicitly declare supported platforms on the pub.dev site. Learn more.
- Optional. Specify where to publish a package. Learn more.
- Optional. List of URLs where users can sponsor development of the package. Learn more.
- Optional. Specify files to ignore when conducting a pre-publishing search for potential leaks of secrets. Learn more.
- Optional. Specify a list of screenshot files to display on the pub.dev site. Learn more.
- Optional. List of topics for the package. Learn more.
- Optional. List of ignored security advisories. Learn more.
Pub ignores all other fields.
If you add a custom field, give it a unique name that won't clash with future pubspec fields. For example, instead of adding
bugs, you might add a field named
A simple but complete pubspec looks something like the following:
Have you been turned into a newt? Would you like to be?
This package can help. It has all of the
newt-transmogrification functionality you have been looking
sdk: '>=2.12.0 <3.0.0'
test: '>=1.15.0 <2.0.0'
This section has more information about each of the pubspec fields.
Every package needs a name. It's how other packages refer to yours, and how it appears to the world, should you publish it.
The name should be all lowercase, with underscores to separate words,
just_like_this. Use only basic Latin letters and Arabic digits:
[a-z0-9_]. Also, make sure the name is a valid Dart identifier—that it doesn't start with digits and isn't a reserved word.
Try to pick a name that is clear, terse, and not already in use. A quick search of packages on the pub.dev site to make sure that nothing else is using your name is recommended.
Every package has a version. A version number is required to host your package on the pub.dev site, but can be omitted for local-only packages. If you omit it, your package is implicitly versioned
Versioning is necessary for reusing code while letting it evolve quickly. A version number is three numbers separated by dots, like
0.2.43. It can also optionally have a build (
+hotfix.oopsie) or prerelease (
Each time you publish your package, you publish it at a specific version. Once that's been done, consider it hermetically sealed: you can't touch it anymore. To make more changes, you'll need a new version.
When you select a version, follow semantic versioning.
This is optional for your own personal packages, but if you intend to publish your package you must provide a description, which should be in English. The description should be relatively short—60 to 180 characters—and tell a casual reader what they might want to know about your package.
Think of the description as the sales pitch for your package. Users see it when they browse for packages. The description is plain text: no markdown or HTML.
This should be a URL pointing to the website for your package. For hosted packages, this URL is linked from the package's page. While providing a
homepage is optional, please provide it or
repository (or both). It helps users understand where your package is coming from.
repository field should contain the URL for your package's source code repository—for example,
https://github.com/<user>/<repository>. If you publish your package to the pub.dev site, then your package's page displays the repository URL. While providing a
repository is optional, please provide it or
homepage (or both). It helps users understand where your package is coming from.
issue_tracker field should contain a URL for the package's issue tracker, where existing bugs can be viewed and new bugs can be filed. The pub.dev site attempts to display a link to each package's issue tracker, using the value of this field. If
issue_tracker is missing but
repository is present and points to GitHub, then the pub.dev site uses the default issue tracker (
Some packages have a site that hosts documentation, separate from the main homepage and from the Pub-generated API reference. If your package has additional documentation, add a
documentation: field with that URL; pub shows a link to this documentation on your package's page.
Dependencies are the pubspec's raison d'être. In this section you list each package that your package needs in order to work.
Dependencies fall into one of two types. Regular dependencies are listed under
dependencies:—these are packages that anyone using your package will also need. Dependencies that are only needed in the development phase of the package itself are listed under
During the development process, you might need to temporarily override a dependency. You can do so using
For more information, see Package dependencies.
A package may expose one or more of its scripts as executables that can be run directly from the command line. To make a script publicly available, list it under the
executables field. Entries are listed as key/value pairs:
For example, the following pubspec entry lists two scripts:
Once the package is activated using
dart pub global activate, typing
bin/fvm.dart. If you don't specify the value, it is inferred from the key.
For more information, see pub global.
When you publish a package, pub.dev automatically detects the platforms that the package supports. If this platform-support list is incorrect, use
platforms to explicitly declare which platforms your package supports.
For example, the following
platforms entry causes pub.dev to list the package as supporting Android, iOS, Linux, macOS, Web, and Windows:
# This package supports all platforms listed below.
Here is an example of declaring that the package supports only Linux and macOS (and not, for example, Windows):
# This package supports only Linux and macOS.
Package authors can use the
funding property to specify a list of URLs that provide information on how users can help fund the development of the package. For example:
If published to pub.dev the links are displayed on the package page. This aims to help users fund the development of their dependencies.
When you try to publish a package, pub conducts a search for potential leaks of secret credentials, API keys, or cryptographic keys. If pub detects a potential leak in a file that would be published, then pub warns you and refuses to publish the package.
Leak detection isn't perfect. To avoid false positives, you can tell pub not to search for leaks in certain files, by creating an allowlist using
gitignore patterns under
false_secrets in the pubspec.
For example, the following entry causes pub not to look for leaks in the file
lib/src/hardcoded_api_key.dart and in all
.pem files in the
gitignore pattern with slash (
/) ensures that the pattern is considered relative to the package's root directory.
Packages can showcase their widgets or other visual elements using screenshots displayed on their pub.dev page. To specify screenshots for the package to display, use the
A package can list up to 10 screenshots under the
screenshots field. Don't include logos or other branding imagery in this section. Each screenshot includes one
description and one
description explains what the screenshot depicts in no more than 160 characters. For example:
- description: 'This screenshot shows the transformation of a number of bytes
to a human-readable expression.'
- description: 'This screenshot shows a stack trace returning a human-readable
Pub.dev limits screenshots to the following specifications:
- File size: max 4 MB per image.
- File types:
- Static and animated images are both allowed.
Keep screenshot files small. Each download of the package includes all screenshot files.
Pub.dev generates the package's thumbnail image from the first screenshot. If this screenshot uses animation, pub.dev uses its first frame.
Package authors can use the
topics field to categorize their package. Topics can be used to assist discoverability during search with filters on pub.dev. Pub.dev displays the topics on the package page as well as in the search results.
The field consists of a list of names. For example:
Pub.dev requires topics to follow these specifications:
- Tag each package with at most 5 topics.
- Write the topic name following these requirements:
- Use between 2 and 32 characters.
- Use only lowercase alphanumeric characters or hyphens (
- Don't use two consecutive hyphens (
- Start the name with lowercase alphabet characters (
- End with alphanumeric characters (
When choosing topics, consider if existing topics are relevant. Tagging with existing topics helps users discover your package.
If a package has a dependency that is affected by a security advisory, pub warns about the advisory during dependency resolution. Package authors can use the
ignored_advisories field as an allowlist of triggered advisories that are not relevant for the package.
To suppress the warning about an advisory, add the advisory identifier to the
ignored_advisories list. For example:
For more information, check out Security advisories.
A package can indicate which versions of its dependencies it supports, but packages have another implicit dependency: the Dart platform itself. The Dart platform evolves over time, and a package might only work with certain versions of the platform.
A package can specify those versions using an SDK constraint. This constraint goes inside a separate top-level
environment field in the pubspec and uses the same version constraint syntax as dependencies.
For example, the following constraint says that this package works with any Dart SDK that's version 3.0.0 or higher:
Pub tries to find the latest version of a package whose SDK constraint works with the version of the Dart SDK that you have installed.
Omitting the SDK constraint is an error. When the pubspec has no SDK constraint,
dart pub get fails with a message like the following:
pubspec.yaml has no lower-bound SDK constraint.
You should edit pubspec.yaml to contain an SDK constraint:
Flutter SDK constraints#
Pub supports specifying Flutter SDK constraints under the
sdk: '>=1.19.0 <3.0.0'
A Flutter SDK constraint is satisfied only if pub is running in the context of the
flutter executable, and the Flutter SDK's
version file meets the version constraint's lower bound. Otherwise, the package won't be selected.
To publish a package with a Flutter SDK constraint, you must specify a Dart SDK constraint with a minimum version of at least 1.19.0, to ensure that older versions of pub won't accidentally install packages that need Flutter.