Security advisories are a means to report information about security vulnerabilities. Pub uses the GitHub Advisory Database for publishing security advisories for Dart and Flutter packages.
To create an advisory for a package hosted in your GitHub repository, use GitHub's security advisory reporting mechanism as explained in GitHub's docs on Creating a repository security advisory. You first create a draft security advisory in the repository; once you publish it, GitHub reviews it and ingests it into the central advisory database, from where pub picks it up.
Security advisories in the pub client
The pub client surfaces security advisories during dependency resolution. For instance, when a resolved dependency is affected by a known advisory, running dart pub get produces output like the following:
$ dart pub get
http 0.13.0 (affected by advisory: [^0], 1.2.0 available)
Dependencies are affected by security advisories:
If resolution identifies an advisory, the Dart team recommends that you follow the link and review the advisory. If you assess that the vulnerability affects your package (for example, the vulnerable code path is reachable from your code), you should strongly consider upgrading to a non-affected version of the dependency; the output names the newest available version.
Ignoring security advisories
If a security advisory is not relevant for your application, you can suppress the warning by adding the advisory identifier to the ignored_advisories list in the pubspec.yaml of your package. For example, the following ignores the advisory with the GHSA identifier
The ignored_advisories list only affects the root package. An ignored_advisories list in the pubspec.yaml of one of your dependencies has no effect on package resolution for your own package, so you must assess and, if appropriate, ignore each advisory yourself.
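As an added example (not code from the Dart docs or from the pub tool itself), the following script shows how a CI gate could reconcile the two pieces described above: the per-package "affected by advisory" lines that dart pub get prints, and the root package's ignored_advisories list. It parses a constructed pubspec.yaml and a constructed transcript of pub output whose lines follow the format of the sample above; the GHSA identifiers and package names in it are placeholders, not real advisories. It reports advisories that are not ignored (which should fail the build) and, as an extra check the page does not mention, ignore entries that no longer match any advisory, which is a hint that the entry is stale and can be removed.

```python
import re

# Constructed sample pubspec.yaml for the root package. The GHSA id is a
# placeholder, not a real advisory identifier.
PUBSPEC = """\
name: my_app
environment:
  sdk: ^3.0.0
dependencies:
  http: ^0.13.0
  yaml: ^3.1.0
ignored_advisories:
  - GHSA-aaaa-bbbb-cccc  # reviewed: vulnerable API is never called by my_app
"""

# Constructed sample of `dart pub get` output, following the line format
# "<package> <version> (affected by advisory: <url>, <fix> available)".
# Both advisory URLs are placeholders.
PUB_OUTPUT = """\
  http 0.13.0 (affected by advisory: https://github.com/advisories/GHSA-aaaa-bbbb-cccc, 1.2.0 available)
  yaml 3.1.0 (affected by advisory: https://github.com/advisories/GHSA-dddd-eeee-ffff, 3.1.2 available)
Dependencies are affected by security advisories:
"""

# One resolved package line that carries an advisory reference. The
# ", <version> available" part is optional in case no fixed version exists.
ADVISORY_LINE = re.compile(
    r"^\s*(?P<pkg>\S+)\s+(?P<ver>\S+)\s+\(affected by advisory:\s*"
    r"(?P<url>\S+?)(?:,\s*(?P<fix>\S+) available)?\)"
)

GHSA_ID = r"GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}"


def ignored_advisories(pubspec_text):
    """Return the GHSA ids listed under the top-level ignored_advisories key.

    Deliberately a minimal parser: it only understands a flat top-level
    "- id" list, which is the shape pub expects for this key.
    """
    ids = []
    in_block = False
    for line in pubspec_text.splitlines():
        if in_block:
            m = re.match(r"^\s+-\s+(" + GHSA_ID + ")", line)
            if m:
                ids.append(m.group(1))
                continue
            if line.strip() and not line.startswith(" "):
                in_block = False  # reached the next top-level key
        if re.match(r"^ignored_advisories\s*:", line):
            in_block = True
    return ids


def affected_packages(pub_output):
    """Extract package, version, advisory id and fixed version from pub output."""
    found = []
    for line in pub_output.splitlines():
        m = ADVISORY_LINE.match(line)
        if not m:
            continue
        found.append({
            "package": m.group("pkg"),
            "version": m.group("ver"),
            # The advisory id is the last path segment of the GitHub URL.
            "advisory": m.group("url").rsplit("/", 1)[-1],
            "fix": m.group("fix"),
        })
    return found


def audit(pubspec_text, pub_output):
    """Return (unignored, stale).

    unignored: advisory hits not covered by ignored_advisories (act on these).
    stale: ignored ids that no resolved package currently triggers.
    """
    ignored = set(ignored_advisories(pubspec_text))
    hits = affected_packages(pub_output)
    seen = {h["advisory"] for h in hits}
    unignored = [h for h in hits if h["advisory"] not in ignored]
    stale = sorted(ignored - seen)
    return unignored, stale


if __name__ == "__main__":
    unignored, stale = audit(PUBSPEC, PUB_OUTPUT)
    for h in unignored:
        print(f"FAIL {h['package']} {h['version']}: {h['advisory']} "
              f"(fixed in {h['fix'] or 'no release yet'})")
    for ghsa in stale:
        print(f"WARN ignored advisory {ghsa} no longer matches any dependency")
    raise SystemExit(1 if unignored else 0)
```

Run it with the real pubspec.yaml and the captured output of dart pub get in place of the constructed strings. Treating stale ignore entries as warnings keeps the list honest: an ignore added for one version of a dependency should be re-evaluated rather than silently carried over when the dependency is upgraded.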