At the beginning of this year, we released the Flutter 2022 product roadmap, which stated in its "Infrastructure Construction" section that in 2022 the Flutter team will increase its investment in supply chain security in order to meet the requirements described in SLSA Level 4.
Supply Chain Security
Most open source projects rely on hundreds of open source dependencies [[1]](https://go2.gdsub.com/ospd "GitHub Documentation - Supply Chain Security: Most open source projects rely on hundreds of open source dependencies"). As open source projects are used more widely, these dependencies pose a security risk to their users: what happens if a dependency of an open source project we use is attacked and compromised? That exposes the project's direct users (the end users of the software) to the risk of a supply chain attack.
Supply chain attacks are an emerging security threat targeting software developers and vendors [[2]](https://go2.gdsub.com/scad "Microsoft Documentation - Supply Chain Attacks: Supply Chain Attacks are an Emerging Security Threat Targeting Software Developers and Vendors"). Attackers look for security holes in insecure network protocols, unprotected servers, and insecure code, then modify the code so that hidden malicious code is added to the programs that use it during the build and update process.
To secure the dependency supply chain, developers need to ensure that all dependencies and tools are regularly updated to the latest stable versions, since new versions usually contain the latest features and security fixes for known vulnerabilities. Dependencies include dependent code, binaries, tools, and other components [[3]](https://docs.microsoft.com/en-us/nuget/concepts/security-best-practices#dependency-versions "Microsoft Documentation - Best Practices Regarding Secure Software Supply Chain"). Open source code hosted on GitHub can use GitHub's code scanning to find security vulnerabilities and bugs in the project, and Dependabot to maintain the project's dependencies so that the project is automatically updated to the latest versions of them.
Enable package version detection
Support for Dart packages can be traced back to early April 2019, when Flutter had just released its v1.2 stable version; in May of the same year, Dependabot was acquired by GitHub and its service was made available to developers for free. A community member asked in the dependabot-core#2166 issue for Dependabot to add support for Flutter/Dart. Through the joint efforts of Dependabot and the Dart team, including adding features such as package version detection to the Flutter command line tool, the private beta finally opened on March 22 this year, and the public beta followed on April 5.
Currently, Dependabot version update support for the pub package ecosystem is in the beta phase, and developers can use Dependabot to add package update detection to their Flutter or Dart projects. Only packages published on the pub.dev website are supported at present.
If you want to test Dependabot version update detection in your own Dart or Flutter repository, create a `.github/dependabot.yml` file and add the following content:

```yaml
version: 2
enable-beta-ecosystems: true
updates:
  - package-ecosystem: "pub"
    directory: "/"
    schedule:
      interval: "weekly"
```

Make sure these two parameters are set: `package-ecosystem: "pub"` and `enable-beta-ecosystems: true`.
Known Limitations
The current pub package version detection support is still in beta and has some known limitations. For example, Dependabot security updates are not yet supported; they will be added in a future release.
Other known limitations:
- Updating git-referenced dependencies is not supported
- If you have configured Dependabot to ignore new version detection, no updates will be made
- Private packages and packages published to custom pub servers are not supported
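Before enabling the beta it is useful to know which of a repository's dependencies Dependabot will actually be able to update, and whether the `dependabot.yml` carries the two required settings from the configuration step above. The following script is an added example written for this article; it is not code from the GitHub blog post or from the Dependabot project. It reads `pubspec.yaml` with a small line-based scanner that assumes the conventional 2-space-indented layout (an assumption; it is not a full YAML parser and does not handle inline `{git: ...}` maps), and it flags dependencies whose source is `git`, `path`, `hosted` (a custom pub server) or `sdk`, which correspond to the limitations listed above. The two sample files are constructed for the example.

```python
"""Pre-flight check for Dependabot's pub (beta) version updates.

Added example for this article, not code from GitHub or Dependabot.
Stdlib only: the pubspec reader is a deliberately simple line scanner
that assumes the usual 2-space-indented pubspec.yaml layout.
"""
import re
from typing import Dict, List

# The two settings the article says must be present in .github/dependabot.yml.
REQUIRED_DEPENDABOT_SETTINGS = {
    "enable-beta-ecosystems": re.compile(
        r"^\s*enable-beta-ecosystems:\s*true\s*$", re.M),
    "package-ecosystem": re.compile(
        r'^\s*-?\s*package-ecosystem:\s*"?pub"?\s*$', re.M),
}


def missing_dependabot_settings(dependabot_yml: str) -> List[str]:
    """Return the names of required settings absent from a dependabot.yml."""
    return [name for name, pattern in REQUIRED_DEPENDABOT_SETTINGS.items()
            if not pattern.search(dependabot_yml)]


PUBSPEC_DEP_SECTIONS = ("dependencies", "dev_dependencies",
                        "dependency_overrides")
# Source keys under a dependency that the pub beta will not update:
# git and hosted (custom pub server) per the known limitations; path and
# sdk dependencies are not pub.dev-published packages at all.
UNSUPPORTED_SOURCE_KEYS = {"git", "path", "hosted", "sdk"}


def unsupported_dependencies(pubspec_yaml: str) -> Dict[str, str]:
    """Map each dependency Dependabot will skip to its source key."""
    skipped: Dict[str, str] = {}
    section = None   # name of the top-level dependency section we are in
    current = None   # dependency name at indent 2 inside that section
    for raw in pubspec_yaml.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key = line.strip().split(":", 1)[0]
        if indent == 0:
            section = key if key in PUBSPEC_DEP_SECTIONS else None
            current = None
        elif section and indent == 2:
            current = key          # e.g. "http: ^0.13.4" or "my_fork:"
        elif section and current and indent == 4 and key in UNSUPPORTED_SOURCE_KEYS:
            skipped[current] = key  # e.g. "    git:" under "my_fork:"
    return skipped


# Constructed sample inputs (not taken from any real repository).
SAMPLE_DEPENDABOT_YML = """\
version: 2
enable-beta-ecosystems: true
updates:
  - package-ecosystem: "pub"
    directory: "/"
    schedule:
      interval: "weekly"
"""

SAMPLE_PUBSPEC_YAML = """\
name: example_app
environment:
  sdk: ">=2.17.0 <3.0.0"
dependencies:
  flutter:
    sdk: flutter
  http: ^0.13.4
  my_fork:
    git:
      url: https://github.com/example/my_fork.git
      ref: main
  internal_lib:
    hosted:
      name: internal_lib
      url: https://pub.example.internal
    version: ^1.0.0
dev_dependencies:
  flutter_test:
    sdk: flutter
  local_tool:
    path: ../local_tool
"""

if __name__ == "__main__":
    for name in missing_dependabot_settings(SAMPLE_DEPENDABOT_YML):
        print(f"dependabot.yml is missing required setting: {name}")
    for dep, source in sorted(unsupported_dependencies(SAMPLE_PUBSPEC_YAML).items()):
        print(f"{dep}: {source} dependency, Dependabot pub beta will not update it")
```

Run against a real repository by replacing the two sample strings with the contents of `.github/dependabot.yml` and `pubspec.yaml`; only `http` in the sample is a plain pub.dev dependency, so it is the only one Dependabot would open update pull requests for.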
Developers can make suggestions or vote +1 in the official GitHub feedback discussion, or file issues in the dependabot-core repository to help the team troubleshoot problems.
Thanks
- Source: GitHub Blog - Pub beta support for Dependabot version updates
- Editors: Alex, Luke, CFUG Localization Team
- Graphics: Lynn