How to improve the security of your Dart and Flutter projects on GitHub

Enabling supply chain security features for Dart and Flutter projects on GitHub

On October 6, 2022, GitHub announced the availability of supply chain security features for the Dart developer ecosystem. This post will review the available options and how to enable these features for your projects.

Note: This article was originally posted on my personal blog — kazlauskas.dev. To get the fresh content first, please consider subscribing to my blog email list.

What is supply chain security?

GitHub is used daily by hundreds of thousands of Dart and Flutter developers building multi-platform apps. By collaborating with GitHub to add Dart to their supply chain security features, Dart developers now have new ways to find and fix issues before they impact their customers.

- Michael Thomsen, Group Product Manager at Google

Supply chain security is a set of features that help you identify and mitigate security risks in your software supply chain:

  • Security advisories — an open database of security advisories that lists known vulnerabilities in packages. Check the GitHub Advisory Database for the current list of security advisories for packages published on pub.dev.
  • Dependency graph — in short, a list of all the dependencies and their versions used in your project. For Dart and Flutter projects, the pubspec.yaml and pubspec.lock files are used to generate the dependency graph. For your Dart and Flutter projects on GitHub, you can check the dependency graph under “Insights -> Dependency graph”.
  • Dependabot alerts and security updates — an automated way to be alerted about security vulnerabilities in the repository and to keep the dependencies up to date by opening a pull request with the latest version of the affected dependency.

Enabling supply chain security features on GitHub

If your Dart or Flutter project's source code resides in a public GitHub repository, you are already (kinda) secured: Dependabot has already started monitoring it for security issues.

However, for private repositories, you need to enable the security features manually. To do so, go to “Settings -> Code security and analysis” and enable the features you need.

Enabling Dependabot version updates

To enable Dependabot version updates for your Dart and Flutter projects, you need to create a dependabot.yml file in your repository. The file should contain the following:

    version: 2
    updates:
      - package-ecosystem: "pub"
        directory: "/"
        schedule:
          interval: "weekly"

  • version: 2 - specifies the version of the configuration file format.
  • package-ecosystem: "pub" - specifies the package manager to use. For your Dart and Flutter projects, this should be pub.
  • directory: "/" - specifies the directory in which to look for the pubspec.yaml file.
  • interval: "weekly" - specifies how often to check for updates. You can use daily, weekly, or monthly.

Then, once Dependabot finds a new version of a dependency, it will open a pull request with the updated version. You can then review the changes and merge the pull request.
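A fuller dependabot.yml than the minimal one above, added here as an example; it is not taken from the original post or from GitHub's documentation. It keeps the pub entry the post describes and adds a pinned schedule, a cap on open pull requests, an ignore rule for major version bumps, a second Dart package in a monorepo, and an entry for the GitHub Actions workflows that build the project. The path /packages/core and the label names are assumptions for illustration.

```yaml
version: 2
updates:
  # Dart/Flutter dependencies declared in the root pubspec.yaml
  - package-ecosystem: "pub"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Etc/UTC"
    # Cap the number of open Dependabot PRs so the review queue stays manageable.
    open-pull-requests-limit: 5
    labels:
      - "dependencies"   # assumed label, must exist in the repository
      - "dart"
    commit-message:
      prefix: "deps"
    # Keep major version bumps out of automated PRs; they usually need code changes
    # and a human decision rather than a routine merge.
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]

  # A second Dart package living in a monorepo (hypothetical path).
  # Each directory containing a pubspec.yaml needs its own entry.
  - package-ecosystem: "pub"
    directory: "/packages/core"
    schedule:
      interval: "weekly"

  # The workflows under .github/workflows: actions are dependencies too,
  # and outdated action versions are part of the same supply chain.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```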

Summary

If you thought that the only free cheese is in the mousetrap, you were wrong. GitHub, in collaboration with the Dart team at Google, has made it possible to improve the security of your Dart and Flutter projects for free. As you may have noticed, most of the features come out of the box. What’s your excuse now not to use them?

Check the official blog post by Google for more details: Partnering with GitHub on supply chain security for Dart packages.



Save trees. Stay SOLID. Thank you!
