
How to improve the security of your Dart and Flutter projects on GitHub

3 min read

Enabling supply chain security features for Dart and Flutter projects on GitHub


On October 6, 2022, GitHub announced the availability of supply chain security features for the Dart developer ecosystem. This post will review the available options and how to enable these features for your projects.

What is supply chain security?

GitHub is used daily by hundreds of thousands of Dart and Flutter developers building multi-platform apps. By collaborating with GitHub to add Dart to their supply chain security features, Dart developers now have new ways to find and fix issues before they impact their customers.

- Michael Thomsen, Group Product Manager at Google

Supply chain security is a set of features that help you identify and mitigate security risks in your software supply chain:

  • Security advisories - the GitHub Advisory Database, an open database of known vulnerabilities in packages, which now covers packages published on pub.dev. Each advisory records the affected package, the affected version range and the first patched version; that record is what the other two features match your dependencies against.

(Screenshot: GitHub Advisory Database)

Info: Check the GitHub Advisory Database for the current list of security advisories for packages published on pub.dev.

  • Dependency graph - the list of all dependencies, direct and transitive, together with the versions used in your project. For Dart and Flutter projects, GitHub parses the pubspec.yaml and pubspec.lock files to build the graph, so commit your pubspec.lock if you want the exact resolved versions (not just the constraints) to be checked.

(Screenshot: Dependency graph)

Info: For your Dart and Flutter projects on GitHub, you can view the dependency graph under "Insights -> Dependency graph".

  • Dependabot alerts and security updates - Dependabot alerts notify you when a package in the dependency graph matches a security advisory. Dependabot security updates go one step further and open a pull request that bumps the affected package to the minimum patched version, so the fix is a review and a merge away. Dependabot version updates (covered below) are a separate, opt-in feature that keeps all dependencies current, not only vulnerable ones.

(Screenshot: Dependabot alerts)
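To make concrete what a Dependabot alert actually computes from the dependency graph and an advisory, here is an added example (my own code, not GitHub's or the Dart team's, and not from the original post): it reads the locked versions out of a pubspec.lock and reports every package whose version falls inside an advisory's affected range. The lockfile excerpt, the package "example_widget" and the advisory ids and ranges are constructed for the example. Python is used because it runs without a Dart SDK; the lockfile layout it parses is the one pub writes.

```python
"""Match the packages pinned in a pubspec.lock against a list of advisories.

Added, illustrative re-implementation of the question behind a Dependabot alert:
"is the locked version of this package inside an advisory's affected range?".
Not GitHub's or the Dart team's code; standard library only.
"""
import re

# Constructed pubspec.lock excerpt (not taken from any real project).
SAMPLE_LOCK = """\
packages:
  http:
    dependency: "direct main"
    source: hosted
    version: "0.13.4"
  example_widget:
    dependency: transitive
    source: hosted
    version: "2.0.1"
sdks:
  dart: ">=2.18.0 <3.0.0"
"""

# Constructed advisories in the shape of an advisory-database entry. The ids,
# the package "example_widget" and the ranges are made up for this example.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "example_widget",
     "affected": "<2.1.0", "patched": "2.1.0"},
    {"id": "EXAMPLE-0002", "package": "http",
     "affected": ">=0.12.0 <0.13.0", "patched": "0.13.0"},
]

_PKG_RE = re.compile(r"^  ([A-Za-z0-9_]+):\s*$")            # package name at indent 2
_VER_RE = re.compile(r'^    version:\s*"?([^"\s]+)"?\s*$')  # its version at indent 4
_CMP_RE = re.compile(r"(>=|<=|>|<|=)?\s*([0-9][^\s]*)")      # one comparator of a range


def parse_lock(lock_text: str) -> dict:
    """Return {package: version} from a pubspec.lock without a YAML library.

    pub writes the lockfile with fixed two-space indentation, so package names
    are the only keys at indent 2 under 'packages:' and 'version' sits at indent 4.
    """
    packages, in_packages, current = {}, False, None
    for line in lock_text.splitlines():
        if line.rstrip() == "packages:":
            in_packages = True
            continue
        if in_packages and line and not line.startswith(" "):
            in_packages = False  # reached the next top-level key, e.g. 'sdks:'
        if not in_packages:
            continue
        m = _PKG_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _VER_RE.match(line)
        if m and current:
            packages[current] = m.group(1)
    return packages


def parse_version(v: str) -> tuple:
    """Parse a pub (semver) version into a sortable tuple.

    A pre-release such as 1.0.0-beta sorts before 1.0.0, hence the 0/1 flag in
    the fourth position. Build metadata after '+' is ignored, as semver requires.
    """
    core, _, _build = v.partition("+")
    core, _, pre = core.partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a semver version: {v!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch, 0 if pre else 1, pre)


def in_range(version: str, constraint: str) -> bool:
    """True if version satisfies every comparator of a space-separated
    constraint such as '>=0.12.0 <0.13.0' or '<2.1.0'."""
    comparators = _CMP_RE.findall(constraint)
    if not comparators:
        raise ValueError(f"empty constraint: {constraint!r}")
    v = parse_version(version)
    ops = {">=": v.__ge__, "<=": v.__le__, ">": v.__gt__, "<": v.__lt__}
    return all(ops.get(op, v.__eq__)(parse_version(bound)) for op, bound in comparators)


def find_vulnerable(lock_text: str, advisories: list) -> list:
    """Return (advisory id, package, locked version, first patched version) for
    every locked package whose version is inside an advisory's affected range."""
    locked = parse_lock(lock_text)
    hits = []
    for adv in advisories:
        version = locked.get(adv["package"])
        if version is not None and in_range(version, adv["affected"]):
            hits.append((adv["id"], adv["package"], version, adv["patched"]))
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print("%s: %s %s is affected, upgrade to >=%s" % hit)
```

Run as-is it reports only example_widget: http 0.13.4 sits above the affected range of the second constructed advisory, which is exactly the distinction (affected range versus merely "old") that an alert makes, and why a committed pubspec.lock matters: the match is on the resolved version, not on the caret constraint in pubspec.yaml.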

Enabling supply chain security features on GitHub

If your Dart or Flutter project lives in a public GitHub repository, you are largely covered already: GitHub builds the dependency graph and runs Dependabot alerts for public repositories without any configuration. It is still worth opening "Settings -> Code security and analysis" once to confirm which features are on, because Dependabot security updates and version updates are not the same thing as alerts and may need to be switched on separately.

However, for private repositories, you need to enable the security features manually. To do so, go to "Settings -> Code security and analysis" and enable the features you need (the dependency graph is a prerequisite for Dependabot alerts, and alerts are a prerequisite for security updates):

(Screenshot: Code security and analysis)

Enabling Dependabot version updates

To enable Dependabot version updates for your Dart and Flutter projects, you need to create a .github/dependabot.yml file in your repository. The file should contain the following (indentation matters, as it is YAML):

.github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "pub"
    directory: "/"
    schedule:
      interval: "weekly"
  • version: 2 - the version of the configuration file format; 2 is the only supported value.
  • package-ecosystem: "pub" - the package manager to use. For Dart and Flutter projects, this is pub.
  • directory: "/" - the directory, relative to the repository root, that contains the pubspec.yaml file. A repository with several packages needs one updates entry per directory.
  • schedule.interval: "weekly" - how often to check for updates. You can use daily, weekly, or monthly.

Then, once Dependabot finds a new version of a dependency, it will create a pull request with the updated version. You can then review the changes (run your tests and read the upstream changelog; a version bump is still third-party code entering your build) and merge the pull request:

(Screenshot: Dependabot pull request)
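The minimal file above is enough to get started; a configuration closer to what a real Flutter repository ends up with is shown below as an added example (not from the original post). It assumes a hypothetical layout with the app at the root and a second package in packages/shared, and a hypothetical package "legacy_plugin" that the team is not ready to move to a new major version yet. The keys used (open-pull-requests-limit, labels, commit-message, ignore with update-types) are documented dependabot.yml options.

```yaml
# .github/dependabot.yml  (added example; the paths and package names are hypothetical)
version: 2
updates:
  # The Flutter app at the repository root.
  - package-ecosystem: "pub"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Cap how many version-update PRs can be open at once (the default is 5);
    # a flood of bumps tends to get merged without review, which defeats the point.
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
    commit-message:
      prefix: "deps"
    ignore:
      # Hypothetical package kept on its current major until the migration is
      # scheduled. Keep ignore rules this narrow: ignoring a package outright also
      # silences the bumps you want.
      - dependency-name: "legacy_plugin"
        update-types: ["version-update:semver-major"]

  # A second package in the same repository needs its own entry, because each
  # entry points at exactly one directory containing a pubspec.yaml.
  - package-ecosystem: "pub"
    directory: "/packages/shared"
    schedule:
      interval: "weekly"
      day: "monday"
    labels:
      - "dependencies"
```

Two practical notes: Dependabot only reads this file from the default branch, so it has no effect while it sits on a feature branch; and the pull requests it opens update both pubspec.yaml and pubspec.lock, so the dependency graph (and any alert based on it) reflects the merged version immediately.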

Summary

If you thought that the only free cheese is in the mousetrap, you were wrong. GitHub, in a collaboration with the Dart team at Google, has made it possible to improve the security of your Dart and Flutter projects for free. As you may notice, most of the features come out of the box. What's your excuse now not to use them?

Info: Check the official blog post by Google for more details: Partnering with GitHub on supply chain security for Dart packages.


Save trees. Stay SOLID. Thanks for reading.
