Closed stuartmorgan closed 4 years ago
@stuartmorgan: thanks for reporting.
I thought that we had blocked the upload of packages with git dependencies, but apparently we are missing something. For our own reference, here are the pointers for pub and pana that should be handling this:
@stuartmorgan: while the package's git repository contains a pubspec.yaml that has a git dependency, the uploaded package archive has it commented out:

```yaml
dependencies:
  flutter:
    sdk: flutter
  file_picker: ^1.5.0+2
  image_picker: ^0.6.3+4
  # file_chooser:
  #   git:
  #     url: https://github.com/google/flutter-desktop-embedding
  #     path: plugins/file_chooser
```
Ah, I didn't think to check the archive's pubspec. Sorry for the false alarm!
The package https://pub.dev/packages/file_access has, as of the current published version at least, a `git:` dependency in its pubspec.yaml. Issues:

- pana isn't flagging this; the package Health is 99 and Maintenance is 100, even though this seems like an obviously dangerous pattern.

I would expect that this would prevent publishing given the first bullet point, but if it's allowed on purpose it seems like it should be flagged at least per the other two bullet points.
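As an added example, not code from this issue or from pub/pana: a small Python check that walks the dependency sections of a pubspec.yaml and reports every dependency whose source is `git:` or `path:`, which is the flag the reporter expected pana to raise. It only understands the flat mapping layout pubspec files actually use, so it needs no YAML library. The embedded pubspec is constructed for the example; its package names and `example.invalid` URLs are placeholders and do not describe the real file_access manifest. Comments are stripped before inspection, so a commented-out git block like the one in the archive above yields no finding, while live `git:` and `path:` entries (scalar or nested form) do.

```python
"""Flag dependencies in a pubspec.yaml that are sourced from git or a local path.

Stand-alone example; the manifest below is constructed, not a real package's.
"""
from __future__ import annotations

from dataclasses import dataclass

DEPENDENCY_SECTIONS = ("dependencies", "dev_dependencies", "dependency_overrides")
FLAGGED_SOURCES = ("git", "path")  # hosted/sdk sources are left alone


@dataclass
class Finding:
    section: str   # which pubspec section the dependency sits in
    package: str   # dependency name
    source: str    # "git" or "path"
    detail: str    # url/ref/path as written in the manifest


def _strip_comment(line: str) -> str:
    """Drop a YAML comment: a '#' outside quotes at line start or after whitespace."""
    in_single = in_double = False
    for i, ch in enumerate(line):
        if ch == "'" and not in_double:
            in_single = not in_single
        elif ch == '"' and not in_single:
            in_double = not in_double
        elif ch == "#" and not in_single and not in_double and (i == 0 or line[i - 1].isspace()):
            return line[:i].rstrip()
    return line.rstrip()


def _parse_lines(text: str) -> list[tuple[int, str, str]]:
    """Return (indent, key, value) for each non-blank 'key: value' line, comments removed."""
    out = []
    for raw in text.splitlines():
        line = _strip_comment(raw.expandtabs(2))
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        out.append((indent, key.strip(), value.strip()))
    return out


def _inspect(section: str, name: str, inline_value: str,
             block: list[tuple[int, str, str]]) -> list[Finding]:
    """Classify one dependency entry. 'foo: ^1.0.0' is a hosted constraint and is never flagged."""
    if inline_value or not block:
        return []
    child_indent = block[0][0]
    for pos, (indent, key, value) in enumerate(block):
        if indent != child_indent or key not in FLAGGED_SOURCES:
            continue
        if value:                      # scalar form: git: <url> / path: <dir>
            detail = value
        else:                          # nested form: git:\n  url: ...\n  ref: ...
            nested = []
            for ind, k, v in block[pos + 1:]:
                if ind <= child_indent:
                    break
                nested.append(f"{k}={v}")
            detail = ", ".join(nested) or "(no details)"
        return [Finding(section, name, key, detail)]
    return []


def find_unpublishable_sources(pubspec_text: str) -> list[Finding]:
    """Walk each dependency section and collect git/path-sourced dependencies."""
    lines = _parse_lines(pubspec_text)
    findings: list[Finding] = []
    i, n = 0, len(lines)
    while i < n:
        indent, key, _ = lines[i]
        i += 1
        if indent != 0 or key not in DEPENDENCY_SECTIONS:
            continue
        while i < n and lines[i][0] > 0:          # entries of this section
            dep_indent, dep_name, dep_value = lines[i]
            i += 1
            block = []
            while i < n and lines[i][0] > dep_indent:   # the entry's nested lines
                block.append(lines[i])
                i += 1
            findings.extend(_inspect(key, dep_name, dep_value, block))
    return findings


# Constructed sample manifest (placeholder names and URLs, not the real package).
SAMPLE_PUBSPEC = """\
name: file_access
version: 1.0.0

dependencies:
  flutter:
    sdk: flutter
  file_picker: ^1.5.0+2
  image_picker: ^0.6.3+4
  # file_chooser:
  #   git:
  #     url: https://github.com/google/flutter-desktop-embedding
  #     path: plugins/file_chooser
  desktop_helper:
    git:
      url: https://example.invalid/some-org/some-repo.git
      ref: main
  shortcut_git: # constructed: scalar form of a git source
    git: https://example.invalid/some-org/other-repo.git

dev_dependencies:
  test: ^1.16.0
  local_tool:
    path: ../local_tool
"""

if __name__ == "__main__":
    for f in find_unpublishable_sources(SAMPLE_PUBSPEC):
        print(f"{f.section}/{f.package}: {f.source} source ({f.detail})")
```

Run against the archive's pubspec from the comment above, the commented-out `file_chooser` block is discarded by `_strip_comment` and the check reports nothing; against a manifest with a live `git:` or `path:` entry it names the package and section, which is the signal a publish-time gate or a pana score would need.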