Packages can be published with git: dependencies

[stuartmorgan]

The package https://pub.dev/packages/file_access has, as of the current published version at least, a git: dependency in its pubspec.yaml. Issues:

• It's not part of the archive. If that git repository went away, all users of all versions of this package would be retroactively broken AFAICT, even if they did version pinning.
• It's not listed as a dependency in the pub.dev UI in any way, so this is invisible. I would expect that if this is allowed intentionally, it should at least be surfaced and flagged as dangerous in the dependencies section.
• pana isn't flagging this; the package Health is 99 and Maintenance is 100, even though this seems like an obviously dangerous pattern.

I would expect that this would prevent publishing given the first bullet point, but if it's allowed on purpose it seems like it should be flagged at least per the other two bullet points.

[isoos]

@stuartmorgan: thanks for reporting.

I thought that we have blocked the upload of packages with git dependencies, but apparently we are missing something. For our own reference here are the pointers for pub and pana that should be handling this:

• https://github.com/dart-lang/pub-dev/blob/master/pkg/pub_package_reader/lib/pub_package_reader.dart#L240-L246
• https://github.com/dart-lang/pana/blob/master/lib/src/maintenance.dart#L321-L329

[isoos]

@stuartmorgan: while the package's git repository contains a pubspec.yaml that has a git dependency, the uploaded package archive has it commented out:

dependencies:
  flutter:
    sdk: flutter
  file_picker: ^1.5.0+2
  image_picker: ^0.6.3+4
  # file_chooser:
  #   git:
  #     url: https://github.com/google/flutter-desktop-embedding
  #     path: plugins/file_chooser

[stuartmorgan]

Ah, I didn't think to check the archive's pubspec. Sorry for the false alarm!