Commit e72b9e2

Minor fixes and cleanup for security advisories page (#5485)
Follow-up to #5480. Fixes #5458.

A few things:

- Adjusts the placeholder redirect to point to the new page
- Add a cross-link from the pubspec reference page
- Fixes a few typos
- Use descriptive link text instead of "Here"
- Remove `/en` from the GitHub link, so it's more likely to redirect to the desired language of the user
- In the "Ignoring security advisories" section, if putting the pubspec field `ignored_advisories` in code font, it's not really "a list of `ignored_advisories`", but rather a list itself.
- Uses proper capitalization for "GitHub"
- Use "the Dart team" instead of "we" for the recommendation
- Some other minor wording adjustments

_(please take a look :])_
1 parent 7b832ca commit e72b9e2

3 files changed

+27
-18
lines changed


firebase.json

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -182,7 +182,7 @@
182182
{ "source": "/go/publishing-with-service-account", "destination": "/tools/pub/automated-publishing#publishing-from-google-cloud-build", "type": 301 },
183183
{ "source": "/go/sdk-constraint", "destination": "/tools/pub/pubspec#sdk-constraints", "type": 301 },
184184
{ "source": "/go/sdk-version-pinning", "destination": "https://github.com/dart-lang/sdk/wiki/Flutter-Pinned-Packages", "type": 301 },
185-
{ "source": "/go/pub-security-advisories", "destination": "https://github.com/dart-lang/site-www/issues/5458", "type": 301 },
185+
{ "source": "/go/pub-security-advisories", "destination": "/tools/pub/security-advisories", "type": 301 },
186186
{ "source": "/go/test-docs/:page*", "destination": "https://github.com/dart-lang/test/blob/master/pkgs/test/doc/:page*", "type": 301 },
187187
{ "source": "/go/unsound-null-safety", "destination": "/null-safety/unsound-null-safety", "type": 301 },
188188
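Review bot: the placeholder entry being replaced was also a `"type": 301`, so clients that cached the permanent redirect to the GitHub issue will keep landing on the issue until that cache expires; the new destination `/tools/pub/security-advisories` is correct, but a placeholder that is known to be temporary is better registered as a 302 so the later swap takes effect immediately.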

src/tools/pub/pubspec.md

Lines changed: 4 additions & 0 deletions
@@ -94,6 +94,10 @@ A pubspec can have the following fields:
9494
: Optional. List of topics for the package.
9595
[_Learn more._](#topics)
9696

97+
`ignored_advisories`
98+
: Optional. List of ignored security advisories.
99+
[_Learn more._](/tools/pub/security-advisories)
100+
97101
Pub ignores all other fields.
98102

99103
{{site.alert.flutter-note}}
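Review bot: the description added at line 98, "List of ignored security advisories", reads as if whole advisories go into the list, whereas the field holds advisory identifiers (the security-advisories page in this same commit says "adding the advisory identifier to the `ignored_advisories` list"). Suggest ": Optional. List of security advisory identifiers that pub ignores during resolution." so both pages describe the field the same way.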
Lines changed: 22 additions & 17 deletions
@@ -1,17 +1,22 @@
11
---
22
title: Security advisories
3-
description: Use security advisories to inform and be informed about security vulnerabilities.
3+
description: >-
4+
Use security advisories to inform and be informed
5+
about security vulnerabilities in Dart packages.
46
---
57

68
Security advisories are a means to report information about security
7-
vulnerabilities. Pub uses the [Github Advisory Database][]
9+
vulnerabilities. Pub uses the [GitHub Advisory Database][]
810
for publishing security advisories for Dart and Flutter packages.
911

10-
To create an advisory in your Github repository, use Github's security advisory
11-
reporting mechanism as explained [here][].
12+
To create an advisory in your GitHub repository, use
13+
GitHub's security advisory reporting mechanism as
14+
explained in GitHub's docs on [Creating a repository security advisory][].
1215
First you create a draft security advisory, which will then be reviewed by
13-
Github and ingested into the central database.
16+
GitHub and ingested into the central advisory database.
1417

18+
[GitHub Advisory Database]: https://github.com/advisories
19+
[Creating a repository security advisory]: https://docs.github.com/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory
1520

1621
## Security advisories in the pub client
1722

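Review bot: line 10 (unchanged context) still says pub uses the GitHub Advisory Database "for publishing security advisories", but the paragraph that follows describes the advisory being created in the repository, reviewed by GitHub and ingested by GitHub into the database, so pub is a consumer of the database rather than a publisher here. Consider "Pub relies on the [GitHub Advisory Database][] as the source of security advisories for Dart and Flutter packages". Dropping `/en` from the docs.github.com link at line 19 is a good change for the reason the commit message gives.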
@@ -27,16 +32,19 @@ Dependencies are affected by security advisories:
2732
[^0]: https://github.com/advisories/GHSA-4rgh-jx4f-qfcq
2833
```
2934

30-
In such a case we recommend you follow the link and review the advisory. After
31-
reviewing, if you asses that this vulnerability is affecting your package, you
32-
should strongly consider upgrading to another version of your dependency.
35+
If resolution identifies an advisory, the Dart team recommends you
36+
visit the link and review the advisory.
37+
If you assess that the vulnerability affects your package, you
38+
should strongly consider upgrading to a non-affected version of the dependency.
3339

3440

3541
### Ignoring security advisories
3642

37-
If a security advisory is not relevant for your application, you can suppress the
38-
warning by adding the advisory to the list of `ignored_advisories` in the
39-
`pubspec.yaml` of your package. For example:
43+
If a security advisory is not relevant for your application,
44+
you can suppress the warning by adding the advisory identifier to
45+
the `ignored_advisories` list in the `pubspec.yaml` of your package.
46+
For example, the following ignores the advisory
47+
with the CVE identifier `GHSA-4rgh-jx4f-qfcq`:
4048

4149
```yaml
4250
name: myapp
@@ -46,9 +54,6 @@ ignored_advisories:
4654
- GHSA-4rgh-jx4f-qfcq
4755
```
4856
49-
The list of `ignored_advisories` only affects the root package. Ignored
50-
advisories in your dependencies will have no effect on your resolution.
51-
52-
[Github Advisory Database]: https://github.com/advisories
53-
[here]: https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory
54-
57+
The `ignored_advisories` list only affects the root package. Ignored
58+
advisories in your dependencies will have no effect on package resolution
59+
for your own packages.
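Review bot: line 47 calls `GHSA-4rgh-jx4f-qfcq` a "CVE identifier", but the `GHSA-` prefix marks a GitHub Security Advisory identifier (the form CVE IDs take is CVE-YYYY-NNNN), and the github.com/advisories link at line 32 uses that GHSA form; suggest "with the GHSA identifier `GHSA-4rgh-jx4f-qfcq`". It may also help to note in the "Ignoring security advisories" section that an entry in `ignored_advisories` suppresses the warning for every later resolution, so the list is worth revisiting when the dependency is upgraded or the advisory is updated. The rest of the rewording (assess/affects, "non-affected version", root-package scope) reads well.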
