Is your feature request related to a problem? Please describe.
As sshnoports and sshnp_flutter are not published packages we include pubspec.lock in this repo, which reflects a snapshot in time for the transitive dependencies.
Dependabot should alert us to any security vulnerabilities for specific versions in pubspec.lock, but will not propose changes to pubspec.yaml where we use ^ (which we do a lot).
This became problematic (#1246) with pinenacl 0.5.1 not working with Dart 3.5.0. The unit tests against noports_core were fixed with an upstream bump (atsign-foundation/dartssh2#3) to 0.6.0, but there were residual problems with pubspec.lock in sshnoports remaining pinned to 0.5.1.
Describe the solution you'd like
Bump pubspec.lock files with dart pub upgrade and introduce a process to periodically review and test changes to transitive dependencies.
Describe alternatives you've considered
If we stop using ^ in the pubspec.yaml then we'll get much more frequent bumps to that, which will result in a progressive march of changes to pubspec.lock.
Additional context
#1254 attempted to solve an instance of problems related to this by introducing additional dependency overrides to pubspec.yaml.
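
One way to support the periodic review proposed above, as an added example that is not part of the original issue or the project's code: a Python script that compares pubspec.lock contents from before and after `dart pub upgrade` and lists the transitive packages whose pinned version changed. The abridged lockfile excerpts, the args entry and the function names are constructed for illustration; only the pinenacl 0.5.1 to 0.6.0 change comes from the issue.

```python
import re

# Constructed, abridged pubspec.lock excerpts (not the repo's real lockfiles).
OLD_LOCK = '''\
packages:
  args:
    dependency: "direct main"
    description:
      name: args
    source: hosted
    version: "2.5.0"
  pinenacl:
    dependency: transitive
    description:
      name: pinenacl
    source: hosted
    version: "0.5.1"
sdks:
  dart: ">=3.0.0 <4.0.0"
'''
NEW_LOCK = OLD_LOCK.replace('version: "0.5.1"', 'version: "0.6.0"')

def parse_lock(text):
    """Return {package: (dependency_kind, version)} from pubspec.lock text."""
    pkgs, name, in_packages = {}, None, False
    for line in text.splitlines():
        if re.match(r"^\S", line):                 # top-level key: packages:, sdks:
            in_packages = line.strip() == "packages:"
            name = None
        elif in_packages and (m := re.match(r"^  (\S+):\s*$", line)):
            name = m.group(1)                      # package entry at 2-space indent
            pkgs[name] = {}
        elif name and (m := re.match(r'^    (dependency|version): "?([^"]*)"?\s*$', line)):
            pkgs[name][m.group(1)] = m.group(2)    # fields at 4-space indent
    return {n: (f.get("dependency"), f.get("version")) for n, f in pkgs.items()}

def transitive_changes(old_text, new_text):
    """List (package, old_version, new_version) for changed transitive deps."""
    old, new = parse_lock(old_text), parse_lock(new_text)
    changes = []
    for pkg in sorted(set(old) | set(new)):
        kind = (new.get(pkg) or old.get(pkg))[0]
        old_v, new_v = old.get(pkg, (None, None))[1], new.get(pkg, (None, None))[1]
        if kind == "transitive" and old_v != new_v:  # added, removed or bumped
            changes.append((pkg, old_v, new_v))
    return changes

if __name__ == "__main__":
    print(transitive_changes(OLD_LOCK, NEW_LOCK))
```

A package that appears in only one of the two lockfiles is reported with `None` on the missing side, so newly introduced or dropped transitive dependencies also show up for review.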