I'm developing Flutter Dart app https://flutter.dev/
Are there any plans to support those?
As an example https://github.com/privettoli/socia-reto
Thanks in advance!
@privettoli thanks for the suggestion! Up for supporting this but we'll have to hold off until we get some more capacity on the team. Hopefully happening in the next few months 🙌
I work on pub.dev (package manager for Dart / Flutter), and at the moment we don't have any registry of vulnerable packages, but we do hope to develop a vulnerability reporting process and a manner to flag packages. When this happens, we'll probably also expose this data through an API.
The work can be tracked in https://github.com/dart-lang/pub-dev/issues/2160.
If you get around to working on this and are blocked by us, please ping me :)
Awesome, thanks @jonasfj. We'd love to have Dart / Flutter support, and I'm happy to work with anyone who wants to work on it in Dependabot Core. The Dependabot team is a little swamped with new volume right now, but we're working as hard as we can 😄
Hello @jonasfj and @feelepxyz. We are working on a HIPAA compliant consumer application for healthcare providers and patients. HIPAA does require a risk analysis which, effectively, requires covered entities to test their security controls. This includes pentesting and vulnerability scanning/management. In order to get a good idea of where we stand, is there any update to this issue?
@fuhaka,
I doubt you should be blocking on this.
For security I would recommend staying up-to-date with your dependencies and tracking their CHANGELOG whenever a new release is published.
You can automate this with pub upgrade -n.
Note: I'm not familiar with HIPAA, and I can't advise you on compliance.
@jonasfj Thank you for the quick response. I appreciate it and will review the possibility of safely using the pub upgrade -n option in the meantime. Definitely much more interested in the Dependabot support for Dart and a vulnerability database.
Can we get some help from Google to help expedite this? I'm sure they'd be interested in adding this important capability to their Flutter/Dart ecosystem.
Adding a +1 for wanting support for Flutter/Dart in Dependabot :)
Question for @feelepxyz : Would you be ok with a 2 phase approach?
1) Add Dart support that just updates dependencies
2) Improve Dart support to take into account whatever vulnerability tracking https://github.com/dart-lang/pub-dev/issues/2160 provides
I can answer for @feelepxyz on that one: absolutely, yes. 😄
Same here. Phased approach will be great!
Anyone interested in working on this I'd be happy to answer any pub related questions.
To check for updates you can probably just run pub upgrade and compare changes in the pubspec.lock to see compatible updates.
Then use the raw version listing API to get list of package versions to find updates.
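The lockfile-diffing approach described in the comment above, as an added example (not code from Dependabot Core or from pub): two constructed pubspec.lock snapshots stand in for the file before and after running pub upgrade, and the packages whose resolved version changed are reported. Only hosted packages are reported, since path and git dependencies are not served by pub.dev and cannot be bumped by a bot. Package names and versions in the samples are made up for illustration.

```ruby
require "yaml"

# Constructed sample lockfiles (not taken from any real project): the first is
# the pubspec.lock as committed, the second is what `pub upgrade` wrote.
LOCK_BEFORE = <<~YAML
  packages:
    http:
      dependency: "direct main"
      description:
        name: http
        url: "https://pub.dartlang.org"
      source: hosted
      version: "0.12.0+2"
    pedantic:
      dependency: "direct dev"
      description:
        name: pedantic
        url: "https://pub.dartlang.org"
      source: hosted
      version: "1.8.0"
    path:
      dependency: transitive
      description:
        name: path
        url: "https://pub.dartlang.org"
      source: hosted
      version: "1.6.4"
    my_local_lib:
      dependency: "direct main"
      description:
        path: "../my_local_lib"
        relative: true
      source: path
      version: "0.0.1"
  sdks:
    dart: ">=2.6.0 <3.0.0"
YAML

LOCK_AFTER = <<~YAML
  packages:
    http:
      dependency: "direct main"
      description:
        name: http
        url: "https://pub.dartlang.org"
      source: hosted
      version: "0.12.1"
    pedantic:
      dependency: "direct dev"
      description:
        name: pedantic
        url: "https://pub.dartlang.org"
      source: hosted
      version: "1.9.0"
    path:
      dependency: transitive
      description:
        name: path
        url: "https://pub.dartlang.org"
      source: hosted
      version: "1.7.0"
    my_local_lib:
      dependency: "direct main"
      description:
        path: "../my_local_lib"
        relative: true
      source: path
      version: "0.0.1"
  sdks:
    dart: ">=2.6.0 <3.0.0"
YAML

# Map package name => {version, dependency kind, source} from a pubspec.lock.
def lock_versions(lock_text)
  data = YAML.safe_load(lock_text)
  (data["packages"] || {}).transform_values do |entry|
    { version: entry["version"], dependency: entry["dependency"], source: entry["source"] }
  end
end

# Compare two lockfiles and return the hosted packages whose resolved version
# changed. Path and git sources are skipped: they are not pulled from pub.dev,
# so a version change there is not an update a bot could open a PR for.
def compatible_updates(before_text, after_text)
  before = lock_versions(before_text)
  after  = lock_versions(after_text)
  after.each_with_object([]) do |(name, entry), updates|
    old = before[name]
    next if old.nil?                         # newly added package, not an update
    next unless entry[:source] == "hosted"   # skip path/git/sdk sources
    next if old[:version] == entry[:version]
    updates << {
      name: name,
      from: old[:version],
      to: entry[:version],
      direct: entry[:dependency].start_with?("direct"),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  compatible_updates(LOCK_BEFORE, LOCK_AFTER).each do |u|
    kind = u[:direct] ? "direct" : "transitive"
    puts "#{u[:name]}: #{u[:from]} -> #{u[:to]} (#{kind})"
  end
end
```

Versions are compared as strings rather than parsed, which is enough here because pub has already done the resolution: any change between the two snapshots is, by construction, a version the existing constraints allow. The direct/transitive flag is kept because a bot would normally only open PRs for direct dependencies (those declared in pubspec.yaml) and let transitive ones follow.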
Someone just came up with a similar tool: https://github.com/vrtdev/dep_check
Would you take some inspiration?
FYI Dart 2.8 now includes a pub outdated command which might be helpful in implementing dependabot support https://medium.com/dartlang/announcing-dart-2-8-7750918db0a
I want to add to this: pub outdated --json returns an easily parsable JSON tree with the information.
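Consuming the pub outdated --json output mentioned above, as an added example (not code from Dependabot Core or from the Dart SDK). The JSON sample is constructed, not captured from a real project; it follows the command's field names (current, upgradable, resolvable, latest, each holding a version object or null), which is an assumption about the exact shape. The classifier separates updates pub upgrade can already apply from those that need a constraint change in pubspec.yaml and those blocked by other dependencies.

```ruby
require "json"

# Constructed sample of `pub outdated --json` output (assumed shape, not a
# real capture): each of current/upgradable/resolvable/latest is
# {"version": "..."} or null.
OUTDATED_JSON = <<~JSON
  {
    "packages": [
      {
        "package": "http",
        "current":    {"version": "0.12.0+2"},
        "upgradable": {"version": "0.12.1"},
        "resolvable": {"version": "0.12.1"},
        "latest":     {"version": "0.12.1"}
      },
      {
        "package": "pedantic",
        "current":    {"version": "1.8.0"},
        "upgradable": {"version": "1.8.0"},
        "resolvable": {"version": "1.9.0"},
        "latest":     {"version": "1.9.0"}
      },
      {
        "package": "path",
        "current":    {"version": "1.6.4"},
        "upgradable": {"version": "1.6.4"},
        "resolvable": {"version": "1.6.4"},
        "latest":     {"version": "1.7.0"}
      },
      {
        "package": "meta",
        "current":    {"version": "1.1.8"},
        "upgradable": {"version": "1.1.8"},
        "resolvable": {"version": "1.1.8"},
        "latest":     {"version": "1.1.8"}
      }
    ]
  }
JSON

# Extract the version string from a {"version": ...} object, tolerating null.
def version_of(field)
  field && field["version"]
end

# Classify each package by what it would take to move it forward:
#   :up_to_date       current == latest, nothing to do
#   :compatible       `pub upgrade` alone moves it (upgradable differs from current)
#   :constraint_bump  the pubspec.yaml constraint must be widened (resolvable beyond upgradable)
#   :blocked          a newer latest exists but other dependencies prevent resolving it
# pub has already ordered these four versions, so string inequality is enough.
def classify_outdated(json_text)
  JSON.parse(json_text)["packages"].map do |pkg|
    current    = version_of(pkg["current"])
    upgradable = version_of(pkg["upgradable"])
    resolvable = version_of(pkg["resolvable"])
    latest     = version_of(pkg["latest"])
    action =
      if current == latest
        :up_to_date
      elsif upgradable != current
        :compatible
      elsif resolvable != upgradable
        :constraint_bump
      else
        :blocked
      end
    target = { compatible: upgradable, constraint_bump: resolvable, blocked: latest }[action]
    { name: pkg["package"], current: current, target: target, action: action }
  end
end

if __FILE__ == $PROGRAM_NAME
  classify_outdated(OUTDATED_JSON).each do |r|
    puts "#{r[:name]}: #{r[:current]} -> #{r[:target] || '(none)'} [#{r[:action]}]"
  end
end
```

For a bot this split is the useful part: a :compatible entry only needs a lockfile PR, a :constraint_bump entry needs the pubspec.yaml constraint edited as well, and a :blocked entry is worth surfacing but cannot be fixed in isolation. Versions are compared by inequality rather than parsed, which relies on pub having already ordered them; a version with build metadata such as 0.12.0+2 would otherwise need a pub-aware comparison.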