GitHub’s supply chain security features now support Dart
Cross-platform apps built with the popular Flutter toolkit can now benefit from Dependabot alerts.
What do applications like Google Ads, eBay Motors, and Alibaba Xianyu have in common? In addition to millions of monthly users, each was built with the popular Flutter framework that is powered by Dart. Given its rapid growth and broad adoption – and thanks to a collaboration with the Dart team at Google – GitHub supply chain security features now support the Dart developer ecosystem. This makes it easier for developers and security teams to visualize, maintain, and secure the dependencies in the Dart software supply chain.
GitHub is used daily by hundreds of thousand Dart and Flutter developers building multi-platform apps. By collaborating with GitHub to add Dart to their supply chain security features, Dart developers now have new ways to find and fix issues before they impact their customers.
We’re grateful to the folks at Google for their contributions here! To learn more about what this means to you as a developer, see Google’s blog post.
About supply chain security
If you’re new to supply chain security, read on for an overview of capabilities now available for Dart. GitHub also maintains documentation for those ready for a deeper dive.
Advisories
The GitHub Advisory Database is an open database of security advisories focused on high quality, actionable vulnerability information for developers. If you’re a Dart package maintainer, you can now use GitHub Security Advisories to collaborate with vulnerability reporters to privately discuss and fix vulnerabilities before announcing them publicly. Additionally, if you find a Dart vulnerability with a CVE that isn’t in the GitHub Advisory Database, you can report it through a community contribution.

Dependency graph
The dependency graph analyzes a repository’s pubspec.yaml and pubspec.lock files to determine the dependencies being used in your project. This serves as a backbone for Dependabot, which alerts you when there is a known vulnerability and creates pull requests to update the affected dependency. To view a repository’s detected dependencies, select the repository’s Insights tab, then select Dependency graph from the sidebar on the left.

The dependency graph is enabled by default for public repositories, but you must enable it for private repositories.
You can prevent Dart vulnerabilities from being introduced in the first place with the dependency review GitHub Action. This action scans pull requests for changes in your Dart dependencies and will raise an error for known vulnerabilities so you can keep them out of your code.
Dependabot alerts and security updates
Dependabot alerts notify you when new vulnerabilities are discovered in Dart packages you’re already using, and Dependabot security updates will create pull requests that automatically upgrade your vulnerable Dart packages to a version without the vulnerability. You can configure both Dependabot alerts and Dependabot security updates so you’re just getting the notifications and pull requests you want for your repository.

Secure your Dart repository
There’s a lot of functionality here! You can get started by securing your Dart repository, or learn more about each of GitHub’s supply chain security features:
- Security advisories
- Dependency graph
- Dependency review
- Dependabot alerts
- Dependabot security updates
Tags:
Written by
Related posts
How GitHub used secret scanning to reach inbox zero
GitHub had 20,000+ secret scanning alerts across 15,000 repositories. Here’s how we separated signal from noise, built remediation workflows, and reached inbox zero in nine months.
6 security settings every GitHub maintainer should enable this week
These six free settings will not make your project unhackable. Nothing will. What they will do is close the easy doors. Turn these on, and your project will be meaningfully harder to attack than it was before.
Inside the Advisory Database and what happens when vulnerability volume breaks records
The GitHub Advisory Database is processing more vulnerability reports than ever before. Here’s what’s driving the surge, how we’re responding, and how the community can help.