Merge branch 'main' into feat/eleventy-migration

parlough · parlough · commit 518f98ef3846 · 2024-01-24T12:56:01.000-06:00
diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
@@ -41,7 +41,7 @@ jobs:
 
       # Upload the results as artifacts (optional).
       - name: "Upload artifact"
-        uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6
+        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8
         with:
           name: SARIF file
           path: results.sarif
diff --git a/firebase.json b/firebase.json
@@ -182,7 +182,7 @@
       { "source": "/go/publishing-with-service-account", "destination": "/tools/pub/automated-publishing#publishing-from-google-cloud-build", "type": 301 },
       { "source": "/go/sdk-constraint", "destination": "/tools/pub/pubspec#sdk-constraints", "type": 301 },
       { "source": "/go/sdk-version-pinning", "destination": "https://github.com/dart-lang/sdk/wiki/Flutter-Pinned-Packages", "type": 301 },
-      { "source": "/go/pub-security-advisories", "destination": "https://github.com/dart-lang/site-www/issues/5458", "type": 301 },
+      { "source": "/go/pub-security-advisories", "destination": "/tools/pub/security-advisories", "type": 301 },
       { "source": "/go/test-docs/:page*", "destination": "https://github.com/dart-lang/test/blob/master/pkgs/test/doc/:page*", "type": 301 },
       { "source": "/go/unsound-null-safety", "destination": "/null-safety/unsound-null-safety", "type": 301 },
 
diff --git a/src/_data/side-nav.yml b/src/_data/side-nav.yml
@@ -190,6 +190,8 @@
           permalink: /tools/pub/troubleshoot
         - title: Verified publishers
           permalink: /tools/pub/verified-publishers
+        - title: Security advisories
+          permalink: /tools/pub/security-advisories
         - title: Versioning
           permalink: /tools/pub/versioning
 
diff --git a/src/content/index.html b/src/content/index.html
@@ -16,7 +16,7 @@
                     type='video/webm;codecs="vp8, vorbis"' />
             <source src="assets/dash/video/hotreload.mp4"
                     type='video/mp4;codecs="avc1.42E01E, mp4a.40.2"' />
-            <img src=assets/dash/2x/paint-your-ui.png alt="Paint your UI" />
+            <img src="assets/dash/2x/paint-your-ui.png" alt="Paint your UI" />
         </video>
     </section>
 </div>
diff --git a/src/content/tools/pub/pubspec.md b/src/content/tools/pub/pubspec.md
@@ -94,6 +94,10 @@ A pubspec can have the following fields:
 : Optional. List of topics for the package.
   [_Learn more._](#topics)
 
+`ignored_advisories`
+: Optional. List of ignored security advisories.
+  [_Learn more._](/tools/pub/security-advisories)
+
 Pub ignores all other fields.
 
 :::flutter-note
diff --git a/src/content/tools/pub/security-advisories.md b/src/content/tools/pub/security-advisories.md
@@ -0,0 +1,59 @@
+---
+title: Security advisories
+description: >-
+  Use security advisories to inform and be informed
+  about security vulnerabilities in Dart packages.
+---
+
+Security advisories are a means to report information about security
+vulnerabilities. Pub uses the [GitHub Advisory Database][]
+for publishing security advisories for Dart and Flutter packages. 
+
+To create an advisory in your GitHub repository, use
+GitHub's security advisory reporting mechanism as
+explained in GitHub's docs on [Creating a repository security advisory][].
+First you create a draft security advisory, which will then be reviewed by
+GitHub and ingested into the central advisory database.
+
+[GitHub Advisory Database]: https://github.com/advisories
+[Creating a repository security advisory]: https://docs.github.com/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory
+
+## Security advisories in the pub client
+
+The pub client surfaces security advisories at dependency resolution.
+For instance, when running `dart pub get` you will get the following output:
+
+```terminal
+$ dart pub get
+Resolving dependencies...
+http 0.13.0 (affected by advisory: [^0], 1.2.0 available)
+Got dependencies!
+Dependencies are affected by security advisories:
+  [^0]: https://github.com/advisories/GHSA-4rgh-jx4f-qfcq
+```
+
+If resolution identifies an advisory, the Dart team recommends you
+visit the link and review the advisory.
+If you assess that the vulnerability affects your package, you
+should strongly consider upgrading to a non-affected version of the dependency.
+
+
+### Ignoring security advisories
+
+If a security advisory is not relevant for your application,
+you can suppress the warning by adding the advisory identifier to
+the `ignored_advisories` list in the `pubspec.yaml` of your package.
+For example, the following ignores the advisory
+with the CVE identifier `GHSA-4rgh-jx4f-qfcq`:
+
+```yaml
+name: myapp
+dependencies:
+  foo: ^1.0.0
+ignored_advisories:
+ - GHSA-4rgh-jx4f-qfcq
+```
+
+The `ignored_advisories` list only affects the root package. Ignored
+advisories in your dependencies will have no effect on package resolution
+for your own packages.
