Add reference documentation for 'ignored_advisories' in the pubspec #5487

Merged
merged 5 commits into from
Jan 26, 2024
24 changes: 23 additions & 1 deletion src/tools/pub/pubspec.md
@@ -96,7 +96,7 @@ A pubspec can have the following fields:

`ignored_advisories`
: Optional. List of ignored security advisories.
[_Learn more._](/tools/pub/security-advisories)
[_Learn more._](#ignored_advisories)

Pub ignores all other fields.

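Review bot: the new in-page link `#ignored_advisories` only resolves if the slug the site generates for the new heading is exactly `ignored_advisories`; the heading added in this patch is `### Ignored_advisories`, which does not follow the sentence-style headings used elsewhere in this file (`### SDK constraints`), so either verify the rendered anchor or use `### Ignored advisories` with an explicit anchor if the site generator supports one. Replacing the link to `/tools/pub/security-advisories` here is acceptable only because the new section links to that page itself.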
@@ -449,6 +449,28 @@ Pub.dev requires topics to follow these specifications:
When choosing topics, consider if [existing topics]({{site.pub}}/topics)
are relevant. Tagging with existing topics helps users discover your package.

### Ignored_advisories

If a package has a dependency that is affected by a security advisory,
pub warns about the advisory during dependency resolution.
Package authors can use the `ignored_advisories` field as an allowlist
of triggered advisories that are not relevant for the package.

To suppress the warning about an advisory,
add the advisory identifier to the `ignored_advisories` list.
For example:

```yaml
name: myapp
dependencies:
foo: ^1.0.0
ignored_advisories:
- GHSA-4rgh-jx4f-qfcq
```

For more information, check out
[Security advisories](/tools/pub/security-advisories).

### SDK constraints

A package can indicate which versions of its dependencies it supports, but
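Review bot: the YAML example places `foo: ^1.0.0` at the same indentation level as `dependencies:`, so as shown it reads as a top-level key rather than a dependency; make sure the source file indents it under `dependencies:`. Two documentation gaps in the same section: "allowlist" is a confusing label for a list whose entries are advisory IDs whose warnings are being silenced, so "ignore list" or "suppressed advisories" would read more accurately; and the text does not say what the suppression is scoped to (whether it is tied to the listed dependency version or applies to every future resolution), which readers of a security page will want stated. Since the entry is a security decision, the example would also benefit from showing the rationale recorded next to the ID, for example `- GHSA-4rgh-jx4f-qfcq # affected code path is not reachable from this package`.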