Add reference documentation for 'ignored_advisories' in the pubspec #5487

Merged
merged 5 commits into from
Jan 26, 2024
20 changes: 19 additions & 1 deletion src/tools/pub/pubspec.md
Expand Up @@ -96,7 +96,7 @@ A pubspec can have the following fields:

`ignored_advisories`
: Optional. List of ignored security advisories.
[_Learn more._](/tools/pub/security-advisories)
[_Learn more._](#ignored_advisories)

Pub ignores all other fields.

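Review bot: the new link target `#ignored_advisories` has to match the id the site generates for the `### Ignored_advisories` heading added later in this file; that heading is capitalized, so confirm the generated slug is lowercased (or adjust the heading) before merging, otherwise the `Learn more` link lands nowhere. Also note that this line previously pointed at `/tools/pub/security-advisories` and now points at the in-page section; since the new section itself links to the security-advisories page, the cross-reference survives, but it is worth checking that nothing else on the page relied on the old target.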
Expand Down Expand Up @@ -449,6 +449,24 @@ Pub.dev requires topics to follow these specifications:
When choosing topics, consider if [existing topics]({{site.pub}}/topics)
are relevant. Tagging with existing topics helps users discover your package.

### Ignored_advisories

If a package has a dependency which is affected by a security advisory, the pub
client will warn about the advisory at dependency resolution. Package authors
can use the 'ignored_advisories' property to allowlist an advisory that is not
relevant for the package. To suppress the warning about an advisory, add the
advisory identifier to the 'ignored_advisories' list. For example:

```yaml
name: myapp
dependencies:
foo: ^1.0.0
ignored_advisories:
- GHSA-4rgh-jx4f-qfcq
```

For more information, see [Security advisories](/tools/pub/security-advisories).

### SDK constraints

A package can indicate which versions of its dependencies it supports, but
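Review bot: the property name is written as 'ignored_advisories' in single quotes twice in the new paragraph, while the field list above renders it as `ignored_advisories`; use backticks here too. In the YAML example, `foo: ^1.0.0` appears at the same indentation as `dependencies:`, which would make `foo` a top-level key rather than a dependency; confirm it is indented under `dependencies:` in the source file. The heading `### Ignored_advisories` also reads oddly beside `### SDK constraints`; if it is meant to be the literal field name, put it in backticks, bearing in mind that the `#ignored_advisories` link in the earlier hunk depends on the id this heading produces. Finally, the section tells readers to add the advisory identifier but not where to obtain it (the resolution warning the paragraph mentions) or that the entry should be revisited when the affected dependency is upgraded, which is when a suppressed warning stops being justified; one sentence on each would make the reference complete.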
Expand Down