chore: check in pubspec.lock for supply chain security#350
Merged
marandaneto merged 4 commits intomainfrom Mar 31, 2026
Merged
Conversation
…security - Remove pubspec.lock from .gitignore - The lock file includes sha256 content hashes (Dart 2.19+) which pub verifies on every resolve, catching tampered packages - CI now uses pinned transitive deps instead of resolving fresh each run - To update dependencies, run 'flutter pub upgrade' and commit the diff
Consumers should resolve their own dependency versions, not use ours. The lock file stays in the repo for CI reproducibility and hash verification.
Pin CocoaPods transitive dependencies for CI reproducibility. The example is an app (not a library), so lock files should be tracked.
Contributor
|
macOS lockfile stale? CI is failing |
Member
Author
prob, have to check, works on my machine :D |
Member
Author
done |
dustinbyrne
approved these changes
Mar 31, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
💡 Motivation and Context
Without lock files checked in, every CI run resolves fresh dependencies. If a transitive dependency gets compromised between runs, CI silently pulls the malicious version with no diff to review.
While the Dart convention recommends not checking in lock files for libraries (to test compatibility breadth), this trades security for flexibility. We can have both by:
pubspec.lockfrom the published package via.pubignoreso consumers resolve their own versionsflutter pub upgrade/pod updateto test newer versions explicitlyWhat this gives us
flutter pub get, catching tampered packages (Dart 2.19+)Podfile.lockpins native iOS/macOS transitive deps for the example app.pubignoreensures the lock file is excluded from the published package💚 How did you test it?
flutter pub get— resolves successfully with the checked-in lock filepubspec.lockcontains sha256 hashes for all hosted packagesPodfile.lockfiles contain pinned versions and checksums📝 Checklist
Changes
pubspec.lockfrom.gitignore(was listed twice, both removed)Podfile.lockfrom.gitignorepubspec.lockto source control (Dart/Flutter dependencies)example/ios/Podfile.lockto source control (iOS CocoaPods dependencies)example/macos/Podfile.lockto source control (macOS CocoaPods dependencies)posthog_flutter/.pubignoreto exclude lock file from published package