The Dart ecosystem uses the pub package manager to manage shared packages and libraries. Packages can be sourced from a registry, a git repository, or the local file system.
Find a file named `pubspec.yaml`.
We attempt all of the strategies below and select the result of the successful strategy with the highest preference.
| Preference | Strategy | Direct Deps | Transitive Deps | Edges | Container Scanning |
|---|---|---|---|---|---|
| Highest | 1. `pubspec.yaml` and `pubspec.lock` are discovered, and `flutter pub deps -s compact` can be executed | ✅ | ✅ | ✅ | ❌ |
| | 2. `pubspec.yaml` and `pubspec.lock` are discovered, and `dart pub deps -s compact` can be executed | ✅ | ✅ | ✅ | ❌ |
| | 3. `pubspec.yaml` and `pubspec.lock` are discovered, and `pub deps -s compact` can be executed | ✅ | ✅ | ✅ | ❌ |
| | 4. `pubspec.yaml` and `pubspec.lock` are discovered | ✅ | ✅ | ❌ | ✅ |
| Lowest | 5. Only `pubspec.yaml` is discovered | ✅ | ❌ | ❌ | ✅ |

Where,
- ✅ - Supported in all projects
- ❌ - Not Supported
It is recommended that `pub get` is executed prior to analyzing a Dart project. This ensures dependencies are retrieved, so the `pub deps -s compact` command can produce edges between direct and transitive dependencies.

- Path dependencies are not reported, and will be ignored in analyses. All descendant dependencies of the path dependency will be promoted to the ancestor of the path dependency.
- SDK dependencies are not reported, and will be ignored in analyses. All descendant dependencies of the SDK dependency will be promoted to the ancestor of the SDK dependency.
Create a new Dart project by creating a `pubspec.yaml` file.

```yaml
name: some_example
description: some example description
version: 1.0.0+1

environment:
  sdk: ">=2.0.0 <3.0.0"

dependencies:
  path: ">= 1.2.0 <3.0.0"
  encrypt:
    git: https://github.com/leocavalcante/encrypt.git
  flutter:
    sdk: flutter
  provider: ^5.0.0
  quiver: any

flutter:
  uses-material-design: true
```

Execute `dart pub get` to retrieve packages from the spec file. When performed, it will create a `pubspec.lock` file.
```yaml
# Generated by pub
# See https://dart.dev/tools/pub/glossary#lockfile
packages:
  args:
    dependency: transitive
    description:
      name: args
      url: "https://pub.dartlang.org"
    source: hosted
    version: "2.2.0"
  asn1lib:
    dependency: transitive
    description:
      name: asn1lib
      url: "https://pub.dartlang.org"
    source: hosted
    version: "1.0.2"
  characters:
    dependency: transitive
    description:
      name: characters
      url: "https://pub.dartlang.org"
    source: hosted
    version: "1.1.0"
  clock:
    dependency: transitive
    description:
      name: clock
      url: "https://pub.dartlang.org"
    source: hosted
    version: "1.1.0"
  collection:
    dependency: transitive
    description:
      name: collection
      url: "https://pub.dartlang.org"
    source: hosted
    version: "1.15.0"
  convert:
    dependency: transitive
    description:
      name: convert
      url: "https://pub.dartlang.org"
    source: hosted
    version: "3.0.1"
  crypto:
    dependency: transitive
    description:
      name: crypto
      url: "https://pub.dartlang.org"
    source: hosted
    version: "3.0.1"
  encrypt:
    dependency: "direct main"
    description:
      path: "."
      ref: HEAD
      resolved-ref: bc2a3f44339574edb5c374b991b6386c495a1bbb
      url: "https://github.com/leocavalcante/encrypt.git"
    source: git
    version: "5.0.1"
  flutter:
    dependency: "direct main"
    description: flutter
    source: sdk
    version: "0.0.0"
  js:
    dependency: transitive
    description:
      name: js
      url: "https://pub.dartlang.org"
    source: hosted
    version: "0.6.3"
  matcher:
    dependency: transitive
    description:
      name: matcher
      url: "https://pub.dartlang.org"
    source: hosted
    version: "0.12.11"
  meta:
    dependency: transitive
    description:
      name: meta
      url: "https://pub.dartlang.org"
    source: hosted
    version: "1.7.0"
  nested:
    dependency: transitive
    description:
      name: nested
      url: "https://pub.dartlang.org"
    source: hosted
    version: "1.0.0"
  path:
    dependency: "direct main"
    description:
      name: path
      url: "https://pub.dartlang.org"
    source: hosted
    version: "1.8.0"
  pointycastle:
    dependency: transitive
    description:
      name: pointycastle
      url: "https://pub.dartlang.org"
    source: hosted
    version: "3.3.0"
  provider:
    dependency: "direct main"
    description:
      name: provider
      url: "https://pub.dartlang.org"
    source: hosted
    version: "5.0.0"
  quiver:
    dependency: "direct main"
    description:
      name: quiver
      url: "https://pub.dartlang.org"
    source: hosted
    version: "3.0.1"
  sky_engine:
    dependency: transitive
    description: flutter
    source: sdk
    version: "0.0.99"
  stack_trace:
    dependency: transitive
    description:
      name: stack_trace
      url: "https://pub.dartlang.org"
    source: hosted
    version: "1.10.0"
  typed_data:
    dependency: transitive
    description:
      name: typed_data
      url: "https://pub.dartlang.org"
    source: hosted
    version: "1.3.0"
  vector_math:
    dependency: transitive
    description:
      name: vector_math
      url: "https://pub.dartlang.org"
    source: hosted
    version: "2.1.0"
sdks:
  dart: ">=2.12.0 <3.0.0"
  flutter: ">=1.16.0"
```
Dependencies can be inspected using `dart pub deps -s compact`:

```text
Dart SDK 2.14.0-301.0.dev
Flutter SDK 2.4.0-4.0.pre
some_example 1.0.0+1

dependencies:
- encrypt 5.0.1 [args asn1lib clock collection crypto pointycastle]
- flutter 0.0.0 [characters collection meta typed_data vector_math sky_engine]
- path 1.8.0
- provider 5.0.0 [collection flutter nested]
- quiver 3.0.1 [matcher]

transitive dependencies:
- args 2.2.0
- asn1lib 1.0.2
- characters 1.1.0
- clock 1.1.0
- collection 1.15.0
- convert 3.0.1 [typed_data]
- crypto 3.0.1 [collection typed_data]
- js 0.6.3
- matcher 0.12.11 [stack_trace]
- meta 1.7.0
- nested 1.0.0 [flutter]
- pointycastle 3.3.0 [collection convert js]
- sky_engine 0.0.99
- stack_trace 1.10.0 [path]
- typed_data 1.3.0 [collection]
- vector_math 2.1.0
```
When the `pub deps` command is successfully executed and the lockfile is discovered (strategy 1, 2, or 3), analyses would yield the following dependency graph:
Note: Dependencies in yellow boxes are direct dependencies; the rest are transitive dependencies. All descendant dependencies of SDK dependencies are promoted to their ancestor, e.g. characters, collection, meta, typed_data, and vector_math.
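
The promotion rule described in the note above, as an added example (not FOSSA's own code): it parses `pub deps -s compact` output into edges, drops packages whose lockfile `source` is `sdk` or `path`, and re-attaches their children to each ancestor. The input is a constructed subset of the output shown earlier; the `UNREPORTED` set, the function names, and the cycle guard are assumptions of this example.

```python
import re

# Constructed sample: a self-consistent subset of the compact output shown earlier.
COMPACT = """\
dependencies:
- flutter 0.0.0 [characters collection meta typed_data vector_math sky_engine]
- path 1.8.0
- provider 5.0.0 [collection flutter nested]

transitive dependencies:
- characters 1.1.0
- collection 1.15.0
- meta 1.7.0
- nested 1.0.0 [flutter]
- sky_engine 0.0.99
- typed_data 1.3.0 [collection]
- vector_math 2.1.0
"""
# Assumption: names whose pubspec.lock entry has `source: sdk` (or `source: path`).
UNREPORTED = {"flutter", "sky_engine"}
LINE = re.compile(r"^- (\S+) (\S+)(?: \[(.*)\])?$")

def parse_compact(text):
    """Return (direct, edges): direct package names and name -> child names."""
    direct, edges, section = [], {}, None
    for line in text.splitlines():
        if line.endswith(":") and not line.startswith("- "):
            section = line[:-1]  # e.g. "dependencies", "transitive dependencies"
        elif (m := LINE.match(line)) and section:
            name, _version, children = m.groups()
            edges[name] = children.split() if children else []
            if section in ("dependencies", "dev dependencies"):
                direct.append(name)
    return direct, edges

def promote(direct, edges, unreported):
    """Drop unreported packages, attaching their children to each ancestor."""
    def expand(names, seen=()):
        out = []
        for n in names:
            if n not in unreported:
                out.append(n)
            elif n not in seen:  # guard against cycles among unreported packages
                out.extend(expand(edges.get(n, []), seen + (n,)))
        return sorted(set(out))
    kept = {p: expand(c) for p, c in edges.items() if p not in unreported}
    return expand(direct), kept

print(promote(*parse_compact(COMPACT), UNREPORTED))
```

The first element of the result is the promoted list of direct dependencies; `provider` and `nested` each inherit the children of `flutter` in place of the edge to `flutter` itself.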
If the `pub deps` command is not successfully executed:
You can explicitly specify the analysis target in the `.fossa.yml` file.
The example below excludes all analysis targets except pub.

```yaml
# .fossa.yml
version: 3
targets:
  only:
    - type: pub
```