fix: fetch Dart package versions from sdk entries #3572

Open
wants to merge 3 commits into
base: main

@sgreg sgreg commented Jan 9, 2025

Description

Packages that are provided by an SDK, mainly Flutter, will have their version set to 0.0.0 in Dart's pubspec.lock file. Their actual version is linked to that SDK, which is defined either as a version range or a minimum supported version, rather than an explicit, single version.

The pubspec.lock file has a dedicated section to define those SDK version range constraints, which is already stored internally when parsing the file itself. The solution now is to look up such a package's SDK name, retrieve the defined version range / lower version boundary, and set the minimum supported version as the package's new version.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

Packages that are provided by an SDK, mainly Flutter, will have their
version set to 0.0.0 in Dart's pubspec.lock file. Their actual version
is linked to that SDK, which is defined either as a version range or a
minimum supported version, rather than an explicit, single version.

The pubspec.lock file has a dedicated section to define those SDK
version range constraints, which is already stored internally when
parsing the file itself. The solution now is to look up such a package's
SDK name, retrieve the defined version range / lower version boundary,
and set the minimum supported version as the package's new version.

Signed-off-by: Sven Gregori <[email protected]>
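
The lookup described in the PR description and commit message above, as an added Go example; it is not the code from this pull request or from Syft. The `lockPackage` type, the function names and the sample data are hypothetical and constructed for illustration, and the sketch assumes the `sdks` section of pubspec.lock has already been parsed into a map and that an SDK package's `description` field names its SDK.

```go
package main

import "fmt"
import "regexp"

// lockPackage holds the pubspec.lock package fields used here (hypothetical type).
type lockPackage struct {
	Name, Version, Source string
	Description           string // for source "sdk": the SDK name, e.g. "flutter"
}

// Inclusive lower bound at the start of a constraint: ">=3.16.0", "^3.1.0", "3.16.0".
var lowerBound = regexp.MustCompile(`^\s*(?:>=|\^)?\s*(\d+\.\d+\.\d+[0-9A-Za-z.+-]*)`)

// minSDKVersion returns the constraint's minimum version; false for "<4.0.0", ">3.0.0", "any", "".
func minSDKVersion(constraint string) (string, bool) {
	if m := lowerBound.FindStringSubmatch(constraint); m != nil {
		return m[1], true
	}
	return "", false
}

// resolveVersions swaps the 0.0.0 placeholder of SDK packages for their SDK's lower bound.
func resolveVersions(pkgs []lockPackage, sdks map[string]string) []lockPackage {
	out := append([]lockPackage(nil), pkgs...) // copy, so the parsed input stays unchanged
	for i, p := range out {
		if p.Source != "sdk" || p.Version != "0.0.0" {
			continue // hosted/git packages already carry a real version
		}
		if v, ok := minSDKVersion(sdks[p.Description]); ok {
			out[i].Version = v
		}
	}
	return out
}

// Constructed sample data, standing in for an already parsed pubspec.lock.
var sampleSDKs = map[string]string{"dart": ">=3.2.0 <4.0.0", "flutter": ">=3.16.0"}
var samplePackages = []lockPackage{
	{"flutter", "0.0.0", "sdk", "flutter"},
	{"http", "1.2.0", "hosted", ""},
	{"custom_engine", "0.0.0", "sdk", "unlisted_sdk"},
}

func main() {
	for _, p := range resolveVersions(samplePackages, sampleSDKs) {
		fmt.Printf("%s %s\n", p.Name, p.Version)
	}
}
```

The version this yields is the SDK's minimum supported version from the lock file, not necessarily the SDK version installed at build time; a package whose SDK has no usable lower bound keeps its 0.0.0 placeholder.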
sgreg and others added 2 commits January 17, 2025 02:05
@wagoodman wagoodman enabled auto-merge (squash) January 22, 2025 15:54
@derbauer97

Hello,

We are very interested in the fix you have proposed as it will benefit our users. Could you please let us know when you plan to release it? We already tested it against one of our applications and the flutter version is now recognized correctly :)

Successfully merging this pull request may close these issues.

Dart: Syft incorrectly generates SBOM with version 0.0.0 for SDK dependencies
3 participants