3. Dependencies & Third-Party Libraries

Dependency Health Overview

Up-to-date Dependencies: 35 / 100
Vulnerability Scanning: 0 / 100
License Compliance: 25 / 100

3.1 Dependency Versions & Updates

Status: ⚠️ Warning

Findings:

  • Multiple dependencies reference a Git branch (ref: stable) rather than a version tag; a branch is easier to update than a fixed commit, but it gives none of the guarantees of semantic versioning
  • Git dependencies use stable branch references from custom Git server (git.mybns.com):
    • markedeer_entity_api uses ref: stable
    • markedeer_oauth uses ref: stable
    • flutter_markedeer_mobile_content uses ref: stable
    • markedeer_markup_widget uses ref: stable
  • markedeer_dynamic_form_builder uses local path dependency (../flutter-markedeer-dynamic-form-builder)
  • Using branch references is better than fixed commits but still prevents precise version control
  • Project pins Flutter to version 3.24.3 via .fvmrc (FVM - Flutter Version Management)
  • intl: ^0.19.0 dependency constraint, but overridden to ^0.18.1 in dependency_overrides

Evidence:

  • pubspec.yaml lines 70-94: Git dependencies with ref: stable instead of version tags
  • pubspec.yaml line 86: markedeer_dynamic_form_builder uses local path dependency
  • codemagic.yaml: Uses FVM for Flutter version management
  • .fvmrc: Defines Flutter 3.24.3 for the project
  • Flutter SDK constraint: >=3.0.0 <4.0.0 (compatible with 3.24.3)
  • pubspec.yaml line 23: intl: ^0.19.0 but overridden to ^0.18.1 (line 109)
  • Dependency overrides section (lines 106-109) indicates version conflicts

Risk Level: Medium Risk

Recommendation:

  • Replace Git branch dependencies with versioned releases where possible
  • For custom forks, create proper version tags and use semantic versioning
  • Establish upgrade path for dependencies currently using stable branches
  • Plan Flutter upgrade strategy to latest stable version
  • Set up dependency update automation and monitoring
  • Resolve intl version conflict (remove override or update constraint)
  • Document rationale for any dependencies that must remain on Git branches or local paths
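
A CI-side check for the dependency-source issues listed above, added here as an example; it is not part of the audited project or of the report's tooling. It parses a constructed pubspec.yaml excerpt modelled on the findings (the package names are reused, the repository URLs and the v1.4.0 tag are assumed) and flags git dependencies that track a branch, path dependencies, and dependency_overrides that contradict a direct constraint such as the intl one. The minimal parser handles only the nested-map layout pubspec uses, so it runs without PyYAML.

```python
"""CI policy check for dependency sources in pubspec.yaml.

Added example, not the audited project's code. Flags git dependencies that
track a branch instead of a tag, path dependencies, and dependency_overrides
that contradict a direct constraint. The parser below handles only the simple
nested-map layout pubspec.yaml uses (no lists, anchors or multi-line strings),
so it runs without PyYAML; swap in yaml.safe_load for a real pipeline.
"""
import re
import sys

# Constructed excerpt modelled on the findings; URLs and the v1.4.0 tag are assumed.
SAMPLE_PUBSPEC = """\
name: example_app
dependencies:
  intl: ^0.19.0
  collection: ^1.18.0
  markedeer_oauth:
    git:
      url: https://git.mybns.com/example/markedeer_oauth.git
      ref: stable
  markedeer_entity_api:
    git:
      url: https://git.mybns.com/example/markedeer_entity_api.git
      ref: v1.4.0
  markedeer_dynamic_form_builder:
    path: ../flutter-markedeer-dynamic-form-builder
dependency_overrides:
  intl: ^0.18.1
  geolocator_android: 4.6.1
"""

# A ref counts as pinned when it looks like a version tag or a commit hash.
PINNED_REF = re.compile(r"^(v?\d+\.\d+\.\d+([+-][\w.]+)?|[0-9a-f]{7,40})$")


def parse_simple_yaml(text):
    """Parse 'key: value' lines and indented blocks into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent of the key that opened the block, its dict)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip("\"'")
        while indent <= stack[-1][0]:  # a dedent closes the open blocks
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:
            parent[key] = child = {}
            stack.append((indent, child))
    return root


def audit_pubspec(text):
    """Return a list of (package, problem) findings for the given pubspec text."""
    doc = parse_simple_yaml(text)
    deps = doc.get("dependencies", {})
    findings = []
    for name, spec in deps.items():
        if not isinstance(spec, dict):
            continue  # plain hosted constraint such as ^0.19.0
        if "git" in spec:
            git = spec["git"]
            ref = git.get("ref") if isinstance(git, dict) else None
            if ref is None:
                findings.append((name, "git dependency without ref tracks the default branch"))
            elif not PINNED_REF.match(ref):
                findings.append((name, f"git dependency tracks branch '{ref}' instead of a tag"))
        elif "path" in spec:
            findings.append((name, f"path dependency '{spec['path']}' has no version"))
    for name, override in doc.get("dependency_overrides", {}).items():
        direct = deps.get(name)
        if direct is None:
            findings.append((name, f"override {override} pins a transitive dependency"))
        elif direct != override:
            findings.append((name, f"override {override} contradicts direct constraint {direct}"))
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_PUBSPEC
    problems = audit_pubspec(text)
    for name, problem in problems:
        print(f"{name}: {problem}")
    sys.exit(1 if problems else 0)  # fail the CI step when the policy is violated
```

Run as `python check_pubspec.py pubspec.yaml` in the pipeline; a non-zero exit keeps a new branch-tracking or path dependency from landing without the documented rationale the recommendation asks for. Packages whose override is the only place they are named (geolocator_android above) are reported too, because such a pin is easy to forget once the upstream fix ships.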

3.2 Known Vulnerabilities

Status: ⚠️ Warning

Findings:

  • No automated vulnerability scanning: No evidence of vulnerability scanning tools or processes in place
  • Git branch dependencies may miss security updates: Dependencies using stable branches may not receive immediate security patches if not actively monitored
  • Beta packages with potential vulnerabilities:
    • flutter_html: ^3.0.0-beta.2 - Beta version, may contain security issues
    • flutter_html_iframe: ^3.0.0-beta.2 - Beta version
  • Deprecated packages: package_info: ^2.0.2 is deprecated and may have known vulnerabilities that won't be patched
  • No dependency vulnerability monitoring: No evidence of tools like dart pub outdated --security or Snyk/Dependabot integration
  • Custom Git dependencies: Four custom Git dependencies from git.mybns.com may not receive upstream security updates if not actively maintained
  • Flutter version: Pinned to 3.24.3, may miss security patches in newer Flutter versions
  • Dependency overrides: Multiple dependency overrides may mask security vulnerabilities in transitive dependencies

Evidence:

  • No vulnerability scanning tools configured (no Snyk, Dependabot, or similar)
  • pubspec.yaml: Git branch dependencies (lines 70-94) may not track security fixes immediately
  • pubspec.yaml: Beta versions flutter_html: ^3.0.0-beta.2 (line 25), flutter_html_iframe: ^3.0.0-beta.2 (line 97)
  • pubspec.yaml: Deprecated package package_info: ^2.0.2 (line 35)
  • No .github/dependabot.yml or similar security scanning configuration
  • No evidence of regular security audits or vulnerability assessments
  • Dependency overrides section (lines 106-109) may hide transitive dependency vulnerabilities

Risk Level: Medium Risk

Recommendation:

  • Immediate actions:
    • Set up automated vulnerability scanning (Dependabot, Snyk, or dart pub outdated --security)
    • Run flutter pub outdated and dart pub outdated --security to identify known vulnerabilities
    • Migrate package_info to package_info_plus (deprecated package)
    • Move from beta to stable versions of flutter_html and flutter_html_iframe
    • Document security update process for Git branch dependencies
    • Monitor custom Git dependencies for security updates
  • Short-term:
    • Migrate deprecated packages to maintained alternatives (addresses security update gap)
    • Replace Git branch dependencies with versioned releases where possible
    • Set up automated dependency update checks in CI/CD pipeline
    • Create security update schedule and process
    • Review and minimize dependency overrides

3.3 License Compliance

Status: ⚠️ Warning

Findings:

  • No license documentation: No LICENSE file in project root or license compliance documentation
  • No license audit: No evidence of license compliance review or tracking of third-party licenses
  • Mixed license types: Dependencies likely use various licenses (MIT, Apache, BSD, GPL, etc.) without documented review
  • Custom Git dependency licenses: Four custom Git dependencies from git.mybns.com - license terms may differ from upstream or may not be documented
  • Local path dependency: markedeer_dynamic_form_builder uses local path - license terms need to be verified
  • No license attribution: No evidence of license attribution or compliance documentation
  • Potential license conflicts: No review process to identify incompatible licenses (e.g., GPL with proprietary code)
  • No license compliance process: No documented process for reviewing and approving new dependencies

Evidence:

  • No LICENSE file in project root
  • No license documentation in README.md or project documentation
  • No license compliance tracking or audit files
  • pubspec.yaml: Custom Git dependencies (lines 70-94) may have different license terms
  • pubspec.yaml: Local path dependency (line 86) needs license verification
  • No evidence of license review process in codebase
  • Multiple dependencies from pub.dev with various licenses (not documented)
  • No license attribution file or NOTICES file

Risk Level: Medium Risk

Recommendation:

  • Immediate actions:
    • Document all third-party licenses and their requirements
    • Review licenses of custom Git fork dependencies
    • Verify license of local path dependency (markedeer_dynamic_form_builder)
  • Short-term:
    • Add in-app screen to display third-party licenses
    • Create license compliance checklist for new dependencies
    • Set up automated license checking in CI/CD pipeline
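
A license inventory for the resolved package set, added here as an example; it is not part of the audited project or its CI. It reads .dart_tool/package_config.json (which flutter pub get writes), resolves each package's root directory, and classifies the package's LICENSE file with keyword heuristics, marking copyleft licenses and missing or unrecognised ones for review. The package tree it runs on is constructed in a temporary directory (the gpl_widget package and the license texts are made up); on a real checkout, call audit_licenses with the project root.

```python
"""License inventory for resolved Dart/Flutter packages.

Added example, not the audited project's tooling. Reads
.dart_tool/package_config.json, finds each package's LICENSE file and
classifies it by keyword heuristics. Copyleft, unknown and missing licenses
are reported for review. The sample tree is constructed in a temp directory.
"""
import json
import re
import sys
import tempfile
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import url2pathname

# Keyword heuristics checked in order: (regex, label, copyleft). LGPL/AGPL come
# before GPL because their texts also mention the GNU General Public License.
LICENSE_PATTERNS = [
    (r"GNU AFFERO GENERAL PUBLIC LICENSE", "AGPL", True),
    (r"GNU LESSER GENERAL PUBLIC LICENSE", "LGPL", True),
    (r"GNU GENERAL PUBLIC LICENSE", "GPL", True),
    (r"Apache License", "Apache-2.0", False),
    (r"Permission is hereby granted, free of charge", "MIT", False),
    (r"Redistribution and use in source and binary forms", "BSD", False),
]


def classify_license(text):
    """Return (label, status); status is 'ok', 'copyleft' or 'review'."""
    for pattern, label, copyleft in LICENSE_PATTERNS:
        if re.search(pattern, text, re.IGNORECASE):
            return label, ("copyleft" if copyleft else "ok")
    return "UNKNOWN", "review"


def package_dir(config_path, root_uri):
    """Resolve a rootUri, which is a file: URI or a path relative to the config."""
    parsed = urlparse(root_uri)
    if parsed.scheme == "file":
        return Path(url2pathname(parsed.path))
    return (config_path.parent / root_uri).resolve()


def audit_licenses(project_root):
    """Map every resolved package name to (license label, status)."""
    config_path = Path(project_root) / ".dart_tool" / "package_config.json"
    config = json.loads(config_path.read_text())
    report = {}
    for pkg in config["packages"]:
        pkg_dir = package_dir(config_path, pkg["rootUri"])
        license_files = sorted(pkg_dir.glob("LICENSE*")) if pkg_dir.is_dir() else []
        if not license_files:
            report[pkg["name"]] = ("MISSING", "review")
            continue
        report[pkg["name"]] = classify_license(license_files[0].read_text(errors="replace"))
    return report


def needs_review(report):
    """Names of packages that are not plainly permissive."""
    return [name for name, (_, status) in report.items() if status != "ok"]


def build_sample_project():
    """Construct a fake project with three resolved packages (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="license_audit_"))
    cache = root / "pub_cache"
    packages = {  # constructed license texts, trimmed to the phrases the heuristics use
        "collection": "MIT License\n\nPermission is hereby granted, free of charge, to any person\n",
        "gpl_widget": "GNU GENERAL PUBLIC LICENSE\nVersion 3, 29 June 2007\n",
        "markedeer_oauth": None,  # git dependency shipped without a LICENSE file
    }
    entries = []
    for name, license_text in packages.items():
        pkg_dir = cache / name
        (pkg_dir / "lib").mkdir(parents=True)
        if license_text is not None:
            (pkg_dir / "LICENSE").write_text(license_text)
        entries.append({"name": name, "rootUri": pkg_dir.as_uri(), "packageUri": "lib/"})
    (root / ".dart_tool").mkdir()
    (root / ".dart_tool" / "package_config.json").write_text(
        json.dumps({"configVersion": 2, "packages": entries}))
    return root


if __name__ == "__main__":
    project = sys.argv[1] if len(sys.argv) > 1 else build_sample_project()
    result = audit_licenses(project)
    for name, (label, status) in sorted(result.items()):
        print(f"{name:32} {label:12} {status}")
    sys.exit(1 if needs_review(result) else 0)  # block the pipeline until reviewed
```

The script deliberately stops at a keyword match rather than trying to parse license text fully; the point is to surface every package whose terms are not obviously permissive, so the custom Git forks and the local path dependency named in the findings show up as MISSING or UNKNOWN until someone records their terms.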

3.4 Outdated Packages

Status: Fail

Findings:

  • Critical: many dependency constraints exclude newer versions that would otherwise be resolvable
  • Multiple deprecated packages identified requiring migration
  • Major version updates available for many critical packages:
    • Firebase packages: firebase_core (3.15.2 → 4.2.1), firebase_crashlytics (4.3.10 → 5.0.5), firebase_messaging (15.2.10 → 16.0.4), firebase_analytics (11.6.0 → 12.0.4), firebase_performance (0.10.1+10 → 0.11.1+2)
    • camera (0.11.0+2 → 0.11.3), drift (2.23.1 → 2.29.0), geolocator (13.0.4 → 14.0.2)
    • geocoding (3.0.0 → 4.0.0), google_fonts (6.3.0 → 6.3.2), google_sign_in (6.2.2 → 7.2.0)
    • sign_in_with_apple (6.1.4 → 7.0.1), connectivity_plus (6.1.5 → 7.0.0)
    • device_info_plus (11.3.0 → 12.2.0), flutter_keyboard_visibility (5.4.1 → 6.0.0)
  • Deprecated packages requiring migration:
    • package_info: ^2.0.2 → should migrate to package_info_plus (latest: 9.0.0 available)
  • Beta packages:
    • flutter_html: ^3.0.0-beta.2 → stable 3.0.0 is available
    • flutter_html_iframe: ^3.0.0-beta.2 → stable 3.0.0 is available
  • Dependency overrides indicate version conflicts:
    • Multiple dependency overrides (lines 106-109) suggest compatibility issues
    • geolocator_android: 4.6.1 overridden (latest 5.0.2 available)
    • flutter_calendar_carousel: 2.4.4 overridden (latest 2.5.4 available)
    • intl: ^0.18.1 overridden (conflicts with intl: ^0.19.0 in dependencies, latest 0.20.2 available)
  • Minor updates available:
    • collection: ^1.18.0 → latest is 1.19.1
    • path: ^1.9.0 → latest is 1.9.1
    • url_launcher: ^6.3.1 → latest is 6.3.2
    • video_player: ^2.9.5 → latest is 2.10.1
    • youtube_player_flutter: 9.1.1 → latest is 9.1.3
    • google_fonts: ^6.3.0 → latest is 6.3.2
    • font_awesome_flutter: ^10.9.0 → latest is 10.12.0
    • flutter_svg: ^2.1.0 → latest is 2.2.3
    • google_maps_flutter: ^2.10.1 → latest is 2.14.0
    • retrofit: ^4.5.0 → latest is 4.9.1
  • Dev dependencies outdated:
    • build_runner: ^2.4.13 → latest is 2.10.4
    • drift_dev: ^2.23.1 → latest is 2.29.0
    • retrofit_generator: ^9.1.5 → latest is 10.2.0

Evidence:

  • flutter pub outdated output shows many dependencies constrained to older versions
  • pubspec.yaml line 35: package_info: ^2.0.2 (deprecated, package_info_plus 9.0.0 available)
  • pubspec.yaml line 25: flutter_html: ^3.0.0-beta.2 (stable 3.0.0 available)
  • pubspec.yaml line 97: flutter_html_iframe: ^3.0.0-beta.2 (stable 3.0.0 available)
  • pubspec.yaml line 23: intl: ^0.19.0 but overridden to ^0.18.1 (line 109), latest 0.20.2
  • pubspec.yaml lines 70-94: Git dependencies using ref: stable
  • pubspec.yaml lines 106-109: Dependency overrides section
  • pubspec.yaml line 18: drift: ^2.11.2 (upgradeable to 2.29.0)
  • pubspec.yaml line 86: markedeer_dynamic_form_builder uses local path dependency

Risk Level: High Risk

Recommendation:

  • Immediate actions:
    • Migrate package_info → package_info_plus (latest 9.0.0 available)
    • Move from flutter_html and flutter_html_iframe beta to stable 3.0.0 releases
    • Plan major version upgrades for Firebase packages (breaking changes expected)
    • Resolve intl version conflict (remove override or update to latest compatible version)
  • Short-term:
    • Upgrade minor version updates (collection, path, url_launcher, video_player, etc.)
    • Plan upgrade path for major version updates (Firebase, camera, drift, geolocator, geocoding, etc.)
    • Review and minimize dependency overrides
    • Update dev dependencies (build_runner, drift_dev, retrofit_generator)