3. Dependencies & Third-Party Libraries

Dependency Health Overview

  • Up-to-date Dependencies: 35 / 100
  • Vulnerability Scanning: 0 / 100
  • License Compliance: 25 / 100

3.1 Dependency Versions & Updates

Status: ⚠️ Warning

Findings:

  • Multiple dependencies are pulled from Git branches (ref: stable) instead of version tags, which is better than fixed commits but still weaker than semantic versioning
  • Git dependencies use stable branch references:
    • markedeer_entity_api uses ref: stable
    • markedeer_oauth uses ref: stable
    • flutter_markedeer_mobile_content uses ref: stable
    • markedeer_dynamic_form_builder uses ref: stable
  • A branch reference resolves to whatever commit the branch currently points at, so it still prevents precise version control and reproducible builds
  • Project pins Flutter to version 3.24.5 via .fvmrc (FVM - Flutter Version Management)
  • The intl: any constraint is too permissive: every published version satisfies it, so a breaking major release can be pulled in unexpectedly

Evidence:

  • pubspec.yaml lines 69-88: Git dependencies with ref: stable instead of version tags
  • codemagic.yaml lines 16 and 149: Uses FVM for Flutter version management
  • .fvmrc: Defines Flutter 3.24.5 for the project
  • Flutter SDK constraint: >=3.0.0 <4.0.0 (compatible with 3.24.5)
  • pubspec.yaml line 23: intl: any (too permissive version constraint)
  • Dependency overrides section (lines 101-112) indicates version conflicts

Risk Level: Medium Risk

Recommendation:

  • Replace Git branch dependencies with versioned releases where possible
  • For custom forks, create proper version tags and use semantic versioning
  • Establish upgrade path for dependencies currently using stable branches
  • Plan Flutter upgrade strategy to latest stable version
  • Set up dependency update automation and monitoring
  • Change intl: any to a specific version constraint (e.g., ^0.18.1)
  • Document rationale for any dependencies that must remain on Git branches

3.2 Known Vulnerabilities

Status: ⚠️ Warning

Findings:

  • No automated vulnerability scanning: No evidence of vulnerability scanning tools or processes in place
  • Git branch dependencies may miss security updates: Dependencies using stable branches may not receive immediate security patches if not actively monitored
  • Old packages with potential vulnerabilities:
    • collection: ^1.15.0-nullsafety.4 - Very old nullsafety version, may have unpatched vulnerabilities
    • flutter_html: ^3.0.0-beta.2 - Beta version, may contain security issues
  • Deprecated packages: Multiple deprecated packages (package_info, share) may have known vulnerabilities that won't be patched
  • No dependency vulnerability monitoring: No evidence of tools like dart pub outdated --security or Snyk/Dependabot integration
  • Custom Git dependencies: Four custom Git dependencies from Pubmarket-org may not receive upstream security updates if not actively maintained
  • Flutter version: Pinned to 3.24.5, may miss security patches in newer Flutter versions
  • Dependency overrides: Multiple dependency overrides may mask security vulnerabilities in transitive dependencies

Evidence:

  • No vulnerability scanning tools configured (no Snyk, Dependabot, or similar)
  • pubspec.yaml: Git branch dependencies (lines 69-88) may not track security fixes immediately
  • pubspec.yaml: Old packages like collection: ^1.15.0-nullsafety.4 (line 99)
  • pubspec.yaml: Beta version flutter_html: ^3.0.0-beta.2 (line 25)
  • pubspec.yaml: Deprecated packages package_info: ^2.0.2 (line 38), share: ^2.0.4 (line 55)
  • No .github/dependabot.yml or similar security scanning configuration
  • No evidence of regular security audits or vulnerability assessments
  • Dependency overrides section (lines 101-112) may hide transitive dependency vulnerabilities
  • pubspec.yaml line 98: TODO comment indicates known issue with collection override

Risk Level: Medium Risk

Recommendation:

  • Immediate actions:
    • Set up automated vulnerability scanning (Dependabot, Snyk, or dart pub outdated --security)
    • Run flutter pub outdated and dart pub outdated --security to identify known vulnerabilities
    • Review and update old packages (collection) to latest versions
    • Document security update process for Git branch dependencies
    • Monitor custom Git dependencies for security updates
  • Short-term:
    • Migrate deprecated packages to maintained alternatives (addresses security update gap)
    • Replace Git branch dependencies with versioned releases where possible
    • Set up automated dependency update checks in CI/CD pipeline
    • Create security update schedule and process
    • Review and minimize dependency overrides
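As an added example (not part of this audit and not the project's own code), a small CI lint that parses a pubspec.yaml and flags the three patterns called out in 3.1 and 3.2: any constraints, Git dependencies whose ref is not a release tag, and every entry under dependency_overrides. The sample pubspec, the example.invalid URLs, the pinned_fork package and the tag regex are constructed assumptions; only the package names the report itself mentions are taken from the page.

```python
import re

# Constructed sample (not the audited project's pubspec): an 'any' constraint, a Git dependency on a branch, a tagged fork, two overrides.
SAMPLE_PUBSPEC = """\
dependencies:
  intl: any
  markedeer_oauth:
    git:
      url: https://example.invalid/markedeer_oauth.git
      ref: stable
  pinned_fork:
    git:
      url: https://example.invalid/pinned_fork.git
      ref: v1.4.2
dependency_overrides:
  intl: ^0.18.1
  collection: ^1.18.0
"""
TAG_LIKE = re.compile(r"^v?\d+\.\d+\.\d+")  # a release tag, not a branch name


def parse_yaml_tree(text):
    """Indentation parser for the key/nested-map subset pubspec.yaml uses (no lists, anchors or block scalars)."""
    stack = [(-1, {})]  # (indent, mapping) pairs from the root down to the current map
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip(): continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:  # close maps nested deeper than this line
            stack.pop()
        parent, value = stack[-1][1], value.strip().strip("\"'")
        parent[key] = value or {}
        if not value:  # a key without a scalar opens a nested map
            stack.append((indent, parent[key]))
    return stack[0][1]


def audit_pubspec(text):
    """Return (severity, message) findings: 'any' constraints, Git refs that are not release tags, every override."""
    tree, findings = parse_yaml_tree(text), []
    for name, spec in tree.get("dependencies", {}).items():
        if spec == "any":
            findings.append(("high", f"{name}: 'any' constraint admits breaking changes"))
        elif isinstance(spec, dict) and "git" in spec:
            git = spec["git"]  # short form 'git: <url>' carries no ref at all
            ref = git.get("ref", "<default branch>") if isinstance(git, dict) else "<default branch>"
            if not TAG_LIKE.match(ref):
                findings.append(("medium", f"{name}: git ref '{ref}' is a branch, not a tag"))
    for name in tree.get("dependency_overrides", {}):
        findings.append(("low", f"{name}: override can mask transitive security fixes"))
    return findings
```

Wire it into the pipeline by running audit_pubspec over the checked-in pubspec.yaml and failing the job on any high finding.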

3.3 License Compliance

Status: ⚠️ Warning

Findings:

  • No license documentation: No LICENSE file in project root or license compliance documentation
  • No license audit: No evidence of license compliance review or tracking of third-party licenses
  • Mixed license types: Dependencies likely use various licenses (MIT, Apache, BSD, GPL, etc.) without documented review
  • Custom Git dependency licenses: Four custom Git dependencies from Pubmarket-org - license terms may differ from upstream or may not be documented
  • No license attribution: No evidence of license attribution or compliance documentation
  • Potential license conflicts: No review process to identify incompatible licenses (e.g., GPL with proprietary code)
  • No license compliance process: No documented process for reviewing and approving new dependencies

Evidence:

  • No LICENSE file in project root
  • No license documentation in README.md or project documentation
  • No license compliance tracking or audit files
  • pubspec.yaml: Custom Git dependencies (lines 69-88) may have different license terms
  • No evidence of license review process in codebase
  • Multiple dependencies from pub.dev with various licenses (not documented)
  • No license attribution file or NOTICES file

Risk Level: Medium Risk

Recommendation:

  • Immediate actions:
    • Document all third-party licenses and their requirements
    • Review licenses of custom Git fork dependencies
  • Short-term:
    • Add in-app screen to display third-party licenses
    • Create license compliance checklist for new dependencies
    • Set up automated license checking in CI/CD pipeline

3.4 Outdated Packages

Status: Fail

Findings:

  • Critical: 39 dependencies are constrained to versions older than resolvable versions
  • 10 upgradable dependencies are locked to older versions in pubspec.lock
  • Multiple deprecated packages identified requiring migration
  • Discontinued packages in dependency tree: js, build_resolvers, build_runner_core, macros
  • Major version updates available for many critical packages:
    • Firebase packages: firebase_core (2.32.0 → 4.2.1), firebase_crashlytics (3.5.7 → 5.0.5), firebase_messaging (14.7.10 → 16.0.4), firebase_analytics (10.10.7 → 12.0.4), firebase_remote_config (4.4.7 → 6.1.2)
    • camera (0.10.6 → 0.11.3), drift (2.22.1 → 2.29.0), geolocator (10.0.1 → 14.0.2)
    • geocoding (2.2.2 → 4.0.0), google_fonts (4.0.5 → 6.3.2), lottie (2.7.0 → 3.3.2)
  • Deprecated packages requiring migration:
    • package_info: ^2.0.2 → should migrate to package_info_plus (latest: 9.0.0 available)
    • share: ^2.0.4 → should migrate to share_plus
  • Critical null safety issue: flutter_markedeer_mobile_content internal package's main branch is not null safety compliant, blocking upgrades
  • Potentially outdated/problematic packages:
    • collection: ^1.18.0 → current version, but latest is 1.19.1 (minor update available)
    • flutter_html: ^3.0.0-beta.2 → using beta version, stable 3.0.0 is available
    • intl: ^0.18.1 (overridden) → latest is 0.20.2, but constrained by override
    • another_flushbar: ^1.12.30 → check if maintained, consider alternatives
  • Dependency overrides indicate version conflicts:
    • Multiple dependency overrides (lines 101-112) suggest compatibility issues
    • analyzer: ">=2.1.0" overridden (current 6.7.0, latest 9.0.0 available)
    • intl: ^0.18.1 overridden (conflicts with intl: any in dependencies)
    • Multiple Android platform-specific packages overridden
    • TODO comment indicates known issue with collection override due to flutter_html compatibility

Evidence:

  • flutter pub outdated output shows 39 dependencies constrained to older versions
  • pubspec.yaml line 38: package_info: ^2.0.2 (deprecated, package_info_plus 9.0.0 available)
  • pubspec.yaml line 55: share: ^2.0.4 (deprecated)
  • pubspec.yaml line 99: collection: ^1.18.0 (minor update to 1.19.1 available)
  • pubspec.yaml line 25: flutter_html: ^3.0.0-beta.2 (stable 3.0.0 available)
  • pubspec.yaml line 23: intl: any (too permissive, overridden to 0.18.1, latest 0.20.2)
  • pubspec.yaml lines 69-88: Git dependencies using ref: stable
  • pubspec.yaml lines 101-112: Dependency overrides section
  • pubspec.yaml lines 94-98: TODO comment about removing collection override once flutter_html issue is fixed
  • pubspec.yaml line 18: drift: ^2.22.1 (upgradeable to 2.29.0)
  • Internal package flutter_markedeer_mobile_content main branch not null safety compliant

Risk Level: High Risk

Recommendation:

  • Immediate actions:
    • Migrate package_info → package_info_plus (latest 9.0.0 available)
    • Migrate share → share_plus
    • Update flutter_markedeer_mobile_content internal package to null safety compliant version or migrate to null safety
    • Plan major version upgrades for Firebase packages (breaking changes expected)
    • Address discontinued packages (js, build_resolvers, build_runner_core, macros)
  • Short-term:
    • Upgrade collection to 1.19.1 (minor update)
    • Move from flutter_html beta to stable 3.0.0 release (will allow removal of collection override)
    • Plan upgrade path for major version updates (Firebase, camera, drift, geolocator, etc.)
    • Review and minimize dependency overrides
    • Update intl override to latest compatible version (0.20.2)
    • Evaluate and update another_flushbar or replace if unmaintained
    • Continue using drift but plan upgrade to 2.29.0
  • Long-term:
    • Establish regular dependency update schedule
    • Set up automated dependency update checks in CI/CD
    • Create upgrade plan for major version updates with testing strategy
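As an added example for the 3.4 counts (not the audit's own tooling), a triage script over the JSON that dart pub outdated --json prints, bucketing packages into lock-pinned (current behind upgradable), constraint-pinned (resolvable behind latest), discontinued, and direct dependencies a major version behind. The JSON shape is assumed from the tool and should be checked against your toolchain; the sample values for the named packages follow this report, while those for js are made up.

```python
import json

# Constructed sample in the assumed shape of `dart pub outdated --json` (verify against your toolchain).
# Versions for firebase_core, drift and flutter_html follow this report; the js versions are made up.
SAMPLE_OUTDATED = json.dumps({"packages": [
    {"package": "firebase_core", "kind": "direct", "isDiscontinued": False,
     "current": {"version": "2.32.0"}, "upgradable": {"version": "2.32.0"},
     "resolvable": {"version": "2.32.0"}, "latest": {"version": "4.2.1"}},
    {"package": "drift", "kind": "direct", "isDiscontinued": False,
     "current": {"version": "2.22.1"}, "upgradable": {"version": "2.29.0"},
     "resolvable": {"version": "2.29.0"}, "latest": {"version": "2.29.0"}},
    {"package": "flutter_html", "kind": "direct", "isDiscontinued": False,
     "current": {"version": "3.0.0-beta.2"}, "upgradable": {"version": "3.0.0-beta.2"},
     "resolvable": {"version": "3.0.0-beta.2"}, "latest": {"version": "3.0.0"}},
    {"package": "js", "kind": "transitive", "isDiscontinued": True,
     "current": {"version": "0.6.7"}, "upgradable": {"version": "0.6.7"},
     "resolvable": {"version": "0.6.7"}, "latest": {"version": "0.7.1"}},
]})


def version_key(v):
    """Sort key with pub semantics: 3.0.0-beta.2 < 3.0.0 < 3.0.1.
    Build metadata after '+' is ignored; prerelease ids compare as text."""
    core, _, pre = v.split("+", 1)[0].partition("-")
    return tuple(int(x) for x in core.split(".")), (pre == "", pre)


def triage(outdated_json):
    """Bucket packages the way the 3.4 counts do. Returns {bucket: [package names]}."""
    buckets = {"lock_pinned": [], "constrained": [], "discontinued": [], "major_behind": []}
    for p in json.loads(outdated_json)["packages"]:
        vk = {k: version_key(p[k]["version"]) if p.get(k) else None
              for k in ("current", "upgradable", "resolvable", "latest")}
        name = p["package"]
        if p.get("isDiscontinued"):
            buckets["discontinued"].append(name)  # no future fixes at all
        if vk["current"] and vk["upgradable"] and vk["current"] < vk["upgradable"]:
            buckets["lock_pinned"].append(name)  # pubspec.lock holds it back
        if vk["resolvable"] and vk["latest"] and vk["resolvable"] < vk["latest"]:
            buckets["constrained"].append(name)  # a constraint holds it back
        if p.get("kind") == "direct" and vk["current"] and vk["latest"] \
                and vk["current"][0][0] < vk["latest"][0][0]:
            buckets["major_behind"].append(name)  # breaking upgrade pending
    return buckets
```

A CI gate can fail the build when the discontinued bucket contains a direct dependency, and report the other buckets as the update backlog.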