3. Dependencies & Third-Party Libraries

Dependency Health Overview

Up-to-date Dependencies: 40 / 100
Vulnerability Scanning: 0 / 100
License Compliance: 25 / 100

3.1 Dependency Versions & Updates

Status: ⚠️ Warning

Findings:

  • Multiple dependencies are pinned to Git commit hashes instead of version tags, so `flutter pub upgrade` never moves them; they change only when someone edits the hash by hand
  • universal_html uses fixed commit ceb15dc63f653c4c75b64b8a091b908d0c5496c5 from a custom fork
  • flutter_markedeer_mobile_content uses fixed commit 5a49c5d818f625c40fb9edeee3c85189a0ee4482
  • Commit pins sit outside pub.dev version and advisory metadata, so security fixes landing upstream are invisible to dependency tooling
  • No documented upgrade path or rationale for the dependencies pinned to specific commits
  • Project pins Flutter to version 3.24.3 via .fvmrc (already ~1 year old). Pinning the SDK is good practice for reproducible builds; the problem is the lag, not the pin

Evidence:

  • pubspec.yaml lines 90-93: universal_html with fixed commit hash
  • pubspec.yaml lines 119-122: flutter_markedeer_mobile_content with fixed commit hash
  • codemagic.yaml line 59: Uses FVM for Flutter version management
  • .fvmrc (Flutter Version Management) defines Flutter 3.24.3 for the project
  • Dart SDK constraint in pubspec.yaml (environment.sdk): >=3.0.0 <4.0.0. It is satisfied by the Dart 3.5 bundled with Flutter 3.24.3 and does not block a move to a newer Flutter 3.x, but nothing in the repository plans that move

Risk Level: Medium Risk

Recommendation:

  • Replace commit-pinned dependencies with versioned releases where possible
  • For custom forks, create proper version tags and use semantic versioning; pin to the tag (git: ref: v1.2.3) rather than to the hash
  • Establish an upgrade path for dependencies that currently must stay on commits
  • Plan a Flutter upgrade strategy to the latest stable version and keep .fvmrc in step with it
  • Set up dependency update automation and monitoring, enforced as a step in the CI pipeline (codemagic.yaml) so that an undocumented commit pin fails the build
  • Document the rationale for any dependency that must remain on a fixed commit, and review that list on every upgrade cycle

3.2 Known Vulnerabilities

Status: ⚠️ Warning

Findings:

  • No automated vulnerability scanning: No evidence of vulnerability scanning tools or processes in place
  • Commit-pinned dependencies prevent security updates: Dependencies pinned to specific commits are never moved by pub upgrade and cannot be matched against advisories by version
  • Old packages with potential vulnerabilities:
  • collection: ^1.15.0-nullsafety.4 - The lower bound is very old, but a caret constraint resolves to the newest compatible 1.x, so the version actually in use is whatever pubspec.lock records; the lock file, not this line, is what must be checked against advisories
  • csslib: 0.17.3 - Exact pin (no caret), so this version will never move without a manual edit; no advisory was checked against it in this review
  • moor: ^4.6.1+1 - Deprecated package, no longer maintained, won't receive security updates
  • Deprecated packages: Multiple deprecated packages (device_info, package_info, share, moor) will not be patched if a vulnerability is found in them
  • No dependency vulnerability monitoring: No evidence of OSV-Scanner, Snyk or Dependabot integration, or of reviewing pub.dev security advisories for the resolved packages
  • Custom forks: universal_html and flutter_markedeer_mobile_content from custom forks may not receive upstream security updates, and their self-declared version numbers cannot be matched against upstream advisories
  • Flutter version: Pinned to 3.24.3, may miss security patches in newer Flutter versions

Evidence:

  • No vulnerability scanning tools configured (no Snyk, Dependabot, or similar)
  • pubspec.yaml: Fixed commit dependencies (lines 90-93, 119-122) prevent automatic updates
  • pubspec.yaml: Old packages like collection: ^1.15.0-nullsafety.4 (line 123) and csslib: 0.17.3 (line 84)
  • pubspec.yaml: Deprecated packages that won't receive security updates
  • No .github/dependabot.yml or similar security scanning configuration
  • No evidence of regular security audits or vulnerability assessments
  • Custom Git dependencies may not track upstream security fixes

Risk Level: Medium Risk

Recommendation:

  • Immediate actions:
  • Set up automated vulnerability scanning of pubspec.lock (OSV-Scanner, Snyk or Dependabot, which supports the pub ecosystem)
  • Run flutter pub outdated to see how far resolved versions lag, and check the resolved versions against pub.dev security advisories
  • Review and update old packages (collection, csslib) to latest versions
  • Document the security update process for commit-pinned dependencies (who compares the pinned commit with upstream, and how often)
  • Short-term:
  • Migrate deprecated packages to maintained alternatives (addresses security update gap)
  • Replace commit-pinned dependencies with versioned releases where possible
  • Set up automated dependency update checks in CI/CD pipeline
  • Create security update schedule and process

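The check a reviewer would actually run against the findings above, as an added example that is not the project's code: it reads the versions resolved in pubspec.lock (not the constraints in pubspec.yaml), matches them against advisory ranges in the shape the OSV API returns, and refuses to version-match git-sourced forks because their version field is self-declared. The lock excerpt, package names and advisory IDs are constructed for illustration; caret_range shows why a constraint such as `^1.15.0-nullsafety.4` alone says nothing about the version in use.

```python
"""Match versions resolved in pubspec.lock against advisory ranges (OSV shape).

Added example for this audit, not project code. Lock excerpt, package names and
advisory IDs are constructed; in practice read the real pubspec.lock and the
records returned by https://api.osv.dev for the "Pub" ecosystem.
"""

# Constructed pubspec.lock excerpt; the real file is written by `flutter pub get`.
PUBSPEC_LOCK = """\
packages:
  example_pkg_a:
    description:
      url: "https://pub.dev"
    source: hosted
    version: "1.17.2"
  example_pkg_b:
    description:
      url: "https://pub.dev"
    source: hosted
    version: "0.17.3"
  example_fork:
    description:
      resolved-ref: 0123456789abcdef0123456789abcdef01234567
      url: "https://github.com/example-org/example_fork.git"
    source: git
    version: "2.2.4"
"""

# Constructed advisories (hypothetical IDs and ranges, not real vulnerabilities).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "example_pkg_b",
     "ranges": [{"introduced": "0", "fixed": "0.17.4"}]},
    {"id": "EXAMPLE-0002", "package": "example_pkg_a",
     "ranges": [{"introduced": "1.15.0", "fixed": "1.16.0"}]},
    {"id": "EXAMPLE-0003", "package": "example_fork",
     "ranges": [{"introduced": "0", "fixed": "2.3.0"}]},
]

def parse_version(text):
    """Dart semver -> comparable tuple; build metadata (+1) never affects precedence."""
    core, _, _build = text.partition("+")
    core, _, pre = core.partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))              # "0" -> 0.0.0
    if not pre:
        return (*parts, (1,))                     # a release sorts above its pre-releases
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (*parts, (0, ids))

def caret_range(constraint):
    """Bounds of a ^ constraint: ^1.2.3 -> [1.2.3, 2.0.0), ^0.1.2 -> [0.1.2, 0.2.0)."""
    lower = constraint.lstrip("^")
    major, minor, patch, _ = parse_version(lower)
    if major > 0:
        return lower, f"{major + 1}.0.0"
    if minor > 0:
        return lower, f"0.{minor + 1}.0"
    return lower, f"0.0.{patch + 1}"

def parse_lock(text):
    """Minimal reader for the pubspec.lock layout: package name -> {source, version}."""
    packages, current = {}, None
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip('"')
        if indent == 2 and key and not value:
            current = key
            packages[current] = {}
        elif indent == 4 and current and key in ("source", "version"):
            packages[current][key] = value
    return packages

def in_range(version, rng):
    v = parse_version(version)
    if v < parse_version(rng.get("introduced", "0")):
        return False
    return "fixed" not in rng or v < parse_version(rng["fixed"])

def find_affected(lock_text, advisories):
    """Return (affected hosted packages, git-sourced packages that cannot be matched)."""
    packages = parse_lock(lock_text)
    git_packages = sorted(n for n, p in packages.items() if p.get("source") == "git")
    affected = []
    for adv in advisories:
        pkg = packages.get(adv["package"])
        if pkg is None or pkg.get("source") == "git":
            continue  # a fork's version is self-declared, so a range match proves nothing
        if any(in_range(pkg["version"], r) for r in adv["ranges"]):
            affected.append((adv["package"], pkg["version"], adv["id"]))
    return affected, git_packages

if __name__ == "__main__":
    hits, unmatched = find_affected(PUBSPEC_LOCK, ADVISORIES)
    for name, version, adv_id in hits:
        print(f"AFFECTED {name} {version}: {adv_id}")
    for name in unmatched:
        print(f"REVIEW   {name}: git dependency, compare the pinned commit with upstream by hand")
    raise SystemExit(1 if hits else 0)
```

Git-sourced packages are reported separately rather than silently passed: for a fork, the only sound check is to compare the pinned commit with the upstream fix commit, which no version range can express.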
3.3 License Compliance

Status: ⚠️ Warning

Findings:

  • No license documentation: No LICENSE file in project root or license compliance documentation
  • No license audit: No evidence of license compliance review or tracking of third-party licenses
  • Mixed license types: Dependencies likely use various licenses (MIT, Apache, BSD, GPL, etc.) without documented review
  • Custom fork licenses: universal_html and flutter_markedeer_mobile_content from custom forks - license terms may differ from upstream
  • No license attribution: No evidence of license attribution or compliance documentation
  • Potential license conflicts: No review process to identify incompatible licenses (e.g., GPL with proprietary code)
  • No license compliance process: No documented process for reviewing and approving new dependencies

Evidence:

  • No LICENSE file in project root
  • No license documentation in README.md or project documentation
  • No license compliance tracking or audit files
  • pubspec.yaml: Custom Git dependencies (lines 90-93, 119-122) may have different license terms
  • No evidence of license review process in codebase
  • Multiple dependencies from pub.dev with various licenses (not documented)
  • No license attribution file or NOTICES file in the repository. The flutter tool bundles a generated NOTICES file (aggregated from the LICENSE files of the packages in pubspec.lock) into the app at build time, so its absence from source control is expected; what is missing is a reviewed license inventory, and the generated file covers pub packages only, not native SDKs, fonts or other assets added outside pubspec.yaml

Risk Level: Medium Risk

Recommendation:

  • Immediate actions:
  • Document all third-party licenses and their requirements
  • Review licenses of custom fork dependencies
  • Short-term:
  • Add an in-app screen that displays third-party licenses; Flutter's showLicensePage / LicensePage renders the bundled NOTICES entries from LicenseRegistry, and licenses for anything added outside pubspec.yaml (native SDKs, fonts, assets) must be registered there explicitly

3.4 Outdated Packages

Status: ⚠️ Warning

Findings:

  • Multiple deprecated packages identified with migration comments in pubspec.yaml
  • Deprecated packages requiring migration:
  • device_info: ^2.0.3 → should migrate to device_info_plus
  • package_info: ^2.0.2 → should migrate to package_info_plus
  • share: ^2.0.4 → should migrate to share_plus
  • moor: ^4.6.1+1 → deprecated, should migrate to drift (successor)
  • Potentially outdated/problematic packages:
  • collection: ^1.15.0-nullsafety.4 → very old lower bound; the caret admits any 1.x, so check pubspec.lock for the resolved version and raise the constraint to match it
  • flutter_html: ^3.0.0-beta.2 → pre-release lower bound; the caret also admits a 3.x stable, so confirm in pubspec.lock whether a beta is actually resolved and move to a stable release
  • csslib: 0.17.3 → exact pin, will never move without a manual edit; check for advisories and update
  • datetime_picker_formfield: ^2.0.1 → may be deprecated, check for alternatives
  • jiffy: ^6.3.2 → consider migrating to intl package for date handling
  • another_flushbar: ^1.12.30 → check if maintained, consider alternatives
  • Dependency overrides indicate version conflicts:
  • flutter_svg: ^1.0.0 overridden (suggests compatibility issues)
  • pointer_interceptor: ^0.10.1+1 overridden
  • Staging build relies on deprecated libraries with workarounds

Evidence:

  • pubspec.yaml lines 50-51: Comments indicating need to migrate device_info and package_info
  • pubspec.yaml line 63: Comment indicating need to migrate share
  • pubspec.yaml line 45: moor package (deprecated, drift is successor)
  • pubspec.yaml line 123: collection: ^1.15.0-nullsafety.4 (very old)
  • pubspec.yaml line 85: flutter_html: ^3.0.0-beta.2 (beta version)
  • pubspec.yaml lines 125-128: Dependency overrides section
  • lib/widgets/flatbutton_migration.dart: Custom migration widget suggests deprecated Flutter APIs in use

Risk Level: Medium Risk

Recommendation:

  • Immediate actions:
  • Migrate device_info → device_info_plus
  • Migrate package_info → package_info_plus
  • Migrate share → share_plus
  • Plan migration from moor to drift (breaking change, requires database migration)
  • Short-term:
  • Upgrade collection to latest version
  • Move from flutter_html beta to stable release
  • Evaluate and update csslib or find alternative
  • Review and update datetime_picker_formfield or replace
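A CI guard covering the commit-pin finding in 3.1 and the deprecated, pre-release, exact-pin and override findings in 3.4, written as an added example (not the project's code) that could run as a step in codemagic.yaml and fail the build on an undocumented commit pin. The pubspec fragment is constructed from entries named in this audit plus a hypothetical tag-pinned fork, example_tagged_fork, that passes the check; DOCUMENTED_COMMIT_PINS is an assumed allowlist implementing the "document the rationale" recommendation.

```python
"""Lint pubspec.yaml for the dependency-policy issues raised in this audit.

Added example, not project code. The pubspec fragment below is constructed:
real entries from the audit plus a hypothetical tag-pinned fork that passes.
"""
import re

COMMIT_HASH = re.compile(r"^[0-9a-f]{7,40}$")

# Successor packages named in 3.4; extend as the package list grows.
DEPRECATED = {
    "device_info": "device_info_plus",
    "package_info": "package_info_plus",
    "share": "share_plus",
    "moor": "drift",
}

# name -> reviewed rationale for staying on a commit (assumed allowlist);
# empty means every commit pin blocks the build.
DOCUMENTED_COMMIT_PINS = {}

PUBSPEC = """\
name: example_app

dependencies:
  flutter:
    sdk: flutter
  device_info: ^2.0.3   # TODO migrate to device_info_plus
  csslib: 0.17.3
  collection: ^1.15.0-nullsafety.4
  flutter_html: ^3.0.0-beta.2
  universal_html:
    git:
      url: https://github.com/example-org/universal_html.git
      ref: ceb15dc63f653c4c75b64b8a091b908d0c5496c5
  example_tagged_fork:
    git:
      url: https://github.com/example-org/example_tagged_fork.git
      ref: v1.4.0

dependency_overrides:
  flutter_svg: ^1.0.0
"""

def parse_simple_yaml(text):
    """Nested-mapping subset of YAML used by pubspec dependency blocks (no lists)."""
    root, stack = {}, [(-1, {})]
    stack[0] = (-1, root)
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()          # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip('"').strip("'")
        while stack[-1][0] >= indent:                   # climb back to the parent mapping
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def check_pubspec(text):
    """Return (package, kind, detail) findings for the audited dependency sections."""
    doc = parse_simple_yaml(text)
    findings = []
    for section in ("dependencies", "dev_dependencies"):
        for name, spec in doc.get(section, {}).items():
            if name in DEPRECATED:
                findings.append((name, "deprecated", DEPRECATED[name]))
            if isinstance(spec, dict) and "git" in spec:
                git = spec["git"]
                ref = git.get("ref", "HEAD") if isinstance(git, dict) else "HEAD"
                if ref == "HEAD":
                    findings.append((name, "git-unpinned", "floats with the default branch"))
                elif COMMIT_HASH.match(ref):
                    kind = "git-commit-pin-documented" if name in DOCUMENTED_COMMIT_PINS \
                        else "git-commit-pin"
                    findings.append((name, kind, ref))
            elif isinstance(spec, str):
                if spec[0].isdigit():                   # "0.17.3": exact pin, never moves
                    findings.append((name, "exact-pin", spec))
                if "-" in spec:                         # "^3.0.0-beta.2": pre-release bound
                    findings.append((name, "prerelease", spec))
    for name, spec in doc.get("dependency_overrides", {}).items():
        findings.append((name, "override", spec if isinstance(spec, str) else "git/path"))
    return findings

BLOCKING = {"git-commit-pin", "git-unpinned"}

if __name__ == "__main__":
    results = check_pubspec(PUBSPEC)
    for name, kind, detail in results:
        print(f"{kind:<26} {name}: {detail}")
    raise SystemExit(1 if any(kind in BLOCKING for _, kind, _ in results) else 0)
```

Only the git findings block the build; the others are reported so that the deprecated, pre-release and override counts are visible on every run and can be driven to zero over the migration plan above.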