Only the latest patch release of each supported minor version receives security updates.

Do not open a public GitHub issue for security vulnerabilities.

Instead, please report security concerns privately:

1. Email: Send a detailed report to the maintainers via the contact information listed on the pub.dev package page.
2. GitHub Private Reporting: Use GitHub's private vulnerability reporting feature on this repository (if enabled).

• Description of the vulnerability.
• Steps to reproduce.
• Potential impact assessment.
• Suggested fix (if any).
• Your contact information for follow-up.

davianspace_dependencyinjection is a dependency injection container with the following security properties:

This package does not make any network calls. All operations are in-process.

Service instances are created via registered factories or constructors — no arbitrary deserialization or dynamic code loading occurs.

• DisposalTracker.track() throws a StateError (not just an assert) if called after disposal, ensuring production code fails fast.
• Scoped providers throw StateError on all resolution calls after disposal, preventing use-after-free patterns.

The container detects circular dependencies at both build time (via DependencyGraph) and runtime (via ResolutionChain), preventing infinite recursion that could cause stack overflows.

Service factory lambdas receive a ServiceProviderBase (not the concrete ServiceProvider), limiting the API surface available inside factories to the minimum necessary for resolution.