| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0.0 | ❌ |
If you discover a security vulnerability in this package, please report it privately — do not open a public GitHub issue.
Email: developers@davian.space
Include:
- A clear description of the vulnerability.
- Steps to reproduce (minimal code sample preferred).
- Potential impact and affected versions.
- Any suggested remediation, if applicable.
| Step | Target |
|---|---|
| Acknowledgement | Within 48 hours of report |
| Triage & severity assessment | Within 7 business days |
| Fix developed & tested | Within 30 calendar days |
| Public disclosure | After the fix is published to pub.dev |
We follow coordinated disclosure. A CVE identifier will be requested for confirmed vulnerabilities with significant impact.
This package provides Flutter widget-tree integration for the DavianSpace hosting runtime. Its security surface is limited to:
| Area | Concern |
|---|---|
| `ServiceProviderScope` | Ensures only one provider root exists per widget subtree; misconfiguration throws a `FlutterError` rather than silently returning null. |
| `HostProvider` lifecycle | The host is stopped and disposed on widget removal and on `AppLifecycleState.detached`, preventing resource leaks that could leave open connections or uncleared caches. |
| `BuildContext` extensions | Delegate directly to `ServiceProviderBase`; no additional state is held. |
Security-sensitive behaviour such as service lifetime management, scoped disposal, and configuration secret handling is implemented by the underlying packages:
| Package | Security Role |
|---|---|
| `davianspace_dependencyinjection` | Service registration, scoped lifetimes, disposal |
| `davianspace_hosting` | Host lifecycle, graceful shutdown |
| `davianspace_configuration` | Layered configuration, secret providers |
If the vulnerability relates to one of those packages specifically, please report it against that package instead.
`ServiceProviderScope.of(context)` gives full access to every service registered in the root DI container. Applications should:
- Avoid registering services that contain raw secrets (API keys, tokens) as singletons when those secrets should be short-lived. Use scoped lifetimes or `davianspace_configuration` secret providers instead.
- Avoid exposing the raw `ServiceProvider` to untrusted widgets or isolates.
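The second point above is a least-privilege boundary: a widget that holds the root provider can resolve any registered service, including one that carries a secret. The following is an added example, not code from this package or the davianspace packages. `ServiceProviderBase` is an assumed minimal stand-in (a `getService<T>()` lookup) for the real container, and `TokenStore`, `ApiClient`, `Transport` and `WidgetServices` are hypothetical names. It runs with plain `dart run` and no Flutter dependency.

```dart
// Added example, not code from the davianspace packages. `ServiceProviderBase`
// is an assumed stand-in for the real container API; TokenStore, ApiClient,
// Transport and WidgetServices are hypothetical names.

/// Assumed shape of the root container: anything holding it can resolve
/// every registered service, including ones that carry secrets.
abstract class ServiceProviderBase {
  T getService<T extends Object>();
}

class RootProvider implements ServiceProviderBase {
  final Map<Type, Object> _services = {};
  void register<T extends Object>(T instance) => _services[T] = instance;
  @override
  T getService<T extends Object>() {
    final s = _services[T];
    if (s == null) throw StateError('no service registered for $T');
    return s as T;
  }
}

/// Carries a raw bearer token. Once this is resolvable from the root provider,
/// every widget that reaches the provider can read the secret.
class TokenStore {
  final String token;
  TokenStore(this.token);
}

/// Outgoing-request hook, injected so the example runs offline.
typedef Transport = Future<int> Function(String path, Map<String, String> headers);

/// Least-privilege facade: performs the authorised call itself, so the token
/// never crosses into widget code.
class ApiClient {
  final TokenStore _store;
  final Transport _send;
  ApiClient(this._store, this._send);
  Future<int> get(String path) =>
      _send(path, {'Authorization': 'Bearer ${_store.token}'});
}

/// What a widget subtree should receive instead of the provider: only the
/// capabilities it needs, resolved once at the trust boundary.
class WidgetServices {
  final ApiClient api;
  WidgetServices._(this.api);
  factory WidgetServices.from(ServiceProviderBase root) =>
      WidgetServices._(root.getService<ApiClient>());
}

Future<void> main() async {
  // Constructed transport: records headers and answers 200 without network I/O.
  final seen = <String, String>{};
  Future<int> fakeSend(String path, Map<String, String> headers) async {
    seen.addAll(headers);
    return 200;
  }

  final root = RootProvider()..register(TokenStore('s3cr3t'));
  root.register(ApiClient(root.getService<TokenStore>(), fakeSend));

  // Widget code gets the facade only. It can call the API...
  final services = WidgetServices.from(root);
  print('status: ${await services.api.get('/me')}');
  print('transport saw auth header: ${seen.containsKey('Authorization')}');

  // ...but holds no handle through which TokenStore could be resolved.
  // Contrast: handing `root` to the widget lets it read the secret directly.
  print('leaked via root: ${root.getService<TokenStore>().token}');
}
```

The facade is built once, at the point where trusted bootstrap code hands control to the widget tree; below that point only `WidgetServices` travels, so adding a new secret-bearing registration to the root does not widen what widgets can reach.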
`HostProvider` and `_HostLifecycleObserver` both perform fire-and-forget async disposal in `dispose()`: `dispose()` is synchronous, so the host's shutdown `Future` is started but never awaited. If an exception occurs during shutdown, it is swallowed silently by the Flutter framework (standard `State.dispose` behaviour) and nothing in the application records that cleanup did not complete. Applications with strict audit requirements should register a `HostedService` that performs explicit cleanup logging, so that a failed or partial shutdown leaves a trace.
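The following added example (not code from this package or from davianspace_hosting) shows both halves of the paragraph above: a fire-and-forget shutdown whose failure reaches only the zone's unhandled-error handler, and a `HostedService` decorator that performs explicit cleanup logging so the same failure is recorded. `HostedService` and `FakeHost` are assumed stand-ins for the hosting package's start/stop contract so the example runs with plain `dart run`; the real interfaces may differ.

```dart
import 'dart:async';

// Added example, not code from the davianspace packages. `HostedService` and
// `FakeHost` are assumed stand-ins for the hosting package's lifecycle
// contract; the real interfaces may differ.

abstract class HostedService {
  Future<void> start();
  Future<void> stop();
}

/// Constructed host: starts services in registration order, stops in reverse.
class FakeHost {
  final List<HostedService> services;
  FakeHost(this.services);
  Future<void> start() async {
    for (final s in services) {
      await s.start();
    }
  }
  Future<void> stop() async {
    for (final s in services.reversed) {
      await s.stop();
    }
  }
}

/// Stands in for a connection that refuses to close during shutdown.
class FlakyConnection implements HostedService {
  @override
  Future<void> start() async {}
  @override
  Future<void> stop() => Future<void>.error(StateError('close() timed out'));
}

/// Decorator that performs explicit cleanup logging around another service.
/// It records success or failure and rethrows, so the host still sees the error.
class AuditedService implements HostedService {
  final HostedService inner;
  final String name;
  final List<String> log;
  AuditedService(this.inner, this.name, this.log);

  @override
  Future<void> start() => inner.start();

  @override
  Future<void> stop() async {
    log.add('stop $name: begin');
    try {
      await inner.stop();
      log.add('stop $name: ok');
    } catch (e) {
      log.add('stop $name: FAILED ($e)');
      rethrow;
    }
  }
}

/// Mirrors fire-and-forget disposal: the caller is synchronous, so the stop()
/// Future is never awaited and a failure is not reported to the caller.
void disposeFireAndForget(FakeHost host) {
  unawaited(host.stop());
}

/// Same fire-and-forget shape, but the overall outcome is captured explicitly.
void disposeWithOutcome(FakeHost host, List<String> log) {
  unawaited(host.stop().then<void>(
    (_) => log.add('host shutdown: ok'),
    onError: (Object e, StackTrace _) => log.add('host shutdown: FAILED ($e)'),
  ));
}

Future<void> main() async {
  // 1) Naive disposal: the application log stays empty; the exception is
  //    visible only to the zone's unhandled-error handler (or not at all).
  final zoneErrors = <String>[];
  final naiveHost = FakeHost([FlakyConnection()]);
  await naiveHost.start();
  await runZonedGuarded(() async {
    disposeFireAndForget(naiveHost);
    await Future<void>.delayed(Duration.zero); // let the shutdown chain run
  }, (e, _) => zoneErrors.add(e.toString()));
  print('naive: zoneErrors=$zoneErrors');

  // 2) Audited disposal: the failure is recorded where an auditor will see it.
  final log = <String>[];
  final auditedHost = FakeHost([AuditedService(FlakyConnection(), 'db', log)]);
  await auditedHost.start();
  disposeWithOutcome(auditedHost, log);
  await Future<void>.delayed(Duration.zero);
  print('audited: log=$log');
}
```

Registering the audit decorator around every service (or one audit service registered first, so it stops last and its absence from the log marks an aborted shutdown) gives the record that `dispose()` itself cannot provide.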
This package depends exclusively on:
- First-party `davianspace_*` packages maintained by DavianSpace.
- The Flutter SDK (`flutter/widgets.dart`, `flutter/material.dart`).
- `flutter_lints` (dev-only, no runtime impact).
No third-party runtime dependencies are used.
Email: developers@davian.space