This comment was originally written by Erik.Gri...@gmail.com

Taking this a step further, as a package maintainer I'd like to use the same mechanism to notify consumers of my package that a critical issue exists.

This comment was originally written by @butlermatt

While I like the idea, I'd prefer if it was an on demand feature rather than pushed at me. If I'm finishing up a project with a specific dependency version I might want a notice of a security update but I don't want to be constantly nagged that foo now has feature x and y.

Removed Type-Defect label.
Added Type-Enhancement, Area-Pub, Triaged labels.

I don't think we're likely to do this in pub itself. It would be nice to add RSS feeds to the package page so people can subscribe to pull notifications of new versions, though.

Removed Area-Pub label.
Added Area-PubSite label.

I like the idea of RSS feeds for package pages.

Email notification could be cool, but my hunch is that it's a bit out of scope for what we're focused on on the core pub.dartlang.org site. That seems like something that could be handled by a different system. It would add a lot of complexity because we'd need things like real user accounts and stuff to track who gets notified for what.

I do think it would be nice to surface this information in pub too. I'm not sure if pub should do it proactively. My belief is that for most apps not upgrading is a perfectly fine thing to do. Once the entire ecosystem is a little more stable, I think most apps will be in "if it ain't broke, don't fix it" mode.

But it would be nice if you could ask pub to tell you which things could be upgraded. The easiest way I can think to do this is to just add "--dry-run" to pub upgrade. It will run a solve and tell you the versions it would have picked, but not actually touch your lock file.

Filed a more specific bug for that: https://code.google.com/p/dart/issues/detail?id=15243

This comment was originally written by Erik.G...@gmail.com

• RSS feeds for package pages would be awesome.
• I'm mostly interested in surfacing and monitoring vulnerabilities in packages and when their fixes land. Putting my security hat on, I assume an app is broken from the moment a vulnerability is found in one of its dependencies until proven otherwise. I have to fix it or at least prove it's not an issue for that app. The more applications and dependencies you have, the more you need to monitor and the larger the issue becomes. I'm not sure if this is a problem for pub per se, but it's one that's on my mind and seems to fit into building a great package ecosystem for dart.
• pub --dry-run would be a great addition

This comment was originally written by @butlermatt

Possible dup of Issue #6401 ?

This issue has been moved to Github as part of a migration. Please use the Issue on Github going forward: https://github.com/dart-lang/pub-dartlang/issues

Added MovedToGithub label.

This issue has been moved to dart-archive/pub-dartlang#336.