How to Use Pub Repositories in Artifactory
By
9 min read
If you’re one of the growing number of client app developers embracing the Dart programming language and Flutter and AngularDart toolkits, we’ve got some exciting news for you!
JFrog can now welcome Dart developers to the empowerment of Artifactory’s robust binaries management and the ways that it contributes to continuous integration. We’ve added Pub, the package manager for Dart, to the long list of package types Artifactory supports for both local, remote, and virtual repositories.
As the variety of mobile and web platforms grows, more and more client app developers have embraced Dart, Flutter, and AngularDart as a more optimized and versatile alternative to JavaScript for platform-independent coding.
What has Dart got that GitHub ranked it #1 as the fastest growing language in 2019, after a year’s 532% usage increase? And how can you use Pub repositories in Artifactory to accelerate your software development lifecycle?
Why Dart and Pub?
Developed by Google, the Dart programming language is an alternative to JavaScript that is optimized for client development such as web and mobile apps. It’s the basis of the open source Flutter toolkit and framework for UI, as well as Angular, which enable developing applications for a variety of platforms (such as Android, iOs, Linux, and Windows) from a single codebase.
The public Pub repository is the official package repository for Flutter, Angular, and many other open source packages written for Dart.
Dart has been gaining greater adoption by developers, and rose into the top 10 ranking in Stack Overflow’s 2021 developer survey of most loved technologies. GitHub has ranked it as one of the 10 high-demand languages for 2022. Flutter has grown significantly since its introduction, with a notable contributor increase in 2021.
With its standards governed by ECMA International, Dart offers these benefits for client-based applications:
- Native or web: Dart code can be compiled for the runtime target, or converted to JavaScript that can be run in any of the major browsers.
- Fast startup: Dart programs compiled into snapshot files that contain pre-parsed code and dependencies that are ready to execute.
- Concurrency: Dart apps run in one or more isolates, where tasks run in independent environments with their own memory.
When combined with Flutter and/or Angular, Dart enables developers to quickly and reliably produce UI-based apps that can operate across many mobile and web-based platforms.
Remote Pub Repositories
As a Dart developer, you’ll rely on the growing pub.dev package repository for Flutter, Angular, and many other core services.
To help assure uninterrupted speed and consistency of your Dart builds and Flutter or Angular apps across teams, use an Artifactory remote repository to proxy pub.dev.
A remote repository in Artifactory serves as a read-only caching proxy for a repository or registry managed at a remote URL. There will be no difference between the contents of the remote repo and the native source.
When you put this best DevOps practice to work, you and your team gain:
- Locality for speed — The proxy pulls and keeps the packages you use frequently into the compute environment where your builds happen, whether in the cloud or on-prem, minimizing network latency and bypassing throttling limits.
- Connection protection — Your pub.dev proxy remains available even when the pub.dev server isn’t due to a poor or interrupted connection, or if the remote server itself suffers an outage.
- Immutability enforcement — Once a package version is in the proxy, it’s unchanging and the same in every build that uses it. This guards against anything sneaking into your builds through an improper forced push into or malicious supply chain attack on the public repo.
It’s easy to set up a remote repository proxy for pub.dev:
- Create a new Pub remote repository in Artifactory
- Name the remote repository and assign the URL for pub.dev
- For Dart to access your repository from your workstation, you will need to generate an access token to authenticate your Artifactory user account.Use “Set Me Up” in the Artifact Browser to obtain the correct URL for your remote Pub repository, and follow the instructions to add your access token to the pub tool (using the
dart pub token addcommand), and redirect resolution of hosted dependencies to the Artifactory remote repo through the Pub environment variable.$ dart pub token add https://JFROG_PLATFORM_URL/artifactory/api/pub/pub_remote Enter secret token: <Type token on stdin> Requests to "https://JFROG_PLATFORM_URL/artifactory/api/pub/pub_remote" will now be authenticated using the secret token. $ export PUB_HOSTED_URL="https://JFROG_PLATFORM_URL/artifactory/api/pub/pub_remote"
Following this successful setup, all of your Dart dependencies will be resolved from your proxy in Artifactory instead of directly from pub.dev. (See the section below on virtual repositories for an alternative configuration.)
Local Pub Repositories
For the private Dart packages that you will create and share only within your team or department, you should maintain local Pub repositories in Artifactory. You can create as many as you need, and specify their URLs in your pubspec file for your dependencies.
For example, a team working on “Project X” might set up and use a local Pub repo:
- Create the local Pub repository in Artifactory named “pub-local-projectx”
- Use the
dart pub token addcommand to add your Artifactory access token to the pub tool.$ dart pub token add https://JFROG_PLATFORM_URL/artifactory/api/pub/pub-local-projectx Enter secret token: <Type token on stdin> Requests to "https://JFROG_PLATFORM_URL/artifactory/api/pub/pub-local-projectx" will now be authenticated using the secret token. - In the
pubspec.yamlfile of your private package, use thepublish_toproperty to specify the private repo in Artifactory. Then run thedart pub publishcommand to publish your Dart package to Artifactory.name: bandersnatch version: 1.0.0 # Ensures the package is published to Artifactory publish_to: https://JFROG_PLATFORM_URL/artifactory/api/pub/pub_local_projectx - To use the package that is now in the Artifactory private repo as a dependency in your Project X application source code, use the
hostedkeyword where you specify the dependency source in the application’spubspec.yamlfile.environment: sdk: >=2.15.0 < 3.0.0 dependencies: bandersnatch: hosted: https://JFROG_PLATFORM_URL/artifactory/api/pub/pub_local_projectx version: ^1.0.0
The
publish_to and hosted properties are not required if you are publishing to a virtual repository that is used as your PUB_HOSTED_URL. See below for more info.Virtual Pub Repositories
With Artifactory, you can combine any set of local and/or remote repositories into a virtual repository that acts as a single, logical repository that can be accessed through a common URL.
For example, you can maintain separate repositories for Project X, Project Y, and Project Z, but create a virtual repository that can conveniently access all three repos through a single, secure URL. You can also balance convenience with security by creating a virtual repo that includes Projects X and Y, another virtual repo that includes Projects X and Z, and use Artifactory’s fine-grained permissions to control who can access them and how.
You can also combine into a virtual repo any or all of your private Pub repositories with your remote repository for pub.dev, to create a single-access URL for all hosted dependencies. In this case, you would set the PUB_HOSTED_URL environment variable to the virtual Pub repo’s URL to make it the default for resolving Dart dependencies.
Since the virtual repo is a distinct URL, you will also need to add your Artifactory access token to the pub tool using dart pub token add for that URL.
For example, to use a pub_virtual virtual repository that combines your pub_local_projectx and pub_remote repositories to resolve all hosted dependencies:
$ dart pub token add https://JFROG_PLATFORM_URL/artifactory/api/pub/pub_virtual
Enter secret token: <Type token on stdin>
Requests to "https://JFROG_PLATFORM_URL/artifactory/api/pub/pub_virtual" will now be
authenticated using the secret token.
# List the credentials for all our repos
$ dart pub token list
You have secret tokens for 3 package repositories:
https://JFROG_PLATFORM_URL/artifactory/api/pub/pub_local_projectx
https://JFROG_PLATFORM_URL/artifactory/api/pub/pub_remote
https://JFROG_PLATFORM_URL/artifactory/api/pub/pub_virtual
# Resolve all dependencies to the Pub virtual repo
$ export PUB_HOSTED_URL="https://JFROG_PLATFORM_URL/artifactory/api/pub/pub_virtual"
If all dependencies will be resolved from the virtual repo, then only the access token for
pub_virtual_repo is needed. However, registering the credential for the local and remote repos as well will enable you to declare a dependency must be drawn from a specific Artifactory repo using the hosted property, if that is required by your application. Even though they will all use the same Artifactory user token, it must be added for each repo’s URL.Conclusion
With strategic use of remote, local, and virtual repositories for Pub in Artifactory by Dart developers, you’ll be putting to work some of the most important best practices for your SDLC to enable DevOps success. You can ensure consistency across all your Dart developer teams for dependencies and packages, with native Pub, Flutter, and AngularDart support that doesn’t get in their way. And you can also govern access across teams with Artifactory’s fine-grained permissions system.
Try Artifactory’s Pub repositories for yourself and see! You can start putting these methods into practice with a free JFrog cloud account!
