A library for analyzing Dart packages. It invokes executables from the Dart SDK (or from the Flutter SDK if the package uses Flutter).
- Checks for outdated dependencies (calls
pub upgradeorflutter pub upgrade). - Validates the code using Dart Analyzer.
- Checks code formatting (
dartfmtorflutter format). - Infers supported platforms: Flutter, web, and/or other (e.g console/server).
- Creates suggestions to improve the package.
Used by the Dart Package site.
> pub global activate panaYou can specify either a package (+ version) or a local directory to analyze:
Usage: pana [<options>] <published package name> [<version>]
pana [<options>] --source path <local directory>
Options:
--flutter-sdk The directory of the Flutter SDK.
-j, --json Output log items as JSON.
-s, --source The source where the package is located (hosted on https://pub.dev, or local directory path).
[hosted (default), path]
--hosted-url The server that hosts <package>.
(defaults to "https://pub.dev")
-l, --line-length The line length to use with dartfmt.
--verbosity Configure the details in the output.
[compact, normal (default), verbose]
--[no-]scores Include scores in the output JSON.
--[no-]warning Shows the warning message before potentially destructive operation.
(defaults to on)
A package gets 0.0 if any major analyzer process fails (e.g. pub upgrade,
dartanalyzer or dartfmt).
Otherwise the score starts with 1.0, and
- analyzer errors reduce it by 25%
- analyzer warnings reduce it by 5%
- analyzer hints reduce it by 0.5%
- platform conflicts reduce it by 0.25 points (absolute reduction)
health = 0.75^errors * 0.95^warnings * 0.995^hints - 0.25*conflicts
Pub site transforms this score into the [0 - 100] range.
A package starts with 100 points, and the following detected issues have point reductions:
- unable to parse
pubspec.yamlwith strict parsing (100 points) - uses
strong-mode: falseinanalysis_options.yaml(-50 points) - SDK constraint is missing from
pubspec.yaml(-50 points) - using
gitdependencies (-100 points, -50 if using commit hashes) - unable to parse markdown content (-50 points)
readme.mdmissing (-30 points)changelog.mdmissing (-20 points)- has platform conflicts (-20 points)
- has unconstrained dependencies (-20 points)
- does not allow latest stable SDK (-20 points)
descriptionis too short (<60 characters) (-20 points)descriptioncontains too many non-ASCII characters (-20 points)homepagepoints to non-existent URL (-20 points)homepageis not helpful (e.g. pointing tohttp://localhost/) (-10 points)homepageis insecure (not usinghttps) (-5 points)documentationpoints to non-existent URL (-10 points)documentationis not helpful (e.g. pointing tohttp://localhost/) (-10 points)documentationis insecure (not usinghttps) (-5 points)repositorypoints to non-existent URL (-10 points)repositoryis not helpful (e.g. pointing tohttp://localhost/) (-10 points)repositoryis insecure (not usinghttps) (-5 points)issue_trackerpoints to non-existent URL (-10 points)issue_trackeris not helpful (e.g. pointing tohttp://localhost/) (-10 points)issue_trackeris insecure (not usinghttps) (-5 points)descriptionis too long (>180 characters) (-10 points)- does not support the latest version of its direct dependencies (-10 points)
- package has no example file (-10 points)
- uses old
.analysis_optionsfile (-10 points) - uses pre-v0.1 release versioning (
0.0.*) (-10 points) - uses pre-release versioning (
*.*.*-beta2) (-5 points) - image links in markdown content are insecure (not using
https) (-2 points per link) - image links in markdown content are broken (unable to parse) (-1 point per link)
changelog.md,readme.mdor example content is too large (-1 point per every 1kb above 128kb).pubspec.yamltoo large (-1 point per every 1kb above 32kb).
On top of that, pub site applies an age restriction:
- outdated packages (age older than two years) are reduced to 0
- old packages (age between 1 and 2 years) get linear reduction (1.5 years old get 50% reduction)