pin third party dependencies in the engine repo

[godofredoc]

For security purposes it is recommended to always pin third party dependencies and also have a dependency update service that validates the pinned dependencies are kept up to date.

Engine has different types of dependencies:

• Git repository dependencies, source that is checked out and integrated at runtime.
• Packages dependencies, binary dependencies downloaded using ad-hoc scripts.
• CIPD dependencies, binary dependencies using the cipd packages services.

We need to pin all these dependencies and also implement a service to keep them up to date.

[zanderso]

Additionally, pins of git repos should use hashes rather than tags, since tags can be shifted around.

As for using a service to keep them up-to-date, that could be difficult since the engine already has a many-to-many relationship between autorollers and dependencies.

[zanderso]

https://dart-review.googlesource.com/c/sdk/+/236040

[godofredoc]

@sealesj this is related to the work you are doing with vulnerability scanning

[ricardoamador]

@godofredoc @sealesj is this done? Feel free to close if this has been completed.

[sealesj]

Yes, I'll close since it has been completed

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. If you are still experiencing a similar issue, please open a new bug, including the output of flutter doctor -v and a minimal reproduction of the issue.