Forbid git dependencies for new packages.

See: dart-lang/sdk#36765

pkg/pub_package_reader/lib/pub_package_reader.dart

@@ -156,6 +156,7 @@ Future<PackageSummary> summarizePackageArchive(String archivePath) async {
   issues.addAll(validatePackageName(pubspec.name));
   issues.addAll(syntaxCheckHomepageUrl(
       pubspec.homepage ?? pubspec.repository?.toString()));
+  issues.addAll(forbidGitDependencies(pubspec));
 
   return PackageSummary(
     issues: issues,
@@ -227,3 +228,41 @@ Iterable<ArchiveIssue> syntaxCheckHomepageUrl(String url) sync* {
     yield ArchiveIssue('Homepage URL has no valid host: $url');
   }
 }
+
+/// Validate that the package does not have any git dependencies.
+///
+/// This also enforces that `dependencies` are hosted on the default pub server.
+/// It ignores `dev_dependencies` as these are for development only.
+Iterable<ArchiveIssue> forbidGitDependencies(Pubspec pubspec) sync* {
+  for (final entry in pubspec.dependencies.entries) {
+    final name = entry.key;
+
+    if (entry.value is GitDependency) {
+      yield ArchiveIssue(
+        'Package dependency $name is a git dependency, '
+        'this not allowed in published packages',
+      );
+      continue;
+    }
+    if (entry.value is! HostedDependency) {
+      yield ArchiveIssue('Package dependency $name is not hosted on pub.dev');
+      continue;
+    }
+
+    final dep = entry.value as HostedDependency;
+    if (dep.hosted == null) {
+      continue;
+    }
+    if (dep.hosted.url != null) {
+      yield ArchiveIssue(
+        'Package dependency $name must be hosted on the default pub '
+        'repository, and cannot have an explicit "url" specified',
+      );
+    }
+    if (dep.hosted.name != name) {
+      yield ArchiveIssue(
+        'Package dependency $name depends on a package with a different name',
+      );
+    }
+  }
+}

pkg/pub_package_reader/test/package_archive_test.dart

@@ -3,6 +3,7 @@
 // BSD-style license that can be found in the LICENSE file.
 
 import 'package:test/test.dart';
+import 'package:pubspec_parse/pubspec_parse.dart';
 
 import 'package:pub_package_reader/pub_package_reader.dart';
 
@@ -60,4 +61,66 @@ void main() {
       expect(syntaxCheckHomepageUrl('http://.../x/'), isNotEmpty);
     });
   });
+
+  group('forbid git dependencies', () {
+    test('normal dependencies are fine', () {
+      final pubspec = Pubspec.parse('''
+      name: hack
+      version: 1.0.1
+      dependencies:
+        test: ^1.0.0
+      ''');
+      expect(forbidGitDependencies(pubspec).toList(), isEmpty);
+    });
+
+    test('git dependencies are forbidden', () {
+      final pubspec = Pubspec.parse('''
+      name: hack
+      version: 1.0.1
+      dependencies:
+        kittens:
+          git: git://github.com/munificent/kittens.git
+      ''');
+      expect(forbidGitDependencies(pubspec).toList(), isNotEmpty);
+    });
+
+    test('custom hosted dependencies are forbidden', () {
+      final pubspec = Pubspec.parse('''
+      name: hack
+      version: 1.0.1
+      dependencies:
+        kittens:
+          hosted:
+            name: kittens
+            url: 'https://not-the-right-pub.dev'
+          version: ^1.0.0
+      ''');
+      expect(forbidGitDependencies(pubspec).toList(), isNotEmpty);
+    });
+
+    test('renaming hosted dependencies is forbidden', () {
+      final pubspec = Pubspec.parse('''
+      name: hack
+      version: 1.0.1
+      dependencies:
+        kittens:
+          hosted:
+            name: cats
+            url: 'https://not-the-right-pub.dev'
+          version: ^1.0.0
+      ''');
+      expect(forbidGitDependencies(pubspec).toList(), isNotEmpty);
+    });
+
+    test('git dev_dependencies are fine', () {
+      final pubspec = Pubspec.parse('''
+      name: hack
+      version: 1.0.1
+      dev_dependencies:
+        kittens:
+          git: git://github.com/munificent/kittens.git
+      ''');
+      expect(forbidGitDependencies(pubspec).toList(), isEmpty);
+    });
+  });
 }