Problem
flagsmith ^6.1.0 depends on encrypt ^5.0.3, which pins pointycastle ^3.7.3. This blocks any downstream app that depends on pointycastle ^4.0.0:
flagsmith ^6.1.0 -> encrypt ^5.0.3 -> pointycastle ^3.7.3
my app -> pointycastle ^4.0.0 ❌ version solving fails
Why it can't be fixed by bumping encrypt
The leocavalcante/encrypt repository is archived (read-only, no further releases). PR encrypt#343, which would have widened the pointycastle constraint, has been open and unreviewed since February 2025 and can no longer be merged. encrypt 5.0.4 is the final release, and it will permanently pin pointycastle ^3.7.3.
This means anyone consuming flagsmith is permanently locked out of pointycastle 4.x.
Proposal
Drop the encrypt dependency. encrypt is used in exactly one place — lib/src/core/tools/security.dart — and only as a thin wrapper around PointyCastle's Salsa20Engine. We can call PointyCastle directly:
- Remove encrypt: ^5.0.3 from pubspec.yaml
- Add pointycastle: ^4.0.0 (also works with ^3.7.3 — the API used here is stable across both)
- Rewrite StorageSecurity to use pointycastle/stream/salsa20.dart directly. Same algorithm, same key/IV handling, same on-disk encoding — fully backwards-compatible with existing encrypted storage.
Net diff: -1 dependency, +1 dependency (already transitively present), one file rewritten.
Happy to open the PR.
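A sketch of what calling PointyCastle's Salsa20Engine without the encrypt wrapper can look like, as an added example that is not part of the original issue and is not Flagsmith's StorageSecurity code. The class name Salsa20Box, the base64 output encoding, and the key and IV values are assumptions for illustration; the project's real key/IV derivation and on-disk encoding must be taken from lib/src/core/tools/security.dart.

```dart
import 'dart:convert';
import 'dart:typed_data';

import 'package:pointycastle/api.dart';
import 'package:pointycastle/stream/salsa20.dart';

/// Hypothetical helper (not from the flagsmith code base):
/// Salsa20 over UTF-8 text, base64 as the storage encoding (assumed).
class Salsa20Box {
  Salsa20Box(this.key, this.iv) {
    if (key.length != 16 && key.length != 32) {
      throw ArgumentError('Salsa20 key must be 16 or 32 bytes');
    }
    if (iv.length != 8) {
      throw ArgumentError('Salsa20 IV must be 8 bytes');
    }
  }

  final Uint8List key;
  final Uint8List iv;

  // A fresh engine per call so keystream position never carries over.
  Uint8List _run(bool forEncryption, Uint8List input) {
    final engine = Salsa20Engine()
      ..init(forEncryption,
          ParametersWithIV<KeyParameter>(KeyParameter(key), iv));
    return engine.process(input);
  }

  String encrypt(String plain) =>
      base64.encode(_run(true, Uint8List.fromList(utf8.encode(plain))));

  String decrypt(String stored) =>
      utf8.decode(_run(false, base64.decode(stored)));
}

void main() {
  // Constructed sample key and IV, for demonstration only.
  final key = Uint8List.fromList(List<int>.generate(32, (i) => i));
  final iv = Uint8List.fromList(List<int>.generate(8, (i) => 0xA0 + i));
  final box = Salsa20Box(key, iv);

  final stored = box.encrypt('{"feature":"enabled"}');
  // Round trip must return the original text.
  print(box.decrypt(stored) == '{"feature":"enabled"}');
  // Salsa20 is unauthenticated: the same key and IV always give the same
  // keystream, so identical plaintexts produce identical stored values.
  print(box.encrypt('{"feature":"enabled"}') == stored);
}
```

When validating a migration like this, decrypting a value written by the old encrypt-based code with the new code path is the check that confirms the stored format is unchanged.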