Pin SQLitePCLRaw.lib.e_sqlite3 to fix GHSA-2m69-gcr7-jv3q #116
Merged
Conversation
Microsoft.Data.Sqlite transitively pulls SQLitePCLRaw.lib.e_sqlite3 2.1.11, which carries a known high-severity SQLite vulnerability (GHSA-2m69-gcr7-jv3q) and fails the build under NU1903. Pin the native package to 3.50.3 (bundle dependency range is open-ended [2.1.11, ), so no downgrade/conflict warnings) and add a direct versionless PackageReference in SharpDicom.csproj to apply the pin to the transitive dependency, matching the existing SharpCompress/Snappier pinning pattern in SharpDicom.MongoDB.
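As an added illustration of the two-file Central Package Management (CPM) change the description above refers to, and not the PR's actual diff, the fragments below show the pin and the direct reference side by side. File names come from the description; the relative path of the project file, the `ManagePackageVersionsCentrally` property and the comments are assumptions:

```xml
<!-- Directory.Packages.props (repository root, assumed location) -->
<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <!-- Alternative to a per-project versionless PackageReference: with this
         property NuGet applies every PackageVersion entry to transitive packages
         as well. Assumed NOT enabled in this repo, which is why the direct
         reference in the project file below is needed. -->
    <!-- <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled> -->
  </PropertyGroup>
  <ItemGroup>
    <!-- Other PackageVersion entries of the repo omitted; only this pin is from the PR. -->
    <!-- 3.50.3 lies inside the bundle's open-ended range [2.1.11, ), so restore
         raises neither NU1605 (downgrade) nor NU1608 (outside dependency constraint). -->
    <PackageVersion Include="SQLitePCLRaw.lib.e_sqlite3" Version="3.50.3" />
  </ItemGroup>
</Project>

<!-- SharpDicom.csproj (the project that references Microsoft.Data.Sqlite) -->
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <!-- Existing reference; it transitively pulls SQLitePCLRaw.lib.e_sqlite3 2.1.11. -->
    <PackageReference Include="Microsoft.Data.Sqlite" />
    <!-- Without this line the PackageVersion above is never consulted for the
         transitive package, restore still resolves 2.1.11 and NU1903 fires.
         Under CPM the Version attribute must stay off this element; adding one
         here produces NU1008 instead. -->
    <PackageReference Include="SQLitePCLRaw.lib.e_sqlite3" />
  </ItemGroup>
</Project>
```

To confirm the pin took effect, run `dotnet restore` (it should finish without NU1903) and then `dotnet list package --vulnerable --include-transitive`, which reports the resolved transitive versions together with any advisories still attached to them; the resolved version of SQLitePCLRaw.lib.e_sqlite3 should read 3.50.3.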
Codecov Report

✅ All modified and coverable lines are covered by tests.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #116   +/-   ##
==========================================
- Coverage   65.65%   65.64%   -0.01%
==========================================
  Files         337      337
  Lines       30420    30420
  Branches     5710     5710
==========================================
- Hits        19971    19970       -1
- Misses       9031     9033       +2
+ Partials     1418     1417       -1

Flags with carried forward coverage won't be shown.
Summary

Microsoft.Data.Sqlite transitively pulls in SQLitePCLRaw.lib.e_sqlite3 2.1.11, which carries a known high-severity SQLite vulnerability (GHSA-2m69-gcr7-jv3q). With TreatWarningsAsErrors, this fails CI via NU1903.

Fix

- Pin SQLitePCLRaw.lib.e_sqlite3 to 3.50.3 (first non-vulnerable native build) in Directory.Packages.props.
- Add a direct versionless PackageReference in SharpDicom.csproj so the CPM pin actually applies to the transitive dependency — matching the existing SharpCompress/Snappier pinning pattern in SharpDicom.MongoDB.

Notes

- The bundle's dependency range is open-ended [2.1.11, ), so the bump introduces no NU1605/NU1608 downgrade or conflict warnings.
- dotnet restore is clean with no NU1903.

Summary by cubic

Pins the native SQLite package to a safe version to address GHSA-2m69-gcr7-jv3q and fix CI failures from NU1903. Ensures the pin applies to the transitive dependency pulled by Microsoft.Data.Sqlite.

- Pin SQLitePCLRaw.lib.e_sqlite3 to 3.50.3 in Directory.Packages.props.
- Add a direct PackageReference to SQLitePCLRaw.lib.e_sqlite3 in SharpDicom.csproj so the pin applies to the transitive dep from Microsoft.Data.Sqlite.

Written for commit 388c7b8. Summary will update on new commits.