From ab405349868af5f043f660597ae17fdd4bb7a474 Mon Sep 17 00:00:00 2001
From: Joseph Doherty <dohejw01@gmail.com>
Date: Fri, 19 Jun 2026 04:52:42 -0400
Subject: [PATCH] build(deps): targeted NuGetAuditSuppress for SQLitePCLRaw
 advisory GHSA-2m69-gcr7-jv3q (#292)

The high-sev advisory is on transitive native SQLitePCLRaw.lib.e_sqlite3 2.1.11
(via Microsoft.Data.Sqlite/EFCore.Sqlite). Microsoft.Data.Sqlite.Core 10.0.9 (latest
10.0.x) still references SQLitePCLRaw.core 2.1.11, so a supported-line bump doesn't clear
it; the only patched lib is the SQLitePCLRaw 3.x line, which is an unsupported/risky forced
override under a Data.Sqlite built for 2.1.x. Suppress ONLY this advisory (auditing stays on
for everything else) so the full solution AND the docker in-container restore build cleanly
without the blanket /p:NuGetAudit=false. No version/code change; runtime byte-identical.
Revisit when MS ships a 10.0.x referencing a patched bundle.
---
 Directory.Packages.props | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/Directory.Packages.props b/Directory.Packages.props
index fba48c18..b7e8dd73 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -88,4 +88,27 @@
     <PackageVersion Include="ZB.MOM.WW.Theme" Version="0.3.1" />
   </ItemGroup>
 
+  <!--
+    Targeted NuGet audit suppression (NOT a blanket NuGetAudit=false).
+
+    GHSA-2m69-gcr7-jv3q (NU1903, high) is on the NATIVE library SQLitePCLRaw.lib.e_sqlite3
+    2.1.11, pulled in TRANSITIVELY by Microsoft.Data.Sqlite / EntityFrameworkCore.Sqlite.
+    The current MS-supported package line still references it: Microsoft.Data.Sqlite.Core
+    10.0.9 (latest 10.0.x as of 2026-06) declares `SQLitePCLRaw.core 2.1.11`, so a version
+    bump within the supported line does NOT clear it. The only patched native lib is the
+    SQLitePCLRaw 3.x line — force-overriding the whole SQLitePCLRaw family to 3.x under a
+    Microsoft.Data.Sqlite built and pinned for 2.1.x is unsupported and runtime-risky for the
+    entire site-local SQLite layer (S&F buffer, operation tracking, native-alarm state).
+
+    Risk assessment: SQLite here is internal, local-only storage on site nodes (+ tests); it is
+    not an externally-reachable SQL surface for untrusted input, so practical exposure is low.
+    Suppressing ONLY this advisory (auditing stays ON for everything else) lets the full
+    solution AND the docker in-container restore build cleanly without the blanket
+    `/p:NuGetAudit=false` workaround. REVISIT and remove this suppression once Microsoft.Data.Sqlite
+    ships a 10.0.x that references a patched (3.x) SQLitePCLRaw bundle.
+  -->
+  <ItemGroup>
+    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-2m69-gcr7-jv3q" />
+  </ItemGroup>
+
 </Project>