fix(deps): clear CVE-2025-6965 — pin SQLitePCLRaw bundle to 2.1.12, drop audit suppression
The patched native SQLite bundle shipped: SQLitePCLRaw.bundle_e_sqlite3 2.1.12 is the first version outside the CVE-2025-6965 / GHSA-2m69-gcr7-jv3q vulnerable range (<= 2.1.11), embedding the SQLite 3.50.2+ fix. - Bump Microsoft.Data.Sqlite 9.0.0 -> 10.0.7 (aligns with the EF Core 10.0.7 family). This alone still pulls the native bundle 2.1.11, so: - Add a surgical direct pin of SQLitePCLRaw.bundle_e_sqlite3 2.1.12 in Core.AlarmHistorian (the sole consumer), overriding the transitive 2.1.11 without enabling CentralPackageTransitivePinningEnabled (which breaks the Roslyn 5.0/4.12 split). - Remove the temporary NuGetAuditSuppress from Directory.Build.props. Verified: dotnet restore/build clean with audit active (no GHSA-2m69), every in-solution project resolves lib.e_sqlite3 2.1.12, AlarmHistorian tests 29/29 green against the real native bundle. Closes #458
This commit is contained in:
@@ -51,7 +51,7 @@
|
||||
<PackageVersion Include="Microsoft.CodeAnalysis.CSharp.Scripting" Version="4.12.0" />
|
||||
<PackageVersion Include="Microsoft.CodeAnalysis.CSharp.Workspaces" Version="5.0.0" />
|
||||
<PackageVersion Include="Microsoft.Data.SqlClient" Version="6.1.1" />
|
||||
<PackageVersion Include="Microsoft.Data.Sqlite" Version="9.0.0" />
|
||||
<PackageVersion Include="Microsoft.Data.Sqlite" Version="10.0.7" />
|
||||
<PackageVersion Include="Microsoft.EntityFrameworkCore" Version="10.0.7" />
|
||||
<PackageVersion Include="Microsoft.EntityFrameworkCore.Design" Version="10.0.7" />
|
||||
<PackageVersion Include="Microsoft.EntityFrameworkCore.InMemory" Version="10.0.7" />
|
||||
@@ -95,6 +95,14 @@
|
||||
<PackageVersion Include="Serilog.Sinks.Console" Version="6.0.0" />
|
||||
<PackageVersion Include="Serilog.Sinks.File" Version="7.0.0" />
|
||||
<PackageVersion Include="Shouldly" Version="4.3.0" />
|
||||
<!--
|
||||
Surgical transitive pin: Microsoft.Data.Sqlite pulls SQLitePCLRaw.bundle_e_sqlite3 2.1.11
|
||||
(native lib.e_sqlite3 2.1.11 — the top of the CVE-2025-6965 / GHSA-2m69-gcr7-jv3q vulnerable
|
||||
range, <= 2.1.11). 2.1.12 is the first fixed native bundle (embeds the SQLite 3.50.2+ patch).
|
||||
A direct PackageReference in Core.AlarmHistorian promotes this to the resolved version,
|
||||
clearing the advisory without CentralPackageTransitivePinningEnabled (which breaks the Roslyn split).
|
||||
-->
|
||||
<PackageVersion Include="SQLitePCLRaw.bundle_e_sqlite3" Version="2.1.12" />
|
||||
<PackageVersion Include="System.CommandLine" Version="2.0.5" />
|
||||
<PackageVersion Include="System.Data.SqlClient" Version="4.9.0" />
|
||||
<PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="8.11.0" />
|
||||
|
||||
Reference in New Issue
Block a user