Remove NuGetAuditSuppress for CVE-2025-6965 once a patched SQLitePCLRaw bundle ships #458

Closed
opened 2026-07-15 08:01:43 -04:00 by dohertj2 · 0 comments
Owner

Status: upstream-gated cleanup. Directory.Build.props carries a temporary <NuGetAuditSuppress> for CVE-2025-6965 / GHSA-2m69-gcr7-jv3q — the transitive native SQLitePCLRaw.lib.e_sqlite3 bundle, which has no upstream fix yet. Restore/build not flagging it is expected while the suppression is in place.

Acceptance:

  • When a patched SQLitePCLRaw bundle ships, bump the dependency and remove the <NuGetAuditSuppress> entry from Directory.Build.props.
  • Verify dotnet restore/build is clean without the suppression (audit no longer flags GHSA-2m69-gcr7-jv3q).
**Status:** upstream-gated cleanup. `Directory.Build.props` carries a temporary `<NuGetAuditSuppress>` for **CVE-2025-6965 / GHSA-2m69-gcr7-jv3q** — the transitive native `SQLitePCLRaw.lib.e_sqlite3` bundle, which has no upstream fix yet. Restore/build not flagging it is expected while the suppression is in place. **Acceptance:** - [ ] When a patched `SQLitePCLRaw` bundle ships, bump the dependency and **remove** the `<NuGetAuditSuppress>` entry from `Directory.Build.props`. - [ ] Verify `dotnet restore`/`build` is clean without the suppression (audit no longer flags GHSA-2m69-gcr7-jv3q).
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: dohertj2/lmxopcua#458