fix(security): stop suppressing GHSA-2m69-gcr7-jv3q, pin the patched native lib
ci / windows-x86 (push) Successful in 1m13s
ci / nightly-windev (push) Has been skipped
ci / java (push) Successful in 2m6s
ci / portable (push) Successful in 7m43s

The suppression's own comment said 'Remove once an upstream fix ships'. It has:
SQLitePCLRaw.lib.e_sqlite3 2.1.12 patches this advisory within the 2.1.x line, so
the premise that no patched release existed is no longer true.

The Server project already resolved 2.1.12, but only incidentally - transitively via
ZB.MOM.WW.Auth.ApiKeys. An explicit PackageReference makes that floor intentional, so
a change to the Auth dependency graph cannot silently regress to the vulnerable 2.1.11.
Removing the suppression restores auditing for exactly that case.

Verified: forced restore of the NonWindows solution reports no NU1903; build is
0 warnings / 0 errors; test results unchanged from baseline (781 passed, 44 failed -
all 44 pre-existing macOS Unix-domain-socket path-length failures in the fake-worker
harness, identical count before and after).
This commit is contained in:
Joseph Doherty
2026-07-18 05:32:28 -04:00
parent b021e292ee
commit 2f0cfe33bf
2 changed files with 15 additions and 6 deletions
+12 -6
View File
@@ -34,10 +34,16 @@
</PropertyGroup>
</Target>
<!-- SQLitePCLRaw.lib.e_sqlite3 2.1.11 (transitive via Microsoft.Data.Sqlite) carries GHSA-2m69-gcr7-jv3q,
which surfaces as NU1903 (warning-as-error). No patched e_sqlite3 release exists yet (2.1.11 is latest),
so this targeted suppression keeps every OTHER transitive package audited. Remove once an upstream fix ships. -->
<ItemGroup>
<NuGetAuditSuppress Include="https://github.com/advisories/GHSA-2m69-gcr7-jv3q" />
</ItemGroup>
<!-- GHSA-2m69-gcr7-jv3q (NU1903, high) on the native SQLitePCLRaw.lib.e_sqlite3, pulled in
transitively by Microsoft.Data.Sqlite.
The suppression that used to live here said "No patched e_sqlite3 release exists yet
(2.1.11 is latest) ... Remove once an upstream fix ships." That fix HAS shipped: 2.1.12
patches this advisory within the 2.1.x line. Suppression removed 2026-07-18, so the
advisory is audited again instead of silenced.
The Server project already resolved 2.1.12, but only incidentally — transitively via
ZB.MOM.WW.Auth.ApiKeys. The pin in that project makes the floor intentional, so a change
to the Auth dependency graph cannot silently drop it back to the vulnerable 2.1.11.
Verified: forced restore with no suppression reports no NU1903. -->
</Project>
@@ -25,6 +25,9 @@
<PackageReference Include="Serilog.Sinks.File" Version="7.0.0" />
<PackageReference Include="Microsoft.AspNetCore.SignalR.Client" Version="10.0.0" />
<PackageReference Include="Microsoft.Data.Sqlite" Version="10.0.7" />
<!-- Security pin: GHSA-2m69-gcr7-jv3q. Microsoft.Data.Sqlite pulls the vulnerable
native 2.1.11; 2.1.12 patches it. Bumping Sqlite does not clear it. -->
<PackageReference Include="SQLitePCLRaw.lib.e_sqlite3" Version="2.1.12" />
<PackageReference Include="Microsoft.Data.SqlClient" Version="6.0.2" />
<PackageReference Include="Polly.Core" Version="8.6.6" />
</ItemGroup>