fix(security): stop suppressing GHSA-2m69-gcr7-jv3q, pin the patched native lib
The suppression's own comment said 'Remove once an upstream fix ships'. It has: SQLitePCLRaw.lib.e_sqlite3 2.1.12 patches this advisory within the 2.1.x line, so the premise that no patched release existed is no longer true. The Server project already resolved 2.1.12, but only incidentally - transitively via ZB.MOM.WW.Auth.ApiKeys. An explicit PackageReference makes that floor intentional, so a change to the Auth dependency graph cannot silently regress to the vulnerable 2.1.11. Removing the suppression restores auditing for exactly that case. Verified: forced restore of the NonWindows solution reports no NU1903; build is 0 warnings / 0 errors; test results unchanged from baseline (781 passed, 44 failed - all 44 pre-existing macOS Unix-domain-socket path-length failures in the fake-worker harness, identical count before and after).
This commit is contained in:
@@ -34,10 +34,16 @@
|
||||
</PropertyGroup>
|
||||
</Target>
|
||||
|
||||
<!-- SQLitePCLRaw.lib.e_sqlite3 2.1.11 (transitive via Microsoft.Data.Sqlite) carries GHSA-2m69-gcr7-jv3q,
|
||||
which surfaces as NU1903 (warning-as-error). No patched e_sqlite3 release exists yet (2.1.11 is latest),
|
||||
so this targeted suppression keeps every OTHER transitive package audited. Remove once an upstream fix ships. -->
|
||||
<ItemGroup>
|
||||
<NuGetAuditSuppress Include="https://github.com/advisories/GHSA-2m69-gcr7-jv3q" />
|
||||
</ItemGroup>
|
||||
<!-- GHSA-2m69-gcr7-jv3q (NU1903, high) on the native SQLitePCLRaw.lib.e_sqlite3, pulled in
|
||||
transitively by Microsoft.Data.Sqlite.
|
||||
|
||||
The suppression that used to live here said "No patched e_sqlite3 release exists yet
|
||||
(2.1.11 is latest) ... Remove once an upstream fix ships." That fix HAS shipped: 2.1.12
|
||||
patches this advisory within the 2.1.x line. Suppression removed 2026-07-18, so the
|
||||
advisory is audited again instead of silenced.
|
||||
|
||||
The Server project already resolved 2.1.12, but only incidentally — transitively via
|
||||
ZB.MOM.WW.Auth.ApiKeys. The pin in that project makes the floor intentional, so a change
|
||||
to the Auth dependency graph cannot silently drop it back to the vulnerable 2.1.11.
|
||||
Verified: forced restore with no suppression reports no NU1903. -->
|
||||
</Project>
|
||||
|
||||
@@ -25,6 +25,9 @@
|
||||
<PackageReference Include="Serilog.Sinks.File" Version="7.0.0" />
|
||||
<PackageReference Include="Microsoft.AspNetCore.SignalR.Client" Version="10.0.0" />
|
||||
<PackageReference Include="Microsoft.Data.Sqlite" Version="10.0.7" />
|
||||
<!-- Security pin: GHSA-2m69-gcr7-jv3q. Microsoft.Data.Sqlite pulls the vulnerable
|
||||
native 2.1.11; 2.1.12 patches it. Bumping Sqlite does not clear it. -->
|
||||
<PackageReference Include="SQLitePCLRaw.lib.e_sqlite3" Version="2.1.12" />
|
||||
<PackageReference Include="Microsoft.Data.SqlClient" Version="6.0.2" />
|
||||
<PackageReference Include="Polly.Core" Version="8.6.6" />
|
||||
</ItemGroup>
|
||||
|
||||
Reference in New Issue
Block a user