Skip to content

fix(efcore): pin SQLitePCLRaw.lib.e_sqlite3 3.50.3 (GHSA-2m69-gcr7-jv3q)#13

Merged
GioAbq merged 1 commit into
developfrom
bugfix/sqlite-cve-pin
Jun 19, 2026
Merged

fix(efcore): pin SQLitePCLRaw.lib.e_sqlite3 3.50.3 (GHSA-2m69-gcr7-jv3q)#13
GioAbq merged 1 commit into
developfrom
bugfix/sqlite-cve-pin

Conversation

@GioAbq

@GioAbq GioAbq commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

Why

GitHub advisory GHSA-2m69-gcr7-jv3q was updated on 2026-06-18 to flag SQLitePCLRaw.lib.e_sqlite3 <= 2.1.11 (HIGH, no managed-side patched version). Microsoft.EntityFrameworkCore.Sqlite 10.0.9 pulls lib.e_sqlite3 2.1.11 transitively, so the zero-warning policy (TreatWarningsAsErrors -> NU1903) now breaks the build for every FEx consumer (surfaced via BudgetBuddy CI).

Fix

Direct security pin of SQLitePCLRaw.lib.e_sqlite3 to 3.50.3:

  • Outside the vulnerable range (3.50.3 > 2.1.11) -> NuGetAudit stops reporting NU1903.
  • Native engine is now versioned by SQLite version (3.50.3); the package has no managed dependencies, so it is ABI-stable and independent of SQLitePCLRaw.core/provider (2.1.x).
  • Not a suppression - the vulnerable native SQLite is actually replaced.

Remove once EntityFrameworkCore.Sqlite ships a non-vulnerable bundle.

Verified

Local dotnet build FEx.EFCore -c Release across all TFMs: 0 warnings, 0 errors, NU1903 gone.

…-gcr7-jv3q

EntityFrameworkCore.Sqlite transitively pulls the bundled native
SQLitePCLRaw.lib.e_sqlite3 2.1.11, which the advisory flags (vulnerable
range <= 2.1.11, no managed-side patched version). 3.50.3 versions the
native engine by SQLite version, is outside the vulnerable range, and has
no managed deps (ABI-stable, independent of core/provider). Unblocks the
zero-warning (TreatWarningsAsErrors -> NU1903) build for all FEx consumers.
@GioAbq GioAbq merged commit b9b8cf5 into develop Jun 19, 2026
3 checks passed
@GioAbq GioAbq deleted the bugfix/sqlite-cve-pin branch June 19, 2026 19:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant