fix: resolve NU1903 for SQLitePCLRaw.lib.e_sqlite3 by pinning SQLitePCLRaw 3.x#498
Conversation
…CLRaw 3.x (CommunityToolkit#492) Microsoft.EntityFrameworkCore.Sqlite floats a transitive dependency on SQLitePCLRaw.bundle_e_sqlite3 2.1.11, which pulls in the deprecated SQLitePCLRaw.lib.e_sqlite3 2.1.11 and triggers NU1903 (GHSA-2m69-gcr7-jv3q / CVE-2025-6965 - SQLite versions before 3.50.2 have a memory corruption issue). The advisory says no patched version exists for lib.e_sqlite3, but the SQLitePCLRaw 3.x line (released after the advisory) drops lib.e_sqlite3 entirely and depends on SourceGear.sqlite3 3.50.4.5 instead (SQLite 3.50.4, above the fix line), with full runtime asset coverage for android, ios, maccatalyst, browser-wasm, linux (incl. musl), osx, and win RIDs. - Pin SQLitePCLRaw.bundle_e_sqlite3 to 3.0.3 in the root Directory.Packages.props. CentralPackageTransitivePinningEnabled propagates this into src/CommunityToolkit.Datasync.Client, tests/CommunityToolkit.Datasync.TestCommon, tests/CommunityToolkit.Datasync.TestService, and tests/CommunityToolkit.Datasync.Client.Test without needing an explicit PackageReference, mirroring the Microsoft.OpenApi NU1903 fix from CommunityToolkit#489. - This does not affect the main packages' own published dependency floor, so every sample that consumes CommunityToolkit.Datasync.Client via NuGet PackageReference still floats the vulnerable version on its own. Added the same explicit override to the 7 affected samples: TodoApp.Avalonia, TodoApp.MAUI, TodoApp.WPF, TodoApp.WinUI3, TodoApp.Uno (via its own local Directory.Packages.props), todoapp-tutorial/ClientApp, and todoapp-blazor-wasm/TodoApp.BlazorWasm.Client. - TodoApp.Avalonia.Desktop needs no change; it inherits the pin transitively via its ProjectReference to TodoApp.Avalonia (verified via restore). Verified: dotnet restore/build/test on Datasync.Toolkit.sln (2280 tests passing across all 12 suites, 0 warnings on build). Confirmed every restored project.assets.json in src/tests now resolves SQLitePCLRaw.bundle_e_sqlite3/3.0.3 with zero occurrences of sqlitepclraw.lib.e_sqlite3 anywhere in the graph. Also verified restore (and build where the target platform doesn't require a missing workload) for TodoApp.Avalonia, TodoApp.Avalonia.Desktop, TodoApp.BlazorWasm.Client, todoapp-tutorial/ClientApp, TodoApp.WPF, and TodoApp.WinUI3 -- all clean, no NU1903, SQLitePCLRaw resolves to 3.0.3. TodoApp.MAUI (net10.0-android) and TodoApp.Uno's mobile TFMs could not be restored in this environment due to missing Android/iOS workloads, the same limitation noted in CommunityToolkit#493; the package-version pin is applied identically and is expected to resolve cleanly once those workloads are available, same as every other affected project. Fixes CommunityToolkit#492
…n title - Add a note under 'Creating an offline-capable DbContext' in docs/in-depth/client/index.md pointing consumers at the SQLitePCLRaw.bundle_e_sqlite3 3.0.3 override from CommunityToolkit#492/CommunityToolkit#498 if they hit the NU1903 audit warning in their own application. - Fix the 'Blazor WASM and Blazor Hybrid' admonition above that section: it used an unquoted, bold (**...**) title (!!! note **Blazor WASM and Blazor Hybrid**), which the admonition markdown extension's title regex does not accept -- the whole block silently failed to parse as an admonition and rendered as a plain paragraph with literal '!!! note' text. Quoting the title (!!! note "Blazor WASM and Blazor Hybrid") fixes it. Verified against python-markdown + pymdownx.superfences (the extensions configured in mkdocs.shared.yml) that both admonitions now render as proper admonition blocks, including the nested fenced xml code sample.
|
Pushed a follow-up commit documenting this fix in
Also filed #499 for a separate, unrelated |
!!! warning DO NOT USE THE SAME ENTITY TYPE FOR BOTH SERVICE AND CLIENT used an unquoted, all-caps multi-word title. The admonition extension's title regex swallows unquoted words into the block's CSS class list instead of using them as the title, so this rendered with the generic 'Warning' title (its intended custom title was silently dropped) and polluted the div's class attribute with lowercased title words. Quoting the title fixes both problems. Verified against python-markdown + pymdownx.superfences (the extensions configured in mkdocs.shared.yml): now renders as <div class="admonition warning"> with the correct custom title.
|
Pushed one more fix: the second broken admonition I flagged earlier. `!!! warning DO NOT USE THE SAME ENTITY TYPE FOR BOTH SERVICE AND CLIENT` used an unquoted, all-caps multi-word title. Unlike the first admonition (which failed to parse as a block at all), this one does render as an admonition, but the title parser swallows the unquoted words into the block's CSS class list instead of using them as the title — so it silently fell back to the generic "Warning" title (losing the intended custom title) and polluted the Fixed by quoting the title: |
Documents how to build/serve the MkDocs site locally (python venv, mkdocs + mkdocs-mermaid2-plugin, mkdocs serve on localhost:7000, and mkdocs build for a static site). Also add .venv-*/ to .gitignore so a local docs venv isn't accidentally committed.
|
Pushed one more commit: added a "Building the documentation site" section to README.md documenting the |
Summary
Closes #492 (the remaining half of #489's NU1903 triage).
Microsoft.EntityFrameworkCore.Sqlitefloats a transitive dependency onSQLitePCLRaw.bundle_e_sqlite32.1.11, which pulls in the deprecatedSQLitePCLRaw.lib.e_sqlite32.1.11 and triggers:The issue (and the advisory itself) says no patched version of
lib.e_sqlite3exists — but that's now out of date. TheSQLitePCLRaw3.x line (released after the advisory) dropslib.e_sqlite3entirely and depends onSourceGear.sqlite33.50.4.5 instead (SQLite 3.50.4, above the advisory's 3.50.2 fix line), with full nativeruntimes/asset coverage forandroid-*,ios*,maccatalyst*,browser-wasm,linux-*(incl. musl),osx-*, andwin-*RIDs. This is exactly Option 1 from the issue's own comment thread — no code changes required, just a version pin.Is this ALSO a problem with the main packages?
Yes (per the open question in the issue thread): it affects both the main library/test build and every downstream consumer, for two different reasons:
src/CommunityToolkit.Datasync.Client,tests/CommunityToolkit.Datasync.TestCommon,tests/CommunityToolkit.Datasync.TestService) restore under central package management. Adding<PackageVersion Include="SQLitePCLRaw.bundle_e_sqlite3" Version="3.0.3" />to the rootDirectory.Packages.propsand lettingCentralPackageTransitivePinningEnableddo its job resolves it everywhere in the main solution — mirrors theMicrosoft.OpenApiNU1903 fix from Audit sample projects for stale/inconsistent NuGet package pins and NU1903 vulnerability warnings #489/fix: resolve remaining sample package drift and Microsoft.OpenApi NU1903 #493 exactly (noPackageReferenceneeded anywhere for either package).CommunityToolkit.Datasync.Client's published nuspec, so every sample that consumes it viaPackageReference(rather thanProjectReference) still floats the vulnerable version on its own. Added the identical explicitSQLitePCLRaw.bundle_e_sqlite3override to the 7 affected samples:TodoApp.Avalonia,TodoApp.MAUI,TodoApp.WPF,TodoApp.WinUI3,TodoApp.Uno(via its own localDirectory.Packages.props),todoapp-tutorial/ClientApp, andtodoapp-blazor-wasm/TodoApp.BlazorWasm.Client.TodoApp.Avalonia.Desktopneeded no change — it inherits the pin transitively via itsProjectReferencetoTodoApp.Avalonia(verified via restore).Changes
Directory.Packages.props: pinSQLitePCLRaw.bundle_e_sqlite3to3.0.3, with an explanatory comment (same style as the existingMicrosoft.OpenApipin)..csproj/Directory.Packages.propsfiles: add the same explicitSQLitePCLRaw.bundle_e_sqlite3override.No source code changes.
Verification
dotnet restore/dotnet build/dotnet testonDatasync.Toolkit.sln: clean restore (no NU1903), build succeeds with 0 warnings/0 errors, and all 12 test assemblies reportTest Run Successful(2280 unique tests passing, 465 skipped as expected for live-service tests).project.assets.jsonundersrc//tests/now resolvessqlitepclraw.bundle_e_sqlite3/3.0.3(config/core/providerat3.0.3too), with zero occurrences ofsqlitepclraw.lib.e_sqlite3anywhere in the graph.TodoApp.Avalonia,TodoApp.Avalonia.Desktop,TodoApp.BlazorWasm.Client,todoapp-tutorial/ClientApp,TodoApp.WPF, andTodoApp.WinUI3— all clean, no NU1903,SQLitePCLRawresolves to3.0.3. The Blazor WASM build even confirms a nativebrowser-wasmasset (e_sqlite3.a) is present inSourceGear.sqlite3.TodoApp.MAUI(net10.0-android) andTodoApp.Uno's mobile TFMs could not be restored in this environment due to missing Android/iOS workloads — the same limitation already noted in fix: resolve remaining sample package drift and Microsoft.OpenApi NU1903 #493's PR description. The pin is applied identically to these projects and is expected to resolve the same way once those workloads are available, consistent with every other affected project in this PR.Follow-up
None identified. The unrelated
NU1903warning forTmds.DBus(.Protocol)surfaced while restoringTodoApp.Avalonia.Desktop/TodoApp.Unois out of scope for this issue and not touched here.