Fix NU1903 vulnerability warning for transitive SQLitePCLRaw dependency#84
Fix NU1903 vulnerability warning for transitive SQLitePCLRaw dependency#84hahn-kev-bot wants to merge 1 commit into
Conversation
EF Core 10.0.7 (and all current 10.x releases) pull in SQLitePCLRaw 2.1.11 transitively, which has a known high severity vulnerability (GHSA-2m69-gcr7-jv3q). Enable central transitive pinning and pin the SQLitePCLRaw bundle to the patched 2.1.12 release. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
Warning Review limit reached
Next review available in: 11 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
What changed
CentralPackageTransitivePinningEnabledinDirectory.Packages.props.SQLitePCLRaw.bundle_e_sqlite3to the patched2.1.12release.Why
The build emitted
NU1903: Package 'SQLitePCLRaw.lib.e_sqlite3' 2.1.11 has a known high severity vulnerability(GHSA-2m69-gcr7-jv3q) across all four SQLite-using projects.SQLitePCLRaw.*is a transitive dependency pulled in byMicrosoft.EntityFrameworkCore.Sqlite. Bumping EF Core does not resolve it — even the latest 10.0.10 still depends on SQLitePCLRaw 2.1.11. Central transitive pinning lets us override the transitive version to the patched 2.1.12 without changing the EF Core version.Notes for reviewers
dotnet build harmony.slnsucceeds with 0 errors and the NU1903 warning cleared;dotnet list package --include-transitiveconfirms the wholeSQLitePCLRaw.*set now resolves to 2.1.12.CS0618,xUnit1051) are pre-existing and unrelated to this change.