Skip to content

Fix NU1903 vulnerability warning for transitive SQLitePCLRaw dependency#84

Open
hahn-kev-bot wants to merge 1 commit into
mainfrom
claude/build-dependency-warning-b8ace8
Open

Fix NU1903 vulnerability warning for transitive SQLitePCLRaw dependency#84
hahn-kev-bot wants to merge 1 commit into
mainfrom
claude/build-dependency-warning-b8ace8

Conversation

@hahn-kev-bot

Copy link
Copy Markdown
Collaborator

What changed

  • Enabled CentralPackageTransitivePinningEnabled in Directory.Packages.props.
  • Pinned SQLitePCLRaw.bundle_e_sqlite3 to the patched 2.1.12 release.

Why

The build emitted NU1903: Package 'SQLitePCLRaw.lib.e_sqlite3' 2.1.11 has a known high severity vulnerability (GHSA-2m69-gcr7-jv3q) across all four SQLite-using projects.

SQLitePCLRaw.* is a transitive dependency pulled in by Microsoft.EntityFrameworkCore.Sqlite. Bumping EF Core does not resolve it — even the latest 10.0.10 still depends on SQLitePCLRaw 2.1.11. Central transitive pinning lets us override the transitive version to the patched 2.1.12 without changing the EF Core version.

Notes for reviewers

  • This pin is temporary: once a future EF Core release moves to SQLitePCLRaw ≥ 2.1.12, it can be removed. A code comment documents this.
  • After the fix, dotnet build harmony.sln succeeds with 0 errors and the NU1903 warning cleared; dotnet list package --include-transitive confirms the whole SQLitePCLRaw.* set now resolves to 2.1.12.
  • Remaining build warnings (CS0618, xUnit1051) are pre-existing and unrelated to this change.

EF Core 10.0.7 (and all current 10.x releases) pull in SQLitePCLRaw
2.1.11 transitively, which has a known high severity vulnerability
(GHSA-2m69-gcr7-jv3q). Enable central transitive pinning and pin the
SQLitePCLRaw bundle to the patched 2.1.12 release.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Warning

Review limit reached

@hahn-kev-bot, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 11 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6fe1ec10-0304-4b5e-8b57-f8c5efb67a7f

📥 Commits

Reviewing files that changed from the base of the PR and between 01efe25 and 3324f83.

📒 Files selected for processing (1)
  • Directory.Packages.props
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/build-dependency-warning-b8ace8

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants