From a5e45b74e9ab2c9bf0d036f8078a225f46556f61 Mon Sep 17 00:00:00 2001
From: JerrettDavis <mxjerrett@gmail.com>
Date: Mon, 22 Jun 2026 13:17:52 -0500
Subject: [PATCH] [QuickApiMapper] Pin SQLitePCLRaw.lib.e_sqlite3 to 3.50.3 to
 clear GHSA-2m69-gcr7-jv3q

Microsoft.EntityFrameworkCore.Sqlite 10.0.9 transitively pulls in
SQLitePCLRaw.bundle_e_sqlite3 2.1.11 which pins lib.e_sqlite3 to 2.1.11.
GHSA-2m69-gcr7-jv3q marks all lib.e_sqlite3 <= 2.1.11 as high severity,
with no patched 2.x version available.

Fix: add SQLitePCLRaw.lib.e_sqlite3 3.50.3 to Directory.Packages.props
and explicit PackageReferences in the two projects that directly pull
in the SQLite stack (Persistence.SQLite, Management.Api). This forces
NuGet to resolve the native binary to the secure 3.50.3 release.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 Directory.Packages.props                                     | 5 +++++
 .../QuickApiMapper.Management.Api.csproj                     | 3 +++
 .../QuickApiMapper.Persistence.SQLite.csproj                 | 3 +++
 3 files changed, 11 insertions(+)

diff --git a/Directory.Packages.props b/Directory.Packages.props
index fd05faa..733fa3d 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -50,6 +50,11 @@
     <PackageVersion Include="Microsoft.EntityFrameworkCore.Design" Version="10.0.9" />
     <PackageVersion Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="10.0.2" />
     <PackageVersion Include="Microsoft.EntityFrameworkCore.Sqlite" Version="10.0.9" />
+    <!-- SQLitePCLRaw native binary override — pins transitive lib.e_sqlite3 to 3.50.3
+         to clear GHSA-2m69-gcr7-jv3q (high severity vuln in 2.1.11 native binary).
+         Microsoft.EntityFrameworkCore.Sqlite 10.0.9 pulls in SQLitePCLRaw.bundle_e_sqlite3 2.1.11
+         which pins lib.e_sqlite3 to 2.1.11; this entry raises the floor to the patched version. -->
+    <PackageVersion Include="SQLitePCLRaw.lib.e_sqlite3" Version="3.50.3" />
     <!-- Aspire Packages -->
     <PackageVersion Include="Aspire.Hosting.PostgreSQL" Version="13.4.4" />
     <PackageVersion Include="Aspire.Hosting.Redis" Version="13.4.4" />
diff --git a/src/QuickApiMapper.Management.Api/QuickApiMapper.Management.Api.csproj b/src/QuickApiMapper.Management.Api/QuickApiMapper.Management.Api.csproj
index 4b44b81..c4f5cb3 100644
--- a/src/QuickApiMapper.Management.Api/QuickApiMapper.Management.Api.csproj
+++ b/src/QuickApiMapper.Management.Api/QuickApiMapper.Management.Api.csproj
@@ -15,6 +15,9 @@
     <PackageReference Include="AspNetCore.HealthChecks.NpgSql" />
     <PackageReference Include="AspNetCore.HealthChecks.Sqlite" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.Design" />
+    <!-- Explicit reference overrides the transitive SQLitePCLRaw.lib.e_sqlite3 2.1.11
+         (vulnerable per GHSA-2m69-gcr7-jv3q) pulled in via bundle_e_sqlite3. -->
+    <PackageReference Include="SQLitePCLRaw.lib.e_sqlite3" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/src/QuickApiMapper.Persistence.SQLite/QuickApiMapper.Persistence.SQLite.csproj b/src/QuickApiMapper.Persistence.SQLite/QuickApiMapper.Persistence.SQLite.csproj
index ecb6723..b41d825 100644
--- a/src/QuickApiMapper.Persistence.SQLite/QuickApiMapper.Persistence.SQLite.csproj
+++ b/src/QuickApiMapper.Persistence.SQLite/QuickApiMapper.Persistence.SQLite.csproj
@@ -19,6 +19,9 @@
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
     <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" />
+    <!-- Explicit reference overrides the transitive SQLitePCLRaw.lib.e_sqlite3 2.1.11
+         (vulnerable per GHSA-2m69-gcr7-jv3q) pulled in via bundle_e_sqlite3. -->
+    <PackageReference Include="SQLitePCLRaw.lib.e_sqlite3" />
   </ItemGroup>
 
 </Project>