From 0296704ddb1e9d14f35c7e7d264a93be0ec0ba4f Mon Sep 17 00:00:00 2001 From: James A Sutherland Date: Thu, 25 Jun 2026 12:08:07 -0500 Subject: [PATCH] Pin SQLitePCLRaw.lib.e_sqlite3 to 3.50.3 to fix GHSA-2m69-gcr7-jv3q Microsoft.Data.Sqlite transitively pulls SQLitePCLRaw.lib.e_sqlite3 2.1.11, which carries a known high-severity SQLite vulnerability (GHSA-2m69-gcr7-jv3q) and fails the build under NU1903. Pin the native package to 3.50.3 (bundle dependency range is open-ended [2.1.11, ), so no downgrade/conflict warnings) and add a direct versionless PackageReference in SharpDicom.csproj to apply the pin to the transitive dependency, matching the existing SharpCompress/Snappier pinning pattern in SharpDicom.MongoDB. --- Directory.Packages.props | 2 ++ src/SharpDicom/SharpDicom.csproj | 2 ++ 2 files changed, 4 insertions(+) diff --git a/Directory.Packages.props b/Directory.Packages.props index 1a75f19e..59d4525c 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -21,6 +21,8 @@ + + diff --git a/src/SharpDicom/SharpDicom.csproj b/src/SharpDicom/SharpDicom.csproj index 56b9893c..29b76ab9 100644 --- a/src/SharpDicom/SharpDicom.csproj +++ b/src/SharpDicom/SharpDicom.csproj @@ -29,6 +29,8 @@ + +
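Review bot: In the Directory.Packages.props hunk the two `+` lines render empty here, so the actual PackageVersion element, its version string and the ItemGroup it lands in cannot be checked against the commit message; please make sure the raw XML is visible in the review, and consider putting an XML comment beside the pin naming GHSA-2m69-gcr7-jv3q and the Microsoft.Data.Sqlite version that still drags in 2.1.11, so the next person bumping that package knows why the pin exists and when it can be dropped.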
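Review bot: In the SharpDicom.csproj hunk the versionless PackageReference (again rendered as empty `+` lines here) promotes SQLitePCLRaw.lib.e_sqlite3 from a transitive to a direct dependency of SharpDicom, which also changes what consumers see in the published package's dependency list; state in the commit message that this is intended, and before merging confirm the warning is actually gone with `dotnet list package --vulnerable --include-transitive` rather than only observing that the build no longer fails under NU1903.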