[JD.AI] Suppress unfixable SQLitePCLRaw NU1903 audit advisory in CI #546
Merged
dotnet restore fails under CI (TreatWarningsAsErrors when CI=true) because NuGet audit promotes GHSA-2m69-gcr7-jv3q (high severity, SQLitePCLRaw.lib.e_sqlite3 <= 2.1.11, transitive via Microsoft.Data.Sqlite/EFCore.Sqlite 10.0.9) to error NU1903.
The advisory has no patched wrapper release yet (CVE-2025-6965 fixed in SQLite 3.50.2 but not shipped in SQLitePCLRaw), so there is nothing to bump to.
Add a scoped NuGetAuditSuppress for this single advisory. All other audit warnings continue to be treated as errors. This unblocks every CI workflow (Integration Tests, CI, PR validation, E2E) that runs dotnet restore.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned Files: None
Test Results: 7 641 tests, 7 622 ✅, 2m 40s ⏱️. Results for commit ecbace9.
Problem
The Integration Tests workflow (and every other CI workflow that runs dotnet restore) has been failing on main since ~2026-06-20. Root cause is not the Flawright/RealInputMode E2E issue. dotnet restore fails at restore time because NuGet audit promotes advisory GHSA-2m69-gcr7-jv3q to error NU1903:
Directory.Build.props sets TreatWarningsAsErrors=true when CI=true, so this audit warning becomes a hard error and the job dies before tests run. SQLitePCLRaw.lib.e_sqlite3 is a transitive dependency of Microsoft.Data.Sqlite / Microsoft.EntityFrameworkCore.Sqlite 10.0.9. The advisory was published 2026-06-18 (matching the failure onset).
Why suppression (not a bump)
The underlying SQLite CVE (CVE-2025-6965) is fixed in SQLite 3.50.2, but the SQLitePCLRaw wrapper packages have no patched release (advisory lists patched version: None). There is no version to bump to.
Fix
Add a scoped NuGetAuditSuppress for this single advisory in Directory.Build.props. All other audit warnings continue to be treated as errors. A comment documents removal once a patched wrapper ships.
Verification
Reproduced CI=true dotnet restore failing with NU1903 before the change, and passing (exit 0, no NU1903) after.
🤖 Generated with Claude Code
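A check that keeps an audit suppression like the one described above scoped to reviewed advisories, as an added example that is not part of this pull request or the JD.AI repository. The sample props content, the `APPROVED` allowlist and the function name `audit_findings` are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample for illustration, not the repository's real Directory.Build.props.
SAMPLE_PROPS = """<Project>
  <PropertyGroup Condition="'$(CI)' == 'true'">
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
  </PropertyGroup>
  <ItemGroup>
    <!-- Remove once a patched SQLitePCLRaw wrapper ships. -->
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-2m69-gcr7-jv3q" />
  </ItemGroup>
</Project>"""

APPROVED = {"GHSA-2m69-gcr7-jv3q"}  # assumed allowlist of reviewed, accepted advisories
AUDIT_CODES = {"NU1901", "NU1902", "NU1903", "NU1904"}  # NuGet audit: low..critical
CODE_LISTS = {"NoWarn", "WarningsNotAsErrors"}  # silence a code for every advisory


def audit_findings(props_xml, approved=APPROVED):
    """Return reasons the props file weakens NuGet audit beyond approved advisories."""
    findings = []
    for el in ET.fromstring(props_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop an XML namespace if present
        text = (el.text or "").strip()
        if name == "NuGetAudit" and text.lower() == "false":
            findings.append("NuGetAudit disabled entirely")
        elif name in CODE_LISTS:
            codes = {c.strip().upper() for c in text.replace(",", ";").split(";")}
            for code in sorted(codes & AUDIT_CODES):
                findings.append(f"{name} blankets audit code {code}")
        elif name == "NuGetAuditSuppress":
            # The Include value is the advisory URL; its last segment is the GHSA id.
            ghsa = el.get("Include", "").rstrip("/").rsplit("/", 1)[-1]
            if ghsa not in approved:
                findings.append(f"unapproved advisory suppression: {ghsa}")
    return findings


if __name__ == "__main__":
    for finding in audit_findings(SAMPLE_PROPS):
        print(finding)
```
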