
[JD.AI] Suppress unfixable SQLitePCLRaw NU1903 audit advisory in CI#546

Merged
JerrettDavis merged 1 commit into main from fix/integration-tests on Jun 22, 2026

Conversation

@JerrettDavis

Owner

Problem

The Integration Tests workflow (and every other CI workflow that runs dotnet restore) has been failing on main since ~2026-06-20. Root cause is not the Flawright/RealInputMode E2E issue.

dotnet restore fails at restore time because NuGet audit promotes advisory GHSA-2m69-gcr7-jv3q to error NU1903:

Package 'SQLitePCLRaw.lib.e_sqlite3' 2.1.11 has a known high severity vulnerability

Directory.Build.props sets TreatWarningsAsErrors=true when CI=true, so this audit warning becomes a hard error and the job dies before tests run. SQLitePCLRaw.lib.e_sqlite3 is a transitive dependency of Microsoft.Data.Sqlite / Microsoft.EntityFrameworkCore.Sqlite 10.0.9. The advisory was published 2026-06-18 (matching the failure onset).

Why suppression (not a bump)

The underlying SQLite CVE (CVE-2025-6965) is fixed in SQLite 3.50.2, but the SQLitePCLRaw wrapper packages have no patched release (advisory lists patched version: None). There is no version to bump to.

Fix

Add a scoped NuGetAuditSuppress for this single advisory in Directory.Build.props. All other audit warnings continue to be treated as errors. A comment documents removal once a patched wrapper ships.

Verification

Reproduced CI=true dotnet restore failing with NU1903 before the change, and passing (exit 0, no NU1903) after.

🤖 Generated with Claude Code

dotnet restore fails under CI (TreatWarningsAsErrors when CI=true) because
NuGet audit promotes GHSA-2m69-gcr7-jv3q (high severity, SQLitePCLRaw.lib.e_sqlite3
<= 2.1.11, transitive via Microsoft.Data.Sqlite/EFCore.Sqlite 10.0.9) to error
NU1903. The advisory has no patched wrapper release yet (CVE-2025-6965 fixed in
SQLite 3.50.2 but not shipped in SQLitePCLRaw), so there is nothing to bump to.

Add a scoped NuGetAuditSuppress for this single advisory. All other audit
warnings continue to be treated as errors. This unblocks every CI workflow
(Integration Tests, CI, PR validation, E2E) that runs dotnet restore.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
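The scoped suppression the PR describes, written out as an added illustration rather than the project's actual Directory.Build.props (the repository's file is not shown on this page). It assumes the MSBuild `NuGetAuditSuppress` item with the advisory's GitHub URL as its `Include` value (NuGet 6.11 and later SDKs), keeps the audit itself enabled in transitive mode so that the warning still fires for any other advisory, and shows the blanket `NoWarn` alternative only in a comment, because that would silence every high-severity advisory rather than this one:

```xml
<!-- Directory.Build.props: illustrative fragment, not the project's own file -->
<Project>
  <PropertyGroup>
    <!-- Under CI every warning, including NU1903 from NuGet audit, is a hard error,
         so an advisory with no patched version blocks `dotnet restore` entirely. -->
    <TreatWarningsAsErrors Condition="'$(CI)' == 'true'">true</TreatWarningsAsErrors>

    <!-- Keep the audit on and include transitive packages (assumed settings;
         SQLitePCLRaw.lib.e_sqlite3 only shows up because transitive mode is in effect). -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>

    <!-- Weak setting, deliberately NOT used: this would hide every current and future
         high-severity advisory, not just the one with no available fix.
    <NoWarn>$(NoWarn);NU1903</NoWarn>
    -->
  </PropertyGroup>

  <ItemGroup>
    <!-- Scoped suppression: exactly one advisory is ignored; any other NU1901-NU1904
         warning is still promoted to an error by TreatWarningsAsErrors above.
         Remove once SQLitePCLRaw ships a wrapper built on SQLite >= 3.50.2. -->
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-2m69-gcr7-jv3q" />
  </ItemGroup>
</Project>
```

To confirm the suppression is scoped rather than global, run `CI=true dotnet restore` as the PR's verification step did and check that the restore exits 0 with no NU1903 in the output, then temporarily remove the `NuGetAuditSuppress` item and confirm the error returns; if it does not, the audit is not actually running in transitive mode and the suppression is doing nothing.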
@github-actions

Contributor

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@github-actions

Contributor

Code Coverage

Summary
  Generated on: 06/22/2026 - 18:11:24
  Coverage date: 06/22/2026 - 18:09:11 - 06/22/2026 - 18:11:14
  Parser: MultiReport (7x Cobertura)
  Assemblies: 23
  Classes: 1067
  Files: 591
  Line coverage: 74.7%
  Covered lines: 36868
  Uncovered lines: 12443
  Coverable lines: 49311
  Total lines: 97272
  Branch coverage: 61.8% (13929 of 22510)
  Covered branches: 13929
  Total branches: 22510
  Method coverage: 86.4% (6319 of 7307)
  Full method coverage: 74.2% (5427 of 7307)
  Covered methods: 6319
  Fully covered methods: 5427
  Total methods: 7307

@github-actions

Contributor

Test Results

7 641 tests   7 622 ✅  2m 40s ⏱️
    7 suites     19 💤
    7 files        0 ❌

Results for commit ecbace9.

@JerrettDavis JerrettDavis merged commit 31ad20e into main Jun 22, 2026
15 checks passed
@JerrettDavis JerrettDavis deleted the fix/integration-tests branch June 22, 2026 18:14