From ee30e068b619ca262a7d5912a990035c536772e3 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 25 Jun 2026 12:38:06 +0000
Subject: [PATCH] fix: upgrade sqlite-net-base to 1.11.272-beta and address
GHSA-2m69-gcr7-jv3q
- Upgrade sqlite-net-base from 1.10.196-beta to 1.11.272-beta in all projects
- Add explicit SQLitePCLRaw.bundle_green 2.1.11 to ToDoSampleApp.csproj
- Bump package version to 3.1.0 with updated release notes
- Update README: fix .NET 10 header, add Security section, update Installation section
referencing MAUI discussion #36070 (GHSA-2m69-gcr7-jv3q)
---
README.md | 38 +++++++++++++++++--
.../IntegratedTestsSampleApp.csproj | 2 +-
sample/ToDoSampleApp/ToDoSampleApp.csproj | 3 +-
.../SQLiteNetExtensions.csproj | 8 +++-
4 files changed, 44 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 69f0f1e..4ba68af 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
# SQLiteNetExtensions.Modern
-This is a .NET 9 migration of the [TwinCoders]([https://bitbucket.org/twincoders]) [SQLiteNetExtensions](https://bitbucket.org/twincoders/sqlite-net-extensions/src/master/)
+This is a .NET 10 migration of the [TwinCoders]([https://bitbucket.org/twincoders]) [SQLiteNetExtensions](https://bitbucket.org/twincoders/sqlite-net-extensions/src/master/)
Available on NuGet: https://www.nuget.org/packages/SQLiteNetExtensions.Modern [](https://www.nuget.org/packages/SQLiteNetExtensions.Modern/)
@@ -9,6 +9,13 @@ This is a .NET 9 migration of the [TwinCoders]([https://bitbucket.org/twincoders
sqlite-net is an open source, minimal library to allow .NET and Mono applications to store data in [SQLite 3 databases](http://www.sqlite.org). SQLite-Net Extensions extends its functionality to help the user handle relationships between sqlite-net entities.
### What's new
+## .NET 10
+* Migrated extensions to .NET 10
+* Migrated samples to .NET 10
+* Migrated Integration tests and unit tests to .NET 10
+* Upgraded `sqlite-net-base` to 1.11.272-beta
+* Explicit `SQLitePCLRaw.bundle_green 2.1.11` references added to all sample projects
+* **Security:** Addresses [GHSA-2m69-gcr7-jv3q](https://github.com/advisories/GHSA-2m69-gcr7-jv3q) — see [Security](#security) section below
## .NET 9
* Migrated extensions to .NET 9
* Migrated samples to .NET 9
@@ -37,12 +44,37 @@ Complementarily `UpdateWithChildren` looks at the relationships that you have se
You can update foreign keys manually if you feel more comfortable handling some relationships by yourself and let the SQLite-Net extensions handle the rest for you. You can even add or remove SQLite-Net extensions of any project at any time without changes to your database.
+## Security
+
+> ⚠️ **Known vulnerability in `sqlite-net-pcl` ≤ 1.9.172**
+>
+> The stable release `sqlite-net-pcl 1.9.172` (referenced in the official [.NET MAUI local databases](https://learn.microsoft.com/en-us/dotnet/maui/data-cloud/database-sqlite) guide) brings in a transitive dependency on `SQLitePCLRaw.lib.e_sqlite3 2.1.2`, which contains a high-severity SQLite vulnerability ([GHSA-2m69-gcr7-jv3q](https://github.com/advisories/GHSA-2m69-gcr7-jv3q)).
+>
+> This project uses **`sqlite-net-base`** (without a bundled SQLite provider) together with an **explicit** `SQLitePCLRaw.bundle_green` reference, giving you full control over the SQLite native library version. Starting with version 3.1.0 the dependency has been upgraded to `sqlite-net-base 1.11.272-beta` and `SQLitePCLRaw.bundle_green 2.1.11`.
+>
+> **Recommended package combination:**
+> ```xml
+>
+>
+>
+> ```
+>
+> See the [dotnet/maui discussion #36070](https://github.com/dotnet/maui/discussions/36070) for full context.
+
## Installation
The easiest way of installing the library in your project is by adding a reference to [_SQLiteNetExtensions.Modern_ NuGet package](https://www.nuget.org/packages/SQLiteNetExtensions.Modern/).
-Currently, the recommended version is the official SQLite-Net PCL NuGet package. If you are using this SQLite-Net version, you can simply add a reference to [_SQLiteNetExtensions.Modern_ NuGet package](https://www.nuget.org/packages/SQLiteNetExtensions.Modern/). Nuget package contains both sync and async versions.
+This package uses `sqlite-net-base` so you need to also add a SQLitePCLRaw bundle. The recommended combination is:
+
+```xml
+
+
+
+```
+
+> **Do not** use `sqlite-net-pcl 1.9.172` — it introduces a high-severity SQLite vulnerability via its bundled `SQLitePCLRaw.lib.e_sqlite3 2.1.2`. See the [Security](#security) section above.
-Otherwise, you can download and compile the sources by yourself and add the reference to your newly compiled DLL or add SQLite-Net Extensions project as a dependency to your code.
+The NuGet package contains both sync and async extension versions. You can also download and compile the sources and add the reference to your compiled DLL, or add the SQLite-Net Extensions project as a dependency directly.
## Get help
The best way to get help is searching [StackOverflow](http://stackoverflow.com) for already existing answers of your problem or asking your own question and tagging it with [`sqlite-net-extensions` tag](http://stackoverflow.com/questions/tagged/sqlite-net-extensions).
diff --git a/sample/IntegratedTestsSampleApp/IntegratedTestsSampleApp.csproj b/sample/IntegratedTestsSampleApp/IntegratedTestsSampleApp.csproj
index d357727..43e73dd 100644
--- a/sample/IntegratedTestsSampleApp/IntegratedTestsSampleApp.csproj
+++ b/sample/IntegratedTestsSampleApp/IntegratedTestsSampleApp.csproj
@@ -66,7 +66,7 @@
-
+
diff --git a/sample/ToDoSampleApp/ToDoSampleApp.csproj b/sample/ToDoSampleApp/ToDoSampleApp.csproj
index 5ce602a..a3c15de 100644
--- a/sample/ToDoSampleApp/ToDoSampleApp.csproj
+++ b/sample/ToDoSampleApp/ToDoSampleApp.csproj
@@ -68,7 +68,8 @@
-
+
+
diff --git a/src/SQLiteNetExtensions.Modern/SQLiteNetExtensions.Modern/SQLiteNetExtensions.csproj b/src/SQLiteNetExtensions.Modern/SQLiteNetExtensions.Modern/SQLiteNetExtensions.csproj
index ce26ae9..5b1a3cc 100644
--- a/src/SQLiteNetExtensions.Modern/SQLiteNetExtensions.Modern/SQLiteNetExtensions.csproj
+++ b/src/SQLiteNetExtensions.Modern/SQLiteNetExtensions.Modern/SQLiteNetExtensions.csproj
@@ -9,7 +9,7 @@
yurkinh
Copyright © yurkinh and contributors
README.md
- 3.0.0
+ 3.1.0
True
https://github.com/yurkinh/SQLiteNetExtensions.Modern
https://github.com/yurkinh/SQLiteNetExtensions.Modern
@@ -31,11 +31,15 @@
* Fixed nullable warnings
* Updated sample and nugets
* Added compatibility for AOT, CoreCLR
+ * Upgraded sqlite-net-base to 1.11.272-beta
+ * Addresses SQLite high-severity vulnerability GHSA-2m69-gcr7-jv3q
+ (use sqlite-net-base + SQLitePCLRaw.bundle_green >= 2.1.11
+ instead of the vulnerable sqlite-net-pcl 1.9.172)
-
+