From cfff934bddca2e75f1e1ec51a6635f9a3abea128 Mon Sep 17 00:00:00 2001
From: "soroush.asadi" <soroush.asadi@aliasaas.com>
Date: Fri, 26 Jun 2026 03:06:10 +0330
Subject: [PATCH] Fix SQLite advisory: bump SQLitePCLRaw to 3.0.x

The transitive SQLitePCLRaw.lib.e_sqlite3 2.1.11 (via EF Core 10 Sqlite) is
flagged High by GHSA-2m69-gcr7-jv3q, and the 2.x line has no patched release
(first_patched_version: null). Pin SQLitePCLRaw.bundle_e_sqlite3 3.0.3, which
is outside the vulnerable range (<= 2.1.11). Runtime-verified: EnsureCreated
and a DB read both succeed; `dotnet list package --vulnerable` is now clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 SoroushAsadi.Web.csproj | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/SoroushAsadi.Web.csproj b/SoroushAsadi.Web.csproj
index 9d41700..afa075f 100644
--- a/SoroushAsadi.Web.csproj
+++ b/SoroushAsadi.Web.csproj
@@ -13,6 +13,9 @@
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
+    <!-- Override the transitive SQLitePCLRaw 2.1.11 (GHSA-2m69-gcr7-jv3q, no 2.x patch)
+         with the 3.0.x line, which is outside the vulnerable range (<= 2.1.11). -->
+    <PackageReference Include="SQLitePCLRaw.bundle_e_sqlite3" Version="3.0.3" />
   </ItemGroup>
 
 </Project>