You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Discovered while verifying #498 (the SQLitePCLRaw NU1903 fix for #492). Restoring the Avalonia and Uno desktop-head samples on Linux/macOS surfaces a separate, unrelated NU1903 high-severity restore warning:
warning NU1903: Package 'Tmds.DBus.Protocol' 0.21.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-xrw6-gwf8-vvr9
and (for Uno's desktop head):
warning NU1903: Package 'Tmds.DBus' 0.16.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-xrw6-gwf8-vvr9
Confirmed dependency chain for the Avalonia desktop sample via project.assets.json: Avalonia.FreeDesktop/11.3.0 → Tmds.DBus.Protocol2.1.2 (floor), used for Linux D-Bus integration (system tray, clipboard, etc. via the FreeDesktop backend pulled in by Avalonia.Desktop).
samples/todoapp/TodoApp.Uno/TodoApp.Uno/TodoApp.Uno.csproj (net10.0-desktop head) — floats Tmds.DBus 0.16.0. This restore attempt hit an unrelated, pre-existing NU1605 package-downgrade error (Uno.WinUI 5.5.87 vs 5.4.22, driven by a mismatch between global.json's Uno.Sdk version and CommunityToolkit.WinUI.Behaviors' floor), so the full dependency chain for the Tmds.DBus 0.16.0 floor wasn't confirmed — worth investigating together with, or ahead of, this NU1903.
Both samples use ManagePackageVersionsCentrally=false (or a per-sample local catalog for Uno), same as the SQLitePCLRaw samples fixed in fix: resolve NU1903 for SQLitePCLRaw.lib.e_sqlite3 by pinning SQLitePCLRaw 3.x #498, so the same explicit-PackageReference-override pattern should apply here if no newer Avalonia/Avalonia.FreeDesktop release already bumps the floor.
Ask
Investigate one of:
Whether a newer Avalonia/Avalonia.Desktop/Avalonia.FreeDesktop release (past 11.3.0) already bumps its Tmds.DBus.Protocol dependency to >= 0.21.3, and bump the sample's Avalonia.* package versions if so.
Resolve the pre-existing Uno.WinUINU1605 package-downgrade issue on TodoApp.Uno's desktop head first (unrelated to this advisory but currently blocks confirming the Tmds.DBus 0.16.0 dependency chain there), then apply the equivalent Tmds.DBus >= 0.92.0 override if still needed.
Confirm whether Tmds.DBus/Tmds.DBus.Protocol is reachable code (Linux D-Bus paths) in these samples at all before deciding this is worth a version bump vs. just documenting/suppressing.
Summary
Discovered while verifying #498 (the SQLitePCLRaw NU1903 fix for #492). Restoring the Avalonia and Uno desktop-head samples on Linux/macOS surfaces a separate, unrelated
NU1903high-severity restore warning:and (for Uno's desktop head):
What's known so far
Tmds.DBus.Protocol0.21.3 (fixes< 0.21.3and>= 0.22.0, < 0.92.0),Tmds.DBus0.92.0 (fixes< 0.92.0). Unlike Investigate resolving NU1903 for SQLitePCLRaw.lib.e_sqlite3 (no patched version exists) #492, a drop-in patched version genuinely exists here for both packages.project.assets.json:Avalonia.FreeDesktop/11.3.0→Tmds.DBus.Protocol2.1.2(floor), used for Linux D-Bus integration (system tray, clipboard, etc. via the FreeDesktop backend pulled in byAvalonia.Desktop).samples/todoapp/TodoApp.Avalonia/TodoApp.Avalonia.Desktop/TodoApp.Avalonia.Desktop.csproj—dotnet restorefloatsTmds.DBus.Protocol 0.21.2.samples/todoapp/TodoApp.Uno/TodoApp.Uno/TodoApp.Uno.csproj(net10.0-desktophead) — floatsTmds.DBus 0.16.0. This restore attempt hit an unrelated, pre-existingNU1605package-downgrade error (Uno.WinUI5.5.87 vs 5.4.22, driven by a mismatch betweenglobal.json'sUno.Sdkversion andCommunityToolkit.WinUI.Behaviors' floor), so the full dependency chain for theTmds.DBus0.16.0 floor wasn't confirmed — worth investigating together with, or ahead of, this NU1903.ManagePackageVersionsCentrally=false(or a per-sample local catalog for Uno), same as the SQLitePCLRaw samples fixed in fix: resolve NU1903 for SQLitePCLRaw.lib.e_sqlite3 by pinning SQLitePCLRaw 3.x #498, so the same explicit-PackageReference-override pattern should apply here if no newerAvalonia/Avalonia.FreeDesktoprelease already bumps the floor.Ask
Investigate one of:
Avalonia/Avalonia.Desktop/Avalonia.FreeDesktoprelease (past 11.3.0) already bumps itsTmds.DBus.Protocoldependency to >= 0.21.3, and bump the sample'sAvalonia.*package versions if so.<PackageReference Include="Tmds.DBus.Protocol" Version="0.21.3" />(or later) override toTodoApp.Avalonia.Desktop.csproj, mirroring theSQLitePCLRaw.bundle_e_sqlite3override pattern used in fix: resolve NU1903 for SQLitePCLRaw.lib.e_sqlite3 by pinning SQLitePCLRaw 3.x #498.Uno.WinUINU1605package-downgrade issue onTodoApp.Uno's desktop head first (unrelated to this advisory but currently blocks confirming theTmds.DBus0.16.0 dependency chain there), then apply the equivalentTmds.DBus>= 0.92.0 override if still needed.Tmds.DBus/Tmds.DBus.Protocolis reachable code (Linux D-Bus paths) in these samples at all before deciding this is worth a version bump vs. just documenting/suppressing.Related
SQLitePCLRaw.lib.e_sqlite3) where this was discovered as an out-of-scope side finding.