Skip to content

fix: resolve remaining sample package drift and Microsoft.OpenApi NU1903#493

Merged
adrianhall merged 1 commit into
CommunityToolkit:mainfrom
adrianhall:issues/489
Jul 6, 2026
Merged

fix: resolve remaining sample package drift and Microsoft.OpenApi NU1903#493
adrianhall merged 1 commit into
CommunityToolkit:mainfrom
adrianhall:issues/489

Conversation

@adrianhall

Copy link
Copy Markdown
Collaborator

Summary

Addresses the remaining unresolved items from #489 (the earlier sample fixes for datasync-server, datasync-server-cosmosdb-singlecontainer, and most of todoapp-blazor-wasm/todoapp-mvc were already merged in #488/#490/#491).

Package version drift fixes

  • samples/todoapp-mvc: Microsoft.EntityFrameworkCore.SqlServer 10.0.3 → 10.0.9 (missed in docs: document secure UnsafeEntityLogging default in todoapp-mvc sample #485; same drift class as docs: document secure UnsafeEntityLogging default in datasync-server sample (#477) #488).
  • samples/todoapp-blazor-wasm: stray Microsoft.AspNetCore.Components.WebAssembly* / Microsoft.Extensions.Http 10.0.3 → 10.0.9.
  • samples/todoapp client platforms (Avalonia, MAUI, WPF, WinUI3, Uno): 10.0.3 → 10.0.9 on Microsoft.EntityFrameworkCore, Microsoft.Extensions.Logging.Debug, Microsoft.Extensions.DependencyInjection, System.Text.Json/Formats.Asn1/IO.Packaging.
  • CommunityToolkit.Datasync.Client 10.0.0 → 10.1.0 everywhere it's referenced (Avalonia, MAUI, Uno, WPF, WinUI3, todoapp-blazor-wasm/Client, todoapp-tutorial/ClientApp) to match the latest published package, bringing it in line with the server samples already on 10.1.0.

All values were checked against the root Directory.Packages.props (DotNetVersion/EFCoreVersion = 10.0.9) and the latest published CommunityToolkit.Datasync.* NuGet versions.

NU1903 — Microsoft.OpenApi (GHSA-v5pm-xwqc-g5wc)

Pinned Microsoft.OpenApi to the patched 2.7.5 release in root Directory.Packages.props. Because CentralPackageTransitivePinningEnabled is already true there, this propagates through ProjectReferences into samples/datasync-server and samples/datasync-server-cosmosdb-singlecontainer without needing a per-sample override — verified every project.assets.json in the repo now resolves Microsoft.OpenApi/2.7.5, with zero remaining 2.0.0 resolutions.

NU1903 — SQLitePCLRaw.lib.e_sqlite3 (GHSA-2m69-gcr7-jv3q)

No patched version exists for this package (confirmed via the advisory and NuGet — the package is deprecated with no newer release). Filed #492 to track investigating this separately (potential suppression, migration off the EF Core Sqlite provider, or an alternate package) rather than bundling a bigger change into this PR.

Not in scope for this PR

Per discussion on #489, a CI/script-based drift-prevention mechanism was intentionally not added here — this is a one-time cleanup pass, not an ask for ongoing automation.

Verification

  • dotnet restore / dotnet build / dotnet test on Datasync.Toolkit.sln: build succeeded, all test suites passed (Server, Client, EFCore, CosmosDb, MongoDB, LiteDb, InMemory, Automapper, NSwag, OpenApi, Swashbuckle test projects — 0 failures).
  • Per-sample dotnet restore + dotnet build confirmed clean for: todoapp-mvc, todoapp-blazor-wasm, datasync-server, datasync-server-cosmosdb-singlecontainer, todoapp-tutorial, TodoApp.Avalonia (+ .Desktop), TodoApp.WPF.
  • TodoApp.MAUI, TodoApp.Uno (mobile TFMs), and TodoApp.WinUI3's full build could not be exercised on this (macOS, no Android/iOS/Windows workloads) machine, but dotnet restore got past all package-version resolution before hitting the workload-not-installed check, confirming the version pins themselves resolve cleanly.

Related

…903 (CommunityToolkit#489)

- Bump samples/todoapp-mvc Microsoft.EntityFrameworkCore.SqlServer 10.0.3 -> 10.0.9
  to match the repo's EFCoreVersion (missed in CommunityToolkit#485).
- Bump stray Microsoft.AspNetCore.Components.WebAssembly*/Microsoft.Extensions.Http
  pins in todoapp-blazor-wasm from 10.0.3 -> 10.0.9.
- Bump Microsoft.EntityFrameworkCore (Avalonia), Microsoft.Extensions.Logging.Debug
  (MAUI), Microsoft.Extensions.DependencyInjection (WinUI3), and
  System.Text.Json/System.Formats.Asn1/System.IO.Packaging (Uno, local CPM) from
  10.0.3 -> 10.0.9 across the todoapp client-platform samples.
- Bump CommunityToolkit.Datasync.Client 10.0.0 -> 10.1.0 across every client
  sample (Avalonia, MAUI, Uno, WPF, WinUI3, todoapp-tutorial/ClientApp,
  todoapp-blazor-wasm/Client) to match the latest published package, alongside
  the already-updated 10.1.0 server samples.
- Pin Microsoft.OpenApi to 2.7.5 in root Directory.Packages.props to resolve the
  NU1903 high-severity advisory (GHSA-v5pm-xwqc-g5wc) on the 2.0.0 version
  floated transitively via Microsoft.AspNetCore.OpenApi/NSwag.AspNetCore/
  Swashbuckle.AspNetCore. CentralPackageTransitivePinningEnabled propagates this
  through project references into samples/datasync-server and
  samples/datasync-server-cosmosdb-singlecontainer without needing per-sample
  pins; verified every restored project.assets.json in the repo now resolves
  Microsoft.OpenApi/2.7.5.

The remaining NU1903 advisory (SQLitePCLRaw.lib.e_sqlite3, GHSA-2m69-gcr7-jv3q)
has no patched version available and is tracked separately in CommunityToolkit#492.

Verified: dotnet restore/build/test on Datasync.Toolkit.sln (2280+ tests
passing across all suites), plus restore+build for every affected sample
solution/project (todoapp-mvc, todoapp-blazor-wasm, datasync-server,
datasync-server-cosmosdb-singlecontainer, todoapp-tutorial, TodoApp.Avalonia,
TodoApp.Avalonia.Desktop, TodoApp.WPF). TodoApp.MAUI/TodoApp.Uno mobile TFMs
and TodoApp.WinUI3 build could not be fully exercised in this environment due
to missing Android/iOS/Windows workloads, but package restore succeeded up to
that point, confirming the version pins resolve cleanly.
@adrianhall adrianhall merged commit 81bde54 into CommunityToolkit:main Jul 6, 2026
7 of 8 checks passed
@adrianhall adrianhall deleted the issues/489 branch July 6, 2026 09:43
adrianhall added a commit that referenced this pull request Jul 6, 2026
…CLRaw 3.x (#498)

* fix: resolve NU1903 for SQLitePCLRaw.lib.e_sqlite3 by pinning SQLitePCLRaw 3.x (#492)

Microsoft.EntityFrameworkCore.Sqlite floats a transitive dependency on
SQLitePCLRaw.bundle_e_sqlite3 2.1.11, which pulls in the deprecated
SQLitePCLRaw.lib.e_sqlite3 2.1.11 and triggers NU1903 (GHSA-2m69-gcr7-jv3q /
CVE-2025-6965 - SQLite versions before 3.50.2 have a memory corruption
issue). The advisory says no patched version exists for lib.e_sqlite3, but
the SQLitePCLRaw 3.x line (released after the advisory) drops lib.e_sqlite3
entirely and depends on SourceGear.sqlite3 3.50.4.5 instead (SQLite 3.50.4,
above the fix line), with full runtime asset coverage for android, ios,
maccatalyst, browser-wasm, linux (incl. musl), osx, and win RIDs.

- Pin SQLitePCLRaw.bundle_e_sqlite3 to 3.0.3 in the root Directory.Packages.props.
  CentralPackageTransitivePinningEnabled propagates this into
  src/CommunityToolkit.Datasync.Client, tests/CommunityToolkit.Datasync.TestCommon,
  tests/CommunityToolkit.Datasync.TestService, and tests/CommunityToolkit.Datasync.Client.Test
  without needing an explicit PackageReference, mirroring the Microsoft.OpenApi
  NU1903 fix from #489.
- This does not affect the main packages' own published dependency floor, so
  every sample that consumes CommunityToolkit.Datasync.Client via NuGet
  PackageReference still floats the vulnerable version on its own. Added the
  same explicit override to the 7 affected samples: TodoApp.Avalonia,
  TodoApp.MAUI, TodoApp.WPF, TodoApp.WinUI3, TodoApp.Uno (via its own local
  Directory.Packages.props), todoapp-tutorial/ClientApp, and
  todoapp-blazor-wasm/TodoApp.BlazorWasm.Client.
- TodoApp.Avalonia.Desktop needs no change; it inherits the pin transitively
  via its ProjectReference to TodoApp.Avalonia (verified via restore).

Verified: dotnet restore/build/test on Datasync.Toolkit.sln (2280 tests
passing across all 12 suites, 0 warnings on build). Confirmed every restored
project.assets.json in src/tests now resolves SQLitePCLRaw.bundle_e_sqlite3/3.0.3
with zero occurrences of sqlitepclraw.lib.e_sqlite3 anywhere in the graph.
Also verified restore (and build where the target platform doesn't require a
missing workload) for TodoApp.Avalonia, TodoApp.Avalonia.Desktop,
TodoApp.BlazorWasm.Client, todoapp-tutorial/ClientApp, TodoApp.WPF, and
TodoApp.WinUI3 -- all clean, no NU1903, SQLitePCLRaw resolves to 3.0.3.
TodoApp.MAUI (net10.0-android) and TodoApp.Uno's mobile TFMs could not be
restored in this environment due to missing Android/iOS workloads, the same
limitation noted in #493; the package-version pin is applied identically and
is expected to resolve cleanly once those workloads are available, same as
every other affected project.

Fixes #492

* docs: document the SQLitePCLRaw NU1903 fix and fix a broken admonition title

- Add a note under 'Creating an offline-capable DbContext' in
  docs/in-depth/client/index.md pointing consumers at the
  SQLitePCLRaw.bundle_e_sqlite3 3.0.3 override from #492/#498 if they hit
  the NU1903 audit warning in their own application.
- Fix the 'Blazor WASM and Blazor Hybrid' admonition above that section:
  it used an unquoted, bold (**...**) title (!!! note **Blazor WASM and
  Blazor Hybrid**), which the admonition markdown extension's title regex
  does not accept -- the whole block silently failed to parse as an
  admonition and rendered as a plain paragraph with literal '!!! note'
  text. Quoting the title (!!! note "Blazor WASM and Blazor Hybrid")
  fixes it. Verified against python-markdown + pymdownx.superfences
  (the extensions configured in mkdocs.shared.yml) that both admonitions
  now render as proper admonition blocks, including the nested fenced
  xml code sample.

* docs: fix a second broken admonition title in client index.md

!!! warning DO NOT USE THE SAME ENTITY TYPE FOR BOTH SERVICE AND CLIENT
used an unquoted, all-caps multi-word title. The admonition extension's
title regex swallows unquoted words into the block's CSS class list
instead of using them as the title, so this rendered with the generic
'Warning' title (its intended custom title was silently dropped) and
polluted the div's class attribute with lowercased title words. Quoting
the title fixes both problems. Verified against python-markdown +
pymdownx.superfences (the extensions configured in mkdocs.shared.yml):
now renders as <div class="admonition warning"> with the correct
custom title.

* docs: add 'Building the documentation site' section to README

Documents how to build/serve the MkDocs site locally (python venv,
mkdocs + mkdocs-mermaid2-plugin, mkdocs serve on localhost:7000, and
mkdocs build for a static site). Also add .venv-*/ to .gitignore so a
local docs venv isn't accidentally committed.

---------

Co-authored-by: ahall <ahall@cloudflare.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Audit sample projects for stale/inconsistent NuGet package pins and NU1903 vulnerability warnings

1 participant