From 71f0b630794f98ffff88dcfd3e94fb88e2c2711b Mon Sep 17 00:00:00 2001
From: JonKazama-Hellion
Date: Sun, 3 May 2026 22:13:10 +0200
Subject: [PATCH] build: harden NuGet restore and ship SQLite >= 3.50.3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Two pre-existing build/security defects flagged by CodeRabbit:
- HellionChat.csproj sets RestorePackagesWithLockFile=true so dotnet restore honors the committed packages.lock.json. Floating version ranges in the lockfile previously could drift between machines or CI runs, producing builds with subtly different transitive dependencies
- HellionChat.csproj pins SQLitePCLRaw.lib.e_sqlite3 to 3.50.3 to override the older 2.1.11 native build that Microsoft.Data.Sqlite 10.0.7 transitively pulls in. Ships SQLite 3.50.3 which contains the fixes for CVE-2025-6965 (memory corruption from aggregate-term overflow) and CVE-2025-7709. The managed Microsoft.Data.Sqlite wrapper stays on 10.0.7 — only the native binary is bumped, no API breakage. Verified via the NuGet spec: "the first three numbers in the version number of this package indicate the version of SQLite that was used to build it"
---
 HellionChat/HellionChat.csproj | 10 ++++++++++
 HellionChat/packages.lock.json | 11 ++++++-----
 2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/HellionChat/HellionChat.csproj b/HellionChat/HellionChat.csproj
index 5c48222..bfae8dc 100644
--- a/HellionChat/HellionChat.csproj
+++ b/HellionChat/HellionChat.csproj
@@ -6,6 +6,9 @@ derives from. --> 1.0.0 enable + + true +
diff --git a/HellionChat/packages.lock.json b/HellionChat/packages.lock.json
index de7501a..1149114 100644
--- a/HellionChat/packages.lock.json
+++ b/HellionChat/packages.lock.json
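Review bot: Setting RestorePackagesWithLockFile to true in the csproj hunk does not by itself make restore fail when packages.lock.json drifts; without locked mode, `dotnet restore` rewrites the lockfile to match the resolved graph and continues, so the committed lockfile is only advisory rather than enforced. To get the supply-chain guarantee the commit message describes, add `<RestoreLockedMode Condition="'$(ContinuousIntegrationBuild)' == 'true'">true</RestoreLockedMode>` beside the new property (or run `dotnet restore --locked-mode` in CI) so a mismatched lockfile breaks the build instead of being silently regenerated. The visible csproj hunk adds only three lines for that property while the diffstat reports ten insertions and the message describes a PackageReference pin of SQLitePCLRaw.lib.e_sqlite3 to 3.50.3, so the pinning hunk appears to be missing or truncated in this patch as shown and is worth confirming in the actual commit. The lockfile hunks also leave SQLitePCLRaw.provider.e_sqlite3 at 2.1.11 next to the 3.50.3 native package, so the SQLite version actually loaded at runtime should be verified rather than inferred from the lockfile alone.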
@@ -54,6 +54,12 @@
 "resolved": "3.1.12",
 "contentHash": "iAg6zifihXEFS/t7fiHhZBGAdCp3FavsF4i2ZIDp0JfeYeDVzvmlbY1CNhhIKimaIzrzSi5M/NBFcWvZT2rB/A=="
 },
+ "SQLitePCLRaw.lib.e_sqlite3": {
+ "type": "Direct",
+ "requested": "[3.50.3, )",
+ "resolved": "3.50.3",
+ "contentHash": "tVyhqQ8wxgedWiiPFChyZhE8I3PkOM/AE1azsj1qsdYUws13ONBFyi3aDxju4tD2kzedB2q5+50WrTyY0h2gMQ=="
+ },
 "MessagePack.Annotations": {
 "type": "Transitive",
 "resolved": "3.1.4",
@@ -91,11 +97,6 @@
 "resolved": "2.1.11",
 "contentHash": "PK0GLFkfhZzLQeR3PJf71FmhtHox+U3vcY6ZtswoMjrefkB9k6ErNJEnwXqc5KgXDSjige2XXrezqS39gkpQKA=="
 },
- "SQLitePCLRaw.lib.e_sqlite3": {
- "type": "Transitive",
- "resolved": "2.1.11",
- "contentHash": "Ev2ytaXiOlWZ4b3R67GZBsemTINslLD1DCJr2xiacpn4tbapu0Q4dHEzSvZSMnVWeE5nlObU3VZN2p81q3XOYQ=="
- },
 "SQLitePCLRaw.provider.e_sqlite3": {
 "type": "Transitive",
 "resolved": "2.1.11",