ImageSharp, MessagePack and Pidgin pinned to [x.y, next-major) so a
lock-file regeneration cannot drift across a major. Resolved versions
unchanged; lock-file diff is request-string only.

Catches up the only direct NuGet dependency that drifted behind on
the v1.0.0 standalone cut. The bump includes:
- 3.4.0: AnyCharExcept performance optimisation for single-char inputs
- 3.5.0: incremental parsing API in Pidgin.Incremental, public Expected
  constructors, SequenceTokenParser performance improvement
- 3.5.1: CIString Unicode handling fix (relevant for non-ASCII
  channel/tab names)

No security advisory drove this; rolling forward to align v1.0.0 with
the current upstream of every direct dependency. dotnet restore +
Release build verified locally, packages.lock.json regenerated.

Two pre-existing build/security defects flagged by CodeRabbit:
- HellionChat.csproj sets RestorePackagesWithLockFile=true so dotnet
  restore honors the committed packages.lock.json. Floating version
  ranges in the lockfile previously could drift between machines or
  CI runs, producing builds with subtly different transitive
  dependencies.
- HellionChat.csproj pins SQLitePCLRaw.lib.e_sqlite3 to 3.50.3 to
  override the older 2.1.11 native build that
  Microsoft.Data.Sqlite 10.0.7 transitively pulls in. Ships SQLite
  3.50.3 which contains the fixes for CVE-2025-6965 (memory
  corruption from aggregate-term overflow) and CVE-2025-7709. The
  managed Microsoft.Data.Sqlite wrapper stays on 10.0.7 — only the
  native binary is bumped, no API breakage. Verified via the NuGet
  spec: "the first three numbers in the version number of this
  package indicate the version of SQLite that was used to build it".
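
One way to check the two properties these commit messages describe, a lock file that restore honors and direct references bounded at the next major, as an added example that is not the project's own code. The csproj text is constructed, the MessagePack version is a placeholder, and an SDK-style project file without an XML namespace is assumed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample project file. Pidgin 3.5.1 and the 3.50.3 SQLite pin
# come from the commit text; the MessagePack version is a placeholder.
SAMPLE_CSPROJ = """\
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Pidgin" Version="[3.5.1, 4.0.0)" />
    <PackageReference Include="MessagePack" Version="1.2.3" />
    <PackageReference Include="SQLitePCLRaw.lib.e_sqlite3" Version="[3.50.3]" />
  </ItemGroup>
</Project>
"""

# "[x.y.z, N.0.0)": inclusive lower bound, exclusive upper bound on a major.
RANGE = re.compile(r"^\[\s*(\d+)(?:\.\d+)*\s*,\s*(\d+)(?:\.0)*\s*\)$")
# "[x.y.z]": exact pin, which cannot drift at all.
EXACT = re.compile(r"^\[\s*\d+(?:\.\d+)*\s*\]$")


def audit_csproj(xml_text):
    """Return a list of findings; an empty list means the file passes."""
    root = ET.fromstring(xml_text)
    findings = []
    lock = root.findtext(".//RestorePackagesWithLockFile", default="")
    if lock.strip().lower() != "true":
        findings.append("RestorePackagesWithLockFile is not true")
    for ref in root.iter("PackageReference"):
        name = ref.get("Include", "?")
        version = (ref.get("Version") or ref.findtext("Version") or "").strip()
        if EXACT.match(version):
            continue
        m = RANGE.match(version)
        # A bare "1.2.3" is only a minimum in NuGet, so it has no upper bound.
        if m is None or int(m.group(2)) != int(m.group(1)) + 1:
            findings.append(f"{name}: '{version}' is not a [x.y, next-major) range")
    return findings


if __name__ == "__main__":
    for finding in audit_csproj(SAMPLE_CSPROJ):
        print(finding)
```

In CI, `dotnet restore --locked-mode` makes the restore fail when the resolved graph no longer matches the committed packages.lock.json.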