JonKazama-Hellion/HellionChat
1
0
Fork 0
Code Issues 1 Pull Requests Actions Releases 28 Activity
Files
55aeaea5b9fe772f762824640af4e625cd731acd
HellionChat/HellionChat/HellionChat.csproj
T
JonKazama-Hellion 71f0b63079 build: harden NuGet restore and ship SQLite >= 3.50.3 
Two pre-existing build/security defects flagged by CodeRabbit:

- HellionChat.csproj sets RestorePackagesWithLockFile=true so dotnet
  restore honors the committed packages.lock.json. Floating version
  ranges in the lockfile previously could drift between machines or
  CI runs, producing builds with subtly different transitive
  dependencies
- HellionChat.csproj pins SQLitePCLRaw.lib.e_sqlite3 to 3.50.3 to
  override the older 2.1.11 native build that
  Microsoft.Data.Sqlite 10.0.7 transitively pulls in. Ships SQLite
  3.50.3 which contains the fixes for CVE-2025-6965 (memory
  corruption from aggregate-term overflow) and CVE-2025-7709. The
  managed Microsoft.Data.Sqlite wrapper stays on 10.0.7 — only the
  native binary is bumped, no API breakage. Verified via the NuGet
  spec: "the first three numbers in the version number of this
  package indicate the version of SQLite that was used to build it"
2026-05-03 22:13:10 +02:00

84 lines
3.9 KiB
XML
Raw Blame History

<Project Sdk="Dalamud.NET.Sdk/15.0.0">
<PropertyGroup>
<!-- Hellion Chat versioning runs separately from upstream Chat 2.
0.1.0 is our bootstrap release; the underlying Chat 2 base is
called out in the yaml changelog so users can see what it
derives from. -->
<Version>1.0.0</Version>
<ImplicitUsings>enable</ImplicitUsings>
<!-- Honor packages.lock.json on restore so floating version ranges
don't silently drift between machines or CI runs. -->
<RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
<!-- v1.0.0 standalone cut — both AssemblyName and RootNamespace
are HellionChat. The plugin no longer maintains source-level
cherry-pick compatibility with upstream Infiziert90/ChatTwo;
upstream changes are integrated manually if at all. -->
<AssemblyName>HellionChat</AssemblyName>
<RootNamespace>HellionChat</RootNamespace>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="MessagePack" Version="3.1.4" />
<PackageReference Include="Microsoft.Data.Sqlite" Version="10.0.7" />
<!-- Override the transitively-referenced native SQLite build to one
that ships SQLite >= 3.50.3 (CVE-2025-6965 memory corruption,
CVE-2025-7709 fixed in 3.50.x). Microsoft.Data.Sqlite 10.0.7
pulls SQLitePCLRaw 2.1.11 which carries the older lib; pinning
the lib package directly forces the newer native binary
without a major bump on the managed wrapper. -->
<PackageReference Include="SQLitePCLRaw.lib.e_sqlite3" Version="3.50.3" />
<PackageReference Include="morelinq" Version="4.4.0" />
<PackageReference Include="Pidgin" Version="3.3.0" />
<PackageReference Include="SixLabors.ImageSharp" Version="3.1.12" />
</ItemGroup>
<ItemGroup>
<Compile Update="Resources\Language.Designer.cs">
<DesignTime>True</DesignTime>
<AutoGen>True</AutoGen>
<DependentUpon>Language.resx</DependentUpon>
</Compile>
</ItemGroup>
<ItemGroup>
<EmbeddedResource Update="Resources\Language.resx">
<Generator>ResXFileCodeGenerator</Generator>
<LastGenOutput>Language.Designer.cs</LastGenOutput>
</EmbeddedResource>
</ItemGroup>
<!-- HellionChat — Hellion-specific resource bundle (HellionStrings.resx
+ HellionStrings.<lang>.resx) is picked up automatically by the SDK
default include. Designer.cs is hand-maintained, no auto-gen needed. -->
<!-- Bundled Hellion font (Exo 2, OFL-1.1). Embedded as a manifest
resource with a fixed LogicalName so FontManager can pull the
bytes back at runtime via AddFontFromMemory. The OFL license
text travels with it inside the assembly to satisfy the
"license must be distributed with the font" clause. -->
<ItemGroup>
<EmbeddedResource Include="Resources\HellionFont.ttf">
<LogicalName>HellionFont.ttf</LogicalName>
</EmbeddedResource>
<EmbeddedResource Include="Resources\HellionFont-OFL.txt">
<LogicalName>HellionFont-OFL.txt</LogicalName>
</EmbeddedResource>
</ItemGroup>
<!-- Plugin icon. Copy images/* into the build output so Dalamud
finds the icon next to the DLL, and let the SDK default
DalamudPackager pipeline include the same path in the
release ZIP. Earlier we shipped a custom DalamudPackager
targets override that explicitly set HandleImages and
ImagesPath; that override conflicted with the SDK 15
default and the resulting manifest carried no IconUrl.
Removed in v0.5.2. -->
<ItemGroup>
<None Include="images\**">
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
</None>
</ItemGroup>
</Project>
Reference in New Issue View Git Blame Copy Permalink