[release/9.0] Switch Microsoft.Data.Sqlite and EFCore.Sqlite to SQLite3MC.PCLRaw.bundle #38544
Open
ViveliDuCh wants to merge 3 commits into
…3MC.PCLRaw.bundle
Pull request overview
Backports the switch of the shipped SQLite native bundle to SQLite3MC.PCLRaw.bundle onto release/9.0, along with the prerequisite SQLitePCLRaw 3.x packaging changes, to address the SQLite CVEs tracked in #38257.
Changes:
- Update product packages (`Microsoft.Data.Sqlite`, `EFCore.Sqlite`) and select test projects to reference `SQLite3MC.PCLRaw.bundle`, and bump `SQLitePCLRawVersion` to 3.0.3.
- Rework test provider/bundle references for the removed SQLitePCLRaw 3.x bundles (move `sqlite3`/`winsqlite3` tests to `SQLitePCLRaw.core` + `SQLitePCLRaw.provider.*`, introduce `sqlite3mc` test project, remove legacy `e_sqlite3mc` test project).
- Wire solution/package plumbing for the above (CPM version properties, solution/project list updates, InternalsVisibleTo updates).
Reviewed changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| test/Microsoft.Data.Sqlite.Tests/TestUtilities/SqliteTestFramework.cs | Updates test-framework selection for the new provider matrix and adds provider initialization for non-bundle providers. |
| test/Microsoft.Data.Sqlite.Tests/SqliteConnectionTest.cs | Adjusts conditional behavior for password/encryption support under the new SQLITE3MC symbol. |
| test/Microsoft.Data.Sqlite.Tests/Microsoft.Data.Sqlite.winsqlite3.Tests.csproj | Switches from deprecated bundle_winsqlite3 to SQLitePCLRaw.core + SQLitePCLRaw.provider.winsqlite3. |
| test/Microsoft.Data.Sqlite.Tests/Microsoft.Data.Sqlite.Tests.csproj | Adds a net462 RID and retains bundle_e_sqlite3 reference for the default test matrix. |
| test/Microsoft.Data.Sqlite.Tests/Microsoft.Data.Sqlite.sqlite3mc.Tests.csproj | Retargets the encryption-capable test project to SQLite3MC.PCLRaw.bundle and defines SQLITE3MC. |
| test/Microsoft.Data.Sqlite.Tests/Microsoft.Data.Sqlite.sqlite3.Tests.csproj | Switches from deprecated bundle_sqlite3 to SQLitePCLRaw.core + SQLitePCLRaw.provider.sqlite3. |
| test/Microsoft.Data.Sqlite.Tests/Microsoft.Data.Sqlite.e_sqlite3mc.Tests.csproj | Removes the deprecated e_sqlite3mc test project. |
| test/EFCore.Sqlite.FunctionalTests/Query/PrimitiveCollectionsQuerySqliteTest.cs | Marks a specific test as skipped (Issue #32561). |
| test/EFCore.Sqlite.FunctionalTests/EFCore.Sqlite.FunctionalTests.csproj | Moves functional tests to run directly on SQLite3MC.PCLRaw.bundle. |
| test/EFCore.Design.Tests/EFCore.Design.Tests.csproj | Updates bundle reference used by design tests. |
| test/Directory.Packages.props | Replaces deprecated bundle package versions with provider package versions for tests (imports root CPM). |
| src/Microsoft.Data.Sqlite/Microsoft.Data.Sqlite.csproj | Switches shipped product dependency to SQLite3MC.PCLRaw.bundle. |
| src/Microsoft.Data.Sqlite.Core/Properties/InternalsVisibleTo.cs | Updates friend assemblies to match new/removed test projects. |
| src/EFCore.Sqlite/EFCore.Sqlite.csproj | Switches shipped provider dependency to SQLite3MC.PCLRaw.bundle. |
| Microsoft.Data.Sqlite.slnf | Updates the solution filter to remove deprecated test projects and include sqlite3mc tests. |
| eng/Versions.props | Bumps SQLitePCLRawVersion and adds SQLite3MCPCLRawBundleVersion. |
| EFCore.sln | Removes deprecated test projects and adds sqlite3mc tests to the main solution. |
| Directory.Packages.props | Adds CPM version for SQLite3MC.PCLRaw.bundle and removes deprecated bundle_sqlite3 version entry. |
Member
The asserts in NorthwindAggregateOperatorsQueryTestBase should be changed to account for double rounding errors, see https://github.com/dotnet/efcore/pull/38532/changes#diff-e0f7ef3829d5b8632fedd04284d951c116ac7f1ba7da7917517070202cd130af
…ounding tolerance, bump Helix image to ubuntu-22.04
AndriySvyryd
approved these changes
Jul 1, 2026
Fixes #38257
Backports #38402, #36551

Description
Backports #38402 to `release/9.0`, switching `Microsoft.Data.Sqlite` and `Microsoft.EntityFrameworkCore.Sqlite` to the encryption-capable `SQLite3MC.PCLRaw.bundle` (2.3.5) and, since `9.0` lacked #36551, also bumping `SQLitePCLRaw` to `3.0.3`; breaking-change guidance is in dotnet/EntityFramework.Docs#5385.

Customer impact
Gives net9.0 customers an actively maintained, encryption-capable native SQLite by default, replacing the aging `bundle_e_sqlite3` that was flagged against known SQLite CVEs in #38257.

How found
Raised by customers in #38257 asking that the vulnerable native SQLite dependency be updated or replaced.

Regression
No. This is a deliberate security/servicing alignment with net11.0 and a documented breaking change, not a regression fix.

Testing
Added a `Microsoft.Data.Sqlite.sqlite3mc.Tests` project and pointed `EFCore.Sqlite.FunctionalTests`/`EFCore.Design.Tests` at SQLite3MC so CI exercises the shipped bundle.

Risk
Low-to-moderate; it swaps the default native SQLite engine but mirrors the change already validated in net11.0 preview 6 (#38402) and lets customers opt back into `bundle_e_sqlite3` per the published guidance.

Links
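
An added example (not part of this PR or the EF Core repository): a Python check over the NuGet restore output `obj/project.assets.json` that reports, per target framework, whether the `SQLitePCLRaw.bundle_e_sqlite3` package replaced here is still resolved and which packages pull it in. The sample data and the `0.0.0-sample` versions are constructed placeholders; `audit_assets` and `is_clean` are hypothetical helper names.

```python
import json

# Package ids as named in the PR text (NuGet ids compare case-insensitively).
LEGACY_BUNDLE = "SQLitePCLRaw.bundle_e_sqlite3"
NEW_BUNDLE = "SQLite3MC.PCLRaw.bundle"

def audit_assets(assets):
    """Per target framework: resolved versions of both bundles and the
    packages that declare a dependency on the legacy one."""
    report = {}
    for tfm, packages in assets.get("targets", {}).items():
        resolved, pulled_in_by = {}, []
        for key, meta in packages.items():
            name, _, version = key.partition("/")
            resolved[name.lower()] = version
            deps = {d.lower() for d in meta.get("dependencies", {})}
            if LEGACY_BUNDLE.lower() in deps:
                pulled_in_by.append(name)
        report[tfm] = {
            "legacy": resolved.get(LEGACY_BUNDLE.lower()),
            "sqlite3mc": resolved.get(NEW_BUNDLE.lower()),
            # Empty when the project references the legacy bundle directly.
            "legacy_pulled_in_by": sorted(pulled_in_by),
        }
    return report

def is_clean(assets):
    """True when no target framework still resolves the legacy bundle."""
    return all(r["legacy"] is None for r in audit_assets(assets).values())

# Constructed sample data; "0.0.0-sample" versions are placeholders.
SAMPLE_BEFORE = {"targets": {"net9.0": {
    "Microsoft.Data.Sqlite/0.0.0-sample": {"type": "package", "dependencies": {
        "Microsoft.Data.Sqlite.Core": "0.0.0-sample",
        "SQLitePCLRaw.bundle_e_sqlite3": "0.0.0-sample"}},
    "Microsoft.Data.Sqlite.Core/0.0.0-sample": {"type": "package"},
    "SQLitePCLRaw.bundle_e_sqlite3/0.0.0-sample": {"type": "package"},
}}}
SAMPLE_AFTER = {"targets": {"net9.0": {
    "Microsoft.Data.Sqlite/0.0.0-sample": {"type": "package", "dependencies": {
        "Microsoft.Data.Sqlite.Core": "0.0.0-sample",
        "SQLite3MC.PCLRaw.bundle": "2.3.5"}},
    "Microsoft.Data.Sqlite.Core/0.0.0-sample": {"type": "package"},
    "SQLite3MC.PCLRaw.bundle/2.3.5": {"type": "package"},
}}}

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, json.dumps(audit_assets(sample)), "clean:", is_clean(sample))
```

To audit a real project, run `dotnet restore` and pass the parsed contents of its `obj/project.assets.json` to `audit_assets`.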