build: update sqlite3 to 3.x and adapt encryption helper to build hooks#2397
build: update sqlite3 to 3.x and adapt encryption helper to build hooks#2397td-famedly wants to merge 3 commits into
Conversation
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Migration lacks SQLCipher availability check
- Extracted the cipher_version guard into a shared helper and invoked it on the migration connection so ensureDatabaseFileEncrypted now throws the same explicit StateError as applyPragmaKey when SQLCipher is unavailable.
Or push these changes by commenting:
@cursor push 1096483dbe
Preview (1096483dbe)
diff --git a/lib/src/database/sqflite_encryption_helper/io.dart b/lib/src/database/sqflite_encryption_helper/io.dart
--- a/lib/src/database/sqflite_encryption_helper/io.dart
+++ b/lib/src/database/sqflite_encryption_helper/io.dart
@@ -71,6 +71,16 @@
// hell, it's unencrypted. This should not happen. Time to encrypt it.
final plainDb = await factory.openDatabase(path);
+ // make sure SQLCipher is actually available before running the
+ // SQLCipher-specific migration statements below, otherwise they would
+ // fail with an unclear error instead of the explicit one.
+ try {
+ await _ensureSqlCipherAvailable(plainDb);
+ } catch (_) {
+ await plainDb.close();
+ rethrow;
+ }
+
final encryptedPath = '$path.encrypted';
await plainDb.execute(
@@ -107,25 +117,30 @@
/// * applies [cipher] as PRAGMA key
/// * checks whether this operation was successful
Future<void> applyPragmaKey(Database database) async {
+ await _ensureSqlCipherAvailable(database);
+
+ final result = await database.rawQuery("PRAGMA KEY='$cipher';");
+ assert(result.single['ok'] == 'ok');
+ }
+
+ /// ensures the given [database] is backed by SQLCipher
+ ///
+ /// Throws a [StateError] when the `cipher_version` PRAGMA is not supported,
+ /// since the encryption PRAGMAs fail silently with regular sqlite3 (meaning
+ /// that we'd accidentally use plaintext databases).
+ Future<void> _ensureSqlCipherAvailable(Database database) async {
final cipherVersion = await database.rawQuery('PRAGMA cipher_version;');
if (cipherVersion.isEmpty) {
- // Make sure that we're actually using SQLCipher, since the pragma
- // used to encrypt databases just fails silently with regular
- // sqlite3
- // (meaning that we'd accidentally use plaintext databases).
throw StateError(
'SQLCipher library is not available, '
'please check your dependencies!',
);
- } else {
- final version = cipherVersion.singleOrNull?['cipher_version'];
- Logs().d(
- 'PRAGMA supported by bundled SQLite. Encryption supported. SQLCipher version: $version.',
- );
}
- final result = await database.rawQuery("PRAGMA KEY='$cipher';");
- assert(result.single['ok'] == 'ok');
+ final version = cipherVersion.singleOrNull?['cipher_version'];
+ Logs().d(
+ 'PRAGMA supported by bundled SQLite. Encryption supported. SQLCipher version: $version.',
+ );
}
/// checks whether a File has a plain text SQLite headerYou can send follow-ups to the cloud agent here.
Reviewed by Cursor Bugbot for commit 32c46bd. Configure here.
| } | ||
|
|
||
| throw UnsupportedError('Unsupported platform: ${Platform.operatingSystem}'); | ||
| } |
There was a problem hiding this comment.
Migration lacks SQLCipher availability check
Medium Severity
This commit makes ffiInit a deprecated no-op, so SQLCipher is no longer loaded before database use. applyPragmaKey still validates PRAGMA cipher_version, but ensureDatabaseFileEncrypted runs ATTACH/sqlcipher_export on the opened database without that check, so apps that still rely on ffiInit or omit build hooks hit unclear migration failures instead of the same explicit error.
Reviewed by Cursor Bugbot for commit 32c46bd. Configure here.
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #2397 +/- ##
==========================================
+ Coverage 59.29% 59.45% +0.16%
==========================================
Files 161 161
Lines 20300 20287 -13
==========================================
+ Hits 12037 12062 +25
+ Misses 8263 8225 -38
Continue to review full report in Codecov by Harness.
|
Also covers SQfLiteEncryptionHelper with tests.
| slugify: ^2.0.0 | ||
| sqflite_common: ^2.4.5 | ||
| sqlite3: ^2.1.0 | ||
| sqlite3: ^3.3.4 |



Summary
Updates the last outdated dependencies in
pubspec.yaml(everything else already resolves to the latest version compatible with Dart 3.11):sqlite3^2.1.0→^3.3.4— the major bump dependabot could not land (build(deps): bump sqlite3 from 2.9.4 to 3.0.1 #2190…build: (deps): bump sqlite3 from 2.9.4 to 3.3.4 #2393) because sqlite3 3.x droppedpackage:sqlite3/open.dartin favour of build hooks.sqflite_common_ffi^2.3.4+4→^2.4.0+3(2.4.1+ needs Dart 3.12).sqflite_commonstays at 2.5.8 (2.5.9+ needs Dart 3.12).To make the SDK compile against sqlite3 3.x,
SQfLiteEncryptionHelper.ffiInitno longer performs the runtimeDynamicLibraryoverride (that API is gone). It is now a deprecated no-op pointing apps to the hooksuser_defines(source: sqlcipher) migration path. BothapplyPragmaKeyandensureDatabaseFileEncryptednow checkPRAGMA cipher_versionand throw an explicitStateErrorwhen SQLCipher is not actually loaded, and the helper is covered by new tests intest/sqflite_encryption_helper_test.dart.Verification
dart analyze,dart format,dependency_validator,dart pub publish --dry-runall cleanweb_testcompiles viadart run webdev build;test/box_test.dart --platform chromepasses