[release/13.4] Bump StreamJsonRpc to 2.25.29 to clear MessagePack NU1903

Directory.Packages.props

@@ -133,7 +133,7 @@
     <PackageVersion Include="StackExchange.Redis" Version="2.13.1" />
     <PackageVersion Include="System.IO.Hashing" Version="10.0.8" />
     <PackageVersion Include="Yarp.ReverseProxy" Version="2.3.0" />
-    <PackageVersion Include="StreamJsonRpc" Version="2.22.23" />
+    <PackageVersion Include="StreamJsonRpc" Version="2.25.28" />
     <PackageVersion Include="Semver" Version="3.0.0" />
     <PackageVersion Include="Sigstore" Version="0.5.0" />
     <PackageVersion Include="Tuf" Version="0.5.0" />

src/Aspire.Hosting/Aspire.Hosting.csproj

@@ -74,7 +74,19 @@
     <PackageReference Include="AspNetCore.HealthChecks.Uris" />
     <PackageReference Include="Semver" />
     <PackageReference Include="System.IO.Hashing" />
-    <PackageReference Include="StreamJsonRpc" />
+    <!--
+        StreamJsonRpc 2.25.28 brings MessagePack 2.5.302 transitively (clears
+        GHSA-hv8m-jj95-wg3x / CVE-2026-48109 for downstream consumers like AppHost
+        projects generated by `dotnet new aspire-starter`). However, the StreamJsonRpc
+        nupkg ships an analyzer assembly built against Roslyn 4.14, which is newer
+        than the Roslyn 4.11 shipped in the .NET 8 SDK that our template tests use to
+        build generated AppHost projects — that triggers CSC error CS9057. We don't
+        use any of the StreamJsonRpc analyzers in this assembly, so ExcludeAssets
+        skips them without affecting runtime behavior. Remove the ExcludeAssets once
+        our template-test toolchain moves to a .NET SDK with Roslyn >= 4.14.
+        See microsoft/vs-streamjsonrpc#1459.
+    -->
+    <PackageReference Include="StreamJsonRpc" ExcludeAssets="analyzers" />
   </ItemGroup>
 
   <ItemGroup>

src/Aspire.Hosting/buildTransitive/Aspire.Hosting.targets

@@ -9,4 +9,22 @@
     <Analyzer Include="$(_AspireIntegrationAnalyzerAssembly)" Condition="Exists('$(_AspireIntegrationAnalyzerAssembly)')" />
   </ItemGroup>
 
+  <!--
+    StreamJsonRpc 2.25+ ships an analyzer (StreamJsonRpc.Analyzers.dll) built against
+    Roslyn 4.14. When a consumer project is built with the .NET 8 SDK (Roslyn 4.11),
+    the C# compiler fails to load the analyzer with CSC error CS9057. The .NET 8 SDK
+    discovers analyzer assemblies from the NuGet cache by convention, so the
+    ExcludeAssets="analyzers" flag on our PackageReference is not enough to keep the
+    analyzer out of the consumer compile. Aspire does not depend on any StreamJsonRpc
+    analyzer diagnostic, so unconditionally remove it from the Analyzer item set
+    before compile. Applied via buildTransitive so it reaches any consumer that
+    pulls Aspire.Hosting in (e.g. via Aspire.Hosting.AppHost or Aspire.Hosting.Testing).
+    See: https://github.com/microsoft/vs-streamjsonrpc/pull/1459
+  -->
+  <Target Name="_AspireRemoveStreamJsonRpcAnalyzer" BeforeTargets="CoreCompile">
+    <ItemGroup>
+      <Analyzer Remove="@(Analyzer)" Condition="'%(Filename)' == 'StreamJsonRpc.Analyzers' or '%(Filename)' == 'StreamJsonRpc.Analyzers.CodeFixes'" />
+    </ItemGroup>
+  </Target>
+
 </Project>