@thomhurst
Owner

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| NuGet.Protocol (source) | nuget | major | 6.14.0 -> 7.0.0 |

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@thomhurst added the dependencies (Pull requests that update a dependency file), MAJOR and renovate-bot labels on Nov 11, 2025
@thomhurst enabled auto-merge (squash) on November 11, 2025 22:08
@claude
Contributor

claude bot commented Nov 11, 2025

Claude finished @thomhurst's task


PR Review: NuGet.Protocol v6→v7 Update

Reviewing this dependency update for potential issues and compatibility.

Todo List

  • Read the changed file to understand the exact update
  • Search codebase for NuGet.Protocol usage
  • Check for breaking changes in NuGet.Protocol v7
  • Analyze compatibility impact
  • Provide comprehensive review feedback

Review Findings

Code Quality & Best Practices

  • Clean change: Single line update in centralized package management file
  • Follows conventions: Uses Central Package Management properly
  • Automated process: Renovate bot ensures consistent dependency management

⚠️ Potential Compatibility Issues

Major Version Bump (6.x → 7.x): This is a major version change that could introduce breaking changes.

Current Usage Analysis:

  • NuGet.Protocol is used in test-only code in two identical NuGetDownloader.cs helper classes
  • Uses these APIs from NuGet.Protocol.Core.Types:
    • SourceRepositoryProvider
    • PackageSourceProvider
    • Repository.Provider.GetCoreV3()
    • FindPackageByIdResource
    • CopyNupkgToStreamAsync()

Risk Assessment:

  • Low impact scope: Only affects test infrastructure, not production code
  • ⚠️ Potential API changes: Major version could break test helper methods
  • Isolated usage: Simple download functionality that's unlikely to be heavily affected

🔒 Security Considerations

  • Trusted source: Official Microsoft NuGet package
  • Security updates: Newer versions typically include security fixes
  • No direct security exposure: Used only in test scenarios

Performance Considerations

  • Test-only impact: No production performance implications
  • ↔️ Neutral impact: NuGet protocol improvements may actually enhance package download performance

🧪 Test Coverage

  • ⚠️ Cannot verify: Unable to run tests without approval for build commands
  • Limited surface area: Only affects two identical test helper files
  • CI will verify: Automated testing should catch any breakage

Recommendation: ✅ APPROVE with Verification

This is a low-risk dependency update because:

  1. Limited blast radius: Only affects test infrastructure
  2. Simple usage pattern: Basic NuGet download functionality
  3. Standard automation: Renovate bot with automerge suggests confidence
  4. Security benefit: Staying current with official Microsoft packages

Action Required:

  • ✅ The CI pipeline should verify compilation and test execution
  • ✅ Monitor for any test failures in the affected source generator tests

If tests pass, this update is safe to merge. If tests fail, investigate the specific NuGet.Protocol v7 API changes affecting the NuGetDownloader implementations.

