Fix Nerdbank.MessagePack security vulnerabilities; fix Linux build and test failures

[Copilot]

Nerdbank.MessagePack 1.1.62 has two moderate security advisories (GHSA-qjvr-435c-5fjh, GHSA-92vj-hp7m-gwcj). Additionally, scripts/validate was failing on Linux due to two pre-existing bugs uncovered when trying to confirm the fix.

Package update

• Directory.Packages.props: Nerdbank.MessagePack 1.1.62 → 1.2.4

Linux build fix

• AdaptiveRemote.EndToEndTests.Host.Wpf.csproj, AdaptiveRemote.EndToEndTests.Host.Console.csproj: Added <EnableWindowsTargeting>true</EnableWindowsTargeting>. These Windows-TFM projects were failing with NETSDK1073 on Linux while the production WPF project already had this property.

Linux test fix

• PersistSettingsTests: %LocalAppData% doesn't expand on Linux, so InputSettingsPath == ResolvedSettingsPath, causing the Times.Never Moq setup to overwrite the Times.Once setup for the same path. Replaced with a controlled env var (AR_TEST_SETTINGS_DIR) set/restored in ClassInitialize/ClassCleanup, and changed ResolvedSettingsPath from a static field to a static property so it evaluates after ClassInitialize runs.

// Before: %LocalAppData% doesn't expand on Linux — both paths identical
private static readonly string InputSettingsPath = Path.Combine("%LocalAppData%", "path", "to", "settings.ini");
private static readonly string ResolvedSettingsPath = Environment.ExpandEnvironmentVariables(InputSettingsPath);

// After: controlled env var guaranteed to differ from the unexpanded form
private const string TestSettingsDirEnvVar = "AR_TEST_SETTINGS_DIR";
private static readonly string InputSettingsPath = Path.Combine($"%{TestSettingsDirEnvVar}%", "path", "to", "settings.ini");
private static string ResolvedSettingsPath => Environment.ExpandEnvironmentVariables(InputSettingsPath);

[Copilot]

Pull request overview

Updates a vulnerable dependency and addresses Linux CI breakages by enabling Windows targeting for Windows-only test hosts and fixing a cross-platform path expansion issue in a unit test.

Changes:

• Bumps Nerdbank.MessagePack to 1.2.4 to address reported security advisories.
• Adds <EnableWindowsTargeting>true</EnableWindowsTargeting> to Windows-TFM E2E host projects so they can be built on Linux.
• Fixes PersistSettingsTests on Linux by using a controlled environment variable and deferring expansion until after ClassInitialize.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File	Description
test/AdaptiveRemote.EndToEndTests.Host.Wpf/AdaptiveRemote.EndToEndTests.Host.Wpf.csproj	Enables Windows targeting to avoid Linux build failures for a Windows-TFM test host.
test/AdaptiveRemote.EndtoEndTests.Host.Console/AdaptiveRemote.EndToEndTests.Host.Console.csproj	Enables Windows targeting to avoid Linux build failures for a Windows-TFM test host.
test/AdaptiveRemote.App.Tests/Services/ProgrammaticSettings/PersistSettingsTests.cs	Makes settings-path expansion deterministic across OSes via a test-controlled env var.
Directory.Packages.props	Updates Nerdbank.MessagePack to a non-vulnerable version.

[github-actions]

Test Results

401 tests  ±0   401 ✅ ±0   2m 13s ⏱️ -32s
  5 suites ±0     0 💤 ±0 
  5 files   ±0     0 ❌ ±0 

Results for commit bfd4870. ± Comparison against base commit b877808.

This pull request removes 3 and adds 2 tests. Note that renamed tests count towards both.

,False)
AdaptiveRemote.Services.ProgrammaticSettings.PersistSettingsTests ‑ PersistSettings_Set_ValidatesKeyNameAsync (Hello
AdaptiveRemote.Services.ProgrammaticSettings.PersistSettingsTests ‑ PersistSettings_Set_ValidatesValueAsync (Invalid

AdaptiveRemote.Services.ProgrammaticSettings.PersistSettingsTests ‑ PersistSettings_Set_ValidatesKeyNameAsync (Hello
,False)
AdaptiveRemote.Services.ProgrammaticSettings.PersistSettingsTests ‑ PersistSettings_Set_ValidatesValueAsync (Invalid
,False)