C#: Update Roslyn and other pinned depenencies.

[michaelnebel]

A couple of interesting things.

Changes to decoding.

It appears that the decoder compiler argument wasn't respected (there is an error that the code page is not installed when running the extractor on main) prior to this change. However, with the Roslyn update windows-1252 is added as an Emit option for the CSharp Compilation in the extractor.

If I decode the SBCS.cs in VS-Code using Windows-1252, then it is the character

Character: ’
Unicode: U+2019
Windows-1252 byte: 0x92

That is, the output of the test is now U+2019 (unless we change the content of the file).

Im am not sure exactly what the test is supposed to test. Is the test supposed to test that

• Decoding of 0x92 behaves differently under Windows-1252 than UTF-8? If that is the case, then expected output file has always contained a faulty value.
• Decoding a UTF-8 with BOM encoded file using Windows-1252 still uses UTF-8 even though Windows-1252 is specified as codepage? If that is the case, then the encoding of the file is wrong.

I assume that the test is suppose to test the latter. As such, I have updated the test file with the proper encoding (UTF-8 w. BOM).

Deriving unbound generic extensions methods.

It appears there has been a slight change in the symbols produced by Roslyn, which meant that we needed to do a small update to the logic handling extraction of extension methods.

DCA

• Performance appears to be unaffected.
• There are some changes to the produced alerts. Some of the changes are caused by the usual wobliness. On top of that it appears that the number of expressions with no type has decreased for the some of the (buildless) DCA projects. It could be a coincidence or maybe the newer version of Roslyn is better at guesstimating expression types for code that doesn't compile. In any case, it appears that the alert discrepancies are in buildless projects, which is expected if Roslyn has become better/worse at extracting symbols from code that doesn't compile.

[Copilot]

Pull request overview

This PR updates the C# extractor’s pinned NuGet dependencies (notably Roslyn/MSBuild), and adjusts extractor/test artifacts to match behavior changes introduced by the updated dependency set.

Changes:

• Bump pinned NuGet packages (Roslyn 5.3.0, MSBuild 18.6.3, MessagePack, Basic.CompilerLog.Util, etc.) and regenerate Paket/Bazel lock metadata accordingly.
• Update extension-method extraction logic to tolerate Roslyn symbol shape changes for (possibly unbound) generic extension methods.
• Refresh encoding and standalone-dependency integration test inputs/expectations to align with the updated toolchain/dependency closure.

Show a summary per file

File	Description
csharp/ql/test/library-tests/encoding/SBCS.cs	Adjusts the encoding test input (adds UTF-8 BOM) to match expected decoding behavior.
csharp/ql/integration-tests/posix/standalone_dependencies_executing_runtime/Assemblies.expected	Updates expected runtime assembly list after dependency closure changes (removal of NaturalSort.Extension).
csharp/paket.main.bzl	Regenerates Bazel nuget_repo package pin data for the updated NuGet set.
csharp/paket.lock	Updates resolved dependency graph and versions for Paket after bumps.
csharp/paket.dependencies	Updates top-level pinned dependency versions (Roslyn/MSBuild/Basic.CompilerLog.Util).
csharp/extractor/Semmle.Extraction.CSharp/CodeAnalysisExtensions/SymbolExtensions.cs	Makes extension-method mapping resilient to Roslyn changes by comparing against AssociatedExtensionImplementation?.ConstructedFrom.

Copilot's findings

• Files reviewed: 4/6 changed files
• Comments generated: 0