
Conversation

@Flash0ver Flash0ver (Member) commented Nov 20, 2025

Fixes #2814


After #4756, revisiting #2814.

Fixing most vulnerabilities.

Except Hangfire.Core (through Sentry.Hangfire)

Project `Sentry.Hangfire` has the following vulnerable packages
   [net462]:
   Transitive Package      Resolved   Severity   Advisory URL
   > Newtonsoft.Json       5.0.1      High       https://github.com/advisories/GHSA-5crp-9r3c-p9vr

   [net10.0]:
   [net9.0]:
   [net8.0]:
   Transitive Package      Resolved   Severity   Advisory URL
   > Newtonsoft.Json       11.0.1     High       https://github.com/advisories/GHSA-5crp-9r3c-p9vr

This is tracked via issue #4616.

Also removing some transitively pinned packages where I believe, through other changes in the meantime, the vulnerable package is no longer in use.
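The report quoted above is the plain-text output of `dotnet list package --vulnerable --include-transitive`. The following is an added example, not code from this PR or from the sentry-dotnet repository, of turning that output into a CI gate: it parses the project / target-framework / `>` row structure, fails on findings at or above a chosen severity, and keeps a small allowlist for the one exception the PR deliberately leaves open (Newtonsoft.Json via Hangfire.Core). The sample input is constructed here: the first project block is copied from the description above, the second project is made up to show a top-level row with its extra "Requested" column. The allowlist is keyed by (project, package, advisory) rather than by package alone, so a new advisory against an allow-listed package still fails the build. Function and variable names are this example's own.

```python
"""CI gate over the text report of `dotnet list package --vulnerable --include-transitive`."""
import re
import sys
from dataclasses import dataclass

# Constructed sample input. The first project block mirrors the report quoted
# in the PR description; the second project is made up for this example to show
# a top-level (non-transitive) row, which carries an extra "Requested" column.
SAMPLE_REPORT = """\
Project `Sentry.Hangfire` has the following vulnerable packages
   [net462]:
   Transitive Package      Resolved   Severity   Advisory URL
   > Newtonsoft.Json       5.0.1      High       https://github.com/advisories/GHSA-5crp-9r3c-p9vr

   [net10.0]:
   [net9.0]:
   [net8.0]:
   Transitive Package      Resolved   Severity   Advisory URL
   > Newtonsoft.Json       11.0.1     High       https://github.com/advisories/GHSA-5crp-9r3c-p9vr
Project `Constructed.Example` has the following vulnerable packages
   [net8.0]:
   Top-level Package      Requested   Resolved   Severity   Advisory URL
   > System.Formats.Asn1   6.0.0       6.0.0      High       https://github.com/advisories/GHSA-447r-wph3-92pm
"""

# Exceptions are keyed by advisory, not by package: a new advisory against an
# allow-listed package still fails the build. The value is the tracking note.
ALLOWLIST = {
    ("Sentry.Hangfire", "Newtonsoft.Json", "https://github.com/advisories/GHSA-5crp-9r3c-p9vr"):
        "pulled in by Hangfire.Core; tracked in a separate issue",
}

SEVERITY_RANK = {"Low": 0, "Moderate": 1, "High": 2, "Critical": 3}


@dataclass(frozen=True)
class Finding:
    project: str
    framework: str
    package: str
    resolved: str
    severity: str
    advisory: str
    transitive: bool


_PROJECT = re.compile(r"^Project\s+`?([^`\s]+)`?\s+has the following vulnerable packages")
_FRAMEWORK = re.compile(r"^\s*\[([^\]]+)\]:\s*$")
_HEADER = re.compile(r"^\s*(Top-level|Transitive) Package\b")
# Top-level rows have "Requested Resolved", transitive rows only "Resolved";
# the optional middle group absorbs the difference.
_ROW = re.compile(r"^\s*>\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s+(Low|Moderate|High|Critical)\s+(\S+)\s*$")


def parse_report(text):
    """Walk the report line by line, tracking the current project, TFM and table kind."""
    findings = []
    project = framework = None
    transitive = False
    for line in text.splitlines():
        if m := _PROJECT.match(line):
            project, framework = m.group(1), None  # a new project resets the TFM
        elif m := _FRAMEWORK.match(line):
            framework = m.group(1)  # empty TFM blocks simply get no rows
        elif m := _HEADER.match(line):
            transitive = m.group(1) == "Transitive"
        elif m := _ROW.match(line):
            if project is None or framework is None:
                raise ValueError(f"row outside a project/framework block: {line!r}")
            package, first, second, severity, advisory = m.groups()
            resolved = second or first  # top-level: (requested, resolved); transitive: (resolved,)
            findings.append(Finding(project, framework, package, resolved, severity, advisory, transitive))
    return findings


def gate(findings, allowlist, min_severity="High"):
    """Split findings at or above min_severity into (blocking, allowed)."""
    threshold = SEVERITY_RANK[min_severity]
    blocking, allowed = [], []
    for f in findings:
        if SEVERITY_RANK[f.severity] < threshold:
            continue
        (allowed if (f.project, f.package, f.advisory) in allowlist else blocking).append(f)
    return blocking, allowed


def main(text=SAMPLE_REPORT, allowlist=ALLOWLIST):
    blocking, allowed = gate(parse_report(text), allowlist)
    for f in allowed:
        print(f"allowed  {f.project} [{f.framework}] {f.package} {f.resolved}: "
              f"{allowlist[(f.project, f.package, f.advisory)]}")
    for f in blocking:
        kind = "transitive" if f.transitive else "top-level"
        print(f"BLOCKING {f.project} [{f.framework}] {kind} {f.package} {f.resolved} "
              f"{f.severity} {f.advisory}")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Pipe the real report in: dotnet list package --vulnerable --include-transitive | python gate.py
    sys.exit(main(sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_REPORT))
```

Run as `dotnet list package --vulnerable --include-transitive | python gate.py -` in CI; the exit code fails the job on any unlisted High or Critical finding, and the allowlist entry has to carry the tracking note so the exception does not silently outlive the issue it points at.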

@Flash0ver Flash0ver self-assigned this Nov 20, 2025
codecov bot commented Nov 20, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.84%. Comparing base (356f8e9) to head (d376daf).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4757      +/-   ##
==========================================
- Coverage   73.85%   73.84%   -0.01%     
==========================================
  Files         485      485              
  Lines       17689    17689              
  Branches     3496     3496              
==========================================
- Hits        13064    13063       -1     
- Misses       3765     3769       +4     
+ Partials      860      857       -3     


@Flash0ver Flash0ver (Member Author)

@sentry review

@Flash0ver Flash0ver marked this pull request as ready for review November 21, 2025 11:34
<PackageReference Include="Microsoft.CodeAnalysis.CSharp.Workspaces" Version="4.3.0"/>
</ItemGroup>
<ItemGroup>
<PackageReference Include="Microsoft.CodeAnalysis.CSharp.Analyzer.Testing" Version="1.1.3-beta1.25564.1" />
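Review bot: `1.1.3-beta1.25564.1` for Microsoft.CodeAnalysis.CSharp.Analyzer.Testing is a prerelease that, per the thread below, is served from the Azure Packages feed rather than NuGet.org, so restore now depends on an extra package source being configured; pair the feed with a `packageSourceMapping` entry in nuget.config that maps the exact IDs Microsoft.CodeAnalysis.CSharp.Analyzer.Testing and Microsoft.CodeAnalysis.CSharp.CodeFix.Testing to that feed only, so the prerelease ID can never be satisfied from nuget.org by a same-named package. Also leave an XML comment beside the reference recording why the prerelease was chosen over the stable 1.1.2 (GHSA-447r-wph3-92pm via its transitive System.Formats.Asn1), otherwise the next routine bump lands back on 1.1.2 and reintroduces the advisory.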
@jamescrosswell jamescrosswell (Collaborator) Nov 23, 2025

beta??? Should we stick to the stable packages?

@Flash0ver Flash0ver (Member Author) Nov 24, 2025

The Microsoft.CodeAnalysis.*.Testing packages are updated rarely and irregularly on the NuGet.org feed.

The documentation of Microsoft.CodeAnalysis.Testing lists the Azure Packages feed for prerelease packages.

The currently latest version on NuGet.org - v1.1.2 - brings in a transitive dependency with a high vulnerability. Trying to fix that via:

<PackageReference Include="Microsoft.CodeAnalysis.CSharp.Analyzer.Testing" Version="1.1.2" />
<PackageReference Include="Microsoft.CodeAnalysis.CSharp.CodeFix.Testing" Version="1.1.2" />

<!-- https://github.com/advisories/GHSA-447r-wph3-92pm -->
<PackageReference Include="System.Formats.Asn1" Version="6.0.1" />

has caused error NU1510: Warning As Error: PackageReference System.Formats.Asn1 will not be pruned. Consider removing this package from your dependencies, as it is likely unnecessary. on CI when running msbuild: https://github.com/getsentry/sentry-dotnet/actions/runs/19544130525/job/55958403935

I wasn't able to quickly find a solution to the "Pruning" problem. I didn't want to suppress the diagnostic by passing it to the msbuild command in the workflow, to avoid hiding unrelated problems. Using the latest pre-release was the quickest solution I came up with.

Due to that vulnerability warning (as error), and the relatively "old" latest on NuGet.org, I opted to use the pre-release from the Azure Packages feed, to kill two birds with one stone.


Development

Successfully merging this pull request may close these issues.

Fix vulnerable package dependencies
