Language Server attributes package vulnerability warning to wrong project (MessagePack shown for project that doesn't use it) #9022

@denis-peshkov

Description

Environment data

dotnet --info output:
VS Code version:
C# Extension version:

C# logs

C# output window contents:

[Warn - 8:57:54 AM] [solution/open] [LanguageServerProjectSystem] Warning while loading /Users/forgery/Work/Guru/Boilerplate/src/Boilerplate.Localization.UnitTests/Boilerplate.Localization.UnitTests.csproj: Package 'MessagePack' 2.5.140 has a known moderate severity vulnerability, GHSA-4qm4-8hg2-g2xm

See https://github.com/dotnet/vscode-csharp/blob/main/SUPPORT.md#collecting-general-logs for collecting more detailed logs

Steps to reproduce

  1. Open a solution where one project references MessagePack 2.5.140 (e.g. Boilerplate.Orm) and another (e.g. Boilerplate.Localization.UnitTests) does not
  2. Ensure the project without MessagePack references only projects that also do not use MessagePack (e.g. Localization.UnitTests → Localization)
  3. Open the solution in VS Code
  4. Check C# output / Language Server logs

Expected behavior

The MessagePack vulnerability warning should be shown for the project that actually references MessagePack (e.g. Boilerplate.Orm), not for projects that do not depend on it

Actual behavior

The warning is shown for Boilerplate.Localization.UnitTests, which does not reference MessagePack. Verified with dotnet list Boilerplate.Localization.UnitTests/Boilerplate.Localization.UnitTests.csproj package --include-transitive — MessagePack does not appear in the dependency tree

Additional context

  • MessagePack 2.5.140 is a direct dependency of Boilerplate.Orm
  • Boilerplate.Localization.UnitTests only references Boilerplate.Localization (ProjectReference), which has no package dependencies
  • The Language Server attributes the vulnerability to the wrong project
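To reproduce the reporter's check offline across a whole solution, here is an added example (not from the issue or the vscode-csharp project) that walks the ProjectReference graph of in-memory csproj fragments modelled on the projects named above and reports which projects actually carry a given package in their closure. The csproj contents and paths are constructed for this example.

```python
# Added example: find which projects in a solution pull in a package, either
# directly (PackageReference) or through referenced projects (ProjectReference).
import xml.etree.ElementTree as ET
from posixpath import normpath, join, dirname

# Constructed sample solution modelled on the issue: Orm references MessagePack
# directly; Localization has no packages; Localization.UnitTests references only
# Localization, so it should NOT be attributed the MessagePack advisory.
CSPROJS = {
    "src/Boilerplate.Orm/Boilerplate.Orm.csproj": """
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="MessagePack" Version="2.5.140" />
  </ItemGroup>
</Project>""",
    "src/Boilerplate.Localization/Boilerplate.Localization.csproj": """
<Project Sdk="Microsoft.NET.Sdk"><ItemGroup /></Project>""",
    "src/Boilerplate.Localization.UnitTests/Boilerplate.Localization.UnitTests.csproj": """
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <ProjectReference Include="../Boilerplate.Localization/Boilerplate.Localization.csproj" />
  </ItemGroup>
</Project>""",
}

def parse_csproj(path, text):
    """Return (direct package refs {name: version}, referenced project paths)."""
    root = ET.fromstring(text.strip())
    packages = {e.get("Include"): e.get("Version") for e in root.iter("PackageReference")}
    # ProjectReference paths are relative to the referencing csproj's directory.
    projects = [normpath(join(dirname(path), e.get("Include").replace("\\", "/")))
                for e in root.iter("ProjectReference")]
    return packages, projects

def package_closure(path, csprojs, seen=None):
    """Union of PackageReferences reachable from `path` via ProjectReference edges."""
    seen = set() if seen is None else seen
    if path in seen or path not in csprojs:  # guards cycles and missing projects
        return {}
    seen.add(path)
    packages, projects = parse_csproj(path, csprojs[path])
    for dep in projects:
        packages.update(package_closure(dep, csprojs, seen))
    return packages

def projects_using(package, csprojs):
    """Map each project path to the version of `package` in its closure, or None."""
    return {p: package_closure(p, csprojs).get(package) for p in csprojs}
```

This only follows PackageReference items declared in csproj files; package-to-package dependencies resolved by NuGet are not visible here, so `dotnet list package --include-transitive` remains the authoritative check for those.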
