Commit fb10d92

.Net: Bump Snappier to 1.3.1 to fix NU1903 high-severity vulnerability (GHSA-pggp-6c3x-2xmx) (#13960)
### Motivation and Context

`MongoDB.Driver 3.5.2` transitively introduces `Snappier 1.0.0`, which carries a high-severity vulnerability (GHSA-pggp-6c3x-2xmx): infinite loop during SnappyStream decompression of malformed framed input. All Snappier versions ≤ 1.3.0 are affected; 1.3.1 is the first patched release. This was blocking the merge queue via NU1903.

### Description

- **`dotnet/Directory.Packages.props`** — Add `PackageVersion` entry pinning `Snappier` to `1.3.1`.
- **`dotnet/src/VectorData/MongoDB/MongoDB.csproj`** — Add explicit `PackageReference` for `Snappier` (versionless, resolved via CPM) so NuGet treats it as a direct dependency at 1.3.1, overriding the transitive 1.0.0 from `MongoDB.Driver`.
- **`dotnet/src/VectorData/CosmosMongoDB/CosmosMongoDB.csproj`** — Same override for the CosmosMongoDB connector.

In NuGet's resolution algorithm, a direct reference at depth 1 wins over a transitive reference at depth 2, so this cleanly forces 1.3.1 without changing the `MongoDB.Driver` pin itself.

### Contribution Checklist

- [x] The code builds clean without any errors or warnings
- [x] The PR follows the [SK Contribution Guidelines](https://github.com/microsoft/semantic-kernel/blob/main/CONTRIBUTING.md) and the [pre-submission formatting script](https://github.com/microsoft/semantic-kernel/blob/main/CONTRIBUTING.md#development-scripts) raises no violations
- [x] All unit tests pass, and I have added new tests where possible
- [x] I didn't break anyone 😄

<!-- START COPILOT ORIGINAL PROMPT -->
<details>
<summary>Original prompt</summary>

Please investigate a solution to snappier vulnerability fix (update version) and propose a PR with the bump, ideally following the first immediate a non breaking version bump

<analysis>

**Chronological Review:**

1. User asked to analyze PR #13431 (Gemini multimodal tool results in microsoft/semantic-kernel) for gaps
2. Initial analysis identified ~11 gaps with broad scope including OpenAI Assistants, AzureAI, Responses API, MistralAI
3. User invoked ouroboros skill, asked to reassess scoping to Google package only
4. Reassessment: Google connector bypasses FunctionCallsProcessor; only validated regression is OpenAI Responses API
5. User invoked ouroboros to seed the observation; created seed file `pr-13431-followup.seed.yaml`
6. User asked to execute seed + identify pipeline error
7. Implemented 5 file changes; identified pipeline error CS8602 in GeminiRequestTests.cs:809
8. All builds/tests passed; user asked about string→object impact in plan mode
9. Investigation revealed `FunctionCallsProcessor` is `internal sealed`, source-distributed, so blast radius small
10. User confirmed all implemented; ran CI-parity dotnet format via WSL2+Docker (all pass)
11. User asked to commit and push - committed `de08bce99` and pushed to Cozmopolit fork
12. User asked to check PR comments - found 2 Copilot bot review comments
13. User said: add OpenAI test (item 1), reply out-of-scope (item 2)
14. Added OpenAI ChatCompletion test, committed `e9f27d21a`, pushed, replied to both bot comments
15. User asked PR number (13431)
16. User invoked /auto pr_task - PR was green, no action needed
17. User said merge queue failed, asked to investigate
18. Investigation found: NU1903 Snappier 1.0.0 vulnerability blocking merge queue; not caused by our PR
19. **Most recent: User asked "Do we have a fix in main for this already?"**
20. **Investigation confirmed: NO fix in main** - origin/main HEAD `1a5065e5c` unchanged, `MongoDB.Driver 3.5.2` still pinned, no Snappier override, no PRs/issues for Snappier or NU1903 in the repo recently
21. **Offered to open a small fix PR pinning Snappier to a patched version**

**Intent Mapping:**

- User wants PR #13431 fully landed
- User wants to understand whether merge queue failure is in scope
- User now considering whether to fix the Snappier vulnerability separately

**Technical Inventory:**

- .NET 10.0, semantic-kernel repo
- WSL2 + Docker (mcr.microsoft.com/dotnet/sdk:10.0) for CI parity
- gh CLI for PR/CI operations
- Git remotes: origin=microsoft, roger=rogerbarreto fork, cozmopolit=Cozmopolit fork (added)
- Branch: `fix/multimodal-tool-results`
- PR head fork: Cozmopolit, maintainerCanModify=true

**Code Archaeology:**

Files changed in commits `de08bce99` + `e9f27d21a`:

- `dotnet/src/Agents/OpenAI/Internal/ResponseThreadActions.cs` — added GetFunctionResultAsString helper
- `dotnet/src/Agents/UnitTests/OpenAI/Internal/ResponseThreadActionsTests.cs` — new (3 tests)
- `dotnet/src/Connectors/Connectors.Google/Core/Gemini/Models/GeminiRequest.cs` — extracted s_imageFunctionResponseEnvelope
- `dotnet/src/Connectors/Connectors.Google.UnitTests/Core/Gemini/GeminiRequestTests.cs` — CS8602 fix
- `dotnet/src/InternalUtilities/connectors/AI/FunctionCalling/FunctionCallsProcessor.cs` — XML-doc tightening
- `dotnet/src/Connectors/Connectors.OpenAI.UnitTests/Services/OpenAIChatCompletionServiceTests.cs` — added ItSendsImageContentNotSupportedErrorWhenToolResultIsImageContentAsync

Identified vulnerable package: `MongoDB.Driver 3.5.2` in `dotnet/Directory.Packages.props:173` brings in transitive `Snappier 1.0.0`

**Progress Assessment:**

- ✅ All planned implementation completed
- ✅ Both bot review comments replied to
- ✅ All 7 todos done
- ⚠️ PR cannot merge due to environmental Snappier vulnerability (not our PR's fault)
- 🔲 User considering whether to open a separate Snappier fix PR

**Context Validation:**

- PR state: OPEN, MERGEABLE, CLEAN, APPROVED (markwallace-microsoft)
- HEAD SHA: `e9f27d21a85a8b97ee5f29619b23b82a03e313ff`
- All required CI checks pass on PR head
- Merge queue attempt failed at 2026-05-07T10:01:31, removed by github-merge-queue[bot] at 10:08:05
- Failed merge_group run: 25489152862

**Recent Commands Analysis:**

Most recent two tool batches:

1. `git fetch origin main; git log origin/main --since="2026-05-06T15:00:00Z" --oneline` → only `1a5065e5c` (yesterday's commit)
2. `git show origin/main:dotnet/Directory.Packages.props | grep Snappier|MongoDB.Driver` → only `MongoDB.Driver 3.5.2`, no Snappier override
3. `gh search prs/issues --state all "Snappier"` → command failed (invalid `all` state)
4. `gh api search/issues?q=Snappier+repo:microsoft/semantic-kernel` → empty results
5. `gh api search/issues?q=NU1903+repo:microsoft/semantic-kernel` → 3 historical results from 2024, all unrelated

Final response: confirmed NO fix in main, offered to open a small fix PR pinning Snappier.

</analysis>

<summary>

1. Conversation Overview:
- Primary Objectives:
- Analyze SK PR #13431 (G...

</details>
<!-- START COPILOT CODING AGENT SUFFIX -->

Created from Copilot CLI via the copilot delegate command.

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: rogerbarreto <19890735+rogerbarreto@users.noreply.github.com>
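The "direct reference at depth 1 wins" claim above is something a reviewer can verify from the restore output rather than trust. The following is an added example, not code from this commit or the semantic-kernel repository: it reads the `targets` and `project.frameworks` sections of a NuGet `obj/project.assets.json` (the file `dotnet restore` writes) and reports, per target framework, which Snappier version actually resolved, whether it is below the 1.3.1 fix for GHSA-pggp-6c3x-2xmx, and whether the override is declared directly. The assets documents it runs on are constructed, trimmed samples shaped like the MongoDB connector's before and after this change.

```python
import json

PATCHED = "1.3.1"  # first fixed Snappier release for GHSA-pggp-6c3x-2xmx (per commit message)


def parse_version(v):
    """Order key for a NuGet version: numeric parts, then a release flag.
    A prerelease such as 1.3.1-beta sorts below the 1.3.1 release and so still
    counts as unpatched; build metadata after '+' is ignored."""
    core, dash, _pre = v.partition("-")
    nums = tuple(int(p) for p in core.split("+", 1)[0].split("."))
    return (nums, 0 if dash else 1)


def audit(assets_json, package="Snappier", patched=PATCHED):
    """Return {tfm: (resolved_version, is_vulnerable, is_direct)} for package.
    'targets' is the graph restore actually resolved; 'project.frameworks' is
    what the csproj declares, which shows whether the override took effect."""
    assets = json.loads(assets_json)
    result = {}
    for tfm, libs in assets["targets"].items():
        for key in libs:
            name, _, ver = key.partition("/")
            if name.lower() != package.lower():
                continue
            declared = assets["project"]["frameworks"].get(tfm, {}).get("dependencies", {})
            direct = any(d.lower() == package.lower() for d in declared)
            result[tfm] = (ver, parse_version(ver) < parse_version(patched), direct)
    return result


def sample_assets(snappier_version, direct):
    """Constructed, trimmed project.assets.json shaped like the MongoDB connector's."""
    deps = {"MongoDB.Driver": {"target": "Package", "version": "[3.5.2, )"}}
    if direct:  # the versionless PackageReference, with its version filled in by CPM
        deps["Snappier"] = {"target": "Package", "version": "[%s, )" % snappier_version}
    return json.dumps({
        "targets": {"net10.0": {
            "MongoDB.Driver/3.5.2": {"type": "package", "dependencies": {"Snappier": "1.0.0"}},
            "Snappier/%s" % snappier_version: {"type": "package"},
        }},
        "project": {"frameworks": {"net10.0": {"dependencies": deps}}},
    })


if __name__ == "__main__":
    print("before:", audit(sample_assets("1.0.0", direct=False)))  # transitive edge only
    print("after: ", audit(sample_assets("1.3.1", direct=True)))   # with the direct override
```

Against a real checkout, feed `audit()` the contents of `dotnet/src/VectorData/MongoDB/obj/project.assets.json` after a restore; a `True` in the middle position for any target framework means the pin did not take effect there.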
1 parent 1a5065e commit fb10d92

3 files changed

Lines changed: 3 additions & 0 deletions


dotnet/Directory.Packages.props

Lines changed: 1 addition & 0 deletions
@@ -171,6 +171,7 @@
171171
<PackageVersion Include="DuckDB.NET.Data.Full" Version="1.2.0" />
172172
<PackageVersion Include="DuckDB.NET.Data" Version="1.1.3" />
173173
<PackageVersion Include="MongoDB.Driver" Version="3.5.2" />
174+
<PackageVersion Include="Snappier" Version="1.3.1" /><!-- Vulnerability fix: GHSA-pggp-6c3x-2xmx; transitively pinned via MongoDB.Driver -->
174175
<PackageVersion Include="Microsoft.Graph" Version="5.94.0" />
175176
<PackageVersion Include="Microsoft.OpenApi" Version="1.6.24" />
176177
<PackageVersion Include="Microsoft.OpenApi.Readers" Version="1.6.24" />
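Review bot: the comment on the new `Snappier` line, "transitively pinned via MongoDB.Driver", describes the mechanism backwards: a `PackageVersion` entry in Directory.Packages.props only supplies a version to projects that declare their own `PackageReference` to Snappier, so on its own it changes nothing about what `MongoDB.Driver` pulls in; the override takes effect only through the direct references added in the two connector csproj files. Suggest rewording to something like `<!-- GHSA-pggp-6c3x-2xmx: overrides transitive 1.0.0 from MongoDB.Driver via direct references in the MongoDB connectors -->`. If the goal is to cover every project that ends up with Snappier without editing each csproj, NuGet's `CentralPackageTransitivePinningEnabled` property would make this single entry sufficient, at the cost of pinning every other transitive package listed in this file as well.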

dotnet/src/VectorData/CosmosMongoDB/CosmosMongoDB.csproj

Lines changed: 1 addition & 0 deletions
@@ -30,6 +30,7 @@
3030

3131
<ItemGroup>
3232
<PackageReference Include="MongoDB.Driver" />
33+
<PackageReference Include="Snappier" /><!-- Pin to patched version; overrides transitive 1.0.0 from MongoDB.Driver (GHSA-pggp-6c3x-2xmx) -->
3334
</ItemGroup>
3435

3536
<ItemGroup>
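Review bot: this direct reference fixes the resolved version for this project only; any other project that references `MongoDB.Driver` (or reaches Snappier by another path) without the same line still restores Snappier 1.0.0 and will trip NU1903 again, so the description should state, or CI should verify (for example with `dotnet list package --vulnerable --include-transitive` across the solution), that these two connectors are the only consumers. Note also that a direct `PackageReference` becomes a declared dependency in the published connector package's nuspec, so consumers of the CosmosMongoDB connector will now see `Snappier >= 1.3.1` explicitly; that is the desirable outcome here, but it is a packaging change worth calling out in the PR text.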

dotnet/src/VectorData/MongoDB/MongoDB.csproj

Lines changed: 1 addition & 0 deletions
@@ -30,6 +30,7 @@
3030

3131
<ItemGroup>
3232
<PackageReference Include="MongoDB.Driver" />
33+
<PackageReference Include="Snappier" /><!-- Pin to patched version; overrides transitive 1.0.0 from MongoDB.Driver (GHSA-pggp-6c3x-2xmx) -->
3334
</ItemGroup>
3435

3536
<ItemGroup>
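Review bot: the comment bakes in "transitive 1.0.0", which goes stale the moment `MongoDB.Driver` is bumped to a release that itself depends on a patched Snappier; at that point this line becomes a silent no-op that nobody knows is safe to delete. Suggest dropping the literal version and stating the removal condition instead, e.g. `<!-- GHSA-pggp-6c3x-2xmx: remove once MongoDB.Driver requires Snappier >= 1.3.1 on its own -->`. The identical line and comment in CosmosMongoDB.csproj should be kept in step with this one, or both moved into a shared props file so the pin has a single home.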

0 commit comments
