Pin MessagePack to patched version to unblock main CI restores

[Copilot]

Main CI started failing across build/lint/integration because restore treated NU1903 as an error in aspire, caused by a vulnerable transitive MessagePack version (2.5.192). This PR applies a central package override so all projects restore against a patched version.

• Root cause addressed

  • aspire/aspire.csproj inherits warnings-as-errors, so vulnerability warning NU1903 on transitive MessagePack failed restore and cascaded to multiple workflows.

• Change

  • Added a central package pin in Directory.Packages.props:
    • MessagePack → 2.5.301 (patched for GHSA-hv8m-jj95-wg3x).

• Why this scope

  • Uses existing central package management to override transitive resolution once, rather than editing individual project files.

<!-- Directory.Packages.props -->
<PackageVersion Include="MessagePack" Version="2.5.301" />

[Mpdreamz]

#3493 should address the MessagePack dependency CVE too 🙏

[github-actions]

Label error. Requires exactly 1 of: automation, breaking, bug, changelog:skip, chore, ci, dependencies, documentation, enhancement, feature, fix, redesign. Found:

[reakaleek]

Fixed by #3493