
fix: address memory leaks in channels, transports, and listeners; update Newtonsoft.Json to 13.0.1 #102

Draft
Copilot wants to merge 4 commits into master from copilot/investigate-memory-leak-issues


Copilot AI commented May 13, 2026

Fixes ten memory-leak categories identified by static analysis and updates Newtonsoft.Json to address a known vulnerability. No new public APIs are added; the changes only add proper disposal of existing resources and correct one async-return bug.

Changes

Memory Leak Fixes

  • ChannelBase: unsubscribe Transport.Closing event in Dispose to prevent channels from being kept alive through event delegates when transports outlive channels.
  • CloseWithTimeoutAsync (TcpTransport, PipeTcpTransport, WebSocketTransport, PipeWebSocketTransport): made async/await so the CancellationTokenSource using scope spans the full operation and is not disposed while the task is still running.
  • EnvelopePipe.Dispose(): added missing _semaphore.Dispose().
  • SynchronizedTransportDecorator: implement IDisposable to dispose two SemaphoreSlim instances that were never disposed.
  • TransportBase: implement IDisposable (protected virtual Dispose(bool) / public Dispose()) to dispose _openCloseSemaphore; all concrete subclasses (TcpTransport, PipeTcpTransport, WebSocketTransport, PipeWebSocketTransport, RedisTransport) call base.Dispose(disposing).
  • TcpTransportListener / PipeTcpTransportListener: implement IDisposable to dispose the SemaphoreSlim.
  • RedisTransportListener.Dispose(): also dispose the SemaphoreSlim (previously only the connection multiplexer was disposed).
  • HttpContextChannel: implement IDisposable to dispose _sendSemaphore.
  • BufferedChannelListener.Start(): dispose the previous cancelled CancellationTokenSource before replacing it with a new one.

Security Fix

  • Newtonsoft.Json: updated from 9.0.1 to 13.0.1 in Lime.Client.Windows (packages.config and Lime.Client.Windows.csproj) to address the improper handling of exceptional conditions vulnerability (patched in 13.0.1). All other projects were already on 13.0.1.

Testing

  • All changed files build with 0 errors.
  • Lime.Protocol.UnitTests: 527 passed / 1 pre-existing failure (a timing-sensitive ResendMessages test that also fails on main without these changes).
  • CodeQL scan: 0 alerts.
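
The CloseWithTimeoutAsync item above describes a disposal-ordering bug; the following added example (not code from this pull request or from Lime) shows why returning the task from inside a `using` block silently disables the timeout. It assumes the pre-fix method had that shape; all type and method names are hypothetical.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;

// Added illustration: every name here is hypothetical, not a Lime type.
static class CloseTimeoutDemo
{
    // Stand-in for a transport close that never completes unless cancelled,
    // e.g. a peer that never answers the close handshake.
    static Task HangingCloseAsync(CancellationToken token) =>
        Task.Delay(Timeout.InfiniteTimeSpan, token);

    // Before: the task is returned without being awaited, so the using block
    // ends as soon as the call returns. Dispose() stops the CTS timer, the
    // token is never cancelled, and the close can stay pending forever.
    static Task CloseBuggyAsync(TimeSpan timeout)
    {
        using (var cts = new CancellationTokenSource(timeout))
        {
            return HangingCloseAsync(cts.Token);
        }
    }

    // After: awaiting inside the using block keeps the CTS alive until the
    // close finishes or the timeout cancels it.
    static async Task CloseFixedAsync(TimeSpan timeout)
    {
        using (var cts = new CancellationTokenSource(timeout))
        {
            await HangingCloseAsync(cts.Token).ConfigureAwait(false);
        }
    }

    // True if the close task ended (here: was cancelled) within the window.
    static async Task<bool> EndsWithinAsync(Task close, TimeSpan window)
    {
        var winner = await Task.WhenAny(close, Task.Delay(window));
        return winner == close;
    }

    static async Task Main()
    {
        var timeout = TimeSpan.FromMilliseconds(200);
        var window = TimeSpan.FromSeconds(2);
        Console.WriteLine("buggy close ended by timeout: " +
            await EndsWithinAsync(CloseBuggyAsync(timeout), window));
        Console.WriteLine("fixed close ended by timeout: " +
            await EndsWithinAsync(CloseFixedAsync(timeout), window));
    }
}
```

In the buggy variant the pending close task and everything it references stay reachable for as long as the peer keeps the connection open, so a timeout that is not enforced is both a leak and an availability concern.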

- ChannelBase: unsubscribe Transport.Closing event handler in Dispose to
  prevent the channel being kept alive through the transport's event list
- RemotePingChannelModule: wait up to 5 s for the background ping task to
  complete in Dispose so the task never outlives the module
- EnvelopePipe: dispose the internal SemaphoreSlim in Dispose
- CloseWithTimeoutAsync (TcpTransport, PipeTcpTransport, WebSocketTransport,
  PipeWebSocketTransport): make async/await so the CancellationTokenSource
  is not disposed while the close task is still running
- TransportBase: implement IDisposable and dispose the _openCloseSemaphore;
  add base.Dispose(disposing) calls in all concrete subclasses
  (TcpTransport, PipeTcpTransport, WebSocketTransport, PipeWebSocketTransport,
  RedisTransport)
- SynchronizedTransportDecorator: implement IDisposable to dispose the two
  SemaphoreSlim instances it owns
- TcpTransportListener / PipeTcpTransportListener: implement IDisposable to
  dispose the SemaphoreSlim
- RedisTransportListener: also dispose the SemaphoreSlim in Dispose
- HttpContextChannel: implement IDisposable to dispose the SemaphoreSlim
- BufferedChannelListener: dispose the previous (cancelled) CTS at the top
  of Start() before replacing it with a new one

Agent-Logs-Url: https://github.com/takenet/lime-csharp/sessions/478e457f-8cd4-404f-9d9e-aab34cb9c31a

Co-authored-by: leonardo-avila <29763488+leonardo-avila@users.noreply.github.com>
…nsports and channels

Agent-Logs-Url: https://github.com/takenet/lime-csharp/sessions/478e457f-8cd4-404f-9d9e-aab34cb9c31a

Co-authored-by: leonardo-avila <29763488+leonardo-avila@users.noreply.github.com>

cyber-sast commented May 13, 2026

Checkmarx One – Scan Summary & Details 8b8362f5-5f8d-4dbd-a852-26a462c877b7


Policy Management Violations (2)
The following violations of your team's AppSec policy rules were identified in this project. Since 'Break Build' is enabled for these rules, you must resolve these issues before the Pull Request can be merged.
Policy Name: General Policy - Exploitable Path
  • Rule Name: Vulnerability found! See the #checkmarx-sca-alerts channel on Slack.
    Scanner: SCA
    Entity: Vulnerability
    Conditions(s): TestDependencyPackage Equal false, VulnerabilityExploitablePath Equal true
Policy Name: CVE-2024-21907
  • Rule Name: Vulnerable Newtonsoft.Json library. Update to version 13.0.1
    Scanner: SCA
    Entity: Vulnerability
    Conditions(s): DevDependencyPackage Equal false, VulnerabilityCve Equal "CVE-2024-21907"

Communicate with Checkmarx by submitting a PR comment with @Checkmarx followed by one of the supported commands. Learn about the supported commands here.

Comment thread src/Lime.Protocol/Network/Modules/RemotePingChannelModule.cs Outdated
… for memory leak fix

The synchronous Wait() could block the calling thread for up to 5 s during
disposal. The original CancelAndDispose() already signals the background task
to stop; the task itself holds no resources that need explicit cleanup.

Agent-Logs-Url: https://github.com/takenet/lime-csharp/sessions/815e9599-1f2d-468d-a33e-a311cdcb2e78

Co-authored-by: leonardo-avila <29763488+leonardo-avila@users.noreply.github.com>
@leonardo-avila

@copilot Update Newtonsoft.Json package to version 13.0.1 to fix some vulnerability issues.

…ulnerability

Agent-Logs-Url: https://github.com/takenet/lime-csharp/sessions/8ef89f91-6fcc-4076-bf43-9cc9a8dff9e3

Co-authored-by: leonardo-avila <29763488+leonardo-avila@users.noreply.github.com>
Author

Copilot AI commented May 13, 2026

@copilot Update Newtonsoft.Json package to version 13.0.1 to fix some vulnerability issues.

Done in commit e5c6065. The SDK-style projects (Lime.Protocol, Lime.Transport.WebSocket, Lime.Transport.Redis, and the two test projects) were already on 13.0.1. Updated the legacy Lime.Client.Windows project — both packages.config (version 9.0.1 → 13.0.1) and the <Reference> HintPath in the .csproj (assembly version 9.0.0.0 → 13.0.0.0, path updated to Newtonsoft.Json.13.0.1\lib\net45\).

Copilot AI changed the title from "fix: address memory leaks in channels, transports, and listeners" to "fix: address memory leaks in channels, transports, and listeners; update Newtonsoft.Json to 13.0.1" on May 13, 2026