[release/1.7] Update x/net to 0.13

[Kern--]

This silences govulncheck detecting
https://pkg.go.dev/vuln/GO-2023-1988.

containerd only uses x/net for context and httpcontext which do not render html.

Before this change:

$ govulncheck --mode binary bin/containerd
Scanning your binary for known vulnerabilities...

Vulnerability #1: GO-2023-1988
    Improper rendering of text nodes in golang.org/x/net/html
  More info: https://pkg.go.dev/vuln/GO-2023-1988
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.8.0
    Fixed in: golang.org/x/net@v0.13.0
    Example traces found:
      #1: html.Render

Your code is affected by 1 vulnerability from 1 module.

After this change:

$ govulncheck --mode binary bin/containerd
Scanning your binary for known vulnerabilities...

No vulnerabilities found.

Equivalent release/1.6 change #9130

[k8s-ci-robot]

Hi @Kern--. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[thaJeztah]

this moves the 1.7 branch ahead of main; do we need 0.13 or is 0.12 enough for the cve? (potentially backporting from main)

Otherwise if we really need v0.13 we should make sure main is updated first

containerd/go.mod

Line 127 in e1655fe

golang.org/x/net v0.12.0 // indirect

[samuelkarp]

➕ If we want 0.13.0, let's update main first.

[Kern--]

Sure. I created #9184. 0.13.0 is the version that fixes this issue.