CVE-2022-32149 upgrade golang.org/x/text to v0.3.8

[sarahhenkens]

Describe the bug

The golang.org/x/text package is currently pinned at v0.3.7 which is causing the CVE-2022-32149 vulnerability. This module should be upgraded to v0.3.8 to resolve this vulnerability in git-lfs.

To Reproduce

n/a

Expected behavior

n/a

System environment

n/a

Output of git lfs env

n/a

Additional context

n/a

[bk2204]

Hey,

Thanks for the report. I'll get a PR opened for this, but note that since Git LFS doesn't use the vulnerable code, this isn't a vulnerability in Git LFS. As such, we'll merge a PR to fix the main branch, and include it as part of a normal release in the future.

[sarahhenkens]

@bk2204 can we do a patch release for getting this vuln fix out?

[chrisd8088]

As mentioned in #5403, someone other than @bk2204 will likely do the next release -- specifically, I am aiming to get a release done in July, if at all possible.

I would echo the previous comment, though, and note that Git LFS is not actually vulnerable to the problem reported in the CVE.