upgrade x/net to 0.33.0 to fix CVE

[gergelyfabian]

Describe the bug
x/net has a CVE in version <0.33.0

To Reproduce
Run a vulnerability checker on an installed git-lfs.

Expected behavior
I'd like to have git-lfs free of CVEs.

[chrisd8088]

Thanks for the report! Dependabot has noted this as well.

Fortunately it's a false positive in our case, because the specific issue from CVE-2024-45338 involves the x/net/html package and the Git LFS client doesn't parse any HTML, so there is no immediate need to release a new version of Git LFS.

While we do import some packages from the x/net module, both directly and indirectly, none of them are the x/net/html package. We can confirm this is the case by running go list -json all | grep x/net/html, which returns no output.

Nevertheless, we might as well upgrade the module, so that when we do release v3.7.0 of the Git LFS client, security scanners will not generate false positive reports.

For reference, the details of the vulnerability are described in golang/go#70906, the GO-2024-3333 report, and in the release announcement for version 0.33.0 of the x/net module.

[gergelyfabian]

Already created a pull request: #5940