Upgrade golang.org/x/net from 0.23.0 to 0.33.0 #5940
golang.org/x/net from 0.23.0 to 0.33.0
chrisd8088
left a comment
Thanks for the contribution! I've taken the liberty of fleshing out the PR description and slightly revising the title, and once our CI suite passes, we can merge this.
| @@ -82,6 +82,8 @@ golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLL | |||
| golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= | |||
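Review bot: the header `@@ -82,6 +82,8 @@` shows two lines added and none removed in this hunk, and the only visible line is the unchanged go.mod hash for the `v0.0.0-20201021035429-f5854403a974` pseudo-version, so the upgrade adds new entries without retiring the superseded `v0.23.0` ones. Running `go mod tidy` in the same change would drop any hashes the module graph no longer needs, instead of leaving that for a later cleanup.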
Why not remove golang.org/x/net v0.0.0? Or is it not affected by the security issue?
That's an interesting question. The entries in the go.sum module are not actually the dependencies of the project. You can see those with `go list -m all`, and if we filter for x/net, we only get the module we expect:

$ go list -m golang.org/x/net
golang.org/x/net v0.33.0

There's some explanation in the Go wiki as to why the go.sum contains information for older module versions, and more information in the documentation of the `go.sum` file:

"A module may have a text file named `go.sum` in its root directory, alongside its `go.mod` file. The `go.sum` file contains cryptographic hashes of the module's direct and indirect dependencies."

"The `go.sum` file may contain hashes for multiple versions of a module. The `go` command may need to load `go.mod` files from multiple versions of a dependency in order to perform minimal version selection."

So in this particular case, the various v0.0.0 entries are used in that Minimal Version Selection process, but in the end, only the v0.33.0 version of x/net will be selected.

Now we could remove the v0.23.0 entries for x/net from go.sum, as `go mod tidy` indicates they aren't used in the MVS process at all anymore. We usually run `go mod tidy` when we update dependencies, so we'll get around to this eventually, but it's not urgent and their presence in go.sum is not a cause for concern.
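A small triage helper for the point made above, added here as an example and not code from this PR or from the Git LFS project: it parses constructed go.sum lines and reports which recorded versions of a module are not the one MVS selected, taking the selected version from the `go list -m` output shown in the discussion. The function names and the placeholder hashes are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// parseGoSum reads go.sum text ("<module> <version>[/go.mod] <hash>") and returns
// the set of versions recorded per module. A "/go.mod" suffix marks a hash of that
// version's go.mod file only, kept so the go command can run minimal version
// selection; neither kind of entry means that version's source is built.
func parseGoSum(text string) map[string]map[string]bool {
	versions := map[string]map[string]bool{}
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 3 { // skip blank or malformed lines
			if versions[f[0]] == nil {
				versions[f[0]] = map[string]bool{}
			}
			versions[f[0]][strings.TrimSuffix(f[1], "/go.mod")] = true
		}
	}
	return versions
}

// unselectedVersions lists, sorted, the versions of module that go.sum records but
// that differ from selected, the version "go list -m <module>" reports as chosen by
// MVS. Their hashes are not evidence that a vulnerable version is compiled in.
func unselectedVersions(sum map[string]map[string]bool, module, selected string) []string {
	vs := []string{}
	for v := range sum[module] {
		if v != selected {
			vs = append(vs, v)
		}
	}
	sort.Strings(vs)
	return vs
}

func main() {
	// Constructed sample go.sum lines; the hashes are placeholders, not real sums.
	sum := parseGoSum(`golang.org/x/net v0.23.0 h1:AAAA=
golang.org/x/net v0.23.0/go.mod h1:BBBB=
golang.org/x/net v0.33.0 h1:CCCC=
golang.org/x/net v0.33.0/go.mod h1:DDDD=
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:EEEE=`)
	// "v0.33.0" is what "go list -m golang.org/x/net" printed in the discussion above.
	fmt.Println(unselectedVersions(sum, "golang.org/x/net", "v0.33.0"))
	// prints [v0.0.0-20201021035429-f5854403a974 v0.23.0]
}
```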
Thanks for this great explanation 🙏
As noted in #5939 (comment), the vulnerability addressed by this update to the `x/net` Go module, reported as CVE-2024-45338, only pertains to the `x/net/html` package and the Git LFS client doesn't parse any HTML, so there is no immediate need to release a new version of Git LFS.

While we do import some packages from the `x/net` module, both directly and indirectly, none of them are the `x/net/html` package. We can confirm this is the case by running `go list -json all | grep x/net/html`, which returns no output.

Nevertheless, we might as well upgrade the module, so that when we do release v3.7.0 of the Git LFS client, security scanners will not generate false positive reports.

For reference, the details of the vulnerability are described in golang/go#70906, the GO-2024-3333 report, and in the release announcement for version 0.33.0 of the `x/net` module.

Resolves #5939.