(security): Bump golang.org/x/net module

[milosgajdos]

Fixes: https://nvd.nist.gov/vuln/detail/CVE-2024-45338

[thaJeztah]

Can you remove the "security" from the PR and commit message to not scare people; this is a false positive as we don't use this code; vulnerability is in the html package;

Version v0.33.0 of golang.org/x/net fixes a vulnerability in the golang.org/x/net/html package which could cause a denial of service.

Which is not in use;

ls -l vendor/golang.org/x/net/
total 8
-rw-r--r--  1 root root 1453 Dec 10 09:39 LICENSE
-rw-r--r--  1 root root 1303 Oct 10 07:33 PATENTS
drwxr-xr-x  3 root root   96 Nov  4 09:20 http
drwxr-xr-x 27 root root  864 Dec 10 09:39 http2
drwxr-xr-x 17 root root  544 Nov  4 09:20 idna
drwxr-xr-x  3 root root   96 Oct 10 07:33 internal
drwxr-xr-x  5 root root  160 Nov  4 09:20 trace

And confirmed by govulncheck that there's no vulnerabilities in our code;

git rev-parse --verify HEAD
4890d9e03616d563083fa944aaa083cc49b54ff5

git describe --tags --match="v[0-9]*" HEAD
v3.0.0-rc.2

go install golang.org/x/vuln/cmd/govulncheck@latest

govulncheck -show=verbose ./...
Scanning your code and 840 packages across 109 dependent modules for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

=== Symbol Results ===

No vulnerabilities found.

=== Package Results ===

No other vulnerabilities found.

=== Module Results ===

Vulnerability #1: GO-2024-3333
    Non-linear parsing of case-insensitive content in golang.org/x/net/html
  More info: https://pkg.go.dev/vuln/GO-2024-3333
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.30.0
    Fixed in: golang.org/x/net@v0.33.0

Vulnerability #2: GO-2022-0646
    CBC padding oracle issue in AWS S3 Crypto SDK for golang in
    github.com/aws/aws-sdk-go
  More info: https://pkg.go.dev/vuln/GO-2022-0646
  Module: github.com/aws/aws-sdk-go
    Found in: github.com/aws/aws-sdk-go@v1.55.5
    Fixed in: N/A

Vulnerability #3: GO-2022-0635
    In-band key negotiation issue in AWS S3 Crypto SDK for golang in
    github.com/aws/aws-sdk-go
  More info: https://pkg.go.dev/vuln/GO-2022-0635
  Module: github.com/aws/aws-sdk-go
    Found in: github.com/aws/aws-sdk-go@v1.55.5
    Fixed in: N/A

Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 3
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.

[milosgajdos]

No need to scrape anything IMHO.

Anything that has a CVE assigned IS a security vulnerability: Yes, I do know we don't use it but that doesn't mean that we shouldn't patch or that we shouldn't mark it as a security issue

Besides, we are not here to make people feel good about their deployments 🤷‍♂️

[thaJeztah]

Point is that I want to reduce noise and I'm already getting a ton of that in just about every repository that's using Go; if possible avoid ambiguity (as it's not fixing an issue in this repository)

[wy65701436]

lgtm

[milosgajdos]

Ping @davidspek

[davidspek]

Sorry for the slow response.