fix(deps): Update module golang.org/x/net to v0.33.0

[coded9]

Fix for CVE-2024-45338

[ahmetb]

Can we not do these? It's extremely annoying to keep getting these PRs and none of them has actually ever been an applicable attack vector for this software.

[coded9]

Yeah, I completely agree. But, most companies have strict compliance requirements on allowing any library with critical/high vulnerabilities.

[ahmetb]

It's unclear to me why dependabot isn't sending this PR if it's a high impact vulnerability. :-/

[coded9]

I think it could be due to weekly schedule configured here

[stefanb]

I have noticed that @dependabot had problems with this update in other repositories, because when i triggered it manually:

...it failed:

In the logs:

updater | 2024/12/20 10:28:59 INFO <job_936012345> Latest version is 0.33.0
updater | 2024/12/20 10:28:59 INFO <job_936012345> Requirements to unlock update_not_possible
updater | 2024/12/20 10:28:59 INFO <job_936012345> Requirements update strategy 
updater | 2024/12/20 10:28:59 INFO <job_936012345> The latest possible version of golang.org/x/net that can be installed is 0.23.0
updater | 2024/12/20 10:28:59 INFO <job_936012345> The earliest fixed version is .

It looks like an issue with either @dependabot or the vulnerability data.

[ahmetb]

This fix ideally should be done at https://github.com/grpc/grpc-go/blob/master/go.mod.

Some offline probe that runs in a container is far less riskier than the actual grpc server in terms of these vulnerabilities.

[coded9]

@ahmetb Do we want to wait until that gets addressed in grpc-go?

[stefanb]

It is being done in upstream in a rather large PR (because it is a monorepo):

• update x/net to resolve CVE-2024-45338 grpc/grpc-go#7964

Doing the small bump locally here may be quicker.