build(deps): bump deps specifically CVE-2024-45338

[lzap]

SSIA

[lzap]

Excluded images from the update, incompatible change.

[lzap]

The same issue as in osbuild/osbuild-composer#4545 trying to solve it.

[lzap]

For the record, this is how I solved it:

lzap@dev:~/images$ tools/prepare-source.sh
+ GO_VERSION=1.21.13
++ go env GOPATH
+ GO_BINARY=/home/lzap/go/bin/go1.21.13
+ go install golang.org/dl/go1.21.13@latest
+ /home/lzap/go/bin/go1.21.13 download
go1.21.13: already downloaded in /home/lzap/sdk/go1.21.13
+ /home/lzap/go/bin/go1.21.13 mod tidy
go: github.com/osbuild/images/pkg/cloud/gcp imports
        cloud.google.com/go/storage imports
        google.golang.org/grpc/stats/opentelemetry: ambiguous import: found package google.golang.org/grpc/stats/opentelemetry in multiple modules:
        google.golang.org/grpc v1.67.3 (/home/lzap/go/pkg/mod/google.golang.org/grpc@v1.67.3/stats/opentelemetry)
        google.golang.org/grpc/stats/opentelemetry v0.0.0-20240907200651-3ffb98b2c93a (/home/lzap/go/pkg/mod/google.golang.org/grpc/stats/opentelemetry@v0.0.0-20240907200651-3ffb98b2c93a)

lzap@dev:~/images$ go get google.golang.org/grpc/stats/opentelemetry@none
go: downgraded cloud.google.com/go/storage v1.44.0 => v1.43.0
go: removed google.golang.org/grpc/stats/opentelemetry v0.0.0-20240907200651-3ffb98b2c93a

lzap@dev:~/images$ tools/prepare-source.sh
+ GO_VERSION=1.21.13
++ go env GOPATH
+ GO_BINARY=/home/lzap/go/bin/go1.21.13
+ go install golang.org/dl/go1.21.13@latest
+ /home/lzap/go/bin/go1.21.13 download
go1.21.13: already downloaded in /home/lzap/sdk/go1.21.13
+ /home/lzap/go/bin/go1.21.13 mod tidy
+ /home/lzap/go/bin/go1.21.13 fmt ./...
+ ./test/scripts/generate-gitlab-ci ./.gitlab-ci.yml

[thozza]

LGTM