chore: bump golang.org/x/net to v0.55.0 and golang.org/x/sys to v0.45.0 to fix CVEs

[Copilot]

Addresses 8 CVEs in golang.org/x/net (7× HIGH) and golang.org/x/sys (1× UNKNOWN) affecting the hubagent binary.

Dependency updates

• golang.org/x/net v0.47.0 → v0.55.0

  • CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-42502, CVE-2026-42506 — excessive CPU / incorrect output when parsing/rendering arbitrary HTML
  • CVE-2026-33814 — HTTP/2 DoS via malformed SETTINGS_MAX_FRAME_SIZE frame
  • CVE-2026-39821 — privilege escalation via incorrect Punycode label processing in x/net/idna

• golang.org/x/sys v0.38.0 → v0.45.0

  • CVE-2026-39824 — integer overflow in NewNTUnicodeString (x/sys/windows)
  • v0.45.0 is the minimum required by x/net v0.55.0, so v0.44.0 (the stated fix version) was not usable directly

Related golang.org/x/* packages (crypto, sync, term, text, tools) were bumped transitively by go mod tidy.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!