Resolve CVE-2024 Security Issue: Upgrade golang.org/x/net to v0.42.0 and Clean Dependencies

[ernest-phillips]

Fixes https://github.com/github/gh-classroom/security/dependabot/13
To address the security vulnerability in golang.org/x/net, the following steps were taken:

1. Upgraded to v0.42.0 using a replace directive in go.mod.

2. Ran go mod tidy to ensure a clean dependency graph and remove unused dependencies.

3. Confirmed the effective version with:

   go list -m all | grep golang.org/x/net

   Output showed that version v0.42.0 is the only one in use.

4. Verified that the main module does not directly depend on golang.org/x/net:

   go mod why golang.org/x/net
   # golang.org/x/net
   (main module does not need package golang.org/x/net)

No other versions of golang.org/x/net are reachable, and the project builds and tests cleanly. This resolves the vulnerability without introducing govulncheck.

[Copilot]

Pull Request Overview

This PR addresses a security vulnerability (CVE-2024) by upgrading the golang.org/x/net dependency to version v0.42.0 using a replace directive and updating the Go version to 1.23.0.

• Upgraded Go version from 1.21 to 1.23.0 with toolchain 1.24.5
• Updated multiple golang.org/x dependencies to latest versions (net, sync, sys, term, text)
• Added replace directive to explicitly pin golang.org/x/net to v0.42.0

Reviewed Changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

File	Description
go.mod	Updated Go version, toolchain, dependencies, and added replace directive for security fix
.github/workflows/go.yml	Updated CI workflow to use Go 1.23 instead of 1.19

[smashwilson]

👍🏻

[smashwilson]

Is the Go upgrade necessary to upgrade the module?

[ernest-phillips]

I looked into the requirements for the golang.org/x/net v0.42.0 upgrade. It turns out that Go 1.23 is the minimum required version, as specified by the module’s go.mod file:

go 1.23

https://github.com/golang/net/blob/v0.42.0/go.mod