
deps: bump golang.org/x/net to v0.55.0 to fix GO-2026-5026#763

Merged
dlevy-msft-sql merged 1 commit into
microsoft:mainfrom
dlevy-msft-sql:deps/bump-x-net-0.55.0
May 27, 2026

Conversation

@dlevy-msft-sql
Contributor

Problem

The Go Vulnerability Check workflow fails on PRs because govulncheck reports GO-2026-5026 against golang.org/x/net@v0.54.0:

Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna

Example trace from the failed run on #760:

internal/container/controller.go:216:28: container.Controller.ContainerFiles
  -> client.Client.ExecAttach
  -> idna.ToASCII

Root Cause

golang.org/x/net is an indirect dependency in go.mod. Dependabot's gomod ecosystem only proposes version bumps for modules listed as direct requirements; indirect deps move only when a direct dep's update transitively pulls them. The golang-x group on the recent dependabot PR (#760) therefore bumped golang.org/x/sys but left golang.org/x/net at the vulnerable v0.54.0.

The Go vuln database advisory (GO-2026-5026) is also not always mirrored to the GitHub Advisory Database, so Dependabot's security-update path didn't fire either.

Solution

Bump golang.org/x/net to v0.55.0 (the fixed version) and run go mod tidy. This also picks up the same golang.org/x/sys v0.45.0 bump proposed in #760, so this PR can supersede or land alongside it.

Changes

File    Change
go.mod  golang.org/x/net v0.54.0 -> v0.55.0 (indirect); golang.org/x/sys v0.44.0 -> v0.45.0
go.sum  regenerated by go mod tidy

Testing

  • go build ./... passes locally.
  • CI's govulncheck ./... should now pass; expecting GO-2026-5026 to drop off.

Related

govulncheck flags GO-2026-5026 (idna.ToASCII fails to reject ASCII-only Punycode-encoded labels) on golang.org/x/net v0.54.0, reachable from internal/container/controller.go via docker client.ExecAttach. Fixed in v0.55.0.

Dependabot's golang-x group bumps direct deps only; x/net is indirect, so it was left behind.
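The root cause described above is that a vulnerable module sitting in go.mod as an `// indirect` requirement is invisible to Dependabot's version-update path. As an added example (not code from this PR or the repository), the program below parses a go.mod, distinguishes direct from indirect requirements, and fails any module whose version is below a pinned floor, so a CI step can catch an indirect dependency that was left behind even when the advisory has not been mirrored to the GitHub Advisory Database. The `sampleGoMod` text is constructed for illustration and only borrows the x/net and x/sys versions named in this PR; the module `example.com/constructed` and the direct dependency `github.com/example/direct` are placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Require is one entry of a go.mod require block.
type Require struct {
	Path     string
	Version  string
	Indirect bool // true when the line carries the "// indirect" marker
}

// ParseRequires extracts requirements from go.mod text, handling both the
// single-line form "require x v1" and the parenthesised block form.
func ParseRequires(gomod string) []Require {
	var reqs []Require
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "//"):
			continue
		case strings.HasPrefix(line, "require ("):
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		var entry string
		if inBlock {
			entry = line
		} else if strings.HasPrefix(line, "require ") {
			entry = strings.TrimPrefix(line, "require ")
		} else {
			continue // module, go, replace, exclude etc. are not requirements
		}
		indirect := strings.Contains(entry, "// indirect")
		if i := strings.Index(entry, "//"); i >= 0 {
			entry = entry[:i]
		}
		parts := strings.Fields(entry)
		if len(parts) != 2 {
			continue
		}
		reqs = append(reqs, Require{Path: parts[0], Version: parts[1], Indirect: indirect})
	}
	return reqs
}

// parseSemver turns "v0.54.0" into [0,54,0]; pre-release and pseudo-version
// suffixes after '-' or '+' are dropped for the comparison.
func parseSemver(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p)
		out[i] = n
	}
	return out
}

// VersionLess reports whether module version a is older than b.
func VersionLess(a, b string) bool {
	pa, pb := parseSemver(a), parseSemver(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// BelowFloor returns every requirement, direct or indirect, whose version is
// below the minimum pinned in floors (keyed by module path).
func BelowFloor(reqs []Require, floors map[string]string) []Require {
	var bad []Require
	for _, r := range reqs {
		if floor, ok := floors[r.Path]; ok && VersionLess(r.Version, floor) {
			bad = append(bad, r)
		}
	}
	return bad
}

// sampleGoMod is a constructed go.mod, not the repository's own file.
const sampleGoMod = `module example.com/constructed

go 1.22

require github.com/example/direct v1.2.3

require (
	golang.org/x/net v0.54.0 // indirect
	golang.org/x/sys v0.44.0 // indirect
)
`

func main() {
	// The floor is the fixed version named in the PR; in CI it would come from
	// a policy file that is raised as advisories are published.
	floors := map[string]string{"golang.org/x/net": "v0.55.0"}
	for _, r := range BelowFloor(ParseRequires(sampleGoMod), floors) {
		kind := "direct"
		if r.Indirect {
			kind = "indirect (Dependabot version updates would not bump this)"
		}
		fmt.Printf("%s %s is below floor %s: %s\n", r.Path, r.Version, floors[r.Path], kind)
	}
}
```

Running it against the constructed go.mod reports golang.org/x/net v0.54.0 as an indirect requirement below the v0.55.0 floor, which is exactly the gap this PR closes by hand; the fix itself is the `go get`/`go mod tidy` step described in the Solution section, and govulncheck remains the authoritative reachability check.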
@dlevy-msft-sql dlevy-msft-sql marked this pull request as ready for review May 27, 2026 00:24
@dlevy-msft-sql dlevy-msft-sql merged commit afe3e53 into microsoft:main May 27, 2026
6 checks passed
@dlevy-msft-sql dlevy-msft-sql deleted the deps/bump-x-net-0.55.0 branch May 27, 2026 00:24