
security: up dependencies to fix security vulnerabilities #3390

Open: wants to merge 7 commits into main

Conversation

@sicoyle sicoyle commented Apr 8, 2024

Description

Dapr has a few vulnerabilities that we should address from a security perspective by upping our dependency versions 👇

| Package | Affected version | Patched version | Fixed in this PR? | Impact |
|---|---|---|---|---|
| google.golang.org/grpc | < 1.56.3 | v1.56.3 | yes | gRPC-Go HTTP/2 rapid reset vulnerability |
| golang.org/x/net | < 0.17.0 | latest | yes | HTTP/2 rapid reset can cause excessive work in net/http |
| github.com/hamba/avro/v2 | < 2.13.0 | latest | yes | avro vulnerable to denial of service via attacker-controlled param |
| github.com/nats-io/nats-server/v2 | >= 2.2.0, < 2.9.23 | latest | yes | NATS.io: Adding accounts for just the system account adds auth bypass |
| github.com/jackc/pgx/v5 | >= 5.0.0, < 5.5.4 | v5.5.4 | yes | pgproto3 SQL injection via protocol message size overflow |
| google.golang.org/protobuf | < 1.33.0 | latest | | Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON |
| github.com/lestrrat-go/jwx/v2 | < 2.0.21 | latest | | JWX vulnerable to a denial of service attack using compressed JWE message |
| github.com/dvsekhvalnov/jose2go | < 1.6.0 | latest | | jose2go vulnerable to denial of service via large p2c value |
| NPM wrangler pkg | >= 3.0.0, < 3.19.0 | 3.19.0 | | arbitrary remote code execution within wrangler dev workers sandbox (CRITICAL!) |
| golang.org/x/crypto | < v0.17.0 | latest | | Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin |

Also update test go modules, as those should be kept current with regular code dependencies.

Issue reference

We strive to have all PRs opened based on an issue, where the problem or feature has been discussed prior to implementation.

Please reference the issue this PR will close: #[issue number]

Checklist

Please make sure you've completed the relevant tasks for this PR, out of the following list:

  • Code compiles correctly
  • Created/updated tests
  • Extended the documentation / Created issue in the https://github.com/dapr/docs/ repo: dapr/docs#[issue number]

Signed-off-by: Samantha Coyle <sam@diagrid.io>
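The table above gives each advisory as an affected range and a first patched version. As an added example, not code from this PR or from the Dapr project, here is a small Go check that reads a go.mod and reports requirements still inside those ranges for a subset of the table's rows; the go.mod fragment, the grpc pseudo-version and the helper names (`verKey`, `checkGoMod`) are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)
// advisory mirrors one row of the PR table: the first patched version and, for ranged
// rows such as ">= 2.2.0, < 2.9.23", the lower bound ("" when there is none).
type advisory struct{ Patched, AffectedFrom string }
var advisories = map[string]advisory{ // four rows of the PR table, as a subset
	"google.golang.org/grpc":            {"v1.56.3", ""},
	"github.com/nats-io/nats-server/v2": {"v2.9.23", "v2.2.0"},
	"github.com/jackc/pgx/v5":           {"v5.5.4", "v5.0.0"},
	"golang.org/x/crypto":               {"v0.17.0", ""},
}
// verKey maps "v1.2.3[-suffix]" to a fixed-width key ordered like Go module versions: numbers are
// right-aligned (9 < 10 textually, up to 6 digits); "false" < "true" ranks v1.56.3-0.2023... below v1.56.3.
func verKey(v string) string {
	core, suffix, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	p := strings.SplitN(core+".0.0", ".", 4) // pad so "v1.2" still has three parts
	return fmt.Sprintf("%6s.%6s.%6s.%t", p[0], p[1], p[2], suffix == "")
}
// checkGoMod scans go.mod text (single-line or block "require") and returns one
// "module version (patched in X)" line per requirement inside an advisory's range.
func checkGoMod(gomod string) (out []string) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) < 2 || !strings.HasPrefix(f[1], "v") {
			continue // skips "require (", ")", "go 1.21", blank and comment lines
		}
		a, ok := advisories[f[0]]
		if ok && verKey(f[1]) < verKey(a.Patched) &&
			(a.AffectedFrom == "" || verKey(f[1]) >= verKey(a.AffectedFrom)) {
			out = append(out, fmt.Sprintf("%s %s (patched in %s)", f[0], f[1], a.Patched))
		}
	}
	return out
}
// Constructed go.mod: pgx and the grpc pseudo-version are still affected; nats is below its range, x/crypto is patched.
const sampleGoMod = `require (
	github.com/jackc/pgx/v5 v5.5.2
	github.com/nats-io/nats-server/v2 v2.1.9
	golang.org/x/crypto v0.17.0
	google.golang.org/grpc v1.56.3-0.20231020120000-0123456789ab // indirect
)`
func main() {
	for _, line := range checkGoMod(sampleGoMod) {
		fmt.Println(line)
	}
}
```

Running it prints the two still-affected requirements (pgx v5.5.2 and the grpc pseudo-version) and stays silent for nats-server v2.1.9, which is below the range's lower bound, and for x/crypto v0.17.0, which equals its patched version.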
sicoyle commented Apr 9, 2024

Going to let this sit until closer to code freeze ~May 28th, as this should be part of the release process.

@berndverst (Member) commented

> Going to let this sit until closer to code freeze ~May 28th, as this should be part of the release process.

If you don't want something merged you should make it a draft PR @sicoyle

@berndverst berndverst left a comment


When you imported dapr/dapr 1.13.2 into certification tests it seems that a method signature has changed in Dapr runtime (happens often). You need to update all cert tests with the method changes.

After some examination it seems the errors are related to tracing changes. Please resolve this to get this PR merged. Thanks!

The error is this:

```
Error: /home/runner/go/pkg/mod/github.com/dapr/dapr@v1.13.2/pkg/runtime/hotreload/loader/disk/resource.go:33:21: not enough type arguments for type Batcher: have 1, want 2
Error: /home/runner/go/pkg/mod/github.com/dapr/dapr@v1.13.2/pkg/runtime/hotreload/loader/disk/resource.go:48:31: cannot infer T (/home/runner/go/pkg/mod/github.com/dapr/kit@v0.13.1-0.20240402103809-0c7cfce53d9e/events/batcher/batcher.go:50:24)
```
