update go module dependencies

[singholt]

Summary

This PR updates go module dependencies in both the agent and init packages. Dependabot currently has 5 open PRs that's trying to do these updates but failing.

Implementation details

This PR has 5 commits, updating one dependency in each commit, made easy for you to review.

1. agent: update golang.org/x/net from v0.5.0 -> v0.7.0

Helps us close #3578.

2. agent: update github.com/containerd/containerd from v1.4.13 -> v1.5.18

Helps us close #3573.

3. init: update github.com/containerd/containerd from v1.6.8 -> v.16.18

Helps us close #3574 and I also updated init's go mod version from 1.17 -> 1.19 to match agent's go mod version.

4. agent: update github.com/prometheus/client_golang from v1.7.1 -> v1.11.1

Helps us close #3572.

5. agent: update github.com/gorilla/websocket from v1.4.2 -> v1.5.0

Helps us close #3339.

The following commands were run, to update all the dependencies above:

1. In go.mod file, update the target dependency from X to Y.
2. go mod tidy
3. go mod vendor

Note: go mod vendor on tip of dev branch pulls in some new github.com/docker/docker changes. These changes lead to failed tests on Windows. The docker module update is being dealt with in PR #3557 and this PR does not touch it.

All except [5] are security updates. Dependabot has an open issue/PFR where it does not honor the dependabot config settings for security updates: dependabot/dependabot-core#2767. It opens multiple PRs against "master" which is our default branch. Whereas we'd like to pull in the updates to "dev" first, so a human intervention is necessary.

Testing

New tests cover the changes: no

Description for the changelog

Enhancement: update go module dependencies

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[danehlim]

Thanks for raising this PR!

I also updated init's go mod version from 1.17 -> 1.19 to match agent's go mod version.

Just for my reference and understanding, what would the impact be of leaving ecs-init's go mod version as 1.17? Phrased differently, are there any specific issues/concerns we address by updating ecs-init's go mod version to 1.19 other than simply matching Agent's go mod version?

[danehlim]

nit: Per our offline discussions, 4/5 of these updates are security updates. For context purposes, could we update the PR description to indicate that?

[singholt]

Just for my reference and understanding, what would the impact be of leaving ecs-init's go mod version as 1.17? Phased differently, are there any specific issues/concerns we address by updating ecs-init's go mod version to 1.19 other than simply matching Agent's go mod version?

the go version in go mod file specifies the minimum go version required to build packages in a module. Ref: https://go.dev/doc/modules/gomod-ref#go

so its more to do with keeping up-to date with the latest version and less to do with keeping the agent and init module versions in sync actually.