
Bump deps, add script to make it easier #1260

Merged
merged 2 commits into from
Feb 15, 2022

Conversation

imjasonh
Collaborator

Dependabot gets tripped up by our multi-module repo, so instead I wrote a script that should automate it for us in hack/bump-deps.sh.

If we want, we can hook it up to GitHub Actions to create PRs for us and drop dependabot, or we can just use dependabot to notify us when bumps are needed and do it manually, like I've been doing lately. A benefit to this is that it's one big PR instead of individual ones.

lmk what you think.

This PR gets us past a containerd dependabot alert that doesn't affect us, but spams us and downstream users with the alert.
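An added example, not hack/bump-deps.sh from this PR and not code from go-containerregistry, of the approach the description sketches: walk every go.mod in a multi-module checkout, bump dependencies in each (either everything with `go get -u ./...`, or a coordinated set such as the k8s.io line at one version), run `go mod tidy`, and show the downstream-side alternative of holding a module back with `go mod edit -replace`. It assumes a POSIX sh, that `go` is on PATH when DRY_RUN is not set, and that vendor/ and testdata/ trees contain no modules worth touching; the versions in the usage comment are illustrative. DRY_RUN=1 prints the plan instead of modifying anything, which is the mode you want to review before a bump PR is opened.

```shell
#!/bin/sh
# Added example, not the project's hack/bump-deps.sh: bump Go dependencies
# across every module in a multi-module repository.
# Assumptions: POSIX sh; `go` on PATH unless DRY_RUN=1; vendor/ and
# testdata/ trees hold no modules we want to rewrite.
set -e

# Print every directory under $1 that holds a go.mod, one per line, sorted.
# vendor/ is copied third-party code and testdata/ holds fixtures, so both
# are skipped on purpose.
find_modules() {
    root="${1:-.}"
    find "$root" -type f -name go.mod \
        ! -path '*/vendor/*' ! -path '*/testdata/*' \
        | sed 's#/go.mod$##' | sort
}

# Run a command inside a module directory, or only print it when DRY_RUN=1
# so the plan can be reviewed before anything touches go.mod or go.sum.
run_in() {
    dir="$1"; shift
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '[dry-run] (cd %s && %s)\n' "$dir" "$*"
    else
        (cd "$dir" && "$@")
    fi
}

# Bump every module under $1. With no further arguments each module gets
# `go get -u ./...` (latest minor/patch of the deps its packages use); with
# explicit module@version arguments, e.g. k8s.io/api@v0.23.2, only those
# are set, which is how one coordinated bump of the k8s.io line looks.
# `go mod tidy` then drops anything unused and refreshes go.sum.
bump_deps() {
    root="$1"; shift
    for mod in $(find_modules "$root"); do   # module paths with spaces unsupported
        if [ "$#" -gt 0 ]; then
            run_in "$mod" go get "$@"
        else
            run_in "$mod" go get -u ./...
        fi
        run_in "$mod" go mod tidy
    done
}

# Downstream counterpart: a consumer that must stay on an older k8s.io line
# can pin it in its own go.mod with a replace directive instead of asking
# upstream to hold back. $1 is the module directory, the rest are
# module@version pairs.
pin_replace() {
    dir="$1"; shift
    for mv in "$@"; do
        m="${mv%@*}"
        run_in "$dir" go mod edit -replace "$m=$mv"
    done
}

# Entry point. With no arguments only the usage is printed, so the functions
# above can also be sourced from another script. Usage (illustrative versions):
#   DRY_RUN=1 ./bump-deps.sh bump                     # show the plan
#   ./bump-deps.sh bump                               # go get -u ./... everywhere
#   ./bump-deps.sh bump k8s.io/api@v0.23.2 k8s.io/apimachinery@v0.23.2 k8s.io/client-go@v0.23.2
#   ./bump-deps.sh pin . k8s.io/api@v0.22.5           # downstream: hold a module back
case "${1:-}" in
    bump) shift; bump_deps . "$@" ;;
    pin)  shift; pin_replace "$@" ;;
    *)    echo "usage: $0 bump [module@version ...] | pin <dir> module@version ..." >&2 ;;
esac
```

Running the script from the repository root in DRY_RUN mode first lets a reviewer confirm that only the intended modules are touched and that the versions being set are the ones agreed with downstreams; the same functions can be invoked from a GitHub Actions job to open a single bump PR, as the description suggests.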

Comment on lines 7 to 9
k8s.io/api v0.23.2
k8s.io/apimachinery v0.23.2
k8s.io/client-go v0.23.2
Collaborator

Didn't we explicitly leave these at 0.22?

cc @dprotaso

Collaborator Author

Ping. I'd like to move forward with this, but if there's something we should do to make Knative's and Knative-using packages' lives easier, I'm all ears.


Didn't we explicitly leave these at 0.22?

@mattmoor -- There was a request to use 0.22.5, but there wasn't a reason provided:

Would suggest using 0.23.3, unless there's a good reason not to.

Collaborator

tl;dr It's because that's what Knative and Tekton are pinned to. I'll defer to @dprotaso to explain the cadence.

Collaborator Author

Couldn't Knative and Tekton solve this with a replace k8s.io/foo => k8s.io/foo v0.22.5?


They could, based on my understanding.
I think it's important that the upstream take input from downstreams, but set the pace by keeping deps as up-to-date as possible.

Contributor

We'll be bumping to 0.23 in one month. K8s 1.21 is still supported for the next two months: https://kubernetes.io/releases/patch-releases/#1-21

This was referenced Jan 26, 2022

codecov-commenter commented Jan 27, 2022

Codecov Report

Merging #1260 (31ab4dd) into main (a8c9fa3) will increase coverage by 0.13%.
The diff coverage is n/a.


@@            Coverage Diff             @@
##             main    #1260      +/-   ##
==========================================
+ Coverage   73.78%   73.92%   +0.13%     
==========================================
  Files         111      111              
  Lines        8289     8345      +56     
==========================================
+ Hits         6116     6169      +53     
- Misses       1571     1573       +2     
- Partials      602      603       +1     
Impacted Files           Coverage Δ
pkg/v1/platform.go       100.00% <0.00%> (ø)
pkg/v1/daemon/image.go    75.67% <0.00%> (+0.16%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@imjasonh
Collaborator Author

This is effectively blocking automatic security updates, like #1287, since dependabot can't manage our deps without help.

@imjasonh imjasonh merged commit 97826ab into google:main Feb 15, 2022