Fix critical CVEs from daily vulnerability scan
Update Go dependencies across all components to address critical vulnerabilities detected by the daily scheduled scan (Build #34330).

Key dependency updates:

- google.golang.org/grpc v1.65.0 → v1.79.3
  Fixes CVE-2026-33186 (CVSS 9.1): authorization bypass via malformed :path headers missing leading slash could bypass path-based deny rules in interceptors like grpc/authz.
- google.golang.org/protobuf v1.34.2 → v1.36.10
  Required by grpc v1.79.3.
- golang.org/x/net v0.26.0/v0.35.0 → v0.48.0
  Fixes multiple HTML parsing DoS vulnerabilities (CVE-2024-45338, CVE-2025-58190, CVE-2025-47911).
- github.com/containerd/containerd v1.6.36 → v1.6.39, v1.7.2 → v1.7.30
  Fixes CVE-2024-40635 (integer overflow in User ID handling) and CVE-2024-25621 (local privilege escalation via CRI directory perms).
- github.com/golang-jwt/jwt/v5 v5.0.0/v5.2.1 → v5.2.2
  Fixes CVE-2025-30204 (CVSS 8.7): DoS via excessive memory allocation during JWT header parsing.
- github.com/go-jose/go-jose/v3 v3.0.0 → v3.0.4
  Fixes CVE-2025-27144: DoS via crafted JOSE parsing input.
- github.com/hashicorp/go-retryablehttp v0.7.0-v0.7.5 → v0.7.7
  Fixes CVE-2024-41110: basic auth credentials leaked to log files.

Also updates transitive dependencies pulled in by the above:

- golang.org/x/sys, golang.org/x/text, golang.org/x/sync
- google.golang.org/genproto/googleapis/rpc
- go.opentelemetry.io/otel (pinned v1.39.0 in image-builder-bob)

Not addressed in this PR (requires code changes):

- github.com/opencontainers/runc v1.1.14 → v1.2.x: API breaking change in libcontainer/cgroups/ebpf (functions made unexported). Needs code migration in ws-daemon/pkg/cgroup/plugin_fuse_v2.go.
- github.com/dgrijalva/jwt-go: deprecated library, needs migration to github.com/golang-jwt/jwt/v5.

Fixes: CLC-2235

Co-authored-by: Ona <no-reply@ona.com>
Gero Posmyk-Leinemann committed
dcd94dece5494b72026c1d91b9f600ec9b2c76b8
Parent: f876a56
Committed by Cornelius A. Ludmann <github@cornelius-ludmann.de>
on 3/25/2026, 12:39:41 PM
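A commit like this is only complete once every component's go.mod actually carries the fixed versions, so here is an added checker (example code, not part of the commit or the repository) that scans go.mod text for the modules and floor versions named in the message above and reports any pin still below its floor. The sample go.mod is constructed; containerd is omitted because its two release lines (v1.6.x and v1.7.x) have separate floors.

```go
package main

import (
	"fmt"
	"strings"
)

// minVersions: the fixed versions named in the commit message (module -> minimum acceptable).
var minVersions = map[string]string{
	"google.golang.org/grpc":                "v1.79.3",
	"google.golang.org/protobuf":            "v1.36.10",
	"golang.org/x/net":                      "v0.48.0",
	"github.com/golang-jwt/jwt/v5":          "v5.2.2",
	"github.com/go-jose/go-jose/v3":         "v3.0.4",
	"github.com/hashicorp/go-retryablehttp": "v0.7.7",
}

// sampleGoMod is a constructed go.mod (not from the repository) with two modules still below the floor.
const sampleGoMod = `module example.com/component
go 1.22
require (
	github.com/golang-jwt/jwt/v5 v5.2.1
	golang.org/x/net v0.48.0
	google.golang.org/grpc v1.65.0
	google.golang.org/protobuf v1.36.10 // indirect
)`

// below reports whether have (vX.Y.Z) is strictly below floor; a -pre/+build suffix is ignored,
// and an unparseable version counts as below so that it is flagged rather than silently skipped.
func below(have, floor string) bool {
	var h, f [3]int
	fmt.Sscanf(floor, "v%d.%d.%d", &f[0], &f[1], &f[2])
	if n, err := fmt.Sscanf(have, "v%d.%d.%d", &h[0], &h[1], &h[2]); err != nil || n != 3 {
		return true
	}
	return h[0] < f[0] || (h[0] == f[0] && (h[1] < f[1] || (h[1] == f[1] && h[2] < f[2])))
}

// CheckGoMod returns module -> pinned version for each tracked module whose pin is below
// its fixed version. Both the require block and single-line "require <mod> <ver>" are handled.
func CheckGoMod(gomod string) map[string]string {
	lagging := map[string]string{}
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) > 0 && f[0] == "require" {
			f = f[1:]
		}
		if len(f) >= 2 {
			if floor, tracked := minVersions[f[0]]; tracked && below(f[1], floor) {
				lagging[f[0]] = f[1]
			}
		}
	}
	return lagging
}
```

Run it over each component's go.mod in CI so a regression of any of these floors fails the build instead of waiting for the next daily scan.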