
[Aikido] Fix 17 security issues in x/net, x/image #17

Open
aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-MAINT-1338-MAINT-1416-update-packages-53851356-wju1

Conversation

@aikido-autofix


Upgrade golang.org/x/net and golang.org/x/image to fix privilege escalation via Punycode validation bypass, HTTP/2 infinite loop DoS, and TIFF decoder memory exhaustion.

✅ 17 CVEs resolved by this upgrade, including 2 critical 🚨 CVEs

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| AIKIDO-2026-11039 | 🚨 CRITICAL | [golang.org/x/net] Punycode validation bypass in idna functions allows ASCII-only labels to be incorrectly accepted, enabling privilege escalation when hostname validation is bypassed through encoded domain names. An attacker could exploit inconsistent validation between encoded and decoded hostnames to circumvent access controls. |
| CVE-2026-39821 | 🚨 CRITICAL | [golang.org/x/net] Punycode validation bypass in idna functions allows ASCII-only labels to be incorrectly accepted, enabling privilege escalation when hostname validation is bypassed through encoded domain names. An attacker could exploit inconsistent validation between encoded and decoded hostnames to circumvent access controls. |
| CVE-2026-33814 | HIGH | [golang.org/x/net] When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. |
| AIKIDO-2026-11035 | MEDIUM | [golang.org/x/net] Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. |
| AIKIDO-2026-11036 | MEDIUM | [golang.org/x/net] The HTML parser mishandled character references in DOCTYPE nodes, causing them to be incorrectly rendered. This can lead to XSS when rendering parsed HTML. |
| AIKIDO-2026-11038 | MEDIUM | [golang.org/x/net] The HTML parser mishandled certain HTML elements in foreign content, causing them to be incorrectly rendered. This can lead to XSS when rendering parsed HTML. |
| AIKIDO-2026-11040 | MEDIUM | [golang.org/x/net] Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. |
| CVE-2026-42506 | MEDIUM | [golang.org/x/net] Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. |
| CVE-2026-25681 | MEDIUM | [golang.org/x/net] Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. |
| CVE-2026-27136 | MEDIUM | [golang.org/x/net] Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. |
| CVE-2026-42502 | MEDIUM | [golang.org/x/net] Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. |
| AIKIDO-2026-11037 | LOW | [golang.org/x/net] Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service. |
| CVE-2026-25680 | LOW | [golang.org/x/net] Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service. |
| CVE-2026-46599 | HIGH | [golang.org/x/image] The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data. |
| CVE-2026-33813 | MEDIUM | [golang.org/x/image] Parsing a WEBP image with an invalid, large size panics on 32-bit platforms. |
| CVE-2026-33812 | MEDIUM | [golang.org/x/image] Parsing a malicious font file can cause excessive memory allocation. |
| CVE-2026-42500 | MEDIUM | [golang.org/x/image] Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image. |