
fix(security): go security fixes (2026-06-23) #1368

Merged
absorbb merged 1 commit into newjitsu from security/fix-go-2026-06-23 on Jun 24, 2026

Conversation

@github-actions (Contributor)

Included fixes

  • CVE-2026-53488 (high): containerd CRI image-config LABEL -> restart-monitor binary:// host command execution — github.com/containerd/containerd/v2 2.2.4 -> 2.2.5
  • CVE-2026-53489 (high): Arbitrary host CRI log file read via symlink following in CRI checkpoint restore — github.com/containerd/containerd/v2 2.2.4 -> 2.2.5
  • CVE-2026-53492 (high): containerd CRI checkpoint restore CDI annotation smuggling — github.com/containerd/containerd/v2 2.2.4 -> 2.2.5
  • CVE-2026-50195 (medium): containerd CRI checkpoint import allows local image tag poisoning — github.com/containerd/containerd/v2 2.2.4 -> 2.2.5
  • CVE-2026-47262 (medium): containerd image-triggered runtime DoS via unbounded group parsing — github.com/containerd/containerd/v2 2.2.4 -> 2.2.5

Skipped (already satisfied / would downgrade)

  • CVE-2026-34040 (high): github.com/docker/docker fixed_version 29.3.1 is not a published revision for this module path (go get github.com/docker/docker@v29.3.1 returns unknown revision). No safe actionable bump exists beyond current latest v28.5.2+incompatible.
  • CVE-2026-33997 (medium): github.com/docker/docker has no fixed_version in alerts; current resolved version remains v28.5.2+incompatible and no newer published revision exists on this module path.
  • CVE-2026-41567 (high): github.com/docker/docker has no fixed_version in alerts; current resolved version remains v28.5.2+incompatible and no newer published revision exists on this module path.
  • CVE-2026-41568 (medium): github.com/docker/docker has no fixed_version in alerts; current resolved version remains v28.5.2+incompatible and no newer published revision exists on this module path.
  • CVE-2026-42306 (high): github.com/docker/docker has no fixed_version in alerts; current resolved version remains v28.5.2+incompatible and no newer published revision exists on this module path.

Risks

  • No major version bump was applied for direct module requirements; this is a patch-level bump for github.com/containerd/containerd/v2.
  • go work sync propagated related golang.org/x/* transitive updates across workspace members.
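
To make the triage rules in this description concrete (resolved version at or above the fixed version means the alert is already satisfied and a bump would be a no-op or a downgrade; an alert with no fixed_version cannot be bumped at all), here is an added example that is not code from this repository or from the bot that opened the PR. The Module struct mirrors the JSON shape that `go list -m -json all` prints, so in practice you would decode that stream into it; here the module list, the alert rows and the module path example.com/workspace/ingest are constructed. A status of "vulnerable" only says the resolved version is below the fixed version; whether that fixed version is actually published for the module path, the reason CVE-2026-34040 was skipped above, is a separate check (`go list -m -versions <path>`) that needs network access and is not performed here.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Module holds the `go list -m -json all` fields the check needs (a json.Decoder fills it directly).
type Module struct {
	Path, Version string
	Replace       *Module // set when go.mod has a replace directive for Path
}

// Alert is one advisory row; Fixed is "" when the alert carries no fixed_version.
type Alert struct{ ID, Path, Fixed string }
type Finding struct{ ID, Resolved, Status string } // Status: fixed | vulnerable | no-fix | absent | unparsable

// parseVersion splits "v28.5.2+incompatible" or a pseudo-version such as
// "v0.0.0-20260101000000-abcdef123456" into a numeric core and a pre-release tag.
func parseVersion(v string) (core [3]int, pre string, ok bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // build metadata never affects ordering
	v, pre, _ = strings.Cut(v, "-")                         // everything after '-' is the pre-release tag
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return core, "", false
	}
	for i, p := range parts {
		var err error
		if core[i], err = strconv.Atoi(p); err != nil {
			return [3]int{}, "", false
		}
	}
	return core, pre, true
}

// compareVersions returns -1, 0 or 1 as a is below, equal to or above b. A release
// outranks any pre-release of the same core; two pre-release tags order lexically.
func compareVersions(a, b string) (int, error) {
	ca, pa, oka := parseVersion(a)
	cb, pb, okb := parseVersion(b)
	if !oka || !okb {
		return 0, fmt.Errorf("unparsable version: %q vs %q", a, b)
	}
	for i := range ca {
		if ca[i] < cb[i] {
			return -1, nil
		} else if ca[i] > cb[i] {
			return 1, nil
		}
	}
	switch {
	case pa == pb:
		return 0, nil
	case pa == "" || (pb != "" && pa > pb):
		return 1, nil
	}
	return -1, nil
}

// triage judges each alert against the resolved graph; "fixed" also covers the PR's
// "already satisfied / would downgrade" case. It does not check that the fixed version
// is actually published for the module path (that needs `go list -m -versions`).
func triage(mods []Module, alerts []Alert) []Finding {
	resolved := map[string]string{}
	for _, m := range mods {
		if m.Replace != nil && m.Replace.Version != "" { // a directory replace carries no version
			m.Version = m.Replace.Version
		}
		resolved[m.Path] = m.Version
	}
	var out []Finding
	for _, a := range alerts {
		f := Finding{ID: a.ID, Resolved: resolved[a.Path], Status: "fixed"}
		if f.Resolved == "" {
			f.Status = "absent"
		} else if a.Fixed == "" {
			f.Status = "no-fix"
		} else if c, err := compareVersions(f.Resolved, a.Fixed); err != nil {
			f.Status = "unparsable"
		} else if c < 0 {
			f.Status = "vulnerable"
		}
		out = append(out, f)
	}
	return out
}

// Constructed sample input mirroring the shapes in the PR; the main module path is invented.
var sampleModules = []Module{
	{Path: "example.com/workspace/ingest"},
	{Path: "github.com/containerd/containerd/v2", Version: "v2.2.5"},
	{Path: "github.com/docker/docker", Version: "v28.5.2+incompatible"},
}

var sampleAlerts = []Alert{
	{"CVE-2026-53488", "github.com/containerd/containerd/v2", "v2.2.5"},
	{"CVE-2026-34040", "github.com/docker/docker", "v29.3.1"},
	{"CVE-2026-33997", "github.com/docker/docker", ""},
}
```

Run `triage(sampleModules, sampleAlerts)` and the three rows come back as fixed, vulnerable and no-fix, matching the three shapes in the lists above. The Replace handling matters in a workspace like this one: if any member replaces a module with a fork or a local directory, the go.mod require line is not what gets built, and a scanner that only reads require lines will misjudge the alert.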

@jitsu-code-review (bot) left a comment


Reviewed the dependency-only security update across all touched Go modules (go.mod/go.sum). I checked the version bumps for correctness and validated dependency consistency by running go list -mod=readonly ./... in each modified module (admin, bulkerapp, bulkerlib, config-keeper, connectors/firebase, eventslog, ingest, ingress-manager, jitsubase, kafkabase, operator, reprocessing-worker, sync-controller, sync-sidecar).

No actionable bugs, security regressions, or correctness issues were identified in this change set.

@absorbb absorbb merged commit d66b1b4 into newjitsu Jun 24, 2026
5 checks passed
@absorbb absorbb deleted the security/fix-go-2026-06-23 branch June 24, 2026 14:58