Update github.com/containerd/containerd to v1.5.13 to fix security issues

[bmelbourne]

Update Go github.com/containerd/containerd package to v1.5.13 to fix critical security vulnerabilities outlined in CVE-2021-43816 and CVE-2022-31030.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43816
GHSA-5ffw-gxpp-mxpf (CVE-2022-31030)

[nyrahul]

Thanks for the PR, @bmelbourne
I am getting a different go.sum when I run go mod tidy with the new go.mod. This is been verified. We are also trying to add a CI check to cross-verify the generated go.sum.

[bmelbourne]

Thanks for the PR, @bmelbourne I am getting a different go.sum when I run go mod tidy with the new go.mod. This is been verified. We are also trying to add a CI check to cross-verify the generated go.sum.

@nyrahul
Containerd have been releasing some rapid updates recently to fixes various issues, and I may have inadvertently forgotten to run go mod tidy. PR now updated.

[nyrahul]

Please find comments inline. Thanks again for the PR.

[nyrahul]

Is there a reason to explicitly state this indirect dependency? Similarly, there are few other indirect dependencies down this file which are newly added and the compilation works fine even if removed.

[nyrahul]

An indirect dependency on MS winio! I am not sure if this is needed. Please check. Thanks

[nyrahul]

When I run go mod tidy it does not generate this line. When I checked the details, this line is supposed to get the checksum of entire code base of ttrpc whereas the next line containing ....ttrpc/go.mod simply gets a checksum on the go.mod file.
Point is, do we require this explicit entire code base checksum to be added?
Also I dont understand why it does not get added when I run go mod tidy. Is there any specific flag you used with the tidy command?

[bmelbourne]

/reopen