Security: Address Dependabot vulnerability alerts

[simulot]

Security Vulnerabilities

Three Dependabot security alerts need to be addressed:

1. Medium Severity - golang.org/x/crypto/ssh/agent

• GHSA ID: GHSA-f6x5-jh6r-wrfv
• Issue: Vulnerable to panic if message is malformed due to out of bounds read
• Severity: Medium
• Package: golang.org/x/crypto

2. Medium Severity - golang.org/x/crypto/ssh

• GHSA ID: GHSA-j5w8-q4qc-rx2x
• Issue: Allows an attacker to cause unbounded memory consumption
• Severity: Medium
• Package: golang.org/x/crypto

3. Low Severity - github.com/disintegration/imaging

• GHSA ID: GHSA-q7pp-wcgr-pffx
• Issue: Crash when processing crafted TIFF files
• Severity: Low
• Package: github.com/disintegration/imaging

Action Items

• Update golang.org/x/crypto to latest patched version
• Update github.com/disintegration/imaging to latest patched version
• Run security tests to verify fixes
• Update go.mod and go.sum

References

• Dependabot alerts: https://github.com/simulot/immich-go/security/dependabot
• Related to PR release: v0.31.0 #1211 (release v0.31.0)

Priority

Medium - These are existing vulnerabilities on the main branch and should be addressed in a follow-up PR after the v0.31.0 release.