fix(deps): update module github.com/crossplane/crossplane/apis/v2 to v2.3.3

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/crossplane/crossplane/apis/v2	v2.3.2 → v2.3.3

---

Release Notes

crossplane/crossplane (github.com/crossplane/crossplane/apis/v2)

v2.3.3

Compare Source

v2.3.3 is a patch release scoped to fixing issues reported by users of Crossplane v2.3 and fixing security related issues in Crossplane's dependencies.

🎉 Highlights

• Fixed package signature verification TOCTOU (GHSA-mf7q-r4rv-jv94): A time-of-check-to-time-of-use flaw could let a malicious OCI registry pass signature verification with a signed image and then serve unsigned content for installation. For v2.3 this fix ships via the crossplane-runtime v2.3.3 bump in #​7541, since the affected code moved from crossplane to crossplane-runtime during the v2.3 milestone. See the crossplane-runtime v2.3.3 release notes for the full details.
• Correct namespace on injected resource refs in crossplane render: crossplane render previously set a namespace on every injected resource reference, which is inaccurate for namespaced XRs (whose resource refs are local and carry no namespace) and broke composition functions with strict schemas, such as the generated KCL bindings used in control plane projects. Render now matches the real reconciler and sets the namespace only for cluster-scoped XRs. Backported in #​7525, originally fixed in #​7523.
• Dependency security updates: This release also bumps the Go toolchain to 1.25.11 and golang.org/x/net and golang.org/x/sys in the apis module to pick up CVE fixes (#​7530). See ## What's Changed below for the full list.

What's Changed

• [Backport release-2.3] render: Set namespace on injected resource refs only for cluster-scoped XRs by @​github-actions[bot] in #​7525
• [release-2.3] bump Go to 1.25.11 and apis golang.org/x/net, x/sys for CVEs [security] by @​phisco in #​7530
• Update crossplane-runtime to v2.3.3 by @​lsviben in #​7541

Full Changelog: crossplane/crossplane@v2.3.2...v2.3.3

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.10 -> 1.25.11

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.