chore(deps): bump kbld from v0.48.1 to v0.49.1

[nikhilsagotiya]

What this PR does / why we need it:

Bumps kbld dependency from v0.48.1 to v0.49.1 to pick up the SHA-1 removal fix.

kbld v0.49.1 replaces crypto/sha1 with crypto/sha256 in the e2e packaging test, eliminating a cryptographic audit finding (SHA-1 is not FIPS-approved). Although the SHA-1 usage was in test-only code (//go:build e2e), the upstream fix has been merged and this bump brings kapp-controller in sync with the latest kbld release.

Reference: carvel-dev/kbld#598

Which issue(s) this PR fixes:

Fixes # (no separate issue filed — tracked via the upstream kbld PR above)

Does this PR introduce a user-facing change?

No — this is a dependency version bump. No API or behavioral changes for kapp-controller users.

Additional Notes for your reviewer:

Review Checklist:

• Follows the developer guidelines
• Relevant tests are added or updated
• Relevant docs in this repo added or updated
• Relevant carvel.dev docs added or updated in a separate PR and there's
  a link to that PR
• Code is at least as readable and maintainable as it was before this
  change

Additional documentation e.g., Proposal, usage docs, etc.:

Kbld PR: https://github.com/carvel-dev/kbld/pull/598

[sameerforge]

LGTM

[nikhilsagotiya]

Hi @joaopapereira , Could you please review this PR, Thanks.