chore: bump github.com/goccy/go-yaml to v1.18.0 to fix crypto vulnerabilities #199
ivanbron wants to merge 1 commit into gookit:master from
Conversation
hello @inhere
a05094e to d2bb515
Pull Request Overview
This PR updates the github.com/goccy/go-yaml dependency from v1.12.0 to v1.18.0 to address security vulnerabilities in transitive crypto dependencies. The update also modernizes the Go version requirements and removes obsolete dependencies.
- Updated go-yaml dependency from v1.12.0 to v1.18.0 for security fixes
- Bumped Go version requirement from 1.19 to 1.21.0 and added toolchain specification
- Cleaned up indirect dependencies that are no longer required
Hmmm, looks like go-yaml requires at least Go 1.21.0. Is this a blocker to generate a new release of this lib?
Yes, I wanted to upgrade go-yaml when I updated my dependencies the other day, but it needed go1.21+. I don't know what impact it will have on downstream dependencies after upgrading, so it was not upgraded.
I see. Is there any plan to upgrade old dependencies any time soon?
fixed: github.com/goccy/go-yaml from v1.12.0 to v1.18.0 on master
📌 Description
This PR updates the dependency github.com/goccy/go-yaml from v1.12.0 to v1.18.0.
The previous version (v1.12.0) was pulling in an outdated release of golang.org/x/crypto that contained known security vulnerabilities. Upgrading to v1.18.0 removes those insecure transitive dependencies and ensures the project uses a maintained, patched version.
✅ Benefits
- Eliminates vulnerabilities inherited from old golang.org/x/crypto versions
- Keeps the project aligned with the latest stable and secure go-yaml release
- No breaking API changes expected, as the update stays within the v1.x series
🔍 Notes
- Ran go mod tidy to update go.mod and go.sum accordingly
- Verified that no regressions or breaking changes are introduced
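As an added check (example code written for this page, not part of this PR or the gookit project), the Go program below does in code what a reviewer of this bump would do by hand: parse go.mod, confirm go-yaml is pinned at or above v1.18.0, and confirm the `go` directive meets the 1.21.0 floor that the new go-yaml imposes according to the comments above. The go.mod text is constructed; the module path example.com/assumed/config and the x/crypto version inside it are assumptions, not values taken from the project.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod text (not gookit's real file): the module path and
// the x/crypto version are illustrative; go-yaml v1.18.0 and "go 1.21.0"
// mirror the post-PR state described in the discussion above.
const sampleGoMod = `module example.com/assumed/config

go 1.21.0

require (
	github.com/goccy/go-yaml v1.18.0
	golang.org/x/crypto v0.35.0 // indirect
)
`

type ModFile struct {
	GoVersion string            // value of the "go" directive
	Require   map[string]string // module path -> pinned version (direct and indirect)
}

// ParseGoMod extracts the go and require directives (single-line and block forms).
func ParseGoMod(src string) ModFile {
	mf := ModFile{Require: map[string]string{}}
	inBlock := false
	for _, line := range strings.Split(src, "\n") {
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" and other comments
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			mf.Require[f[0]] = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) >= 3:
			mf.Require[f[1]] = f[2]
		case f[0] == "go" && len(f) == 2:
			mf.GoVersion = f[1]
		}
	}
	return mf
}

// CompareVersions orders versions such as "1.21", "v1.18.0" or "go1.24.0" on their
// first three numeric parts, ignoring any pre-release/build suffix. Returns -1, 0 or 1.
func CompareVersions(a, b string) int {
	parse := func(v string) [3]int {
		v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
		if i := strings.IndexAny(v, "-+"); i >= 0 {
			v = v[:i]
		}
		var out [3]int // missing or non-numeric parts count as 0, so "1.21" == "1.21.0"
		for i, p := range strings.SplitN(v, ".", 3) {
			out[i], _ = strconv.Atoi(p)
		}
		return out
	}
	x, y := parse(a), parse(b)
	for i := range x {
		if x[i] < y[i] {
			return -1
		}
		if x[i] > y[i] {
			return 1
		}
	}
	return 0
}

// CheckBump reports findings when dep is missing or pinned below minDep, or when the
// go directive is below minGo (the floor the bumped dep imposes). Empty means consistent.
func CheckBump(mf ModFile, dep, minDep, minGo string) []string {
	var findings []string
	if got, ok := mf.Require[dep]; !ok {
		findings = append(findings, dep+" is not required")
	} else if CompareVersions(got, minDep) < 0 {
		findings = append(findings, fmt.Sprintf("%s is %s, below %s", dep, got, minDep))
	}
	if mf.GoVersion == "" || CompareVersions(mf.GoVersion, minGo) < 0 {
		findings = append(findings, fmt.Sprintf("go directive %q is below %s, required by %s", mf.GoVersion, minGo, dep))
	}
	return findings
}

func main() {
	fmt.Println(CheckBump(ParseGoMod(sampleGoMod), "github.com/goccy/go-yaml", "v1.18.0", "1.21.0"))
}
```

To run it against a real module, read go.mod into the string passed to ParseGoMod. The check only establishes that the pinned versions are consistent with the stated requirement; it says nothing about whether a vulnerable function in a transitive dependency is actually reachable. For that, run `govulncheck ./...` after the bump and record its output in the PR instead of relying on version numbers alone.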