fix(deps): bump golang.org/x/crypto and migrate yaml.v3 to maintained fork #3009

Open

jeremylem wants to merge 1 commit into Permify:master from jeremylem:fix/security-deps-x-crypto-yaml

Conversation

jeremylem commented Jun 19, 2026

Summary

This PR resolves two security findings reported by container image scanners against the v1.7.1 release:

  1. CVEs in golang.org/x/crypto v0.51.0, all in the ssh subpackage. Bumped to v0.53.0 (latest as of 2026-06-19), which contains the upstream fixes (GO-2026-5005, 5006, 5013, 5014, 5015, 5016, 5017, 5018, 5019, 5020, 5021, 5023, 5033).
  2. gopkg.in/yaml.v3 v3.0.1 end-of-life: the upstream go-yaml/yaml repository was archived in April 2024 and will not receive further patches. Migrated the two runtime imports to go.yaml.in/yaml/v3 v3.0.4, the actively maintained community successor that was already present in this repo as an indirect dependency.

Changes

  • go.mod / go.sum: bump golang.org/x/crypto to v0.53.0; promote go.yaml.in/yaml/v3 from indirect to direct require; drop the direct require on gopkg.in/yaml.v3. Routine go mod tidy also bumps golang.org/x/sync, sys, term, text, and tools to current patch versions.
  • pkg/development/file/decoder.go and pkg/development/development.go: swap the yaml import path. No API or behaviour changes: go.yaml.in/yaml/v3 is a drop-in replacement that exports the same yaml.Marshal / yaml.Unmarshal.

Note: gopkg.in/yaml.v3 still appears as // indirect in go.mod because golangci-lint (a build-time developer tool) transitively requires it. It is not in the production binary's call graph.

Verification

  • go build ./cmd/permify: ok
  • go vet ./...: ok
  • go test ./pkg/development/...: ok
  • govulncheck ./cmd/permify (source mode): No vulnerabilities found
  • govulncheck -mode=binary against the resulting binary: No vulnerabilities found

Before this change, govulncheck reported 13 SSH-subpackage vulnerabilities present in the binary (none reachable from main per source-mode analysis, but still flagged by container scanners). After this change, both modes return clean.

Compatibility

  • go.yaml.in/yaml/v3 v3.0.x has the same public API as gopkg.in/yaml.v3 v3.0.x: the migration is a straight import-path rename, no code adjustments needed.
  • golang.org/x/crypto v0.53.0 is API-compatible with v0.51.0.

Summary by CodeRabbit

  • Chores
    • Updated Go module dependencies including security, cryptography, and system-level libraries to their latest versions.
    • Migrated YAML library implementation for improved compatibility and long-term maintenance.
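The Verification and Note sections above hinge on what a container scanner actually reads: the module list the Go linker embeds in the binary (the same data `go version -m` prints), not go.mod. The following is an added example, not code from this PR or from the Permify project, that reproduces that scanner-side check with the standard library's runtime/debug.ParseBuildInfo: it flags any linked dependency below a minimum fixed version or coming from an archived module path. The minimum version, the archived module path and the two sample listings are assumptions taken from the PR text; the `h1:` sums are placeholders, not real checksums.

```go
package main

import (
	"fmt"
	"runtime/debug"
	"strconv"
	"strings"
)

// Finding is one policy violation found in a binary's embedded module list.
type Finding struct {
	Module  string
	Version string
	Reason  string
}

// Policy inputs. Assumption: both tables are taken from the PR text, not from a
// vulnerability database.
var (
	// first version that carries the fix for a module's known vulnerabilities
	minimumVersions = map[string]string{"golang.org/x/crypto": "v0.53.0"}
	// archived module path -> maintained successor
	archivedModules = map[string]string{"gopkg.in/yaml.v3": "go.yaml.in/yaml/v3"}
)

// parseSemver turns "vMAJOR.MINOR.PATCH" into three integers. A pre-release or
// build suffix after '-' or '+' is dropped, so a pseudo-version such as
// v0.0.0-20240101000000-abcdef123456 compares as v0.0.0 and never looks newer
// than a tagged release.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not a vMAJOR.MINOR.PATCH version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad version component %q: %w", p, err)
		}
		out[i] = n
	}
	return out, nil
}

// olderThan reports whether version a sorts strictly below version b.
func olderThan(a, b string) (bool, error) {
	av, err := parseSemver(a)
	if err != nil {
		return false, err
	}
	bv, err := parseSemver(b)
	if err != nil {
		return false, err
	}
	for i := range av {
		if av[i] != bv[i] {
			return av[i] < bv[i], nil
		}
	}
	return false, nil
}

// Audit parses build info in the format printed by `go version -m` and returns
// one Finding per linked dependency that is below its minimum version or comes
// from an archived module path. Build-only tools never appear here, because
// the linker records only modules that contributed packages to the binary.
func Audit(buildInfo string) ([]Finding, error) {
	bi, err := debug.ParseBuildInfo(buildInfo)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, dep := range bi.Deps {
		path, version := dep.Path, dep.Version
		if dep.Replace != nil { // a replace directive decides what was linked
			path, version = dep.Replace.Path, dep.Replace.Version
		}
		if floor, ok := minimumVersions[path]; ok {
			// An unparseable version fails closed: it is reported as below the floor.
			if old, err := olderThan(version, floor); err != nil || old {
				findings = append(findings, Finding{path, version, "below minimum " + floor})
			}
		}
		if successor, ok := archivedModules[path]; ok {
			findings = append(findings, Finding{path, version, "archived upstream; migrate to " + successor})
		}
	}
	return findings, nil
}

// Constructed `go version -m` style listings for the binary before and after
// the PR (assumption: modelled on the PR text, not captured from a real build).
const beforeInfo = "path\tgithub.com/Permify/permify/cmd/permify\n" +
	"mod\tgithub.com/Permify/permify\t(devel)\n" +
	"dep\tgolang.org/x/crypto\tv0.51.0\th1:placeholder\n" +
	"dep\tgopkg.in/yaml.v3\tv3.0.1\th1:placeholder\n"

const afterInfo = "path\tgithub.com/Permify/permify/cmd/permify\n" +
	"mod\tgithub.com/Permify/permify\t(devel)\n" +
	"dep\tgolang.org/x/crypto\tv0.53.0\th1:placeholder\n" +
	"dep\tgo.yaml.in/yaml/v3\tv3.0.4\th1:placeholder\n"

func main() {
	for _, info := range []string{beforeInfo, afterInfo} {
		findings, err := Audit(info)
		fmt.Println(len(findings), "finding(s), err:", err)
		for _, f := range findings {
			fmt.Printf("  %s %s: %s\n", f.Module, f.Version, f.Reason)
		}
	}
}
```

To run this against a real artefact, feed it the output of `go version -m <binary>` instead of the constructed constants. Because the embedded list contains only modules that were linked, a build-time tool's transitive require (the golangci-lint case in the note above) does not surface here even though go.mod still carries it as `// indirect`; that is the distinction between what govulncheck -mode=binary and a container scanner see, and what a go.mod grep sees.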

… fork

Resolves SSH-subpackage CVEs in golang.org/x/crypto and removes the runtime
dependency on the archived gopkg.in/yaml.v3 module.

Changes:
- golang.org/x/crypto v0.51.0 -> v0.53.0 (indirect, fixes GO-2026-5005,
  5006, 5013, 5014, 5015, 5016, 5017, 5018, 5019, 5020, 5021, 5023, 5033)
- gopkg.in/yaml.v3 v3.0.1 -> go.yaml.in/yaml/v3 v3.0.4: migrate the two
  runtime imports in pkg/development/file/decoder.go and
  pkg/development/development.go to the maintained successor module.

The previous module path gopkg.in/yaml.v3 was archived upstream in
April 2024 and will not receive future patches. go.yaml.in/yaml/v3 is
the actively maintained community fork and was already present as an
indirect dependency in this repo.

Verification:
- go build ./cmd/permify: ok
- go vet ./...: ok
- go test ./pkg/development/...: ok
- govulncheck ./cmd/permify (source mode): No vulnerabilities found
- govulncheck -mode=binary on the resulting binary: No vulnerabilities found

github-actions Bot commented Jun 19, 2026


All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

coderabbitai Bot commented Jun 19, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
βš™οΈ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7896e0aa-de96-48a3-ad7d-e1280cd07427

📥 Commits

Reviewing files that changed from the base of the PR and between aa3a7c6 and 5720e90.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • go.mod
  • pkg/development/development.go
  • pkg/development/file/decoder.go

πŸ“ Walkthrough

Walkthrough

Two source files (pkg/development/development.go and pkg/development/file/decoder.go) replace their YAML v3 import path from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3. Correspondingly, go.mod promotes go.yaml.in/yaml/v3 to a direct dependency and bumps several golang.org/x/* indirect packages.

Changes

YAML library migration and dependency bump

Layer: YAML import path change in source files
File(s): pkg/development/development.go, pkg/development/file/decoder.go
Summary: Both files replace gopkg.in/yaml.v3 with go.yaml.in/yaml/v3; marshal/unmarshal call sites are unchanged.

Layer: go.mod: direct YAML dependency and x/* version bumps
File(s): go.mod
Summary: go.yaml.in/yaml/v3 is promoted from indirect to direct; golang.org/x/sync, mod, term, crypto, sys, text, and tools are bumped; gopkg.in/yaml.v3 is moved to a later require block as indirect.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

πŸ‡ Hippity hop, a new YAML path,
From gopkg.in down a different math,
go.yaml.in is where we now roam,
With x/crypto and friends finding home.
The module is tidy, the rabbit delights β€”
Updated deps shine like carrots at night! πŸ₯•

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title directly matches the main changes: bumping golang.org/x/crypto and migrating yaml.v3 to the maintained fork go.yaml.in/yaml/v3, addressing security vulnerabilities and dependency maintenance issues.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


jeremylem (Author) commented

I have read the CLA Document and I hereby sign the CLA

github-actions Bot added a commit that referenced this pull request Jun 19, 2026