chore(deps): replace yaml lib (#1960)

janisz · web-flow · commit 69ef6799ac9e · 2025-07-04T12:22:02.000+02:00
Signed-off-by: Tomasz Janiszewski &lt;tomek@redhat.com&gt;
diff --git a/cmd/clair/config.go b/cmd/clair/config.go
@@ -24,7 +24,7 @@ import (
 	"github.com/stackrox/scanner/database"
 	"github.com/stackrox/scanner/pkg/analyzer"
 	"github.com/stackrox/scanner/pkg/updater"
-	"gopkg.in/yaml.v2"
+	"go.yaml.in/yaml/v3"
 )
 
 // File represents a YAML configuration file that namespaces all
diff --git a/database/pgsql/pgsql.go b/database/pgsql/pgsql.go
@@ -31,7 +31,7 @@ import (
 	"github.com/stackrox/scanner/database/metrics"
 	"github.com/stackrox/scanner/database/pgsql/migrations"
 	"github.com/stackrox/scanner/pkg/commonerr"
-	"gopkg.in/yaml.v2"
+	"go.yaml.in/yaml/v3"
 )
 
 const (
diff --git a/ext/vulnsrc/alpine/alpine.go b/ext/vulnsrc/alpine/alpine.go
@@ -30,7 +30,7 @@ import (
 	"github.com/stackrox/scanner/ext/versionfmt/apk"
 	"github.com/stackrox/scanner/ext/vulnsrc"
 	"github.com/stackrox/scanner/pkg/fsutil"
-	"gopkg.in/yaml.v2"
+	"go.yaml.in/yaml/v3"
 )
 
 const (
diff --git a/go.mod b/go.mod
@@ -14,7 +14,6 @@ require (
 	github.com/distribution/reference v0.6.0
 	github.com/docker/distribution v2.8.3+incompatible
 	github.com/facebookincubator/nvdtools v0.1.5
-	github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32
 	github.com/go-git/go-billy/v5 v5.6.2
 	github.com/go-git/go-git/v5 v5.16.2
 	github.com/google/go-cmp v0.7.0
@@ -47,14 +46,15 @@ require (
 	go.etcd.io/bbolt v1.4.0
 	go.uber.org/goleak v1.3.0
 	go.uber.org/ratelimit v0.3.1
+	go.yaml.in/yaml/v3 v3.0.3
 	golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67
 	golang.org/x/sys v0.33.0
 	google.golang.org/api v0.239.0
 	google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822
 	google.golang.org/grpc v1.73.0
 	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1
 	google.golang.org/protobuf v1.36.6
-	gopkg.in/yaml.v2 v2.4.0
+	sigs.k8s.io/yaml v1.4.0
 )
 
 require (
@@ -93,6 +93,7 @@ require (
 	github.com/evanphx/json-patch v5.7.0+incompatible // indirect
 	github.com/facebookincubator/flog v0.0.0-20190930132826-d2511d0ce33c // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
@@ -178,6 +179,7 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/api v0.29.3 // indirect
 	k8s.io/apimachinery v0.29.3 // indirect
@@ -188,7 +190,6 @@ require (
 	nhooyr.io/websocket v1.8.11 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
 )
 
 // @stackrox/scanner
diff --git a/go.sum b/go.sum
@@ -759,6 +759,8 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/ratelimit v0.3.1 h1:K4qVE+byfv/B3tC+4nYWP7v/6SimcO7HzHekoMNBma0=
 go.uber.org/ratelimit v0.3.1/go.mod h1:6euWsTB6U/Nb3X++xEUXA8ciPJvr19Q/0h1+oDcJhRk=
+go.yaml.in/yaml/v3 v3.0.3 h1:bXOww4E/J3f66rav3pX3m8w6jDE4knZjGOw8b5Y6iNE=
+go.yaml.in/yaml/v3 v3.0.3/go.mod h1:tBHosrYAkRZjRAOREWbDnBXUf08JOwYq++0QNwQiWzI=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
diff --git a/pkg/vulnloader/istioloader/yaml.go b/pkg/vulnloader/istioloader/yaml.go
@@ -3,9 +3,9 @@ package istioloader
 import (
 	"io"
 
-	"github.com/ghodss/yaml"
 	"github.com/pkg/errors"
 	"github.com/stackrox/istio-cves/types"
+	"sigs.k8s.io/yaml"
 )
 
 // LoadYAMLFileFromReader loads the Istio CVE feed from the given io.Reader.
diff --git a/pkg/vulnloader/k8sloader/yaml.go b/pkg/vulnloader/k8sloader/yaml.go
@@ -3,9 +3,9 @@ package k8sloader
 import (
 	"io"
 
-	"github.com/ghodss/yaml"
 	"github.com/pkg/errors"
 	"github.com/stackrox/k8s-cves/pkg/validation"
+	"sigs.k8s.io/yaml"
 )
 
 // LoadYAMLFileFromReader loads the Kubernetes CVE feed from the given io.Reader.
diff --git a/pkg/vulnloader/nvdloader/enricher.go b/pkg/vulnloader/nvdloader/enricher.go
@@ -5,12 +5,12 @@ import (
 	"path/filepath"
 
 	"github.com/facebookincubator/nvdtools/vulndb"
-	"github.com/ghodss/yaml"
 	"github.com/go-git/go-billy/v5/memfs"
 	"github.com/go-git/go-git/v5"
 	"github.com/go-git/go-git/v5/storage/memory"
 	"github.com/pkg/errors"
 	"github.com/stackrox/dotnet-scraper/types"
+	"sigs.k8s.io/yaml"
 )
 
 const (

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ import (`
`24`	`24`	`"github.com/stackrox/scanner/database"`
`25`	`25`	`"github.com/stackrox/scanner/pkg/analyzer"`
`26`	`26`	`"github.com/stackrox/scanner/pkg/updater"`
`27`		`- "gopkg.in/yaml.v2"`
	`27`	`+ "go.yaml.in/yaml/v3"`
`28`	`28`	`)`
`29`	`29`
`30`	`30`	`// File represents a YAML configuration file that namespaces all`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ import (`
`31`	`31`	`"github.com/stackrox/scanner/database/metrics"`
`32`	`32`	`"github.com/stackrox/scanner/database/pgsql/migrations"`
`33`	`33`	`"github.com/stackrox/scanner/pkg/commonerr"`
`34`		`- "gopkg.in/yaml.v2"`
	`34`	`+ "go.yaml.in/yaml/v3"`
`35`	`35`	`)`
`36`	`36`
`37`	`37`	`const (`
Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ import (`
`30`	`30`	`"github.com/stackrox/scanner/ext/versionfmt/apk"`
`31`	`31`	`"github.com/stackrox/scanner/ext/vulnsrc"`
`32`	`32`	`"github.com/stackrox/scanner/pkg/fsutil"`
`33`		`- "gopkg.in/yaml.v2"`
	`33`	`+ "go.yaml.in/yaml/v3"`
`34`	`34`	`)`
`35`	`35`
`36`	`36`	`const (`
Original file line number	Diff line number	Diff line change
`@@ -3,9 +3,9 @@ package istioloader`
`3`	`3`	`import (`
`4`	`4`	`"io"`
`5`	`5`
`6`		`- "github.com/ghodss/yaml"`
`7`	`6`	`"github.com/pkg/errors"`
`8`	`7`	`"github.com/stackrox/istio-cves/types"`
	`8`	`+ "sigs.k8s.io/yaml"`
`9`	`9`	`)`
`10`	`10`
`11`	`11`	`// LoadYAMLFileFromReader loads the Istio CVE feed from the given io.Reader.`
Original file line number	Diff line number	Diff line change
`@@ -3,9 +3,9 @@ package k8sloader`
`3`	`3`	`import (`
`4`	`4`	`"io"`
`5`	`5`
`6`		`- "github.com/ghodss/yaml"`
`7`	`6`	`"github.com/pkg/errors"`
`8`	`7`	`"github.com/stackrox/k8s-cves/pkg/validation"`
	`8`	`+ "sigs.k8s.io/yaml"`
`9`	`9`	`)`
`10`	`10`
`11`	`11`	`// LoadYAMLFileFromReader loads the Kubernetes CVE feed from the given io.Reader.`