chore: dependency updates + transitive CVE fixes#138

Open
kendraash wants to merge 3 commits into
mainfrom
squire/update-deps

Conversation

@kendraash kendraash commented Jun 17, 2026

What

Dependency maintenance across three commits.

1. Requested dependency bumps (minor/patch)

Direct:

  • github.com/jackc/pgx/v5 v5.7.4 → v5.10.0
  • golang.org/x/text v0.36.0 → v0.38.0
  • google.golang.org/grpc v1.81.0 → v1.81.1

Indirect:

  • golang.org/x/crypto v0.50.0 → v0.53.0
  • golang.org/x/net v0.53.0 → v0.56.0
  • golang.org/x/sync v0.20.0 → v0.21.0
  • golang.org/x/sys v0.43.0 → v0.46.0
  • golang.org/x/term v0.42.0 → v0.44.0

2. Patch bumps

  • github.com/google/cel-go v0.28.0 → v0.28.1
  • github.com/vertica/vertica-sql-go v1.3.5 → v1.3.6

3. Security: transitive CVE fixes

An OSV scan of the full dependency tree flagged advisories in reachable transitive deps. Patched:

  • github.com/go-viper/mapstructure/v2 v2.2.1 → v2.4.0 — GO-2025-3787, GO-2025-3900 (log info-leak)
  • github.com/golang-jwt/jwt/v5 v5.2.1 → v5.2.2 — GO-2025-3553 (DoS, header parsing)
  • go.mongodb.org/mongo-driver v1.17.4 → v1.17.7 — GHSA-cp6g-7hqx-qxhp (heap OOB read, GSSAPI)

Not included (present in the module graph but not compiled into the binary, so not exploitable here): quic-go (GHSA-vvgj-x9jq-8cj9), logrus (GO-2025-4188).

How

go get (pinned versions) → go mod tidy → go mod vendor for each group.

Verification

  • go build ./...
  • go test ./... (all packages pass)
  • ✅ OSV recheck: all three security bumps report clean

🤖 Generated with Claude Code

Bump direct deps pgx/v5 (v5.10.0), golang.org/x/text (v0.38.0), and
grpc (v1.81.1), plus indirect golang.org/x/{crypto,net,sync,sys,term}.
Re-vendored; build and tests pass.

Co-authored-by: c1-squire-dev[bot] <c1-squire-dev[bot]@users.noreply.github.com>

Patch-level updates: google/cel-go v0.28.0 -> v0.28.1 and
vertica/vertica-sql-go v1.3.5 -> v1.3.6. Both CVE-clean; re-vendored,
build and tests pass.

Co-authored-by: c1-squire-dev[bot] <c1-squire-dev[bot]@users.noreply.github.com>

@github-actions github-actions Bot left a comment

No blocking issues found.

Resolves advisories in reachable transitive dependencies:
- go-viper/mapstructure/v2 v2.2.1 -> v2.4.0 (GO-2025-3787, GO-2025-3900)
- golang-jwt/jwt/v5 v5.2.1 -> v5.2.2 (GO-2025-3553)
- go.mongodb.org/mongo-driver v1.17.4 -> v1.17.7 (GHSA-cp6g-7hqx-qxhp)

OSV recheck reports all three clean; re-vendored, build and tests pass.

Co-authored-by: c1-squire-dev[bot] <c1-squire-dev[bot]@users.noreply.github.com>
@kendraash kendraash changed the title chore: update pgx, grpc, and golang.org/x dependencies chore: dependency updates + transitive CVE fixes Jun 18, 2026
@kendraash kendraash marked this pull request as ready for review June 18, 2026 18:00

Connector PR Review: chore: dependency updates + transitive CVE fixes

Blocking Issues: 0 | Suggestions: 1 | Threads Resolved: 0
Criteria: Criteria status: none loaded - .claude/skills/ci-review.md was not found at trusted base db2336fd1f87.
Review mode: full

Review Summary

Scanned the full PR diff for security and correctness. This is a dependency-maintenance PR with no source-code changes: go.mod, go.sum, and vendor/modules.txt are mutually consistent, and every version bump matches the PR description (direct: cel-go, pgx/v5, vertica-sql-go, x/text, grpc; security: mapstructure v2.4.0, golang-jwt/jwt/v5 v5.2.2, mongo-driver v1.17.7). The repo's go 1.25.2 directive satisfies the bumped modules that now require go 1.25.0 (e.g. pgx v5.10.0). No blocking issues found.

Security Issues

None found.

Correctness Issues

None found.

Suggestions

  • vendor/modules.txt: golang-jwt/jwt/v5 v5.2.2 is listed with no vendored packages, so it is not compiled into this binary; the PR text describing it as a "reachable transitive dep compiled into the binary" is slightly inaccurate. The bump is harmless and defensible as a pre-emptive pin (low confidence).
Prompt for AI agents

```
Verify each finding against the current code and only fix it if needed.

Suggestions

In `vendor/modules.txt` (and the PR description):

  • The module `github.com/golang-jwt/jwt/v5 v5.2.2` appears in modules.txt without any
    vendored package paths under it, meaning no package from it is imported/compiled into
    the binary. The PR description lists jwt among "reachable transitive deps compiled into
    the binary." Either correct the PR description to note jwt is in the module graph but
    not compiled, or leave the version pin as a pre-emptive/defensive bump. No code change
    required; this is a documentation-accuracy nit.
```

@kendraash kendraash requested a review from a team June 18, 2026 18:00
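Added example, not code from this PR or from the project: a small Go check that reads the vendor/modules.txt format and reports modules that appear in the module graph but vendor no package, which is the distinction the review suggestion above draws for golang-jwt/jwt/v5. The modules.txt excerpt is constructed for the example; a real run would read the file from disk.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed excerpt in vendor/modules.txt format (not the project's real file):
// "# module version" opens a module block, "## ..." is module metadata, and every
// following non-comment line is a package path that is actually vendored.
const sampleModulesTxt = `# github.com/go-viper/mapstructure/v2 v2.4.0
## explicit; go 1.18
github.com/go-viper/mapstructure/v2
github.com/go-viper/mapstructure/v2/internal/errors
# github.com/golang-jwt/jwt/v5 v5.2.2
## explicit; go 1.18
`

// NotCompiled returns, sorted, the "module version" entries that list no vendored
// package: such a module is in the graph but contributes no code to the binary, so
// a CVE bump there is a pre-emptive pin rather than a fix for reachable code.
func NotCompiled(modulesTxt string) []string {
	count := map[string]int{} // packages vendored per module
	current := ""
	for _, raw := range strings.Split(modulesTxt, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "" || strings.HasPrefix(line, "## "):
			continue // blank line or metadata such as "## explicit"
		case strings.HasPrefix(line, "# "):
			current = strings.TrimPrefix(line, "# ")
			count[current] = 0 // register the module before any package line
		case current != "":
			count[current]++
		}
	}
	var out []string
	for mod, n := range count {
		if n == 0 {
			out = append(out, mod)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println("in module graph but not compiled:", NotCompiled(sampleModulesTxt))
}
```

Run against the real vendor/modules.txt, the output is the list of modules for which an OSV finding cannot be reachable through vendored code, which is the check the PR description's "compiled into the binary" claim rests on.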

@github-actions github-actions Bot left a comment

No blocking issues found.
