fix: fix cve issue

[Yisaer]

Fixed CVE issues

• CVE-2026-2303
  Upgraded github.com/openziti/sdk-golang to go.mod:62, which in turn upgraded go.mongodb.org/mongo-driver to go.mod:376.
• CVE-2025-27144, CVE-2024-28180
  The old gopkg.in/go-jose/go-jose.v2 dependency is no longer required by the current main module after the openziti dependency upgrade.
• CVE-2026-26014
  The openziti dependency chain now pulls github.com/pion/dtls/v3 at v3.1.2 instead of the vulnerable v3.0.2.
• CVE-2025-54410, CVE-2025-15558
  Upgraded github.com/trinodb/trino-go-client to go.mod:78, which moved the transitive docker/docker and docker/cli dependencies away from the versions reported in the CSV.
• CVE-2019-16884, CVE-2024-45310, CVE-2024-21626, CVE-2025-31133, CVE-2025-52565, CVE-2025-52881
  The same trino-go-client upgrade also moved runc off 1.1.12 to 1.3.1.

False positives / stale scan findings

• CVE-2024-27304
  The CSV reports jackc/pgproto3 v1.1.0, but the current branch uses pgproto3/v2, so this is a stale finding.
• CVE-2025-30215, CVE-2026-27571, CVE-2023-47090
  These are reported against nats-server v2.8.4, but the current main module does not require nats-server; it uses nats.go. These should be treated as false positives.
• CVE-2024-45339
  Reported against golang/glog v1.2.2, which is not required by the current main module.
• CVE-2023-36308
  Reported against disintegration/imaging v1.6.2, which is not required by the current main module.
• CVE-2022-28948
  Reported against yaml.v2, but this only appears through a test path (goja.test) and should not be treated as a runtime vulnerability in the current build.

Not yet confirmed as fixed

• CVE-2024-35255
  github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 is still present through gosnowflake -> azblob@v1.0.0 -> azidentity@v1.1.0. This is not resolved yet.
• CVE-2024-51744, CVE-2025-30204
  The github.com/golang-jwt/jwt v3.2.1 path is still present through azblob -> azidentity -> jwt, so this cannot be claimed as fixed yet.
• CVE-2024-51744, CVE-2025-30204
  The CSV reported github.com/golang-jwt/jwt/v4 v4.5.0 on the old trino path, which has been replaced, but the current dependency graph still contains another jwt/v4@v4.0.0 path. This still needs a rescan and f
  ollow-up.
• CVE-2026-27141
  golang.org/x/net is now at go.mod:387, but go-adodb itself has no newer upstream release. This needs a rescan to confirm whether the finding is gone.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 71.83%. Comparing base (c0d7792) to head (5663159).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4012      +/-   ##
==========================================
- Coverage   71.88%   71.83%   -0.05%     
==========================================
  Files         460      460              
  Lines       53275    53275              
==========================================
- Hits        38293    38265      -28     
- Misses      12045    12063      +18     
- Partials     2937     2947      +10     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.