fix: fix cve issue

[Yisaer]

Background

This PR addresses the SCA/CVE findings listed in ekuiper240b5.csv with the following principles:

• Do not remove functionality to “fix” vulnerabilities
• Keep pgx support intact
• Prioritize real runtime dependency issues, stale self-dependency chains, and test-only dependency findings that can be removed via upgrades or small code changes

Fixed / Mitigated in this PR

1. pgx / pgproto3

• Upgraded pgx from v4 to v5
• Removed the old pgx/v4 -> pgproto3/v2 dependency chain
• Fixed / eliminated:
  • CVE-2024-27304 (jackc/pgproto3 v1.1.0)
  • BDSA-2026-4422 (jackc/pgproto3 v2.3.3)

2. Stale self-dependency in tools/kubernetes

• Removed the dependency on old published github.com/lf-edge/ekuiper/v2 v2.3.1
• Replaced the tiny helper usage with a local equivalent implementation
• This removed the stale dependency tree that was reintroducing old vulnerable modules, including:
  • go-jose v2.6.3
    • BDSA-2023-3257
    • CVE-2024-28180
    • CVE-2025-27144
  • and the old pgproto3 v1.1.0 chain

3. Transitive dependency upgrades for optional paths

• Upgraded / pinned the following transitive dependencies:
  • runc -> v1.3.5
  • docker/cli -> v29.3.0
  • azidentity -> v1.13.1
  • azblob -> v1.6.4
  • jwt -> v3.2.2
  • jwt/v4 -> v4.5.2
  • nats-server -> v2.12.5
  • imaging -> patched revision
  • x/crypto -> v0.49.0
• This fixes or mitigates findings related to:
  • CVE-2019-16884
  • CVE-2025-31133
  • CVE-2025-52565
  • CVE-2025-52881
  • CVE-2025-15558
  • CVE-2024-35255
  • CVE-2024-51744
  • CVE-2025-30204
  • CVE-2025-30215
  • CVE-2026-27571
  • CVE-2023-47090
  • CVE-2023-36308

4. Isolated MySQL-backed integration test dependencies

• Added an explicit mysql_integration_test build tag to the embedded-MySQL integration test helper and the tests that depend on it
• This prevents the default dependency graph from pulling in the test-only chain:
  go-mysql-server -> go-kit -> nats-server
• This does not remove any runtime functionality; it only narrows the default test/dependency surface

Not fully fixed / requires rescan confirmation

1. yaml for Go v2.4.0

• Related finding:
  • CVE-2022-28948
• Current status:
  • This comes from internal/plugin/js -> github.com/dop251/goja -> goja.test -> gopkg.in/yaml.v2
  • It is part of an upstream test dependency, not a direct runtime dependency in this repo
  • The latest available goja version still keeps this dependency in its go.mod
• Conclusion:
  • This PR does not fully remove this finding
  • It should be handled after rescanning as a test-only / upstream-pending item

2. golang.org/x/crypto

• Related findings:
  • CVE-2017-3204
  • CVE-2019-11840
• Current status:
  • Upgraded to golang.org/x/crypto v0.49.0
  • The CSV finding references old v0.48.0
• Conclusion:
  • The dependency has already been upgraded in code
  • If the scanner still reports these findings, they are likely stale results or false positives and should be confirmed via rescan

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.75%. Comparing base (b38a763) to head (8a18367).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4014      +/-   ##
==========================================
- Coverage   71.88%   70.75%   -1.13%     
==========================================
  Files         460      459       -1     
  Lines       53275    53241      -34     
==========================================
- Hits        38292    37667     -625     
- Misses      12045    12653     +608     
+ Partials     2938     2921      -17     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.