Comparing changes
base repository: pluralsh/plural-cli
base: v0.12.44
head repository: pluralsh/plural-cli
compare: v0.12.45
- 7 commits
- 21 files changed
- 4 contributors
Commits on Apr 4, 2026
fix: upgrade go-jose/go-jose/v4 from v4.1.3 to v4.1.4 to address JWE decryption panic vulnerability (#719)
This update addresses a denial of service vulnerability in Go JOSE where decrypting a JSON Web Encryption (JWE) object can panic if the `alg` field indicates a key wrapping algorithm and the `encrypted_key` field is empty. The panic occurs in cipher.KeyUnwrap() when attempting to allocate a slice with a zero or negative length.
Co-authored-by: Michael Guarino <[email protected]>
Commit 8fe1d0e
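The condition described in the commit message above (a key wrapping `alg` with an empty `encrypted_key`) can be rejected before a token ever reaches a decryption library. This is an added example, not code from the commit or from go-jose; `PrecheckCompactJWE`, `ErrEmptyWrappedKey` and `Sample` are hypothetical names, it handles the compact serialization only, and it assumes that "key wrapping algorithm" means any `alg` whose name ends in `KW`.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrEmptyWrappedKey marks a JWE that names a key-wrapping alg but carries no wrapped key.
var ErrEmptyWrappedKey = errors.New("jwe: key-wrapping alg with empty encrypted_key")

// PrecheckCompactJWE inspects a compact JWE before it is handed to a decryption library.
// Compact layout (RFC 7516): header.encrypted_key.iv.ciphertext.tag
func PrecheckCompactJWE(token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return fmt.Errorf("jwe: expected 5 segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return fmt.Errorf("jwe: bad protected header: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return fmt.Errorf("jwe: bad protected header JSON: %w", err)
	}
	// Assumption: any alg ending in "KW" wraps the content key, so segment 2 must be present.
	if strings.HasSuffix(hdr.Alg, "KW") && parts[1] == "" {
		return ErrEmptyWrappedKey
	}
	return nil
}

// Sample builds a constructed token; the iv, ciphertext and tag segments are placeholders.
func Sample(alg, encKey string) string {
	h := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"` + alg + `","enc":"A128GCM"}`))
	return strings.Join([]string{h, encKey, "aXY", "Y3Q", "dGFn"}, ".")
}

func main() {
	for _, tok := range []string{Sample("A128KW", ""), Sample("A128KW", "d3JhcHBlZA"), Sample("dir", "")} {
		fmt.Println(PrecheckCompactJWE(tok))
	}
}
```

A `dir` token legitimately has an empty `encrypted_key`, which is why the check keys on the algorithm name rather than on the empty segment alone.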
Commits on Apr 9, 2026
plural up ux improvements (#716)
* plural up ux improvements
* linter
* revert aws.go
* fix dry-run
* add byok
* install agent
* update
* clean up
* linter
* update prune BYOK
Commit 93b5487
Commits on Apr 10, 2026
allow http urls in plural up (#721)
* allow http urls in plural up
* linter
Commit cb47ec5
Commits on Apr 11, 2026
Upgrade Go to 1.26.2 to fix crypto/x509 CVE (#722)
This commit upgrades the Go version from 1.26.1 to 1.26.2 to address the crypto/x509 vulnerability (CVE affecting certificate chain validation). The vulnerability causes denial of service via inefficient certificate chain validation when certificates contain a very large number of policy mappings.
Changes:
- Updated go.mod: go directive from 1.26.1 to 1.26.2
- Updated Dockerfile: golang base images from 1.26.1-alpine3.22 to 1.26.2-alpine3.22
Testing:
- go mod tidy: completed successfully with no dependency changes
- go build: binary compiled successfully (117MB)
- go test: all unit tests passed
- docker build: image built successfully (749MB) and tested
Fix Version: 1.26.2
Previous Version: 1.26.1
Package: stdlib
Co-authored-by: Michael Guarino <[email protected]>
Commit 3be6d6b
Fix AWS SDK for Go v2 EventStream DoS vulnerability (#724)
Upgraded github.com/aws/aws-sdk-go-v2/service/s3 from v1.79.3 to v1.97.3 to address CVE affecting EventStream header decoder. This fixes a denial of service vulnerability where malformed EventStream responses could cause process termination.
CVE Details:
- Severity: Medium (CVSS 5.9)
- Impact: Denial of Service due to panic in EventStream decoder
- Fixed in: AWS SDK release 2026-03-23 and above
Changes:
- Updated github.com/aws/aws-sdk-go-v2/service/s3 to v1.97.3
- Updated github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream to v1.7.8
- Updated related AWS SDK v2 dependencies via go mod tidy
Verification:
- Code compiles successfully with upgraded SDK
- No breaking API changes detected
- Docker build verified
Co-authored-by: Michael Guarino <[email protected]>
Commit 5dd9e36
fix(security): upgrade go.opentelemetry.io/otel/sdk to v1.43.0 to fix PATH hijacking vulnerability (#725)
Upgraded OpenTelemetry Go SDK from v1.40.0 to v1.43.0 to address CVE-2026-24051. The vulnerability allowed PATH hijacking attacks on BSD and Solaris platforms due to the BSD kenv command not using an absolute path.
Also upgraded related OpenTelemetry packages to maintain compatibility:
- go.opentelemetry.io/otel: v1.40.0 -> v1.43.0
- go.opentelemetry.io/otel/metric: v1.40.0 -> v1.43.0
- go.opentelemetry.io/otel/sdk/metric: v1.40.0 -> v1.43.0
- go.opentelemetry.io/otel/trace: v1.40.0 -> v1.43.0
Co-authored-by: Michael Guarino <[email protected]>
Co-authored-by: Claude Opus 4.6 <[email protected]>
Commit 8c79c4e
Upgrade Helm to v3.20.2 to fix CVE security vulnerability (#726)
This commit upgrades helm.sh/helm/v3 from v3.20.0 to v3.20.2 to address a security vulnerability related to Chart.yaml extraction directory collapse. The vulnerability allowed specially crafted Charts to write contents to the immediate output directory rather than the expected subdirectory during 'helm pull --untar' operations.
Changes:
- Updated go.mod: helm.sh/helm/v3 v3.20.0 -> v3.20.2
- Updated go.sum with new dependency checksums
Build verification completed successfully.
Co-authored-by: Michael Guarino <[email protected]>
Co-authored-by: Claude Opus 4.6 <[email protected]>
Commit 7594f35
You can try running this command locally to see the comparison on your machine:
git diff v0.12.44...v0.12.45
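To confirm that a checkout or fork actually carries the fixed versions named in the commit messages above, the `go.mod` pins can be compared against those floors. This is an added example, not part of plural-cli; `Floors`, `BelowFloor` and `SampleGoMod` are hypothetical names, the sample `go.mod` is constructed, the full `github.com/go-jose/go-jose/v4` module path is assumed from the short name in the commit title, and `replace` directives are not interpreted.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Floors holds the fixed versions stated in the v0.12.45 commit messages.
var Floors = map[string]string{
	"go":                             "1.26.2",
	"github.com/go-jose/go-jose/v4":  "v4.1.4",
	"github.com/aws/aws-sdk-go-v2/service/s3":               "v1.97.3",
	"github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream": "v1.7.8",
	"go.opentelemetry.io/otel/sdk":   "v1.43.0",
	"helm.sh/helm/v3":                "v3.20.2",
}

// SampleGoMod is a constructed go.mod fragment mixing pre-fix and post-fix pins.
const SampleGoMod = "go 1.26.1\nrequire (\n\tgithub.com/go-jose/go-jose/v4 v4.1.3\n\thelm.sh/helm/v3 v3.20.2\n\tgo.opentelemetry.io/otel/sdk v1.43.0 // indirect\n)\n"

// older reports whether a sorts before b on numeric major.minor.patch.
// A suffixed patch such as "3-rc1" parses as 0, which errs towards flagging.
func older(a, b string) bool {
	num := func(v string) (n [3]int) {
		for i, p := range strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return
	}
	x, y := num(a), num(b)
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// BelowFloor returns one "module have < want" line per pin older than its floor.
func BelowFloor(gomod string) (out []string) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[1] != "=>" && Floors[f[0]] != "" && older(f[1], Floors[f[0]]) {
			out = append(out, fmt.Sprintf("%s %s < %s", f[0], f[1], Floors[f[0]]))
		}
	}
	return
}

func main() { fmt.Println(strings.Join(BelowFloor(SampleGoMod), "\n")) }
```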