
Revert "chore(deps): update security updates (major)"#134

Merged
NumaryBot merged 1 commit into main from revert-132-renovate/major-security
Mar 20, 2026

Conversation

flemzord (Member) commented Mar 20, 2026

Reverts #132

Summary by CodeRabbit

  • Chores
    • Updated and downgraded multiple dependency versions across authentication libraries, utility packages, and development tools
    • Application code and exposed APIs remain unchanged

coderabbitai bot commented Mar 20, 2026

📝 Walkthrough

The pull request downgrades multiple direct and indirect dependencies to older major versions in go.mod, including go-libs, OIDC, jose, backoff, jwx, shortuuid, and yaml packages. No code logic or control flow is modified.

Changes

Cohort / File(s): Dependency Downgrades (go.mod)
Summary: Multiple direct and indirect dependency major versions decreased: go-libs v4→v3, zitadel/oidc v3→v2, go-jose v4→v2, backoff v5→v4, docker/cli v29→v27, jwx v3→unversioned, shortuuid v4→v3, ulid v2→unversioned, xsync v4→v3, yaml v3→v2.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Down we hop from version peaks so high,
The libs and oidc streams now unify,
Where jose and yaml take simpler ways,
Our code shall dance through downgrade days! 🎪

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: reverting a previous security update commit, which matches the changeset that downgrades multiple Go module dependencies.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 73: Update the module requirement for github.com/docker/cli from
v27.3.1+incompatible to v29.2.0 (or later) in go.mod and then re-resolve the
module graph (e.g., run go get github.com/docker/cli@v29.2.0 and go mod tidy) so
the dependency is upgraded and the lockfiles are refreshed; verify the upgrade
(go list -m all or go mod verify) to ensure the CVE-fixed version is used.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL


📥 Commits

Reviewing files that changed from the base of the PR and between 4eeb0a6 and 2d75571.

📒 Files selected for processing (1)
  • go.mod

github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
github.com/docker/cli v29.3.0+incompatible // indirect
github.com/docker/cli v27.3.1+incompatible // indirect
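Review bot: The github.com/docker/cli line should not go back to v27.3.1+incompatible: that is exactly the version the OSV scanner flags later in this thread for GHSA-p436-gjf2-799p (CVE-2025-15558), and because the entry is marked `// indirect` the main module's requirement is the only floor keeping the transitive build on the fixed line. If the rest of #132 has to be reverted, carve this one module out: keep it at v29.2.0 or later (`go get github.com/docker/cli@v29.2.0` then `go mod tidy`, as the inline comment suggests) and confirm the resolved version with `go list -m all` before merging.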

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify vulnerability status of the currently pinned version
curl -s https://api.osv.dev/v1/query -H 'Content-Type: application/json' -d '{
  "package": { "name": "github.com/docker/cli", "ecosystem": "Go" },
  "version": "27.3.1+incompatible"
}'

# Optional: verify a candidate upgraded version (replace X.Y.Z)
# curl -s https://api.osv.dev/v1/query -H 'Content-Type: application/json' -d '{
#   "package": { "name": "github.com/docker/cli", "ecosystem": "Go" },
#   "version": "X.Y.Z"
# }'

Repository: formancehq/auth


Upgrade github.com/docker/cli to v29.2.0 or later before merge.

Version 27.3.1+incompatible is affected by GHSA-p436-gjf2-799p (CVE-2025-15558), a local privilege escalation vulnerability in the Docker CLI plugin manager on Windows. Upgrade to v29.2.0 or later and re-resolve the module graph.

🧰 Tools
🪛 OSV Scanner (2.3.3)

[HIGH] 73-73: github.com/docker/cli 27.3.1+incompatible: Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows

(GHSA-p436-gjf2-799p)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 73, Update the module requirement for github.com/docker/cli
from v27.3.1+incompatible to v29.2.0 (or later) in go.mod and then re-resolve
the module graph (e.g., run go get github.com/docker/cli@v29.2.0 and go mod
tidy) so the dependency is upgraded and the lockfiles are refreshed; verify the
upgrade (go list -m all or go mod verify) to ensure the CVE-fixed version is
used.
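One way to automate the "verify the upgrade" step from the prompt above, as an added example that is not part of this PR or the formancehq/auth code base: it parses a constructed go.mod fragment (echoing the diff lines), finds the version pinned for github.com/docker/cli, and checks it against the first fixed version v29.2.0 named in the finding, stripping the +incompatible build suffix before comparing. The function names (PinnedVersion, parseSemver, AtLeast) and the sample go.mod are assumptions.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed go.mod fragment echoing the lines in the PR diff; not the real file.
const sampleGoMod = `require (
	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
	github.com/docker/cli v27.3.1+incompatible // indirect
)`

// PinnedVersion returns the version go.mod requires for modPath ("" if absent).
// Handles single-line "require x vN" and require blocks; "// indirect" is ignored.
func PinnedVersion(goMod, modPath string) string {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == modPath {
			return f[1]
		}
	}
	return ""
}

// parseSemver extracts MAJOR.MINOR.PATCH. Build metadata such as "+incompatible"
// carries no ordering and is dropped; a "-" suffix marks a pre-release or Go
// pseudo-version, which sorts below the bare version.
func parseSemver(v string) (n [3]int, pre bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+")
	v, _, pre = strings.Cut(v, "-")
	for i, p := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return n, pre
}

// AtLeast reports whether `have` is at or above the first fixed version.
func AtLeast(have, fixed string) bool {
	h, hpre := parseSemver(have)
	f, _ := parseSemver(fixed)
	for i := range h {
		if h[i] != f[i] {
			return h[i] > f[i]
		}
	}
	return !hpre // same numbers: a pre-release of the fixed version is still below it
}
```

Run it against the real go.mod in CI and fail the build when AtLeast returns false for a module with a known fixed version; the OSV query shown earlier in the thread is the source for that fixed version.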

NumaryBot (Contributor) left a comment

Approved for revert

@NumaryBot NumaryBot merged commit d05f946 into main Mar 20, 2026
5 of 6 checks passed
@NumaryBot NumaryBot deleted the revert-132-renovate/major-security branch March 20, 2026 08:22