fix: remediate Snyk high Go module findings #114

Open
JoshSEdwards wants to merge 3 commits into vinyldns:main from JoshSEdwards:snyksweeper/vinyldns-cli-20260603T162653Z
Conversation

@JoshSEdwards

@JoshSEdwards JoshSEdwards commented Jun 3, 2026

Contributor

Repo

  • Repository: vinyldns/vinyldns-cli
  • Base branch: main
  • Branch under review: snyksweeper/vinyldns-cli-20260603T162653Z
  • Base commit: f9d1709844fe9b31ee948df9e43f83dc071cd84f

KB Source

  • snyksweeper-skill/kb/README.md
  • snyksweeper-skill/kb/vinyldns/vinyldns-cli.md
  • KB status: repo page is marked <NEEDS VALIDATION>.

Findings Addressed

  • Addressed 10 exported high-severity gomodules findings on go.mod.
  • All exported findings mapped to the shared AWS SDK dependency family rooted at github.com/aws/aws-sdk-go-v2.
  • Initial export did not include any Dockerfile findings for this repo during this run.

Changes Made

  • Updated github.com/aws/aws-sdk-go-v2 from v1.26.1 to v1.32.8 in go.mod.
  • Updated github.com/aws/smithy-go from v1.20.2 to v1.22.1 in go.mod.
  • Refreshed go.sum to match the resolved module graph.
  • Kept the repo go directive at 1.21; newer AWS module lines that likely cleared more aggressively required go 1.24+, which would have been a broader change than necessary.

Validation Run

  • gmake build: pass
  • go vet ./src/...: pass
  • snyk test --file=go.mod --package-manager=gomodules --json: pass; summary: "No known vulnerabilities"
  • docker build -f Dockerfile -t snyk-kb/vinyldns-cli-dockerfile:local .: fail, due to the known KB note and current Dockerfile behavior: the golang:alpine image lacks bash while the Makefile sets SHELL=bash
  • gmake test: error in this environment because the acceptance-test stack depends on container images without matching linux/arm64 manifests; start-api never reached readiness
  • KB mismatch note: the repo-specific KB says the Dockerfile target is a monitored Snyk project, but the repo-scoped Snyk export for this run returned only go.mod findings

Remaining Findings

  • No remaining high/critical findings were reported by the monitored go.mod Snyk scan after remediation.
  • Dockerfile/container state remains unremediated and should be treated as follow-up work if Snyk still monitors that target independently.

Risk Notes

  • The fix is limited to transitive dependency updates and does not change application source.
  • Validation is partial because the KB page is still marked <NEEDS VALIDATION> and two KB-guided slices are environment-constrained on this machine.

Reviewer Notes

  • This change removes the exported high-severity Go module findings by lifting the shared AWS SDK root dependency to a newer Go-1.21-compatible release.
  • The code build and go vet remain clean after the dependency update.

Next Action

  • Review the dependency-only AWS SDK bump and decide whether to merge as-is, then follow up separately on the Dockerfile bash issue and the arm64 acceptance-test environment gap.
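An added example (not part of vinyldns-cli or this PR) of the pre-merge check a reviewer of a dependency-only bump like this one would want: parse the `require` directives of a go.mod, confirm the AWS SDK family modules sit at or above the versions the PR description reports (v1.32.8 for aws-sdk-go-v2, v1.22.1 for smithy-go), and confirm the `go` directive is still 1.21. The embedded go.mod is a constructed sample, not the repository's real file; the module list, floor table and helper names are assumptions for illustration.

```python
"""Check that a go.mod satisfies minimum versions for a dependency family.

Added example; not code from vinyldns-cli or from the PR. It parses the
require directives of a go.mod, compares each module version against a
floor, and reports anything below the floor or missing.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample go.mod (not the real vinyldns-cli go.mod). The AWS
# versions mirror the ones the PR description reports after the bump.
SAMPLE_GO_MOD = """\
module github.com/vinyldns/vinyldns-cli

go 1.21

require github.com/aws/smithy-go v1.22.1

require (
\tgithub.com/aws/aws-sdk-go-v2 v1.32.8
\tgithub.com/aws/aws-sdk-go-v2/config v1.27.0 // indirect
\tgithub.com/example/tool v0.9.0
)
"""

# Floors taken from the PR description's "Changes Made" list.
FLOORS = {
    "github.com/aws/aws-sdk-go-v2": "v1.32.8",
    "github.com/aws/smithy-go": "v1.22.1",
}

REQUIRE_LINE = re.compile(r"^require\s+(\S+)\s+(\S+)")
BLOCK_LINE = re.compile(r"^(\S+)\s+(\S+)")


def parse_requires(text: str) -> Dict[str, str]:
    """Return {module path: version} from single-line and block require directives."""
    reqs: Dict[str, str] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop comments such as "// indirect"
        if not line:
            continue
        if in_block:
            if line == ")":
                in_block = False
                continue
            m = BLOCK_LINE.match(line)
            if m:
                reqs[m.group(1)] = m.group(2)
            continue
        if line.startswith("require ("):
            in_block = True
            continue
        m = REQUIRE_LINE.match(line)
        if m:
            reqs[m.group(1)] = m.group(2)
    return reqs


def go_directive(text: str) -> Optional[str]:
    """Return the value of the top-level `go` directive, if present."""
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 2 and parts[0] == "go":
            return parts[1]
    return None


def version_key(v: str) -> Tuple[Tuple[int, ...], int, str]:
    """Sortable key for a Go module version string.

    Core x.y.z compares numerically; a pre-release or pseudo-version suffix
    ("-rc.1", "-20240101000000-abcdef123456") sorts below the plain release
    with the same core; a "+incompatible" build suffix is ignored.
    """
    core, _, rest = v.lstrip("v").partition("-")
    core = core.split("+", 1)[0]
    nums = tuple(int(p) for p in core.split("."))
    while len(nums) < 3:
        nums += (0,)
    return (nums, 0 if rest else 1, rest)


def check_floors(text: str, floors: Dict[str, str]) -> List[str]:
    """Return one problem string per floor that the go.mod fails to meet."""
    reqs = parse_requires(text)
    problems: List[str] = []
    for mod, floor in floors.items():
        have = reqs.get(mod)
        if have is None:
            problems.append(f"{mod}: not required in go.mod")
        elif version_key(have) < version_key(floor):
            problems.append(f"{mod}: {have} is below floor {floor}")
    return problems


if __name__ == "__main__":
    # Pass a path to check a real go.mod; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GO_MOD
    print("go directive:", go_directive(text))
    issues = check_floors(text, FLOORS)
    print("\n".join(issues) if issues else "all floors satisfied")
    sys.exit(1 if issues else 0)
```

Running it against the branch's go.mod and against `main` side by side makes the review decision concrete: the pre-bump versions the PR names (v1.26.1 and v1.20.2) fail both floors, the post-bump ones pass, and any regression of the `go` directive shows up in the same output.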

@snyk-io

snyk-io Bot commented Jun 3, 2026


Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| passed | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| passed | Licenses | 0 | 0 | 0 | 0 | 0 issues |


@CLAassistant

CLAassistant commented Jun 3, 2026


CLA assistant check
All committers have signed the CLA.

@JoshSEdwards JoshSEdwards force-pushed the snyksweeper/vinyldns-cli-20260603T162653Z branch from 8de406c to a0d84be Compare June 3, 2026 16:52
@JoshSEdwards JoshSEdwards self-assigned this Jun 3, 2026
