
Update to latest urfave/cli 1.22.x version to address Snyk vulnerabilities #111

Merged
JoshSEdwards merged 2 commits into vinyldns:main from JoshSEdwards:snyk-fixes on Dec 17, 2025

Conversation

@JoshSEdwards
Contributor

@JoshSEdwards JoshSEdwards commented Dec 9, 2025

Description of the Change

This change updates the CLI’s dependency on github.com/urfave/cli from v1.22.4 to v1.22.17.

The newer v1.22.17 release of urfave/cli pins gopkg.in/yaml.v2 to v2.4.0, which addresses the YAML DoS vulnerability Snyk was reporting through the transitive dependency chain.

Running go mod tidy after the upgrade also refreshed a few indirect dependencies (e.g. github.com/cpuguy83/go-md2man/v2, github.com/russross/blackfriday/v2) to versions compatible with the new urfave/cli release. No application code or CLI behavior was intentionally changed.

Why Should This Be In The Package?

This keeps the CLI’s dependencies up to date with upstream security fixes while staying on the stable v1.x API of urfave/cli (avoiding v2 breaking changes).

It removes a Snyk-reported high-severity vulnerability in gopkg.in/yaml.v2 that is pulled in via urfave/cli, improving the security posture of the distributed binary without altering user-facing commands.

Benefits

  • Security: Eliminates the vulnerable gopkg.in/yaml.v2@v2.2.2 from the dependency graph by pulling in v2.4.0 via urfave/cli v1.22.17.
  • Low risk: Stays within the v1.22.x line of urfave/cli, avoiding the breaking changes in v2.
  • Tooling alignment: Brings the CLI in line with upstream urfave/cli maintenance work and resolves the Snyk dashboard findings for this project.

Possible Drawbacks

Any dependency bump can introduce subtle behavior changes, even in patch/minor versions, though this change is confined to the v1.22.x series and does not alter our CLI code directly.

Indirect dependencies (like go-md2man / blackfriday) were also updated by go mod tidy, which could cause small differences in generated help output; no such differences were observed in manual testing.

Verification Process

  • Build:
    • Ran make build to ensure the project compiles with the new dependency versions.
  • Manual CLI smoke tests against a running VinylDNS API:
    • Verified core commands in a real environment, e.g.:
      • bin/vinyldns zones
      • bin/vinyldns groups
    • Confirmed these commands execute successfully and return expected data.
  • Bats test suite:
    • Installed and ran Bats via:
      • BATS_BIN="$(go env GOPATH)/src/github.com/sstephenson/bats/bin/bats"
      • "$BATS_BIN" tests
    • Observed that failures were due to differences between my existing VinylDNS data/config (non-empty groups/zones, batch review requirements, etc.) and the clean test data the fixtures expect, not due to runtime errors or crashes introduced by the dependency update.
  • CI:
    • Existing GitHub Actions workflow continues to run make / make test, which exercises the CLI against the standard Docker-based VinylDNS test environment where the fixtures are aligned with the data.
    • Note: This pulls in the .github/go.yml from Adding Endpoint for Zone Details in vinyldns-cli #109, adding Docker Compose and allowing the acceptance tests to run in GitHub Actions.

Applicable Issues

Snyk-reported YAML DoS vulnerability via gopkg.in/yaml.v2 transitively pulled in by github.com/urfave/cli@v1.22.4. After this change, snyk test shows: ✔ Tested 8 dependencies for known issues, no vulnerable paths found.
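The description above relies on the fact that the transitive gopkg.in/yaml.v2 requirement ends up at v2.4.0 once urfave/cli moves to v1.22.17. The following Go program is an added example, not code from the vinyldns-cli project or this PR: it parses go.mod require lines and gates on a minimum version for a named module, the kind of check a CI step could run so that a later `go mod tidy` cannot silently drag the vulnerable v2.2.2 back in. The go.mod excerpt is constructed for the example (the go-md2man version in it is made up), and the function names `ModuleVersions`, `AtLeast` and `CheckMinimum` are mine. It goes a little beyond the PR's single case by comparing versions numerically, which matters because a string comparison would rank v1.22.17 below v1.22.4.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod excerpt (not the project's real file) reflecting the
// versions the PR description names after the upgrade. The go-md2man
// version is invented for the example.
const upgradedGoMod = `module github.com/vinyldns/vinyldns-cli

go 1.21

require (
	github.com/urfave/cli v1.22.17
	github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect
	gopkg.in/yaml.v2 v2.4.0 // indirect
)
`

// ModuleVersions maps each required module path to its version, reading
// both the block form "require ( ... )" and single-line "require x vN".
func ModuleVersions(goMod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	for _, raw := range strings.Split(goMod, "\n") {
		line := raw
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" etc.
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		switch {
		case fields[0] == "require" && len(fields) == 2 && fields[1] == "(":
			inBlock = true
		case inBlock && fields[0] == ")":
			inBlock = false
		case fields[0] == "require" && len(fields) == 3:
			out[fields[1]] = fields[2]
		case inBlock && len(fields) == 2:
			out[fields[0]] = fields[1]
		}
	}
	return out
}

// parseVersion reduces "v2.4.0", "v2.2.2+incompatible" or a pseudo-version
// such as "v0.0.0-20190101000000-abcdef" to its numeric major.minor.patch.
func parseVersion(v string) ([3]int, bool) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// AtLeast reports whether version have is >= want, comparing numerically so
// that v1.22.17 ranks above v1.22.4 (a plain string compare gets this wrong).
func AtLeast(have, want string) bool {
	h, ok1 := parseVersion(have)
	w, ok2 := parseVersion(want)
	if !ok1 || !ok2 {
		return false
	}
	for i := 0; i < 3; i++ {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return true
}

// CheckMinimum is the gate a CI step would run: the module must appear in
// go.mod (directly or as // indirect) at or above the minimum version.
func CheckMinimum(goMod, module, minimum string) error {
	have, ok := ModuleVersions(goMod)[module]
	if !ok {
		return fmt.Errorf("%s: not present in go.mod", module)
	}
	if !AtLeast(have, minimum) {
		return fmt.Errorf("%s: have %s, need >= %s", module, have, minimum)
	}
	return nil
}

func main() {
	checks := []struct{ mod, min string }{
		{"gopkg.in/yaml.v2", "v2.4.0"},
		{"github.com/urfave/cli", "v1.22.17"},
	}
	for _, c := range checks {
		if err := CheckMinimum(upgradedGoMod, c.mod, c.min); err != nil {
			fmt.Println("FAIL:", err)
			continue
		}
		fmt.Println("ok:", c.mod)
	}
}
```

In a real pipeline the go.mod text would be read from the repository instead of the embedded constant, and a non-nil error from `CheckMinimum` would fail the build; the `// indirect` marker is stripped deliberately, since the yaml.v2 requirement this PR cares about is exactly such an indirect entry.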

@snyk-io

snyk-io Bot commented Dec 9, 2025

⚠️ Snyk checks are incomplete.

Status   Scanner               Critical   High   Medium   Low   Total (0)
⚠️       Open Source Security  0          0      0        0     See details
⚠️       Licenses              0          0      0        0     See details



@arpit4ever arpit4ever left a comment


LGTM

Member

@nspadaccino nspadaccino left a comment


Looks good to me

@JoshSEdwards JoshSEdwards merged commit 3c054d3 into vinyldns:main Dec 17, 2025
4 checks passed
@JoshSEdwards JoshSEdwards deleted the snyk-fixes branch December 17, 2025 19:40
3 participants