Fix SNYK-GOLANG-GOPKGINYAMLV3-2841557

[acsauk]

Hey all - I'm trying to solve https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557 which I'm getting via https://github.com/aws/aws-sdk-go. Usually, I'd put a PR in to bump the dependency in the tree but as it seems the link is testify which has been submodule here due to lock testify at 1.5.1 maintaining compatibility with Go <1.12 I'm not 100% on the next steps.

Does anyone with a better understanding of this package have any pointers on how to mitigate this vulnerability?

[raymondchen625]

+1 to fixing this issue (CVE-2022-28948) related to package gopkg.in/yaml.v2.
One possible solution is to use gopkg.in/yaml.v3 v3.0.1 instead in the internal package internal/testify, release a new release like this. Then bump the version in the main go.mod.