
backend: upgrade dependencies to fix Snyk security vulnerabilities#2278

Merged
c-julin merged 4 commits into master from snyk/backend-dependency-upgrades on Mar 10, 2026

Conversation

@c-julin
Contributor

@c-julin c-julin commented Mar 10, 2026

Summary

  • Bump go directive from 1.26.0 to 1.26.1 to fix std library vulns (crypto/x509, os, net/url, html/template)
  • Upgrade golang.org/x/net v0.50.0 → v0.51.0
  • Upgrade github.com/go-git/go-git/v5 v5.16.5 → v5.17.0
  • Upgrade github.com/go-viper/mapstructure/v2 v2.4.0 → v2.5.0
  • Upgrade github.com/golang-jwt/jwt/v5 v5.3.0 → v5.3.1

Test plan

  • go build ./... passes
  • govulncheck ./... reports 0 vulnerabilities

@secpanda

secpanda commented Mar 10, 2026

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues


c-julin added 3 commits March 10, 2026 11:58
- Taskfile GO_VERSION now reads from backend/go.mod instead of being
  hardcoded, so it stays in sync automatically.
- install-go task symlinks to the system Go when it already matches the
  required version, avoiding a redundant download in CI where
  actions/setup-go has already installed the right version.
- mkdir -p '{{.GO_BUILD_ROOT}}'
- curl -sSLf --retry 3 --retry-connrefused --retry-delay 2 '{{.GOLANG_URL}}' | tar -xz -C '{{.GO_BUILD_ROOT}}' --strip 1
- |
# If system Go is already the right version, symlink it instead of downloading
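Review bot: the curl ... '{{.GOLANG_URL}}' | tar -xz -C '{{.GO_BUILD_ROOT}}' --strip 1 line extracts whatever the network returns with no integrity check, so a tampered or truncated tarball lands in GO_BUILD_ROOT before anything can object. Go publishes a .sha256 beside every release file on go.dev/dl; download to a temporary file, compare its digest against a value pinned next to GO_VERSION (or against that published .sha256), and only then run tar, deleting the file and failing the task on mismatch. The new symlink branch does not change this, since it only runs when a matching system Go is already present.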
c-julin (Contributor Author):

This is to try to improve CI performance instead of downloading twice, which is what we currently do.

@malinskibeniamin
Contributor

@claude review check if any other security issues/concerns are there.

@claude

claude bot commented Mar 10, 2026

Claude finished @malinskibeniamin's task in 2m 12s


Security Review

  • Gather context and read changed files
  • Analyze dependency changes for security concerns
  • Check for other security issues in changed files
  • Post findings

The PR correctly addresses all identified Snyk vulnerabilities and govulncheck reporting 0 issues is the strongest indicator that no known CVEs remain. Here are additional observations:

What's Well Done

  • Go directive bump (1.26.0 → 1.26.1) correctly fixes stdlib vulnerabilities in crypto/x509, os, net/url, and html/template
  • go-git/v5 v5.16.5 → v5.17.0 and its companion go-billy/v5 v5.7.0 → v5.8.0 (the billy upgrade is implicit but present in the diff) close any git-related supply chain/path-traversal issues
  • golang-jwt/jwt/v5 v5.3.0 → v5.3.1 patches a known JWT parsing bug
  • peter-evans/repository-dispatch in the workflow is correctly pinned to a full commit SHA (caebe2a7...), which is the secure approach

Additional Concerns Worth Noting

1. golang.org/x/crypto v0.48.0 not upgraded (backend/go.mod:224)

This indirect dependency was not bumped as part of this PR. The stdlib crypto/x509 fix comes from the Go toolchain directive, but the x/crypto module is a separate dependency. Since govulncheck passes there are currently no known CVEs, but it's worth including this in future dependency upgrade sweeps.

2. github.com/jcmturner/gokrb5/v8 v8.4.4 not upgraded (backend/go.mod:35)

This Kerberos library is actively used for Kafka SASL/GSSAPI (backend/pkg/config/kafka_sasl_gssapi.go). It is a direct dependency and remains at v8.4.4 — the latest in the v8 series, which appears unmaintained (no releases since 2022). govulncheck shows no known CVEs, but the library's maintenance status is something to keep an eye on.

3. GitHub Actions using floating version tags (.github/workflows/repository-dispatch.yml:37,41)

- uses: aws-actions/configure-aws-credentials@v4        # ← floating tag
- uses: aws-actions/aws-secretsmanager-get-secrets@v2   # ← floating tag

The peter-evans/repository-dispatch action is pinned to a commit hash, but the AWS actions use mutable version tags. If the upstream repo were compromised, a tag could be silently moved to malicious code. Pinning to commit SHAs is the recommended hardening.

4. curl | sh in install-golangci-lint (taskfiles/backend.yaml:32) — pre-existing

curl -sSfL https://raw.githubusercontent.com/.../install.sh | sh -s -- ...

This downloads and executes a shell script without checksum verification. It is a common pattern for dev tooling but is a supply chain risk. The new install-go task in this PR improves this by preferring the system Go over a fresh download, which is a step in the right direction.

Summary

No blocking security issues introduced by this PR. The two items worth addressing separately are pinning the AWS GitHub Actions to commit SHAs (item 3 above) and monitoring jcmturner/gokrb5 for any future CVEs given its maintenance status.
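A hardened replacement for the download step, as an added example that is not the project's Taskfile or workflow code: it shows the pattern the review's item 4 asks for (download to a file, verify SHA-256, then extract, never pipe the network into tar) and, for item 3, a helper that resolves a floating action tag to the commit SHA to pin. The function names, the pinned-digest argument (a hypothetical GO_SHA256 value kept next to GO_VERSION) and the constructed sample file are assumptions of this example; the digest itself would come from the .sha256 file Go publishes beside each release tarball on go.dev/dl.

```shell
#!/bin/sh
# Added example, not the project's Taskfile: download-then-verify instead of
# "curl | tar". Assumptions: the expected digest is passed in (e.g. a pinned
# GO_SHA256 variable next to GO_VERSION); Go publishes a <tarball>.sha256
# beside every release file on go.dev/dl, which is where that value comes from.
set -eu

# Print the hex SHA-256 of a file with whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if FILE's digest equals EXPECTED (case-insensitive);
# an empty expected digest is treated as a misconfiguration and fails.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$expected" ] || return 1
    actual=$(sha256_of "$file" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Hardened form of the install-go download step:
#   fetch_verified URL EXPECTED_SHA256 DEST_DIR
# The archive is written to a temp file, verified, and only then extracted;
# a mismatch leaves nothing in DEST_DIR and fails the task.
fetch_verified() {
    url=$1; expected=$2; dest=$3
    tmp=$(mktemp)
    curl -sSLf --retry 3 --retry-connrefused --retry-delay 2 -o "$tmp" "$url"
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "checksum mismatch for $url: got $(sha256_of "$tmp"), want $expected" >&2
        rm -f "$tmp"
        return 1
    fi
    mkdir -p "$dest"
    tar -xz -C "$dest" --strip-components=1 -f "$tmp"
    rm -f "$tmp"
}

# For item 3 (floating action tags): print the commit a tag currently points
# at, so the workflow can use "uses: owner/repo@<sha> # tag". Annotated tags
# produce a second "^{}" line with the peeled commit, hence tail -n1.
# Needs network access; not run by the offline demo below.
resolve_action_sha() {
    git ls-remote --tags "https://github.com/$1.git" "refs/tags/$2" | tail -n1 | cut -f1
}

# Offline demo on a constructed file (no download): "hello\n" has a
# well-known SHA-256, so a correct pin passes and a wrong one is rejected.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/artifact"
good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
if verify_sha256 "$demo_dir/artifact" "$good"; then
    echo "pinned digest matches: safe to extract"
fi
if verify_sha256 "$demo_dir/artifact" "0000000000000000000000000000000000000000000000000000000000000000"; then
    echo "ERROR: tampered artifact accepted"
else
    echo "tampered digest rejected: nothing extracted"
fi
rm -rf "$demo_dir"
```

In a Taskfile the install-go cmds would call fetch_verified '{{.GOLANG_URL}}' '{{.GO_SHA256}}' '{{.GO_BUILD_ROOT}}' in place of the curl | tar line; the same download-verify-extract shape also replaces the curl | sh in install-golangci-lint once a digest for that script is pinned. Pinning an action to the SHA printed by resolve_action_sha only helps if the tag comment beside it is kept current, so pair it with whatever dependency-update tooling already bumps the Go modules.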

@c-julin c-julin merged commit bb882a1 into master Mar 10, 2026
17 checks passed
@c-julin c-julin deleted the snyk/backend-dependency-upgrades branch March 10, 2026 17:23
