fix: replace gopkg.in/yaml.v3 with go.yaml.in/yaml/v3 #207

Open
sridhar-3009 wants to merge 2 commits into speakeasy-api:main from sridhar-3009:fix/replace-gopkg-yaml

Conversation

@sridhar-3009

Problem

gopkg.in/yaml.v3 is unmaintained and flagged by security scanners (kubernetes-sigs/yaml#117). It is no longer receiving updates.

Fix

Replace all usages across the codebase with go.yaml.in/yaml/v3, the canonical successor package maintained by the same upstream authors.

  • All Go import paths updated via batch find+replace
  • go.mod updated to go.yaml.in/yaml/v3 v3.0.4

The API is identical — no code logic changes, import path only.

Closes #201

Commit message

gopkg.in/yaml.v3 is unmaintained and flagged by security scanners
(kubernetes-sigs/yaml#117). go.yaml.in/yaml/v3 is the canonical
successor maintained by the same authors with ongoing support.

Replace all import paths across .go source files and update go.mod
to reference go.yaml.in/yaml/v3 v3.0.4.

Closes speakeasy-api#201
Contributor

Copilot AI left a comment

Pull request overview

Replaces the unmaintained gopkg.in/yaml.v3 import path with the canonical successor go.yaml.in/yaml/v3 (v3.0.4) throughout the repository, closing #201. The change is mechanical — only import paths and the root go.mod requirement are touched; no functional logic changes.

Changes:

  • Updated import "gopkg.in/yaml.v3" to import "go.yaml.in/yaml/v3" in ~110 Go source/test files across packages (arazzo, openapi, swagger, overlay, marshaller, jsonschema, linter, etc.).
  • Bumped the root go.mod direct dependency from gopkg.in/yaml.v3 v3.0.1 to go.yaml.in/yaml/v3 v3.0.4.
  • Sibling sub-modules' go.mod / go.sum files (e.g. cmd/openapi, openapi/linter/customrules, jsonschema/oas3/tests, openapi/linter/converter/tests) and the root go.sum were not updated in this PR.

Reviewed changes

Copilot reviewed 162 out of 162 changed files in this pull request and generated 3 comments.

File / Description

  • go.mod: Swap root direct dependency to go.yaml.in/yaml/v3 v3.0.4
  • ~110 *.go files across arazzo/, openapi/, overlay/, swagger/, marshaller/, jsonschema/, linter/, sequencedmap/, values/, validation/, references/, jsonpointer/, json/, yml/, hashing/, extensions/, expression/, internal/, oq/, cmd/openapi/: Mechanical import path rewrite from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3
  • cmd/openapi/commands/{overlay/apply.go, overlay/compare.go, openapi/bootstrap.go}: Import swap, but the cmd/openapi submodule's own go.mod still pins the old package
  • openapi/linter/customrules/runtime.go: Import swap, but the customrules submodule's own go.mod still pins the old package

"github.com/dop251/goja"
"github.com/speakeasy-api/openapi/validation"
"gopkg.in/yaml.v3"
"go.yaml.in/yaml/v3"
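Review bot: the import swap in this openapi/linter/customrules thread (the goja/validation import block of runtime.go, per the review overview) now compiles against go.yaml.in/yaml/v3 while that submodule's own go.mod still requires gopkg.in/yaml.v3, so `go build ./...` inside the submodule fails with "no required module provides package go.yaml.in/yaml/v3" until its go.mod and go.sum are updated. Run `go mod tidy` inside openapi/linter/customrules and commit both files in this PR so every module builds at every commit.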
Member

Addressed in a985f2b. openapi/linter/customrules/go.mod now requires go.yaml.in/yaml/v3 v3.0.4, the module was tidied, and go.sum includes the new module hashes. Note: gopkg.in/yaml.v3 can still appear indirectly because current transitive dependencies still require it; see the PR tracking comment for follow-up.

"github.com/speakeasy-api/openapi/overlay/loader"
"github.com/spf13/cobra"
"gopkg.in/yaml.v3"
"go.yaml.in/yaml/v3"
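Review bot: cmd/openapi is its own module (the overlay apply/compare and bootstrap commands shown here import cobra and the overlay loader) and its go.mod still pins gopkg.in/yaml.v3, so beyond tidying it, verify that after the update gopkg.in/yaml.v3 survives in that go.mod only as a `// indirect` entry. A remaining direct requirement means a file in the module was missed by the batch replace; an indirect one merely reflects a dependency that still needs the old path.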
Member

Addressed in a985f2b. cmd/openapi/go.mod now requires go.yaml.in/yaml/v3 v3.0.4, the module was tidied, and go.sum includes the new module hashes. Note: gopkg.in/yaml.v3 can still appear indirectly because current transitive dependencies still require it; see the PR tracking comment for follow-up.

go.mod (outdated comment thread)
golang.org/x/sync v0.20.0
golang.org/x/text v0.35.0
gopkg.in/yaml.v3 v3.0.1
go.yaml.in/yaml/v3 v3.0.4
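Review bot: this bumps the root requirement to go.yaml.in/yaml/v3 v3.0.4 but the root go.sum is not part of the diff, so the h1: hashes for the new module (zip and go.mod) are missing and `go build` reports a missing go.sum entry until `go mod tidy` is run and go.sum committed. Expect tidy to also re-add `gopkg.in/yaml.v3 v3.0.1 // indirect` as long as dependencies such as github.com/speakeasy-api/jsonpath still require the old path; that line returning marked indirect is not a regression and should not be deleted by hand.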
Member

Addressed in a985f2b. Root and sibling module metadata were tidied: root go.sum now has go.yaml.in/yaml/v3 hashes, cmd/openapi and openapi/linter/customrules direct deps were moved to go.yaml.in/yaml/v3 v3.0.4, and the test modules now include the new module in their tidied graphs. I also updated the stale overlay/README.md reference and ran formatting. Remaining old yaml entries are transitive, not direct; see the PR tracking comment for dependency follow-up.

@TristanSpeakEasy
Member

Dependency migration follow-up discovered while addressing review feedback:

  • Direct cleanup is pushed in a985f2b: root, cmd/openapi, openapi/linter/customrules, jsonschema/oas3/tests, and openapi/linter/converter/tests were tidied with go.yaml.in/yaml/v3 v3.0.4; overlay/README.md was also updated.
  • External contributor diff review found no suspicious or unrelated code changes; the original PR diff is mechanical import-path replacement plus root module metadata.

Remaining blockers to track before this migration can fully pass builds/tests:

  1. github.com/speakeasy-api/jsonpath still exposes gopkg.in/yaml.v3 in its public API.
     • Latest release: v0.6.3.
     • Checked @main pseudo-version v0.6.4-0.20260215213553-5923067bd0c5; it still imports gopkg.in/yaml.v3.
     • This causes type mismatches in overlay/jsonpath.go and marshaller/coremodel_jsonpath_test.go because Go treats *go.yaml.in/yaml/v3.Node and *gopkg.in/yaml.v3.Node as distinct types.
  2. github.com/vmware-labs/yaml-jsonpath v0.3.2 also exposes gopkg.in/yaml.v3 nodes from Path.Find, causing the same mismatch in overlay/jsonpath.go.
  3. gopkg.in/yaml.v3 still appears indirectly in module graphs because transitive dependencies still require it (github.com/speakeasy-api/jsonpath, github.com/vmware-labs/yaml-jsonpath, plus test/tool dependency trees such as testify, cobra, and testcontainers). Manually deleting those indirect entries is not stable; go mod tidy restores them.

Validation notes:

  • Passing locally: go mod verify in all affected modules; go test ./... in openapi/linter/customrules, jsonschema/oas3/tests, and openapi/linter/converter/tests.
  • Failing locally due to dependency API blockers above: root go test ./... and cmd/openapi go test ./....
  • mise ci passes fmt + mod-check locally, then cannot complete because golangci-lint is not installed and the lint script hits BSD grep incompatibility (grep -P).
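The PR description frames the migration as a batch find+replace of import paths plus a go.mod bump, and the tracking comment above adds that gopkg.in/yaml.v3 keeps returning as an indirect requirement and that the repository's lint script trips over BSD grep's missing -P. The POSIX sh script below is an added example written for this page, not code from the PR or from the speakeasy-api/openapi repository: it rewrites the quoted import path in .go files, counts what is still left, and classifies how a go.mod references the old module as direct, indirect or absent, which is the distinction that matters when deciding whether a leftover entry is a missed file or a transitive dependency. It assumes a plain source checkout and uses only find, grep -F, sed and awk, so it runs with BSD and GNU tools alike; updating go.mod and go.sum is left to the Go toolchain and shown only as a comment.

```shell
#!/bin/sh
# Added example for this page (not code from the PR or the repository):
# migrate Go import paths from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3
# and audit what is left over. Assumes a plain source checkout and uses
# only POSIX sh, find, grep -F, sed and awk (no GNU-only grep -P).

OLD_PATH='gopkg.in/yaml.v3'
NEW_PATH='go.yaml.in/yaml/v3'
# Escape the dots so sed matches the old path literally.
OLD_RE=$(printf '%s' "$OLD_PATH" | sed 's/\./\\./g')

# Rewrite the quoted import path in every .go file under $1. Matching the
# surrounding quotes keeps aliased imports (yaml "gopkg.in/yaml.v3") covered
# and avoids touching unrelated paths that merely start the same way.
rewrite_yaml_imports() {
    find "$1" -name '*.go' -type f | while IFS= read -r f; do
        if grep -q -F "\"$OLD_PATH\"" "$f"; then
            out="$f.tmp.$$"
            sed "s#\"$OLD_RE\"#\"$NEW_PATH\"#g" "$f" > "$out" && mv "$out" "$f"
        fi
    done
}

# Count the .go files under $1 that still import the old path (0 = migrated).
count_old_yaml_imports() {
    find "$1" -name '*.go' -type f -exec grep -l -F "\"$OLD_PATH\"" {} + 2>/dev/null |
        wc -l | tr -d ' '
}

# Classify how the go.mod at $1 references the old module:
#   direct   - the module itself requires it (a missed file or a stale pin)
#   indirect - marked "// indirect": a dependency still needs it, and
#              go mod tidy will keep putting the line back
#   absent   - not required at all
# Handles both "require path version" lines and "require ( ... )" blocks.
gomod_old_yaml_status() {
    awk -v mod="$OLD_PATH" '
        /^require[ \t]*\(/ { inblock = 1; next }
        inblock && /^\)/    { inblock = 0; next }
        inblock             { path = $1 }
        !inblock && $1 == "require" && NF >= 3 { path = $2 }
        path == mod {
            if ($0 ~ /\/\/[ \t]*indirect/) status = "indirect"; else status = "direct"
            exit
        }
        { path = "" }
        END { if (status == "") status = "absent"; print status }
    ' "$1"
}

# go.mod and go.sum themselves are best updated with the Go toolchain, e.g.
#   go mod edit -droprequire=gopkg.in/yaml.v3 -require=go.yaml.in/yaml/v3@v3.0.4
#   go mod tidy && go mod verify
# run in every module directory (the root and each sibling sub-module).
# That step needs a network-connected toolchain and is not executed here.

# Entry point: sh yaml_migrate.sh <repo-dir> [--rewrite]. With no arguments
# only the functions are defined, so the file can be sourced from other scripts.
if [ "$#" -ge 1 ]; then
    repo=$1
    [ "${2:-}" = "--rewrite" ] && rewrite_yaml_imports "$repo"
    echo "go.mod: $OLD_PATH is $(gomod_old_yaml_status "$repo/go.mod")"
    echo ".go files still importing $OLD_PATH: $(count_old_yaml_imports "$repo")"
fi
```

Running the audit on each module directory after `go mod tidy` gives a quick, tool-independent answer to the question the thread keeps returning to: a `direct` result or a non-zero file count means the migration is incomplete, whereas `indirect` only confirms that a dependency in the graph still needs the old path and has to be fixed upstream.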

Linked issue (may be closed by merging): Replace gopkg.in/yaml.v3 with go.yaml.in/yaml/v3