
fix(sec): upgrade gopkg.in/yaml.v3 to 3.0.0 #11643

Closed

Conversation

chncaption

What happened?

There is 1 security vulnerability found in gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b.

What did I do?

Upgrade gopkg.in/yaml.v3 from v3.0.0-20210107192922-496545a6307b to 3.0.0 for the vulnerability fix.

What did you expect to happen?

Ideally, no insecure libs should be used.

The specification of the pull request

PR Specification from OSCS


vitess-bot bot commented Nov 7, 2022

Review Checklist

Hello reviewers! 👋 Please follow this checklist when reviewing this Pull Request.

General

  • Ensure that the Pull Request has a descriptive title.
  • If this is a change that users need to know about, please apply the release notes (needs details) label so that merging is blocked unless the summary release notes document is included.

If a new flag is being introduced:

  • Is it really necessary to add this flag?
  • Flag names should be clear and intuitive (as far as possible)
  • Help text should be descriptive.
  • Flag names should use dashes (-) as word separators rather than underscores (_).

If a workflow is added or modified:

  • Each item in Jobs should be named in order to mark it as required.
  • If the workflow should be required, the maintainer team should be notified.

Bug fixes

  • There should be at least one unit or end-to-end test.
  • The Pull Request description should include a link to an issue that describes the bug.

Non-trivial changes

  • There should be some code comments as to why things are implemented the way they are.

New/Existing features

  • Should be documented, either by modifying the existing documentation or creating new documentation.
  • New features should have a link to a feature request issue or an RFC that documents the use cases, corner cases and test cases.

Backward compatibility

  • Protobuf changes should be wire-compatible.
  • Changes to _vt tables and RPCs need to be backward compatible.
  • vtctl command output order should be stable and awk-able.
  • RPC changes should be compatible with vitess-operator.
  • If a flag is removed, then it should also be removed from VTop, if used there.

@frouioui frouioui (Member) left a comment

Hello @chncaption, thank you for your first contribution to our project.

The version v3.0.0 is not the latest release of go-yaml. Can you bump the version to v3.0.1 which is the latest? That latest version fixes a similar panic (go-yaml/yaml#665) to the one that generated the CVE (go-yaml/yaml#666). It would thus be safer to upgrade go-yaml to v3.0.1.

Another thing, in order to approve and merge your Pull Request you need to sign your commit, which will make the DCO status check go green. You can find the instructions to do so here: https://github.com/vitessio/vitess/pull/11643/checks?check_run_id=9329481430.

Thank you!
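The reviewer's point is a version-ordering one: a Go pseudo-version such as v3.0.0-20210107192922-496545a6307b is a prerelease of v3.0.0 and therefore sorts before it, and v3.0.0 itself still sits below the v3.0.1 release that carries the second panic fix. The following is an added example, not code from this PR or from the vitess project. It parses a constructed go.mod excerpt using only the standard library and reports every required module whose version is below a configured minimum (the v3.0.1 minimum for gopkg.in/yaml.v3 is taken from the comment above; the other module and the module path example.com/app are made up). In a real audit you would reach for golang.org/x/mod/semver or govulncheck instead of the small comparison written out here.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod excerpt for this example; the yaml.v3 line carries the
// pseudo-version this PR started from.
const sampleGoMod = `module example.com/app

go 1.19

require (
	github.com/stretchr/testify v1.8.0 // indirect
	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
)
`

// minimumVersions maps a module path to the lowest release considered fixed.
// v3.0.1 for gopkg.in/yaml.v3 is the version the reviewer asked for.
var minimumVersions = map[string]string{
	"gopkg.in/yaml.v3": "v3.0.1",
}

// parseRequires extracts "module -> version" from go.mod text, handling both
// the single-line `require x v1` form and the `require ( ... )` block.
func parseRequires(goMod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		switch {
		case line == "":
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require ") && len(f) == 3:
			out[f[1]] = f[2]
		case inBlock && len(f) == 2:
			out[f[0]] = f[1]
		}
	}
	return out
}

// splitVersion returns the numeric MAJOR.MINOR.PATCH core and the prerelease
// suffix (everything after the first '-'); "+incompatible" metadata is ignored.
func splitVersion(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	pre := ""
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v, pre = v[:i], v[i+1:]
	}
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i]
	}
	var core [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		core[i], _ = strconv.Atoi(p)
	}
	return core, pre
}

// compareVersions orders two module versions by the semver rules that matter
// here: the numeric core compares numerically, and a version with a prerelease
// suffix (which is what a pseudo-version is) sorts before the same core
// without one. Returns -1, 0 or 1. Stand-in for golang.org/x/mod/semver.
func compareVersions(a, b string) int {
	coreA, preA := splitVersion(a)
	coreB, preB := splitVersion(b)
	for i := 0; i < 3; i++ {
		if coreA[i] < coreB[i] {
			return -1
		}
		if coreA[i] > coreB[i] {
			return 1
		}
	}
	switch {
	case preA == preB:
		return 0
	case preA == "":
		return 1 // release beats any prerelease of the same core
	case preB == "" || preA < preB:
		return -1
	}
	return 1
}

// outdated returns module path -> current version for every requirement
// that is below its configured minimum.
func outdated(goMod string, minimums map[string]string) map[string]string {
	found := map[string]string{}
	for mod, have := range parseRequires(goMod) {
		if want, ok := minimums[mod]; ok && compareVersions(have, want) < 0 {
			found[mod] = have
		}
	}
	return found
}

func main() {
	for mod, have := range outdated(sampleGoMod, minimumVersions) {
		fmt.Printf("%s %s is below the fixed version %s\n", mod, have, minimumVersions[mod])
	}
}
```

Running it against the constructed go.mod reports the yaml.v3 pseudo-version as below v3.0.1; bumping the line to v3.0.0, as this PR originally did, still gets reported, and only v3.0.1 or later clears the check.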

@frouioui frouioui added Component: Build/CI dependencies Pull requests that update a dependency file Type: Dependencies Dependency updates go labels Nov 8, 2022

deepthi commented Nov 16, 2022

@chncaption we cannot accept this PR unless the commit is signed off. Can you please fix that?
Otherwise at some point the PR will go stale and get closed automatically.


deepthi commented Dec 11, 2022

Fixed in #11741

@deepthi deepthi closed this Dec 11, 2022