Bump gopkg.in/yaml.v2 to v2.2.3

[theoretick]

What type of PR is this?

Bumps patch version to address gopkg.in/yaml.v2 vulnerability making library susceptible to billion laughs attack

• bug
• cleanup
• documentation
• feature

What this PR does / why we need it:

• Upstream fix: go-yaml/yaml@bb4e33b
• related vendor bump for docker cli vendor: Bump gopkg.in/yaml.v2 docker/cli#2117
• GitLab Gemnasium advisory for details
  https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/d769b9b5f0ae0c94bba8de1f67f19d6d0cfe630a/go/gopkg.in/yaml.v2/GMS-2019-2.yml

I took a look through the yaml loader module and I do not think the library is high risk of this flaw due to the inherent risks of untrusted user input, but it should likely be bumped to at least the fixed patch version to mitigate. While I deemed it low-risk, my apologies for the full disclosure here if not preferred. I did not find a security disclosure policy or contribution docs, but it would be excellent if a policy could be documented as a side-effect to this pull request.

Which issue(s) this PR fixes:

No open issue.

Special notes for your reviewer:

I bumped to only the minimum version to address the existing vulnerability, but happy to go to the latest patch (looks like v.2.3.0) if desired!

Testing

go test passes but no additional test cases ran.

Release Notes

- Bump dependency `gopkg.in/yaml.v2` to patch `v2.2.3`

[theoretick]

@saschagrunert @asahasrabuddhe would either of you have a chance to review this minor dependency bump?

[theoretick]

@rliebz I see there is also a check failing for Codecov, should I be concerned about that or is there any additional actions needed here? Looks like it's failing in the other PRs as well

[rliebz]

@theoretick Nope, it's not a required check. Totally fine to ignore.

[asahasrabuddhe]

LGTM