The gopkg.in/yaml.v2 package has a potential crash when parsing malicious input. Although we only use the yaml package to parse trusted configuration, update to v3 anyway.
Aaron Gable