Background
As per the recently disclosed CVE-2025-52893, the mitchellh/mapstructure package has been identified as vulnerable. Security scanners are flagging this as a transitive dependency, which is triggering findings in our pipelines.
Proposal
There is a maintained fork of the package under go-viper/mapstructure that has already addressed this vulnerability. If the Consul team is open to it, I’d be happy to submit a PR replacing the current dependency with the patched fork.
Please let me know if this approach aligns with your standards and direction. I'm happy to assist with implementation.