Conversation

@RainbowMango (Member)

What type of PR is this?

/kind cleanup

What this PR does / why we need it:
This PR bumps the direct dependency github.com/vektra/mockery, so that the indirect dependency github.com/go-viper/mapstructure/v2 could be bumped to address security concerns (GO-2025-3900):

go-viper's mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data

-bash-5.0# go mod why github.com/go-viper/mapstructure/v2
# github.com/go-viper/mapstructure/v2
github.com/karmada-io/karmada/hack/tools
github.com/vektra/mockery/v3
github.com/vektra/mockery/v3/internal/cmd
github.com/knadh/koanf/v2
github.com/go-viper/mapstructure/v2  // require v2.4.0

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:
Upstream PRs:

Does this PR introduce a user-facing change?:

NONE
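The PR description above traces, with `go mod why`, how the vulnerable module reaches the build and then bumps the direct dependency so the resolved version moves to v2.4.0. The natural follow-up for a reviewer is to confirm that the resolved version of the transitive module is actually at or above the fixed one. The shell script below is an added example, not code from this PR or from the karmada, mockery or mapstructure projects: it parses the "path version" lines that `go list -m all` prints, compares Go module versions (including pre-release suffixes), and reports whether a module meets a minimum version. The module list is a constructed sample, and the function names (`resolved_version`, `vercmp`, `module_is_fixed`) are my own.

```shell
#!/bin/sh
# Added example (not from the karmada PR or the projects it updates).
# Verifies that a transitive Go module is resolved at or above the version
# that carries a fix, using the "path version" lines printed by `go list -m all`.
# A constructed snapshot of that output is embedded so the check runs offline;
# in a real checkout replace it with:  MODLIST=$(go list -m all)

# Constructed sample: the module graph after the bump described in the PR.
SAMPLE_MODLIST='github.com/karmada-io/karmada
github.com/go-viper/mapstructure/v2 v2.4.0
github.com/knadh/koanf/v2 v2.3.0
github.com/vektra/mockery/v3 v3.5.5'

# Print the resolved version of module $2 from the list in $1 (empty if absent).
resolved_version() {
    printf '%s\n' "$1" | awk -v mod="$2" '$1 == mod { print $2; exit }'
}

# Compare two Go module versions (vMAJOR.MINOR.PATCH with an optional
# -prerelease suffix). Prints -1, 0 or 1 for a<b, a==b, a>b. A release ranks
# above a pre-release of the same number; build metadata is not handled.
vercmp() {
    a=${1#v}; b=${2#v}
    acore=${a%%-*}; bcore=${b%%-*}
    i=1
    while [ "$i" -le 3 ]; do
        an=$(printf '%s' "$acore" | cut -d. -f"$i")
        bn=$(printf '%s' "$bcore" | cut -d. -f"$i")
        an=${an:-0}; bn=${bn:-0}
        if [ "$an" -lt "$bn" ]; then echo -1; return; fi
        if [ "$an" -gt "$bn" ]; then echo 1; return; fi
        i=$((i + 1))
    done
    case "$a,$b" in
        *-*,*-*) ;;                 # both pre-releases with equal numbers: equal
        *-*,*) echo -1; return ;;   # a is a pre-release, b is the release
        *,*-*) echo 1; return ;;    # a is the release, b is a pre-release
    esac
    echo 0
}

# Exit 0 when module $2 in list $1 is resolved at or above version $3,
# 1 when it is below, 2 when it is not in the graph at all.
module_is_fixed() {
    got=$(resolved_version "$1" "$2")
    [ -n "$got" ] || { echo "$2: not in module graph" >&2; return 2; }
    if [ "$(vercmp "$got" "$3")" -ge 0 ]; then
        echo "$2 $got (minimum $3): OK"
        return 0
    fi
    echo "$2 $got is below minimum $3" >&2
    return 1
}

# The module this PR's bump is meant to move to v2.4.0.
module_is_fixed "$SAMPLE_MODLIST" github.com/go-viper/mapstructure/v2 v2.4.0
```

This only confirms that the version in the resolved graph is high enough; whether a vulnerable function is actually reachable from the project's code is what `govulncheck ./...` (from golang.org/x/vuln) reports, using the same GO-YYYY-NNNN identifiers as the advisory named in the PR.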

Copilot AI review requested due to automatic review settings September 17, 2025 02:51
@karmada-bot karmada-bot added the kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. label Sep 17, 2025
Copilot AI (Contributor) left a comment

Pull Request Overview

This PR upgrades the github.com/vektra/mockery dependency from v3.5.1 to v3.5.5 to address a security vulnerability (GO-2025-3900) in the indirect dependency github.com/go-viper/mapstructure/v2 related to potential sensitive information leakage in logs when processing malformed data.

  • Updates mockery from v3.5.1 to v3.5.5
  • Upgrades various golang.org/x dependencies to their latest versions
  • Regenerates mock files with updated generator comments

Reviewed Changes

Copilot reviewed 2 out of 104 changed files in this pull request and generated no comments.

Reviewed files:

  • go.mod: Updates mockery dependency and associated transitive dependencies to address security vulnerability
  • pkg/estimator/service/mock_EstimatorClient.go: Regenerated mock file with updated generator comments positioning

@karmada-bot karmada-bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Sep 17, 2025
@gemini-code-assist gemini-code-assist bot left a comment

Summary of Changes

Hello @RainbowMango, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on enhancing the project's security posture and maintaining dependency hygiene by updating several key Go modules. The core change involves a transitive security fix for mapstructure via a mockery version bump, alongside broader updates to koanf and various golang.org/x libraries. These updates bring improved type handling, thread safety, and align the project with the latest Go ecosystem standards and kernel interfaces.

Highlights

  • Dependency Updates: The primary change involves bumping the direct dependency github.com/vektra/mockery/v3 from version v3.5.1 to v3.5.5. This update, in turn, allows for the indirect dependency github.com/go-viper/mapstructure/v2 to be updated from v2.3.0 to v2.4.0. Additionally, github.com/knadh/koanf/v2 is updated from v2.2.1 to v2.3.0, and several golang.org/x modules (net, term, text, tools) are updated to their latest versions.
  • Security Fix: The update to github.com/go-viper/mapstructure/v2 addresses a known security vulnerability (GO-2025-3900) where malformed data could potentially leak sensitive information in logs. This ensures the project benefits from the latest security patches.
  • Code Generation Improvements (Mockery): Generated mock files (pkg/estimator/service/mock_EstimatorClient.go) now have their boilerplate comments reordered. Internal changes to mockery's template generation (internal/template_generator.go, template/method_scope.go) include improved type replacement logic, especially for pointer types, and Dockerfile updates to use golang:1.25-alpine.
  • Mapstructure Enhancements: The mapstructure library (vendored) sees significant internal improvements, including the replacement of interface{} with any for better type safety and clarity. New decode hook functions (StringToWeakSliceHookFunc, StringToTimeLocationHookFunc) and comprehensive error wrapping for various parsing operations (strconv, url, net.IP, time) have been added in decode_hooks.go and errors.go.
  • Koanf Thread Safety and Features: The koanf configuration library (vendored) now incorporates a sync.RWMutex to ensure thread-safe access to its internal configuration maps, improving concurrency safety. Its README has been updated to reflect new providers/parsers and S3 reading examples. The go.work file also indicates an update to Go 1.24.4 and toolchain 1.24.5.
  • Go Modules and System Call Updates: Underlying Go module tooling (golang.org/x/mod) has been updated, including changes to how go.mod files are parsed and sorted, and how module versions are handled. The golang.org/x/sys/unix package has received numerous updates to Linux system call constants and types across various architectures, reflecting recent kernel changes. The errgroup package has also been refactored to simplify panic/Goexit propagation.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request correctly bumps github.com/vektra/mockery to v3.5.5, which in turn updates the indirect dependency github.com/go-viper/mapstructure/v2 to v2.4.0. This successfully addresses the security vulnerability GO-2025-3900 related to sensitive information leakage in logs. The changes in go.mod, go.sum, and the vendored files are consistent with this goal. The update to the generated mock file is also an expected and correct consequence of the mockery version bump. The pull request is well-documented and the changes are sound. I approve this change.

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 45.73%. Comparing base (f565d13) to head (911eb05).

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #6761      +/-   ##
==========================================
- Coverage   45.73%   45.73%   -0.01%     
==========================================
  Files         689      689              
  Lines       57133    57133              
==========================================
- Hits        26131    26130       -1     
- Misses      29370    29371       +1     
  Partials     1632     1632              
Flag Coverage Δ
unittests 45.73% <ø> (-0.01%) ⬇️

@whitewindmills (Member)

thanks
/lgtm
/approve

@karmada-bot karmada-bot added the lgtm Indicates that a PR is ready to be merged. label Sep 19, 2025
@karmada-bot (Collaborator)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: whitewindmills

@karmada-bot karmada-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 19, 2025
@karmada-bot karmada-bot merged commit f9cd5c9 into karmada-io:master Sep 19, 2025
24 checks passed