Harden supply chain: inline jsonpointer, migrate yaml, pin actions

- Replace go-openapi/jsonpointer with inlined RFC 6901 functions,
  eliminating jsonpointer and swag/jsonname dependencies.
- Migrate gopkg.in/yaml.v3 (archived) to go.yaml.in/yaml/v3 v3.0.4.
- Pin GitHub Actions to full SHA (checkout v6.0.2, setup-go v6.2.0)
  and remove dead step.
- Replace curl of wasm_exec.js with cp from GOROOT.
- Update Dockerfile to golang:1.24 and validate it in make target.
- Add SECURITY.md, dependabot.yml, and security docs to CLAUDE.md
  and README.md.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Your Name

.github/dependabot.yml

@@ -0,0 +1,16 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "gomod"
+    directory: "/v2"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/go.yml

@@ -14,13 +14,10 @@ jobs:
   Test:
     runs-on: ubuntu-latest
     steps:
-    - name: Hello
-      run: echo I am first
-    
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: Set up Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
       with:
         go-version: '1.24'
 

CLAUDE.md

@@ -31,6 +31,15 @@ It is focused on a human-readable diff format but has the ability to read and pr
 - `/lib` - Deprecated v1 library (read-only)
 - `main.go` - Deprecated v1 commandline (read-only)
 
+## Supply Chain Security
+
+- Dependencies MUST be minimal. Do not add new dependencies without justification.
+- GitHub Actions MUST be pinned to full commit SHA with version comment.
+- When bumping Go toolchain: update `GOTOOLCHAIN` in Makefile, `toolchain` in both go.mod
+  files, and `FROM golang:` in Dockerfile. `make validate-toolchain` checks all of these.
+- `wasm_exec.js` is copied from GOROOT at build time — no manual update needed.
+- Run `govulncheck ./...` periodically to check for stdlib and dependency vulns.
+
 ## Advice
 
 - Try and avoid creating temporary files and instead rely on modifying existing unit tests for debugging.

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.23 AS build
+FROM golang:1.24 AS build
 RUN mkdir -p /go/src/github.com/josephburnett/jd
 WORKDIR /go/src/github.com/josephburnett/jd
 COPY . .

Makefile

@@ -20,6 +20,15 @@ validate-toolchain :
 		echo "  Please update GOTOOLCHAIN in Makefile to match go.mod"; \
 		exit 1; \
 	fi; \
+	GOMOD_VERSION=$$(grep '^go ' go.mod | awk '{print $$2}' | cut -d. -f1,2); \
+	DOCKER_VERSION=$$(grep '^FROM golang:' Dockerfile | head -1 | sed 's/FROM golang:\([0-9.]*\).*/\1/'); \
+	if [ "$$GOMOD_VERSION" != "$$DOCKER_VERSION" ]; then \
+		echo "Error: Dockerfile Go version does not match go.mod:"; \
+		echo "  Dockerfile: golang:$$DOCKER_VERSION"; \
+		echo "  go.mod go directive: $$GOMOD_VERSION"; \
+		echo "  Please update FROM golang: in Dockerfile to match go.mod"; \
+		exit 1; \
+	fi; \
 	echo "✓ Toolchain validation passed: $$ROOT_TOOLCHAIN"
 
 .PHONY : build
@@ -73,7 +82,7 @@ pack-web : build-web validate-toolchain
 
 .PHONY : build-web
 build-web : validate-toolchain
-	cd v2 ; curl -fsSL https://raw.githubusercontent.com/golang/go/go1.23.12/misc/wasm/wasm_exec.js -o internal/web/assets/wasm_exec.js
+	cp "$$(go env GOROOT)/lib/wasm/wasm_exec.js" v2/internal/web/assets/wasm_exec.js
 	cd v2 ; GOOS=js GOARCH=wasm go build -o internal/web/assets/jd.wasm ./internal/web/ui
 
 .PHONY : serve

README.md

@@ -565,3 +565,10 @@ kubectl get deployment example -oyaml | jd -yaml -opts='[
 kubectl patch deployment example2 --type json --patch "$(jd -t jd2patch cpu-patch)"
 ```
 
+## Security
+
+To report a vulnerability, see [SECURITY.md](SECURITY.md).
+
+This project uses minimal dependencies, pinned GitHub Actions, and automated
+dependency updates via Dependabot.
+

SECURITY.md

@@ -0,0 +1,23 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| v2.x    | Yes       |
+| v1.x    | No (deprecated) |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability, please report it by emailing
+**josephburnett@fastmail.com**.
+
+- You can expect an acknowledgment within 7 days (best effort).
+- Please include steps to reproduce and any relevant details.
+- We ask for coordinated disclosure — please do not publish details
+  before a fix is available.
+
+## Credit
+
+Contributors who report valid vulnerabilities will be credited in the
+release notes (unless they prefer to remain anonymous).

go.mod

@@ -13,8 +13,8 @@ require (
 require (
 	github.com/go-openapi/swag/jsonname v0.25.4 // indirect
 	github.com/kr/text v0.2.0 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
 replace github.com/josephburnett/jd/v2 => ./v2

go.sum

@@ -17,6 +17,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

v2/go.mod

@@ -5,13 +5,12 @@ go 1.24.0
 toolchain go1.24.13
 
 require (
-	github.com/go-openapi/jsonpointer v0.22.4
 	github.com/stretchr/testify v1.11.1
-	gopkg.in/yaml.v3 v3.0.1
+	go.yaml.in/yaml/v3 v3.0.4
 )
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/go-openapi/swag/jsonname v0.25.4 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )