fix(serializer): disable MsgpackSerializer and remove shamaton/msgpack dependency

Disable Marshal and Unmarshal in MsgpackSerializer by converting them into
stubs that return errors. This addresses a security concern in the upstream
shamaton/msgpack library (ref: shamaton/msgpack#60). The type is marked
deprecated and will be removed in a future release.

- Remove github.com/shamaton/msgpack/v3 from go.mod
- Bump github.com/hyp3rd/ewrap from v1.3.8 to v1.3.9

Author: hyp3rd

go.mod

@@ -6,11 +6,10 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0
 	github.com/goccy/go-json v0.10.6
 	github.com/gofiber/fiber/v3 v3.1.0
-	github.com/hyp3rd/ewrap v1.3.8
+	github.com/hyp3rd/ewrap v1.3.9
 	github.com/hyp3rd/sectools v1.2.3
 	github.com/longbridgeapp/assert v1.1.0
 	github.com/redis/go-redis/v9 v9.18.0
-	github.com/shamaton/msgpack/v3 v3.1.0
 	github.com/ugorji/go/codec v1.3.1
 	go.opentelemetry.io/otel v1.43.0
 	go.opentelemetry.io/otel/metric v1.43.0

go.sum

@@ -29,8 +29,8 @@ github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/hyp3rd/ewrap v1.3.8 h1:36IYDgSWI5wG85G+CIwE7WvU5xi+FJvT8KWR8YVT+cA=
-github.com/hyp3rd/ewrap v1.3.8/go.mod h1:ly3lreW7OWbBaX9I4zTKqctJlf9uxNQiUD5zXl2vz4g=
+github.com/hyp3rd/ewrap v1.3.9 h1:4vtnxji/aJdnyR2dfl93R/uYcGrNdi93EbV/r5BYalk=
+github.com/hyp3rd/ewrap v1.3.9/go.mod h1:2AgfjKPZjfBxvlTrbdWrNZzxV3jqmcOHg38aKyXvxpQ=
 github.com/hyp3rd/sectools v1.2.3 h1:XElGIhLOWPJxVLyLPzfKASYjs+3yEkDN48JeSw/Wvjo=
 github.com/hyp3rd/sectools v1.2.3/go.mod h1:iwl65boK1VNhwvRNSQDItdD5xon8W1l+ox4JFTe5WbI=
 github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=

internal/libs/serializer/msgpack.go

@@ -2,31 +2,44 @@ package serializer
 
 import (
 	"github.com/hyp3rd/ewrap"
-	"github.com/shamaton/msgpack/v3"
 )
 
 // MsgpackSerializer leverages `msgpack` to serialize the items before storing them in the cache.
+//
+// Deprecated: This serializer is now a shim and will be removed in a future release for security reasons.
+// REF: https://github.com/shamaton/msgpack/pull/60
+// Please use the `Marshal` method of the `Serializer` interface instead.
 type MsgpackSerializer struct{}
 
 // Marshal serializes the given value into a byte slice.
 // @param v.
-func (*MsgpackSerializer) Marshal(v any) ([]byte, error) { // receiver omitted (unused)
-	data, err := msgpack.Marshal(&v)
-	if err != nil {
-		return nil, ewrap.Wrap(err, "failed to marshal msgpack")
-	}
+//
+// Deprecated: This method is now a shim and will be removed in a future release for security reasons.
+// REF: https://github.com/shamaton/msgpack/pull/60
+// Please use the `Marshal` method of the `Serializer` interface instead.
+func (*MsgpackSerializer) Marshal(_ any) ([]byte, error) { // receiver omitted (unused)
+	// data, err := msgpack.Marshal(&v)
+	// if err != nil {
+	// 	return nil, ewrap.Wrap(err, "failed to marshal msgpack")
+	// }
 
-	return data, nil
+	// return data, nil
+	return nil, ewrap.New("msgpack serialization is deprecated and has been disabled for security reasons")
 }
 
 // Unmarshal deserializes the given byte slice into the given value.
 // @param data
 // @param v.
-func (*MsgpackSerializer) Unmarshal(data []byte, v any) error { // receiver omitted (unused)
-	err := msgpack.Unmarshal(data, v)
-	if err != nil {
-		return ewrap.Wrap(err, "failed to unmarshal msgpack")
-	}
+//
+// Deprecated: This method is now a shim and will be removed in a future release for security reasons.
+// REF: https://github.com/shamaton/msgpack/pull/60
+// Please use the `Marshal` method of the `Serializer` interface instead.
+func (*MsgpackSerializer) Unmarshal(_ []byte, _ any) error { // receiver omitted (unused)
+	// err := msgpack.Unmarshal(data, v)
+	// if err != nil {
+	// 	return ewrap.Wrap(err, "failed to unmarshal msgpack")
+	// }
 
-	return nil
+	// return nil
+	return ewrap.New("msgpack deserialization is deprecated and has been disabled for security reasons")
 }