META-2220 - Bump rardecode to github.com/nwaples/rardecode/v2 v2.2.2

[idoz-jfrog]

No description provided.

[nomaed]

@idoz-jfrog may I ask why the minimum supported go version was changed to go1.25 in go.mod?

The reason I'm asking is that the go directive doesn't change the compiler version, it just sets the minimum version required to compile so even with the old go1.20 directive, it can still be compiled with 1.25. The only other change was upgrading to rardecode v2 which doesn't need go1.25 but it's perfectly fine with go1.21 as the minimum allowed version.

The issue is that organizations that don't have a way to upgrade to the latest version of go (for example because they base their build images on RedHat's UBI9 which currently only goes up to go1.25.3) can't upgrade your library now, which means they also can't patch this specific CVE.

If the change in go.mod is not explicitly required, would it be possible to roll it back to or at least bump it to go1.21 to be compatible with rardecode?

I'd assume that when running go get -u github.com/nwaples/rardecode && go mod tidy && go mod vendor it would automatically only bump it to go1.21 anyhow, since that's rardecode's min requirement: https://github.com/nwaples/rardecode/blob/v2.2.2/go.mod

[idoz-jfrog]

@nomaed agreed with your comment - version v3.6.3 now sets go 1.21.