chore: complete mergo migration — port remaining call sites in merge_yaml_functions.go and config_loader.go

## Summary

PR [#2201](https://github.com/cloudposse/atmos/pull/2201) replaced the hot-path deep merge implementation with a native Go implementation (`deepMergeNative`) that is ~3.5× faster. However, the `mergo` library is still used in two lower-traffic call sites:

- `pkg/merge/merge_yaml_functions.go` — YAML function merge helpers
- `pkg/devcontainer/config_loader.go` — devcontainer config loading

## Goal

1. Port `pkg/merge/merge_yaml_functions.go` to use `deepMergeNative` / `MergeWithOptions`
2. Port `pkg/devcontainer/config_loader.go` to use the native merge
3. Remove `dario.cat/mergo` from `go.mod` / `go.sum` entirely (eliminates CVE surface)

## Why

Until these sites are ported, a future CVE in `mergo` could still affect atmos. The dependency should be dropped once no call sites remain.

## References

- PR #2201 — native deep merge hot-path
- Blog post: [3.5× faster deep merge](https://cloudposse.github.io/atmos/blog/faster-deep-merge)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore: complete mergo migration — port remaining call sites in merge_yaml_functions.go and config_loader.go #2242

Summary

Goal

Why

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

chore: complete mergo migration — port remaining call sites in merge_yaml_functions.go and config_loader.go #2242

Description

Summary

Goal

Why

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions