Bump github.com/docker/compose/v2 to latest to address vulnerability BDSA-2025-14971 #1488

@jetinbtw

Description

Hi Confluent team 👋,

Our project uses github.com/confluentinc/confluent-kafka-go/v2 v2.12.0, and during our Black Duck license/security scan, we observed a High Severity Security Policy Rule violation caused by a transitive dependency on Docker Compose v2.28.1.

Black Duck Advisory: BDSA-2025-14971

Description:
Docker Compose is vulnerable to path traversal due to improper input validation in the handling of remote OCI compose artifacts.
This can allow an attacker to escape the cache directory and overwrite arbitrary files on the machine running Docker Compose, even when executing read-only commands like docker compose config or docker compose ps.

Impacted component (as seen in go mod graph):
github.com/confluentinc/confluent-kafka-go/v2@v2.12.0
└── github.com/docker/compose/v2@v2.28.1

🧰 Suggested fix
Please update the dependency to a non-vulnerable version of Docker Compose, which addresses BDSA-2025-14971.
Example change in go.mod:
require (
github.com/docker/compose/v2 v{latest}
)

🧠 Additional context
The vulnerability isn’t yet in NVD but is officially tracked by Synopsys Black Duck’s security advisory team.
Even though this dependency might not be directly used at runtime, most enterprise CI/CD security policies block builds with unresolved High severity findings.
Upgrading ensures compliance with common SCA policies and helps downstream consumers stay secure.

🙏 Thanks
Thanks for maintaining this library — it’s widely used in production systems, and we appreciate your help in keeping its dependency tree clean and secure.
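The `go mod graph` chain quoted above is the evidence an SCA scanner works from, and a consumer triaging such a finding usually wants two things it does not get from the scanner: every requirement path from their own module to the flagged module, and the version that minimal version selection will actually pick (the highest one any module requires). The program below, which is an added example and not code from confluent-kafka-go, Docker Compose or the issue author, does both over a constructed stand-in for `go mod graph` output. The confluent-kafka-go/v2 -> docker/compose/v2 edge and its versions are taken from the issue; the `example.com/...` modules, the consumer module name `example.com/app` and all other edges are invented to give the graph a realistic shape. The version comparison is a small hand-rolled semver ordering (stdlib only) rather than `golang.org/x/mod/semver`.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// sampleGraph is a CONSTRUCTED stand-in for `go mod graph` output: one
// "parent child" pair per line, every child carrying its version. Only the
// confluent-kafka-go/v2 -> docker/compose/v2 edge mirrors the issue; the
// example.com modules and their edges are invented for illustration.
const sampleGraph = `example.com/app github.com/confluentinc/confluent-kafka-go/v2@v2.12.0
example.com/app example.com/tools@v1.4.0
github.com/confluentinc/confluent-kafka-go/v2@v2.12.0 github.com/docker/compose/v2@v2.28.1
github.com/confluentinc/confluent-kafka-go/v2@v2.12.0 example.com/leaf@v0.3.0
github.com/docker/compose/v2@v2.28.1 example.com/leaf@v0.2.0
example.com/tools@v1.4.0 example.com/leaf@v0.3.0
`

// Graph is an adjacency list keyed by "path@version"; the main module is the
// bare path that appears as the parent on the first line.
type Graph struct {
	Root  string
	Edges map[string][]string
}

// ParseGraph reads `go mod graph` text into a Graph, skipping malformed lines.
func ParseGraph(text string) Graph {
	g := Graph{Edges: map[string][]string{}}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue
		}
		if g.Root == "" {
			g.Root = fields[0]
		}
		g.Edges[fields[0]] = append(g.Edges[fields[0]], fields[1])
	}
	return g
}

// SplitNode separates "path@version"; the main module has an empty version.
func SplitNode(node string) (path, version string) {
	if i := strings.LastIndex(node, "@"); i >= 0 {
		return node[:i], node[i+1:]
	}
	return node, ""
}

// PathsTo returns every acyclic requirement chain from the root to any
// version of modulePath: the "impacted component" trail a scanner reports.
func PathsTo(g Graph, modulePath string) [][]string {
	var out [][]string
	var walk func(node string, trail []string, seen map[string]bool)
	walk = func(node string, trail []string, seen map[string]bool) {
		if seen[node] {
			return
		}
		trail = append(trail, node)
		if p, _ := SplitNode(node); p == modulePath && node != g.Root {
			out = append(out, append([]string(nil), trail...))
			return
		}
		seen[node] = true
		for _, child := range g.Edges[node] {
			walk(child, trail, seen)
		}
		delete(seen, node)
	}
	walk(g.Root, nil, map[string]bool{})
	return out
}

// versionParts parses "vMAJOR.MINOR.PATCH[-pre][+build]" into numbers plus a
// pre-release flag; build metadata is ignored, as semver specifies.
func versionParts(v string) ([3]int, bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	pre := false
	if i := strings.Index(v, "-"); i >= 0 {
		v, pre = v[:i], true
	}
	var n [3]int
	for i, s := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(s)
	}
	return n, pre
}

// CompareVersion orders versions numerically (string comparison would rank
// v2.9.0 above v2.28.1); a pre-release sorts below its release.
func CompareVersion(a, b string) int {
	pa, prea := versionParts(a)
	pb, preb := versionParts(b)
	for i := 0; i < 3; i++ {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	if prea && !preb {
		return -1
	}
	if !prea && preb {
		return 1
	}
	return 0
}

// SelectedVersion mimics minimal version selection: the build uses the highest
// version of modulePath required anywhere in the graph.
func SelectedVersion(g Graph, modulePath string) string {
	best := ""
	consider := func(node string) {
		if p, v := SplitNode(node); p == modulePath && v != "" && (best == "" || CompareVersion(v, best) > 0) {
			best = v
		}
	}
	for parent, children := range g.Edges {
		consider(parent)
		for _, c := range children {
			consider(c)
		}
	}
	return best
}

// Affected reports whether the selected version is older than fixedVersion.
func Affected(g Graph, modulePath, fixedVersion string) bool {
	sel := SelectedVersion(g, modulePath)
	return sel != "" && CompareVersion(sel, fixedVersion) < 0
}

func main() {
	const target = "github.com/docker/compose/v2"
	g := ParseGraph(sampleGraph)
	for _, p := range PathsTo(g, target) {
		fmt.Println(strings.Join(p, " -> "))
	}
	fmt.Println("selected:", SelectedVersion(g, target))
	// The issue does not name the fixed Compose version, so it is taken from
	// the command line instead of being guessed here.
	if len(os.Args) > 1 {
		fmt.Println("below fixed version:", Affected(g, target, os.Args[1]))
	}
}
```

To run this against a real module, replace `sampleGraph` with the output of `go mod graph` from the consumer's module root. Two caveats a practitioner should keep in mind: `go mod graph` lists module requirements, so a path here confirms the requirement edge the scanner flagged but not that any Compose package is compiled into the consumer's binaries (`go mod why -m github.com/docker/compose/v2` answers that); and because Compose is a direct requirement of confluent-kafka-go/v2, the consumer cannot remove the edge, but adding a `require github.com/docker/compose/v2 <fixed version>` line to their own go.mod raises the version that minimal version selection picks, which is a workable interim step until the upstream bump lands.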
