ref(modernize): modernize go code (#6114)

.golangci.yaml

@@ -24,6 +24,7 @@ linters:
     - govet
     - ineffassign
     - misspell
+    - modernize # A suite of analyzers that suggest simplifications to Go code, using modern language and library features. https://golangci-lint.run/docs/linters/configuration/#modernize
     - nakedret
     - nolintlint
     - prealloc
@@ -74,6 +75,9 @@ linters:
     #        - QF1008
     misspell:
       locale: US
+    modernize:
+      disable:
+        - omitzero
   exclusions:
     rules:
       # Exclude some linters from running on tests files.

apis/externalsecrets/v1/fakes/pushremoteref.go

@@ -18,6 +18,7 @@ limitations under the License.
 package fakes
 
 import (
+	"maps"
 	"sync"
 
 	v1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
@@ -109,9 +110,7 @@ func (fake *PushRemoteRef) Invocations() map[string][][]any {
 	fake.getRemoteKeyMutex.RLock()
 	defer fake.getRemoteKeyMutex.RUnlock()
 	copiedInvocations := map[string][][]any{}
-	for key, value := range fake.invocations {
-		copiedInvocations[key] = value
-	}
+	maps.Copy(copiedInvocations, fake.invocations)
 	return copiedInvocations
 }
 

apis/externalsecrets/v1/register.go

@@ -42,7 +42,7 @@ var (
 
 // ExternalSecret type metadata.
 var (
-	ExtSecretKind             = reflect.TypeOf(ExternalSecret{}).Name()
+	ExtSecretKind             = reflect.TypeFor[ExternalSecret]().Name()
 	ExtSecretGroupKind        = schema.GroupKind{Group: Group, Kind: ExtSecretKind}.String()
 	ExtSecretKindAPIVersion   = ExtSecretKind + "." + SchemeGroupVersion.String()
 	ExtSecretGroupVersionKind = SchemeGroupVersion.WithKind(ExtSecretKind)
@@ -50,7 +50,7 @@ var (
 
 // ClusterExternalSecret type metadata.
 var (
-	ClusterExtSecretKind             = reflect.TypeOf(ClusterExternalSecret{}).Name()
+	ClusterExtSecretKind             = reflect.TypeFor[ClusterExternalSecret]().Name()
 	ClusterExtSecretGroupKind        = schema.GroupKind{Group: Group, Kind: ClusterExtSecretKind}.String()
 	ClusterExtSecretKindAPIVersion   = ClusterExtSecretKind + "." + SchemeGroupVersion.String()
 	ClusterExtSecretGroupVersionKind = SchemeGroupVersion.WithKind(ClusterExtSecretKind)
@@ -58,7 +58,7 @@ var (
 
 // SecretStore type metadata.
 var (
-	SecretStoreKind             = reflect.TypeOf(SecretStore{}).Name()
+	SecretStoreKind             = reflect.TypeFor[SecretStore]().Name()
 	SecretStoreGroupKind        = schema.GroupKind{Group: Group, Kind: SecretStoreKind}.String()
 	SecretStoreKindAPIVersion   = SecretStoreKind + "." + SchemeGroupVersion.String()
 	SecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(SecretStoreKind)
@@ -66,7 +66,7 @@ var (
 
 // ClusterSecretStore type metadata.
 var (
-	ClusterSecretStoreKind             = reflect.TypeOf(ClusterSecretStore{}).Name()
+	ClusterSecretStoreKind             = reflect.TypeFor[ClusterSecretStore]().Name()
 	ClusterSecretStoreGroupKind        = schema.GroupKind{Group: Group, Kind: ClusterSecretStoreKind}.String()
 	ClusterSecretStoreKindAPIVersion   = ClusterSecretStoreKind + "." + SchemeGroupVersion.String()
 	ClusterSecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(ClusterSecretStoreKind)

apis/externalsecrets/v1alpha1/register.go

@@ -41,7 +41,7 @@ var (
 
 var (
 	// PushSecretKind is the kind name used for PushSecret resources.
-	PushSecretKind = reflect.TypeOf(PushSecret{}).Name()
+	PushSecretKind = reflect.TypeFor[PushSecret]().Name()
 	// PushSecretGroupKind is the group/kind used for PushSecret resources.
 	PushSecretGroupKind = schema.GroupKind{Group: Group, Kind: PushSecretKind}.String()
 	// PushSecretKindAPIVersion is the kind/apiVersion used for PushSecret resources.
@@ -52,7 +52,7 @@ var (
 
 var (
 	// ClusterPushSecretKind is the kind name used for ClusterPushSecret resources.
-	ClusterPushSecretKind = reflect.TypeOf(ClusterPushSecret{}).Name()
+	ClusterPushSecretKind = reflect.TypeFor[ClusterPushSecret]().Name()
 	// ClusterPushSecretGroupKind is the group/kind used for ClusterPushSecret resources.
 	ClusterPushSecretGroupKind = schema.GroupKind{Group: Group, Kind: ClusterPushSecretKind}.String()
 	// ClusterPushSecretKindAPIVersion is the kind/apiVersion used for ClusterPushSecret resources.

apis/externalsecrets/v1beta1/fakes/pushremoteref.go

@@ -18,6 +18,7 @@ limitations under the License.
 package fakes
 
 import (
+	"maps"
 	"sync"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
@@ -109,9 +110,7 @@ func (fake *PushRemoteRef) Invocations() map[string][][]any {
 	fake.getRemoteKeyMutex.RLock()
 	defer fake.getRemoteKeyMutex.RUnlock()
 	copiedInvocations := map[string][][]any{}
-	for key, value := range fake.invocations {
-		copiedInvocations[key] = value
-	}
+	maps.Copy(copiedInvocations, fake.invocations)
 	return copiedInvocations
 }
 

apis/externalsecrets/v1beta1/register.go

@@ -42,7 +42,7 @@ var (
 
 // ExternalSecret type metadata.
 var (
-	ExtSecretKind             = reflect.TypeOf(ExternalSecret{}).Name()
+	ExtSecretKind             = reflect.TypeFor[ExternalSecret]().Name()
 	ExtSecretGroupKind        = schema.GroupKind{Group: Group, Kind: ExtSecretKind}.String()
 	ExtSecretKindAPIVersion   = ExtSecretKind + "." + SchemeGroupVersion.String()
 	ExtSecretGroupVersionKind = SchemeGroupVersion.WithKind(ExtSecretKind)
@@ -50,7 +50,7 @@ var (
 
 // ClusterExternalSecret type metadata.
 var (
-	ClusterExtSecretKind             = reflect.TypeOf(ClusterExternalSecret{}).Name()
+	ClusterExtSecretKind             = reflect.TypeFor[ClusterExternalSecret]().Name()
 	ClusterExtSecretGroupKind        = schema.GroupKind{Group: Group, Kind: ClusterExtSecretKind}.String()
 	ClusterExtSecretKindAPIVersion   = ClusterExtSecretKind + "." + SchemeGroupVersion.String()
 	ClusterExtSecretGroupVersionKind = SchemeGroupVersion.WithKind(ClusterExtSecretKind)
@@ -58,7 +58,7 @@ var (
 
 // SecretStore type metadata.
 var (
-	SecretStoreKind             = reflect.TypeOf(SecretStore{}).Name()
+	SecretStoreKind             = reflect.TypeFor[SecretStore]().Name()
 	SecretStoreGroupKind        = schema.GroupKind{Group: Group, Kind: SecretStoreKind}.String()
 	SecretStoreKindAPIVersion   = SecretStoreKind + "." + SchemeGroupVersion.String()
 	SecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(SecretStoreKind)
@@ -66,7 +66,7 @@ var (
 
 // ClusterSecretStore type metadata.
 var (
-	ClusterSecretStoreKind             = reflect.TypeOf(ClusterSecretStore{}).Name()
+	ClusterSecretStoreKind             = reflect.TypeFor[ClusterSecretStore]().Name()
 	ClusterSecretStoreGroupKind        = schema.GroupKind{Group: Group, Kind: ClusterSecretStoreKind}.String()
 	ClusterSecretStoreKindAPIVersion   = ClusterSecretStoreKind + "." + SchemeGroupVersion.String()
 	ClusterSecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(ClusterSecretStoreKind)

apis/generators/v1alpha1/register.go

@@ -42,37 +42,37 @@ var (
 
 var (
 	// ECRAuthorizationTokenKind is the kind name for ECRAuthorizationToken resource.
-	ECRAuthorizationTokenKind = reflect.TypeOf(ECRAuthorizationToken{}).Name()
+	ECRAuthorizationTokenKind = reflect.TypeFor[ECRAuthorizationToken]().Name()
 	// STSSessionTokenKind is the kind name for STSSessionToken resource.
-	STSSessionTokenKind = reflect.TypeOf(STSSessionToken{}).Name()
+	STSSessionTokenKind = reflect.TypeFor[STSSessionToken]().Name()
 	// GCRAccessTokenKind is the kind name for GCRAccessToken resource.
-	GCRAccessTokenKind = reflect.TypeOf(GCRAccessToken{}).Name()
+	GCRAccessTokenKind = reflect.TypeFor[GCRAccessToken]().Name()
 	// ACRAccessTokenKind is the kind name for ACRAccessToken resource.
-	ACRAccessTokenKind = reflect.TypeOf(ACRAccessToken{}).Name()
+	ACRAccessTokenKind = reflect.TypeFor[ACRAccessToken]().Name()
 	// PasswordKind is the kind name for Password resource.
-	PasswordKind = reflect.TypeOf(Password{}).Name()
+	PasswordKind = reflect.TypeFor[Password]().Name()
 	// SSHKeyKind is the kind name for SSHKey resource.
-	SSHKeyKind = reflect.TypeOf(SSHKey{}).Name()
+	SSHKeyKind = reflect.TypeFor[SSHKey]().Name()
 	// WebhookKind is the kind name for Webhook resource.
-	WebhookKind = reflect.TypeOf(Webhook{}).Name()
+	WebhookKind = reflect.TypeFor[Webhook]().Name()
 	// FakeKind is the kind name for Fake resource.
-	FakeKind = reflect.TypeOf(Fake{}).Name()
+	FakeKind = reflect.TypeFor[Fake]().Name()
 	// VaultDynamicSecretKind is the kind name for VaultDynamicSecret resource.
-	VaultDynamicSecretKind = reflect.TypeOf(VaultDynamicSecret{}).Name()
+	VaultDynamicSecretKind = reflect.TypeFor[VaultDynamicSecret]().Name()
 	// GithubAccessTokenKind is the kind name for GithubAccessToken resource.
-	GithubAccessTokenKind = reflect.TypeOf(GithubAccessToken{}).Name()
+	GithubAccessTokenKind = reflect.TypeFor[GithubAccessToken]().Name()
 	// QuayAccessTokenKind is the kind name for QuayAccessToken resource.
-	QuayAccessTokenKind = reflect.TypeOf(QuayAccessToken{}).Name()
+	QuayAccessTokenKind = reflect.TypeFor[QuayAccessToken]().Name()
 	// UUIDKind is the kind name for UUID resource.
-	UUIDKind = reflect.TypeOf(UUID{}).Name()
+	UUIDKind = reflect.TypeFor[UUID]().Name()
 	// GrafanaKind is the kind name for Grafana resource.
-	GrafanaKind = reflect.TypeOf(Grafana{}).Name()
+	GrafanaKind = reflect.TypeFor[Grafana]().Name()
 	// MFAKind is the kind name for MFA resource.
-	MFAKind = reflect.TypeOf(MFA{}).Name()
+	MFAKind = reflect.TypeFor[MFA]().Name()
 	// ClusterGeneratorKind is the kind name for ClusterGenerator resource.
-	ClusterGeneratorKind = reflect.TypeOf(ClusterGenerator{}).Name()
+	ClusterGeneratorKind = reflect.TypeFor[ClusterGenerator]().Name()
 	// CloudsmithAccessTokenKind is the kind name for CloudsmithAccessToken resource.
-	CloudsmithAccessTokenKind = reflect.TypeOf(CloudsmithAccessToken{}).Name()
+	CloudsmithAccessTokenKind = reflect.TypeFor[CloudsmithAccessToken]().Name()
 )
 
 func init() {

generators/v1/acr/acr_test.go

@@ -74,7 +74,7 @@ func TestGenerate(t *testing.T) {
 			name: "return acr access token if scope is defined",
 			args: args{
 				jsonSpec: &apiextensions.JSON{
-					Raw: []byte(fmt.Sprintf(`apiVersion: generators.external-secrets.io/v1alpha1
+					Raw: fmt.Appendf(nil, `apiVersion: generators.external-secrets.io/v1alpha1
 kind: ACRAccessToken
 spec:
   tenantId: %s
@@ -89,7 +89,7 @@ spec:
           key: clientsecret
         clientId:
           name: az-secret
-          key: clientid`, testUsername, testURL)),
+          key: clientid`, testUsername, testURL),
 				},
 				crClient: clientfake.NewClientBuilder().WithObjects(&v1.Secret{
 					ObjectMeta: metav1.ObjectMeta{
@@ -133,7 +133,7 @@ spec:
 			name: "return acr refresh token if scope is not defined",
 			args: args{
 				jsonSpec: &apiextensions.JSON{
-					Raw: []byte(fmt.Sprintf(`apiVersion: generators.external-secrets.io/v1alpha1
+					Raw: fmt.Appendf(nil, `apiVersion: generators.external-secrets.io/v1alpha1
 kind: ACRAccessToken
 spec:
   tenantId: %s
@@ -147,7 +147,7 @@ spec:
           key: clientsecret
         clientId:
           name: az-secret
-          key: clientid`, testUsername, testURL)),
+          key: clientid`, testUsername, testURL),
 				},
 				crClient: clientfake.NewClientBuilder().WithObjects(&v1.Secret{
 					ObjectMeta: metav1.ObjectMeta{

generators/v1/ecr/ecr_test.go

@@ -32,7 +32,6 @@ import (
 	v1 "k8s.io/api/core/v1"
 	apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	utilpointer "k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
 )
@@ -94,8 +93,8 @@ func TestGenerate(t *testing.T) {
 					return &ecr.GetAuthorizationTokenOutput{
 						AuthorizationData: []ecrtypes.AuthorizationData{
 							{
-								AuthorizationToken: utilpointer.To(base64.StdEncoding.EncodeToString([]byte("uuser:pass"))),
-								ProxyEndpoint:      utilpointer.To("foo"),
+								AuthorizationToken: new(base64.StdEncoding.EncodeToString([]byte("uuser:pass"))),
+								ProxyEndpoint:      new("foo"),
 								ExpiresAt:          &t,
 							},
 						},
@@ -134,7 +133,7 @@ spec:
 					t := time.Unix(5678, 0)
 					return &ecrpublic.GetAuthorizationTokenOutput{
 						AuthorizationData: &ecrpublictypes.AuthorizationData{
-							AuthorizationToken: utilpointer.To(base64.StdEncoding.EncodeToString([]byte("pubuser:pubpass"))),
+							AuthorizationToken: new(base64.StdEncoding.EncodeToString([]byte("pubuser:pubpass"))),
 							ExpiresAt:          &t,
 						},
 					}, nil

generators/v1/ecr/go.mod

@@ -12,7 +12,6 @@ require (
 	k8s.io/api v0.35.0
 	k8s.io/apiextensions-apiserver v0.35.0
 	k8s.io/apimachinery v0.35.0
-	k8s.io/utils v0.0.0-20260108192941-914a6e750570
 	sigs.k8s.io/controller-runtime v0.23.1
 	sigs.k8s.io/yaml v1.6.0
 )
@@ -84,6 +83,7 @@ require (
 	k8s.io/client-go v0.35.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4 // indirect
+	k8s.io/utils v0.0.0-20260108192941-914a6e750570 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 // indirect

generators/v1/github/github.go

@@ -97,7 +97,7 @@ func (g *Generator) generate(
 		return nil, nil, fmt.Errorf("error creating request: %w", err)
 	}
 
-	payload := make(map[string]interface{})
+	payload := make(map[string]any)
 	if gh.Permissions != nil {
 		payload["permissions"] = gh.Permissions
 	}

generators/v1/github/github_test.go

@@ -116,7 +116,7 @@ func TestGenerate(t *testing.T) {
 					},
 				}).Build(),
 				jsonSpec: &apiextensions.JSON{
-					Raw: []byte(fmt.Sprintf(`apiVersion: generators.external-secrets.io/v1alpha1
+					Raw: fmt.Appendf(nil, `apiVersion: generators.external-secrets.io/v1alpha1
 kind: GithubToken
 spec:
   appID: "0000000"
@@ -131,7 +131,7 @@ spec:
       secretRef:
         name: "testName"
         namespace: "foo"
-        key: "privateKey"`, server.URL)),
+        key: "privateKey"`, server.URL),
 				},
 			},
 			want: map[string][]byte{
@@ -157,7 +157,7 @@ spec:
 					},
 				}).Build(),
 				jsonSpec: &apiextensions.JSON{
-					Raw: []byte(fmt.Sprintf(`apiVersion: generators.external-secrets.io/v1alpha1
+					Raw: fmt.Appendf(nil, `apiVersion: generators.external-secrets.io/v1alpha1
 kind: GithubToken
 spec:
   appID: "0000000"
@@ -172,7 +172,7 @@ spec:
       secretRef:
         name: "testName"
         namespace: "foo"
-        key: "privateKey"`, badServer.URL)),
+        key: "privateKey"`, badServer.URL),
 				},
 			},
 			assertErr: func(t *testing.T, err error) {

generators/v1/grafana/go.mod

@@ -8,7 +8,6 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/grafana/grafana-openapi-client-go v0.0.0-20250925215610-d92957c70d5c
 	k8s.io/apiextensions-apiserver v0.35.0
-	k8s.io/utils v0.0.0-20260108192941-914a6e750570
 	sigs.k8s.io/controller-runtime v0.23.1
 )
 
@@ -83,6 +82,7 @@ require (
 	k8s.io/client-go v0.35.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4 // indirect
+	k8s.io/utils v0.0.0-20260108192941-914a6e750570 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 // indirect

generators/v1/grafana/grafana.go

@@ -29,7 +29,6 @@ import (
 	grafanasa "github.com/grafana/grafana-openapi-client-go/client/service_accounts"
 	"github.com/grafana/grafana-openapi-client-go/models"
 	apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
@@ -67,7 +66,7 @@ func (w *Grafana) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kc
 	if err != nil {
 		return nil, nil, err
 	}
-	state.ServiceAccount.ServiceAccountTokenID = ptr.To(res.Payload.ID)
+	state.ServiceAccount.ServiceAccountTokenID = new(res.Payload.ID)
 	return tokenResponse(state, res.Payload.Key)
 }
 
@@ -151,7 +150,7 @@ func setGrafanaClientCredentials(ctx context.Context, gen *genv1alpha1.Grafana,
 
 func createOrGetServiceAccount(cl *grafanaclient.GrafanaHTTPAPI, gen *genv1alpha1.Grafana) (*genv1alpha1.GrafanaServiceAccountTokenState, error) {
 	saList, err := cl.ServiceAccounts.SearchOrgServiceAccountsWithPaging(&grafanasa.SearchOrgServiceAccountsWithPagingParams{
-		Query: ptr.To(gen.Spec.ServiceAccount.Name),
+		Query: new(gen.Spec.ServiceAccount.Name),
 	})
 	if err != nil {
 		return nil, err
@@ -179,7 +178,7 @@ func createOrGetServiceAccount(cl *grafanaclient.GrafanaHTTPAPI, gen *genv1alpha
 
 	return &genv1alpha1.GrafanaServiceAccountTokenState{
 		ServiceAccount: genv1alpha1.GrafanaStateServiceAccount{
-			ServiceAccountID:    ptr.To(res.Payload.ID),
+			ServiceAccountID:    new(res.Payload.ID),
 			ServiceAccountLogin: &res.Payload.Login,
 		},
 	}, nil

generators/v1/quay/quay.go

@@ -135,7 +135,7 @@ func getQuayRobotToken(ctx context.Context, fedToken, robotAccount, url string,
 		return "", err
 	}
 
-	var result map[string]interface{}
+	var result map[string]any
 
 	err = json.Unmarshal(body, &result)
 	if err != nil {

generators/v1/vault/vault_test.go

@@ -272,7 +272,7 @@ spec:
 					func(cl *fake.VaultClient) {
 						cl.MockLogical.ReadWithDataWithContextFn = func(ctx context.Context, path string, data map[string][]string) (*vaultapi.Secret, error) {
 							return &vaultapi.Secret{
-								Data: map[string]interface{}{
+								Data: map[string]any{
 									"key": "value",
 								},
 							}, nil
@@ -363,7 +363,7 @@ spec:
 						cl.MockLogical.ReadWithDataWithContextFn = func(ctx context.Context, path string, data map[string][]string) (*vaultapi.Secret, error) {
 							return &vaultapi.Secret{
 								LeaseID: "123",
-								Data: map[string]interface{}{
+								Data: map[string]any{
 									"key": "value",
 								},
 							}, nil

pkg/controllers/clusterexternalsecret/cesmetrics/cesmetrics.go

@@ -18,6 +18,8 @@ limitations under the License.
 package cesmetrics
 
 import (
+	"maps"
+
 	"github.com/prometheus/client_golang/prometheus"
 	v1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/metrics"
@@ -73,9 +75,7 @@ func UpdateClusterExternalSecretCondition(ces *esv1.ClusterExternalSecret, condi
 
 	cesInfo := make(map[string]string)
 	cesInfo["name"] = ces.Name
-	for k, v := range ces.Labels {
-		cesInfo[k] = v
-	}
+	maps.Copy(cesInfo, ces.Labels)
 	conditionLabels := ctrlmetrics.RefineConditionMetricLabels(cesInfo)
 	clusterExternalSecretCondition := GetGaugeVec(ClusterExternalSecretStatusConditionKey)
 

pkg/controllers/clusterpushsecret/cpsmetrics/cpsmetrics.go

@@ -18,6 +18,8 @@ limitations under the License.
 package cpsmetrics
 
 import (
+	"maps"
+
 	"github.com/prometheus/client_golang/prometheus"
 	v1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/metrics"
@@ -72,9 +74,7 @@ func UpdateClusterPushSecretCondition(ces *v1alpha1.ClusterPushSecret, condition
 
 	cesInfo := make(map[string]string)
 	cesInfo["name"] = ces.Name
-	for k, v := range ces.Labels {
-		cesInfo[k] = v
-	}
+	maps.Copy(cesInfo, ces.Labels)
 	conditionLabels := ctrlmetrics.RefineConditionMetricLabels(cesInfo)
 	ClusterPushSecretCondition := GetGaugeVec(ClusterPushSecretStatusConditionKey)
 

pkg/controllers/common/common.go

@@ -26,7 +26,6 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/selection"
 	"k8s.io/client-go/util/workqueue"
-	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -105,7 +104,7 @@ func BuildControllerOptions(concurrent int) controller.Options {
 	return controller.Options{
 		MaxConcurrentReconciles: concurrent,
 		RateLimiter:             BuildRateLimiter(),
-		UsePriorityQueue:        ptr.To(false),
+		UsePriorityQueue:        new(false),
 	}
 }
 

pkg/controllers/externalsecret/esmetrics/esmetrics.go

@@ -18,6 +18,8 @@ limitations under the License.
 package esmetrics
 
 import (
+	"maps"
+
 	"github.com/prometheus/client_golang/prometheus"
 	v1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/metrics"
@@ -89,9 +91,7 @@ func UpdateExternalSecretCondition(es *esv1.ExternalSecret, condition *esv1.Exte
 	esInfo := make(map[string]string)
 	esInfo["name"] = es.Name
 	esInfo["namespace"] = es.Namespace
-	for k, v := range es.Labels {
-		esInfo[k] = v
-	}
+	maps.Copy(esInfo, es.Labels)
 	conditionLabels := ctrlmetrics.RefineConditionMetricLabels(esInfo)
 	externalSecretCondition := GetGaugeVec(ExternalSecretStatusConditionKey)
 

pkg/controllers/externalsecret/externalsecret_controller.go

@@ -489,7 +489,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ct
 
 		// set the immutable flag on the secret if requested by the ExternalSecret
 		if externalSecret.Spec.Target.Immutable {
-			secret.Immutable = ptr.To(true)
+			secret.Immutable = new(true)
 		}
 
 		// only apply the template if the secret is mutable or if the secret is new (has no UID)

pkg/controllers/externalsecret/externalsecret_controller_manifest.go

@@ -19,6 +19,7 @@ package externalsecret
 import (
 	"context"
 	"fmt"
+	"maps"
 
 	"github.com/go-logr/logr"
 	v1 "k8s.io/api/core/v1"
@@ -183,9 +184,9 @@ func (r *Reconciler) applyTemplateToManifest(ctx context.Context, es *esv1.Exter
 		obj.SetNamespace(es.Namespace)
 		switch gvk.Kind {
 		case "ConfigMap", "Secret":
-			obj.Object["data"] = map[string]interface{}{}
+			obj.Object["data"] = map[string]any{}
 		default:
-			obj.Object["spec"] = map[string]interface{}{}
+			obj.Object["spec"] = map[string]any{}
 		}
 	}
 
@@ -199,12 +200,8 @@ func (r *Reconciler) applyTemplateToManifest(ctx context.Context, es *esv1.Exter
 	}
 
 	if es.Spec.Target.Template != nil {
-		for k, v := range es.Spec.Target.Template.Metadata.Labels {
-			labels[k] = v
-		}
-		for k, v := range es.Spec.Target.Template.Metadata.Annotations {
-			annotations[k] = v
-		}
+		maps.Copy(labels, es.Spec.Target.Template.Metadata.Labels)
+		maps.Copy(annotations, es.Spec.Target.Template.Metadata.Annotations)
 	}
 
 	labels[esv1.LabelManaged] = esv1.LabelManagedValue

pkg/controllers/externalsecret/externalsecret_controller_manifest_test.go

@@ -30,7 +30,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes/scheme"
-	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
@@ -312,7 +311,7 @@ func TestCreateSimpleManifest(t *testing.T) {
 				"config": []byte("my-config"),
 			},
 			validate: func(t *testing.T, obj *unstructured.Unstructured) {
-				spec, ok := obj.Object["spec"].(map[string]interface{})
+				spec, ok := obj.Object["spec"].(map[string]any)
 				require.True(t, ok, "spec should be map[string]interface{}")
 				data, ok := spec["data"].(map[string]string)
 				require.True(t, ok, "spec.data should be map[string]string")
@@ -325,7 +324,7 @@ func TestCreateSimpleManifest(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Reconciler{}
 			obj := &unstructured.Unstructured{
-				Object: make(map[string]interface{}),
+				Object: make(map[string]any),
 			}
 			obj.SetKind(tt.kind)
 
@@ -454,14 +453,14 @@ func TestGetGenericResource(t *testing.T) {
 
 	// Create a ConfigMap to find
 	existingConfigMap := &unstructured.Unstructured{
-		Object: map[string]interface{}{
+		Object: map[string]any{
 			"apiVersion": "v1",
 			"kind":       "ConfigMap",
-			"metadata": map[string]interface{}{
+			"metadata": map[string]any{
 				"name":      "test-cm",
 				"namespace": "default",
 			},
-			"data": map[string]interface{}{
+			"data": map[string]any{
 				"key": "value",
 			},
 		},
@@ -572,7 +571,7 @@ func TestApplyTemplateToManifest_LiteralWithDeployment(t *testing.T) {
 					TemplateFrom: []esv1.TemplateFrom{
 						{
 							Target: "spec",
-							Literal: ptr.To(`
+							Literal: new(`
 replicas: {{ .replicas }}
 selector:
   matchLabels:
@@ -653,7 +652,7 @@ func TestApplyTemplateToManifest_MergeBehavior(t *testing.T) {
 					TemplateFrom: []esv1.TemplateFrom{
 						{
 							Target:  "spec.slack",
-							Literal: ptr.To(`api_url: {{ .url }}`),
+							Literal: new(`api_url: {{ .url }}`),
 						},
 					},
 				},
@@ -662,18 +661,18 @@ func TestApplyTemplateToManifest_MergeBehavior(t *testing.T) {
 	}
 
 	existingResource := &unstructured.Unstructured{
-		Object: map[string]interface{}{
+		Object: map[string]any{
 			"apiVersion": "notification.toolkit.fluxcd.io/v1beta1",
 			"kind":       "Provider",
-			"metadata": map[string]interface{}{
+			"metadata": map[string]any{
 				"name":            "test-slack-config",
 				"namespace":       "default",
 				"resourceVersion": "12345",
 				"uid":             "test-uid-123",
 			},
-			"spec": map[string]interface{}{
+			"spec": map[string]any{
 				"type": "slack",
-				"slack": map[string]interface{}{
+				"slack": map[string]any{
 					"channel":  "general",
 					"username": "bot",
 				},
@@ -725,33 +724,33 @@ func TestGenericTargetContentHash(t *testing.T) {
 		{
 			name: "hashes spec field",
 			obj: &unstructured.Unstructured{
-				Object: map[string]interface{}{
-					"spec": map[string]interface{}{"key": "val"},
+				Object: map[string]any{
+					"spec": map[string]any{"key": "val"},
 				},
 			},
 		},
 		{
 			name: "hashes data field when no spec",
 			obj: &unstructured.Unstructured{
-				Object: map[string]interface{}{
-					"data": map[string]interface{}{"key": "val"},
+				Object: map[string]any{
+					"data": map[string]any{"key": "val"},
 				},
 			},
 		},
 		{
 			name: "prefers spec over data",
 			obj: &unstructured.Unstructured{
-				Object: map[string]interface{}{
-					"spec": map[string]interface{}{"a": "1"},
-					"data": map[string]interface{}{"b": "2"},
+				Object: map[string]any{
+					"spec": map[string]any{"a": "1"},
+					"data": map[string]any{"b": "2"},
 				},
 			},
 		},
 		{
 			name: "errors when neither spec nor data",
 			obj: &unstructured.Unstructured{
-				Object: map[string]interface{}{
-					"status": map[string]interface{}{"ready": true},
+				Object: map[string]any{
+					"status": map[string]any{"ready": true},
 				},
 			},
 			wantErr: true,
@@ -772,11 +771,11 @@ func TestGenericTargetContentHash(t *testing.T) {
 	}
 
 	t.Run("spec preferred over data produces spec hash", func(t *testing.T) {
-		specData := map[string]interface{}{"a": "1"}
+		specData := map[string]any{"a": "1"}
 		obj := &unstructured.Unstructured{
-			Object: map[string]interface{}{
+			Object: map[string]any{
 				"spec": specData,
-				"data": map[string]interface{}{"b": "2"},
+				"data": map[string]any{"b": "2"},
 			},
 		}
 		hash, err := genericTargetContentHash(obj)
@@ -796,7 +795,7 @@ func TestIsGenericTargetValid(t *testing.T) {
 		}
 	}
 
-	makeTarget := func(uid string, labels map[string]string, annotations map[string]string, obj map[string]interface{}) *unstructured.Unstructured {
+	makeTarget := func(uid string, labels map[string]string, annotations map[string]string, obj map[string]any) *unstructured.Unstructured {
 		u := &unstructured.Unstructured{Object: obj}
 		if uid != "" {
 			u.SetUID(types.UID(uid))
@@ -819,15 +818,15 @@ func TestIsGenericTargetValid(t *testing.T) {
 	})
 
 	t.Run("empty UID is invalid", func(t *testing.T) {
-		obj := &unstructured.Unstructured{Object: map[string]interface{}{}}
+		obj := &unstructured.Unstructured{Object: map[string]any{}}
 		valid, err := isGenericTargetValid(obj, makeES(esv1.CreatePolicyOwner))
 		require.NoError(t, err)
 		assert.False(t, valid)
 	})
 
 	t.Run("not managed is invalid", func(t *testing.T) {
-		obj := makeTarget("some-uid", map[string]string{}, nil, map[string]interface{}{
-			"spec": map[string]interface{}{"key": "val"},
+		obj := makeTarget("some-uid", map[string]string{}, nil, map[string]any{
+			"spec": map[string]any{"key": "val"},
 		})
 		valid, err := isGenericTargetValid(obj, makeES(esv1.CreatePolicyOwner))
 		require.NoError(t, err)
@@ -839,7 +838,7 @@ func TestIsGenericTargetValid(t *testing.T) {
 			"some-uid",
 			map[string]string{esv1.LabelManaged: esv1.LabelManagedValue},
 			map[string]string{esv1.AnnotationDataHash: "wrong-hash"},
-			map[string]interface{}{"spec": map[string]interface{}{"key": "val"}},
+			map[string]any{"spec": map[string]any{"key": "val"}},
 		)
 		valid, err := isGenericTargetValid(obj, makeES(esv1.CreatePolicyOwner))
 		require.NoError(t, err)
@@ -847,13 +846,13 @@ func TestIsGenericTargetValid(t *testing.T) {
 	})
 
 	t.Run("matching hash is valid", func(t *testing.T) {
-		specData := map[string]interface{}{"key": "val"}
+		specData := map[string]any{"key": "val"}
 		hash := esutils.ObjectHash(specData)
 		obj := makeTarget(
 			"some-uid",
 			map[string]string{esv1.LabelManaged: esv1.LabelManagedValue},
 			map[string]string{esv1.AnnotationDataHash: hash},
-			map[string]interface{}{"spec": specData},
+			map[string]any{"spec": specData},
 		)
 		valid, err := isGenericTargetValid(obj, makeES(esv1.CreatePolicyOwner))
 		require.NoError(t, err)
@@ -865,7 +864,7 @@ func TestIsGenericTargetValid(t *testing.T) {
 			"some-uid",
 			map[string]string{esv1.LabelManaged: esv1.LabelManagedValue},
 			nil,
-			map[string]interface{}{"status": map[string]interface{}{}},
+			map[string]any{"status": map[string]any{}},
 		)
 		_, err := isGenericTargetValid(obj, makeES(esv1.CreatePolicyOwner))
 		assert.Error(t, err)

pkg/controllers/externalsecret/informer_manager.go

@@ -158,19 +158,19 @@ type enqueueHandler struct {
 	log            logr.Logger
 }
 
-func (h *enqueueHandler) OnAdd(obj interface{}, _ bool) {
+func (h *enqueueHandler) OnAdd(obj any, _ bool) {
 	h.enqueue(obj)
 }
 
-func (h *enqueueHandler) OnUpdate(_, newObj interface{}) {
+func (h *enqueueHandler) OnUpdate(_, newObj any) {
 	h.enqueue(newObj)
 }
 
-func (h *enqueueHandler) OnDelete(obj interface{}) {
+func (h *enqueueHandler) OnDelete(obj any) {
 	h.enqueue(obj)
 }
 
-func (h *enqueueHandler) enqueue(obj interface{}) {
+func (h *enqueueHandler) enqueue(obj any) {
 	// Extract metadata
 	meta, ok := obj.(metav1.Object)
 	if !ok {

pkg/controllers/externalsecret/suite_test.go

@@ -136,7 +136,7 @@ var _ = AfterSuite(func() {
 		// Need to sleep if the first stop fails due to a bug:
 		// https://github.com/kubernetes-sigs/controller-runtime/issues/1571
 		sleepTime := 1 * time.Millisecond
-		for i := 0; i < 12; i++ { // Exponentially sleep up to ~4s
+		for range 12 { // Exponentially sleep up to ~4s
 			if err = testEnv.Stop(); err == nil {
 				return
 			}

pkg/controllers/metrics/labels.go

@@ -18,6 +18,7 @@ limitations under the License.
 package metrics
 
 import (
+	"maps"
 	"regexp"
 
 	"github.com/prometheus/client_golang/prometheus"
@@ -85,9 +86,7 @@ func SetUpLabelNames(addKubeStandardLabels bool) {
 func RefineLabels(promLabels prometheus.Labels, newLabels map[string]string) prometheus.Labels {
 	var refinement = prometheus.Labels{}
 
-	for k, v := range promLabels {
-		refinement[k] = v
-	}
+	maps.Copy(refinement, promLabels)
 
 	for k, v := range newLabels {
 		cleanKey := nonAlphanumericRegex.ReplaceAllString(k, "_")

pkg/controllers/pushsecret/psmetrics/psmetrics.go

@@ -18,6 +18,8 @@ limitations under the License.
 package psmetrics
 
 import (
+	"maps"
+
 	"github.com/prometheus/client_golang/prometheus"
 	v1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/metrics"
@@ -67,9 +69,7 @@ func UpdatePushSecretCondition(ps *esapi.PushSecret, condition *esapi.PushSecret
 	psInfo := make(map[string]string)
 	psInfo["name"] = ps.Name
 	psInfo["namespace"] = ps.Namespace
-	for k, v := range ps.Labels {
-		psInfo[k] = v
-	}
+	maps.Copy(psInfo, ps.Labels)
 	conditionLabels := ctrlmetrics.RefineConditionMetricLabels(psInfo)
 	pushSecretCondition := GetGaugeVec(PushSecretStatusConditionKey)
 

pkg/controllers/secretstore/metrics/metrics.go

@@ -18,6 +18,8 @@ limitations under the License.
 package metrics
 
 import (
+	"maps"
+
 	"github.com/prometheus/client_golang/prometheus"
 	v1 "k8s.io/api/core/v1"
 
@@ -36,9 +38,7 @@ func UpdateStatusCondition(ss esapi.GenericStore, condition esapi.SecretStoreSta
 	ssInfo := make(map[string]string)
 	ssInfo["name"] = ss.GetName()
 	ssInfo["namespace"] = ss.GetNamespace()
-	for k, v := range ss.GetLabels() {
-		ssInfo[k] = v
-	}
+	maps.Copy(ssInfo, ss.GetLabels())
 	conditionLabels := ctrlmetrics.RefineConditionMetricLabels(ssInfo)
 	secretStoreCondition := gaugeVecGetter(StatusConditionKey)
 

pkg/controllers/webhookconfig/webhookconfig_test.go

@@ -263,7 +263,7 @@ func makeValidatingWebhookConfig() *admissionregistration.ValidatingWebhookConfi
 					Service: &admissionregistration.ServiceReference{
 						Name:      "noop",
 						Namespace: "noop",
-						Path:      pointer.To("/validate-secretstore"),
+						Path:      new("/validate-secretstore"),
 					},
 				},
 			},
@@ -276,7 +276,7 @@ func makeValidatingWebhookConfig() *admissionregistration.ValidatingWebhookConfi
 					Service: &admissionregistration.ServiceReference{
 						Name:      "noop",
 						Namespace: "noop",
-						Path:      pointer.To("/validate-clustersecretstore"),
+						Path:      new("/validate-clustersecretstore"),
 					},
 				},
 			},
@@ -326,7 +326,7 @@ func makeEndpointSlice() *discoveryv1.EndpointSlice {
 		Endpoints: []discoveryv1.Endpoint{
 			{
 				Addresses:  []string{"1.2.3.4"},
-				Conditions: discoveryv1.EndpointConditions{Ready: pointer.To(true)},
+				Conditions: discoveryv1.EndpointConditions{Ready: new(true)},
 			},
 		},
 	}

providers/v1/akeyless/akeyless_api.go

@@ -64,9 +64,9 @@ type Tokener interface {
 // Kubernetes service account token, and cloud provider-specific methods.
 func (a *akeylessBase) GetToken(ctx context.Context, accessID, accType, accTypeParam string, k8sAuth *esv1.AkeylessKubernetesAuth) (string, error) {
 	authBody := akeyless.NewAuthWithDefaults()
-	authBody.AccessId = akeyless.PtrString(accessID)
+	authBody.AccessId = new(accessID)
 	if accType == "api_key" || accType == "access_key" {
-		authBody.AccessKey = akeyless.PtrString(accTypeParam)
+		authBody.AccessKey = new(accTypeParam)
 	} else if accType == "k8s" {
 		jwtString, err := a.getK8SServiceAccountJWT(ctx, k8sAuth)
 		if err != nil {
@@ -74,16 +74,16 @@ func (a *akeylessBase) GetToken(ctx context.Context, accessID, accType, accTypeP
 		}
 		jwtStringBase64 := base64.StdEncoding.EncodeToString([]byte(jwtString))
 		K8SAuthConfigName := accTypeParam
-		authBody.AccessType = akeyless.PtrString(accType)
-		authBody.K8sServiceAccountToken = akeyless.PtrString(jwtStringBase64)
-		authBody.K8sAuthConfigName = akeyless.PtrString(K8SAuthConfigName)
+		authBody.AccessType = new(accType)
+		authBody.K8sServiceAccountToken = new(jwtStringBase64)
+		authBody.K8sAuthConfigName = new(K8SAuthConfigName)
 	} else {
 		cloudID, err := a.getCloudID(accType, accTypeParam)
 		if err != nil {
 			return "", errors.New("Require Cloud ID " + err.Error())
 		}
-		authBody.AccessType = akeyless.PtrString(accType)
-		authBody.CloudId = akeyless.PtrString(cloudID)
+		authBody.AccessType = new(accType)
+		authBody.CloudId = new(cloudID)
 	}
 
 	authOut, res, err := a.RestAPI.Auth(ctx).Body(*authBody).Execute()

providers/v1/aws/go.mod

@@ -21,7 +21,6 @@ require (
 	k8s.io/apiextensions-apiserver v0.35.0
 	k8s.io/apimachinery v0.35.0
 	k8s.io/client-go v0.35.0
-	k8s.io/utils v0.0.0-20260108192941-914a6e750570
 	sigs.k8s.io/controller-runtime v0.23.1
 )
 
@@ -106,6 +105,7 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4 // indirect
+	k8s.io/utils v0.0.0-20260108192941-914a6e750570 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 // indirect

providers/v1/aws/parameterstore/parameterstore.go

@@ -31,7 +31,6 @@ import (
 	"github.com/tidwall/gjson"
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
@@ -219,18 +218,18 @@ func (pm *ParameterStore) PushSecret(ctx context.Context, secret *corev1.Secret,
 
 	for k, v := range meta.Spec.Tags {
 		tags = append(tags, ssmTypes.Tag{
-			Key:   ptr.To(k),
-			Value: ptr.To(v),
+			Key:   new(k),
+			Value: new(v),
 		})
 	}
 
 	secretName := pm.prefix + data.GetRemoteKey()
 	secretRequest := ssm.PutParameterInput{
-		Name:        ptr.To(pm.prefix + data.GetRemoteKey()),
-		Value:       ptr.To(string(value)),
+		Name:        new(pm.prefix + data.GetRemoteKey()),
+		Value:       new(string(value)),
 		Type:        meta.Spec.SecretType,
-		Overwrite:   ptr.To(true),
-		Description: ptr.To(meta.Spec.Description),
+		Overwrite:   new(true),
+		Description: new(meta.Spec.Description),
 	}
 
 	if meta.Spec.SecretType == "SecureString" {
@@ -240,7 +239,7 @@ func (pm *ParameterStore) PushSecret(ctx context.Context, secret *corev1.Secret,
 	if meta.Spec.Tier.Type == ssmTypes.ParameterTierAdvanced {
 		secretRequest.Tier = meta.Spec.Tier.Type
 		if meta.Spec.Tier.Policies != nil {
-			secretRequest.Policies = ptr.To(string(meta.Spec.Tier.Policies.Raw))
+			secretRequest.Policies = new(string(meta.Spec.Tier.Policies.Raw))
 		}
 	}
 
@@ -467,9 +466,9 @@ func (pm *ParameterStore) findByTags(ctx context.Context, ref esv1.ExternalSecre
 	filters := make([]ssmTypes.ParameterStringFilter, 0)
 	for k, v := range ref.Tags {
 		filters = append(filters, ssmTypes.ParameterStringFilter{
-			Key:    ptr.To(fmt.Sprintf("tag:%s", k)),
+			Key:    new(fmt.Sprintf("tag:%s", k)),
 			Values: []string{v},
-			Option: ptr.To("Equals"),
+			Option: new("Equals"),
 		})
 	}
 
@@ -511,7 +510,7 @@ func (pm *ParameterStore) findByTags(ctx context.Context, ref esv1.ExternalSecre
 
 func (pm *ParameterStore) fetchAndSet(ctx context.Context, data map[string][]byte, name string) error {
 	out, err := pm.client.GetParameter(ctx, &ssm.GetParameterInput{
-		Name:           ptr.To(name),
+		Name:           new(name),
 		WithDecryption: aws.Bool(true),
 	})
 	metrics.ObserveAPICall(constants.ProviderAWSPS, constants.CallAWSPSGetParameter, err)
@@ -703,8 +702,8 @@ func computeTagsToUpdate(tags, metaTags map[string]string) ([]ssmTypes.Tag, bool
 			}
 		}
 		result = append(result, ssmTypes.Tag{
-			Key:   ptr.To(k),
-			Value: ptr.To(v),
+			Key:   new(k),
+			Value: new(v),
 		})
 	}
 	return result, modified

providers/v1/aws/parameterstore/parameterstore_test.go

@@ -31,7 +31,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/utils/ptr"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	fakeps "github.com/external-secrets/external-secrets/providers/v1/aws/parameterstore/fake"
@@ -627,8 +626,8 @@ func TestPushSecret(t *testing.T) {
 					DescribeParametersFn: fakeps.NewDescribeParametersFn(&ssm.DescribeParametersOutput{}, nil),
 					ListTagsForResourceFn: fakeps.NewListTagsForResourceFn(&ssm.ListTagsForResourceOutput{
 						TagList: []ssmtypes.Tag{managedByESO,
-							{Key: ptr.To("team"), Value: ptr.To("no-longer-needed")},
-							{Key: ptr.To("rotation"), Value: ptr.To("10m")},
+							{Key: new("team"), Value: new("no-longer-needed")},
+							{Key: new("rotation"), Value: new("10m")},
 						},
 					}, nil),
 					RemoveTagsFromResourceFn: fakeps.NewRemoveTagsFromResourceFn(&ssm.RemoveTagsFromResourceOutput{}, nil, func(input *ssm.RemoveTagsFromResourceInput) {
@@ -638,8 +637,8 @@ func TestPushSecret(t *testing.T) {
 					AddTagsToResourceFn: fakeps.NewAddTagsToResourceFn(&ssm.AddTagsToResourceOutput{}, nil, func(input *ssm.AddTagsToResourceInput) {
 						assert.Len(t, input.Tags, 3)
 						assert.Contains(t, input.Tags, ssmtypes.Tag{Key: &managedBy, Value: &externalSecrets})
-						assert.Contains(t, input.Tags, ssmtypes.Tag{Key: ptr.To("env"), Value: ptr.To("sandbox")})
-						assert.Contains(t, input.Tags, ssmtypes.Tag{Key: ptr.To("rotation"), Value: ptr.To("1h")})
+						assert.Contains(t, input.Tags, ssmtypes.Tag{Key: new("env"), Value: new("sandbox")})
+						assert.Contains(t, input.Tags, ssmtypes.Tag{Key: new("rotation"), Value: new("1h")})
 					}),
 				},
 			},
@@ -1228,8 +1227,8 @@ func TestComputeTagsToUpdate(t *testing.T) {
 				"key2": "value2",
 			},
 			expected: []ssmtypes.Tag{
-				{Key: ptr.To("key1"), Value: ptr.To("value1")},
-				{Key: ptr.To("key2"), Value: ptr.To("value2")},
+				{Key: new("key1"), Value: new("value1")},
+				{Key: new("key2"), Value: new("value2")},
 			},
 			modified: false,
 		},
@@ -1245,9 +1244,9 @@ func TestComputeTagsToUpdate(t *testing.T) {
 				managedBy: externalSecrets,
 			},
 			expected: []ssmtypes.Tag{
-				{Key: ptr.To("key1"), Value: ptr.To("value1")},
-				{Key: ptr.To("key2"), Value: ptr.To("value2")},
-				{Key: ptr.To(managedBy), Value: ptr.To(externalSecrets)},
+				{Key: new("key1"), Value: new("value1")},
+				{Key: new("key2"), Value: new("value2")},
+				{Key: new(managedBy), Value: new(externalSecrets)},
 			},
 			modified: false,
 		},
@@ -1261,8 +1260,8 @@ func TestComputeTagsToUpdate(t *testing.T) {
 				"key2": "value2",
 			},
 			expected: []ssmtypes.Tag{
-				{Key: ptr.To("key1"), Value: ptr.To("value1")},
-				{Key: ptr.To("key2"), Value: ptr.To("value2")},
+				{Key: new("key1"), Value: new("value1")},
+				{Key: new("key2"), Value: new("value2")},
 			},
 			modified: true,
 		},
@@ -1275,7 +1274,7 @@ func TestComputeTagsToUpdate(t *testing.T) {
 				"key1": "newValue",
 			},
 			expected: []ssmtypes.Tag{
-				{Key: ptr.To("key1"), Value: ptr.To("newValue")},
+				{Key: new("key1"), Value: new("newValue")},
 			},
 			modified: true,
 		},
@@ -1293,7 +1292,7 @@ func TestComputeTagsToUpdate(t *testing.T) {
 				"key1": "value1",
 			},
 			expected: []ssmtypes.Tag{
-				{Key: ptr.To("key1"), Value: ptr.To("value1")},
+				{Key: new("key1"), Value: new("value1")},
 			},
 			modified: true,
 		},

providers/v1/aws/provider_test.go

@@ -26,7 +26,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	pointer "k8s.io/utils/ptr"
 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
@@ -277,7 +276,7 @@ func TestValidateStore(t *testing.T) {
 									SecretRef: &esv1.AWSAuthSecretRef{
 										AccessKeyID: esmeta.SecretKeySelector{
 											Name:      "foobar",
-											Namespace: pointer.To("unacceptable"),
+											Namespace: new("unacceptable"),
 										},
 									},
 								},
@@ -301,7 +300,7 @@ func TestValidateStore(t *testing.T) {
 									SecretRef: &esv1.AWSAuthSecretRef{
 										SecretAccessKey: esmeta.SecretKeySelector{
 											Name:      "foobar",
-											Namespace: pointer.To("unacceptable"),
+											Namespace: new("unacceptable"),
 										},
 									},
 								},
@@ -403,7 +402,7 @@ func TestValidateStore(t *testing.T) {
 									JWTAuth: &esv1.AWSJWTAuth{
 										ServiceAccountRef: &esmeta.ServiceAccountSelector{
 											Name:      "foobar",
-											Namespace: pointer.To("unacceptable"),
+											Namespace: new("unacceptable"),
 										},
 									},
 								},

providers/v1/aws/secretsmanager/fake/fake.go

@@ -28,7 +28,6 @@ import (
 	awssm "github.com/aws/aws-sdk-go-v2/service/secretsmanager"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
-	"k8s.io/utils/ptr"
 )
 
 // Client implements the aws secretsmanager interface.
@@ -89,7 +88,7 @@ func (sm *Client) DeleteSecret(ctx context.Context, input *awssm.DeleteSecretInp
 func NewDeleteSecretFn(output *awssm.DeleteSecretOutput, err error) DeleteSecretFn {
 	return func(_ context.Context, input *awssm.DeleteSecretInput, opts ...func(*awssm.Options)) (*awssm.DeleteSecretOutput, error) {
 		if input.ForceDeleteWithoutRecovery != nil && *input.ForceDeleteWithoutRecovery {
-			output.DeletionDate = ptr.To(time.Now())
+			output.DeletionDate = new(time.Now())
 		}
 		return output, err
 	}

providers/v1/aws/secretsmanager/secretsmanager.go

@@ -35,7 +35,6 @@ import (
 	"github.com/tidwall/sjson"
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	utilpointer "k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -494,9 +493,9 @@ func (sm *SecretsManager) retrievePayload(secretOut *awssm.GetSecretValueOutput)
 
 func (sm *SecretsManager) escapeDotsIfRequired(currentRefProperty, payload string) string {
 	// We need to search if a given key with a . exists before using gjson operations.
-	idx := strings.Index(currentRefProperty, ".")
+	found := strings.Contains(currentRefProperty, ".")
 	refProperty := currentRefProperty
-	if idx > -1 {
+	if found {
 		refProperty = strings.ReplaceAll(currentRefProperty, ".", "\\.")
 		val := gjson.Get(payload, refProperty)
 		if !val.Exists() {
@@ -566,8 +565,8 @@ func (sm *SecretsManager) createSecretWithContext(ctx context.Context, secretNam
 
 	for k, v := range mdata.Spec.Tags {
 		tags = append(tags, types.Tag{
-			Key:   utilpointer.To(k),
-			Value: utilpointer.To(v),
+			Key:   new(k),
+			Value: new(v),
 		})
 	}
 
@@ -575,9 +574,9 @@ func (sm *SecretsManager) createSecretWithContext(ctx context.Context, secretNam
 		Name:               &secretName,
 		SecretBinary:       value,
 		Tags:               tags,
-		Description:        utilpointer.To(mdata.Spec.Description),
-		ClientRequestToken: utilpointer.To(initialVersion),
-		KmsKeyId:           utilpointer.To(mdata.Spec.KMSKeyID),
+		Description:        new(mdata.Spec.Description),
+		ClientRequestToken: new(initialVersion),
+		KmsKeyId:           new(mdata.Spec.KMSKeyID),
 	}
 	if mdata.Spec.SecretPushFormat == SecretPushFormatString {
 		input.SecretBinary = nil
@@ -757,8 +756,8 @@ func (sm *SecretsManager) constructSecretValue(ctx context.Context, key, ver str
 	}
 
 	var getSecretValueInput *awssm.GetSecretValueInput
-	if strings.HasPrefix(ver, "uuid/") {
-		versionID := strings.TrimPrefix(ver, "uuid/")
+	if after, ok := strings.CutPrefix(ver, "uuid/"); ok {
+		versionID := after
 		getSecretValueInput = &awssm.GetSecretValueInput{
 			SecretId:  &key,
 			VersionId: &versionID,
@@ -958,8 +957,8 @@ func computeTagsToUpdate(tags, metaTags map[string]string) ([]types.Tag, bool) {
 			}
 		}
 		result = append(result, types.Tag{
-			Key:   utilpointer.To(k),
-			Value: utilpointer.To(v),
+			Key:   new(k),
+			Value: new(v),
 		})
 	}
 	return result, modified

providers/v1/aws/secretsmanager/secretsmanager_test.go

@@ -36,7 +36,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
@@ -468,8 +467,8 @@ func TestSetSecret(t *testing.T) {
 			Value: &externalSecrets,
 		},
 		{
-			Key:   ptr.To("taname1"),
-			Value: ptr.To("tagvalue1"),
+			Key:   new("taname1"),
+			Value: new("tagvalue1"),
 		},
 	}
 
@@ -1023,14 +1022,14 @@ func TestSetSecret(t *testing.T) {
 						ARN: &arn,
 						Tags: []types.Tag{
 							{Key: &managedBy, Value: &externalSecrets},
-							{Key: ptr.To("team"), Value: ptr.To("paradox")},
+							{Key: new("team"), Value: new("paradox")},
 						},
 					}, nil),
 					PutSecretValueFn: fakesm.NewPutSecretValueFn(putSecretOutput, nil),
 					TagResourceFn: fakesm.NewTagResourceFn(&awssm.TagResourceOutput{}, nil, func(input *awssm.TagResourceInput) {
 						assert.Len(t, input.Tags, 2)
 						assert.Contains(t, input.Tags, types.Tag{Key: &managedBy, Value: &externalSecrets})
-						assert.Contains(t, input.Tags, types.Tag{Key: ptr.To("env"), Value: ptr.To("sandbox")})
+						assert.Contains(t, input.Tags, types.Tag{Key: new("env"), Value: new("sandbox")})
 					}),
 					UntagResourceFn: fakesm.NewUntagResourceFn(&awssm.UntagResourceOutput{}, nil, func(input *awssm.UntagResourceInput) {
 						assert.Len(t, input.TagKeys, 1)
@@ -1299,7 +1298,7 @@ func TestPushSecretTagsUpdatedWhenValueUnchanged(t *testing.T) {
 	require.NotNil(t, capturedTagInput, "TagResourceInput should be captured")
 	assert.Len(t, capturedTagInput.Tags, 2)
 	assert.Contains(t, capturedTagInput.Tags, types.Tag{Key: &managedBy, Value: &externalSecrets})
-	assert.Contains(t, capturedTagInput.Tags, types.Tag{Key: ptr.To("newTag"), Value: ptr.To("newValue")})
+	assert.Contains(t, capturedTagInput.Tags, types.Tag{Key: new("newTag"), Value: new("newValue")})
 }
 
 func TestPushSecretResourcePolicyUpdatedWhenValueUnchanged(t *testing.T) {
@@ -1730,7 +1729,7 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 				Name: &esv1.FindName{
 					RegExp: secretName,
 				},
-				Path: ptr.To(secretPath),
+				Path: new(secretPath),
 			},
 			secretName:    secretName,
 			secretVersion: secretVersion,
@@ -1742,7 +1741,7 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 				return &awssm.BatchGetSecretValueOutput{
 					SecretValues: []types.SecretValueEntry{
 						{
-							Name:          ptr.To(secretName),
+							Name:          new(secretName),
 							VersionStages: []string{secretVersion},
 							SecretBinary:  []byte(secretValue),
 						},
@@ -1760,7 +1759,7 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 				Name: &esv1.FindName{
 					RegExp: secretName,
 				},
-				Path: ptr.To(secretPath),
+				Path: new(secretPath),
 			},
 			secretName:    secretName,
 			secretVersion: secretVersion,
@@ -1769,7 +1768,7 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 				return &awssm.BatchGetSecretValueOutput{
 					SecretValues: []types.SecretValueEntry{
 						{
-							Name: ptr.To(secretName),
+							Name: new(secretName),
 						},
 					},
 				}, errBoom
@@ -1801,7 +1800,7 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 				return &awssm.ListSecretsOutput{
 					SecretList: []types.SecretListEntry{
 						{
-							Name: ptr.To("other-secret"),
+							Name: new("other-secret"),
 						},
 					},
 				}, nil
@@ -1810,7 +1809,7 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 				return &awssm.BatchGetSecretValueOutput{
 					SecretValues: []types.SecretValueEntry{
 						{
-							Name: ptr.To("other-secret"),
+							Name: new("other-secret"),
 						},
 					},
 				}, nil
@@ -1846,7 +1845,7 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 				return &awssm.BatchGetSecretValueOutput{
 					SecretValues: []types.SecretValueEntry{
 						{
-							Name:          ptr.To(secretName),
+							Name:          new(secretName),
 							VersionStages: []string{secretVersion},
 							SecretBinary:  []byte(secretValue),
 						},
@@ -1869,18 +1868,18 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 			listSecretsFn: func(_ context.Context, input *awssm.ListSecretsInput, _ ...func(*awssm.Options)) (*awssm.ListSecretsOutput, error) {
 				allSecrets := []types.SecretListEntry{
 					{
-						Name: ptr.To(secretName),
+						Name: new(secretName),
 						Tags: []types.Tag{
-							{Key: ptr.To("foo"), Value: ptr.To("bar")},
+							{Key: new("foo"), Value: new("bar")},
 						},
 					},
 					{
-						Name: ptr.To(fmt.Sprintf("%ssomeothertext", secretName)),
+						Name: new(fmt.Sprintf("%ssomeothertext", secretName)),
 					},
 					{
-						Name: ptr.To("unmatched-secret"),
+						Name: new("unmatched-secret"),
 						Tags: []types.Tag{
-							{Key: ptr.To("foo"), Value: ptr.To("bar")},
+							{Key: new("foo"), Value: new("bar")},
 						},
 					},
 				}
@@ -1932,20 +1931,20 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 			getSecretValueFn: func(_ context.Context, input *awssm.GetSecretValueInput, _ ...func(*awssm.Options)) (*awssm.GetSecretValueOutput, error) {
 				if *input.SecretId == secretName {
 					return &awssm.GetSecretValueOutput{
-						Name:          ptr.To(secretName),
+						Name:          new(secretName),
 						VersionStages: []string{secretVersion},
 						SecretBinary:  []byte(secretValue),
 					}, nil
 				}
 				if *input.SecretId == "unmatched-secret" {
 					return &awssm.GetSecretValueOutput{
-						Name:          ptr.To("unmatched-secret"),
+						Name:          new("unmatched-secret"),
 						VersionStages: []string{secretVersion},
 						SecretBinary:  []byte("othervalue"),
 					}, nil
 				}
 				return &awssm.GetSecretValueOutput{
-					Name:          ptr.To(fmt.Sprintf("%ssomeothertext", secretName)),
+					Name:          new(fmt.Sprintf("%ssomeothertext", secretName)),
 					VersionStages: []string{secretVersion},
 					SecretBinary:  []byte("someothervalue"),
 				}, nil
@@ -1967,7 +1966,7 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 				return &awssm.BatchGetSecretValueOutput{
 					SecretValues: []types.SecretValueEntry{
 						{
-							Name:          ptr.To(secretName),
+							Name:          new(secretName),
 							VersionStages: []string{secretVersion},
 							SecretBinary:  []byte(secretValue),
 						},
@@ -2279,8 +2278,8 @@ func TestComputeTagsToUpdate(t *testing.T) {
 				"key2": "value2",
 			},
 			expected: []types.Tag{
-				{Key: ptr.To("key1"), Value: ptr.To("value1")},
-				{Key: ptr.To("key2"), Value: ptr.To("value2")},
+				{Key: new("key1"), Value: new("value1")},
+				{Key: new("key2"), Value: new("value2")},
 			},
 			modified: false,
 		},
@@ -2296,9 +2295,9 @@ func TestComputeTagsToUpdate(t *testing.T) {
 				managedBy: externalSecrets,
 			},
 			expected: []types.Tag{
-				{Key: ptr.To("key1"), Value: ptr.To("value1")},
-				{Key: ptr.To("key2"), Value: ptr.To("value2")},
-				{Key: ptr.To(managedBy), Value: ptr.To(externalSecrets)},
+				{Key: new("key1"), Value: new("value1")},
+				{Key: new("key2"), Value: new("value2")},
+				{Key: new(managedBy), Value: new(externalSecrets)},
 			},
 			modified: false,
 		},
@@ -2312,8 +2311,8 @@ func TestComputeTagsToUpdate(t *testing.T) {
 				"key2": "value2",
 			},
 			expected: []types.Tag{
-				{Key: ptr.To("key1"), Value: ptr.To("value1")},
-				{Key: ptr.To("key2"), Value: ptr.To("value2")},
+				{Key: new("key1"), Value: new("value1")},
+				{Key: new("key2"), Value: new("value2")},
 			},
 			modified: true,
 		},
@@ -2326,7 +2325,7 @@ func TestComputeTagsToUpdate(t *testing.T) {
 				"key1": "newValue",
 			},
 			expected: []types.Tag{
-				{Key: ptr.To("key1"), Value: ptr.To("newValue")},
+				{Key: new("key1"), Value: new("newValue")},
 			},
 			modified: true,
 		},
@@ -2344,7 +2343,7 @@ func TestComputeTagsToUpdate(t *testing.T) {
 				"key1": "value1",
 			},
 			expected: []types.Tag{
-				{Key: ptr.To("key1"), Value: ptr.To("value1")},
+				{Key: new("key1"), Value: new("value1")},
 			},
 			modified: true,
 		},
@@ -2393,8 +2392,8 @@ func TestPatchTags(t *testing.T) {
 			expectUntag:  false,
 			expectTag:    true,
 			assertsTag: func(input *awssm.TagResourceInput) {
-				assert.Contains(t, input.Tags, types.Tag{Key: ptr.To(managedBy), Value: ptr.To(externalSecrets)})
-				assert.Contains(t, input.Tags, types.Tag{Key: ptr.To("a"), Value: ptr.To("2")})
+				assert.Contains(t, input.Tags, types.Tag{Key: new(managedBy), Value: new(externalSecrets)})
+				assert.Contains(t, input.Tags, types.Tag{Key: new("a"), Value: new("2")})
 			},
 			assertsUntag: func(input *awssm.UntagResourceInput) {
 				assert.Fail(t, "Expected UntagResource to not be called")
@@ -2420,9 +2419,9 @@ func TestPatchTags(t *testing.T) {
 			expectUntag:  false,
 			expectTag:    true,
 			assertsTag: func(input *awssm.TagResourceInput) {
-				assert.Contains(t, input.Tags, types.Tag{Key: ptr.To(managedBy), Value: ptr.To(externalSecrets)})
-				assert.Contains(t, input.Tags, types.Tag{Key: ptr.To("a"), Value: ptr.To("1")})
-				assert.Contains(t, input.Tags, types.Tag{Key: ptr.To("b"), Value: ptr.To("2")})
+				assert.Contains(t, input.Tags, types.Tag{Key: new(managedBy), Value: new(externalSecrets)})
+				assert.Contains(t, input.Tags, types.Tag{Key: new("a"), Value: new("1")})
+				assert.Contains(t, input.Tags, types.Tag{Key: new("b"), Value: new("2")})
 			},
 			assertsUntag: func(input *awssm.UntagResourceInput) {
 				assert.Fail(t, "Expected UntagResource to not be called")
@@ -2445,10 +2444,10 @@ func TestPatchTags(t *testing.T) {
 			}
 
 			sm := &SecretsManager{client: fakeClient}
-			metaMap := map[string]interface{}{
+			metaMap := map[string]any{
 				"apiVersion": "kubernetes.external-secrets.io/v1alpha1",
 				"kind":       "PushSecretMetadata",
-				"spec": map[string]interface{}{
+				"spec": map[string]any{
 					"description": "adding managed-by tag explicitly",
 					"tags":        tt.metaTags,
 				},

providers/v1/azure/keyvault/keyvault.go

@@ -55,7 +55,6 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes"
 	kcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
-	pointer "k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
@@ -573,10 +572,10 @@ func (a *Azure) setKeyVaultSecret(ctx context.Context, secretName string, value
 	secretParams := keyvault.SecretSetParameters{
 		Value: &val,
 		Tags: map[string]*string{
-			managedBy: pointer.To(managerLabel),
+			managedBy: new(managerLabel),
 		},
 		SecretAttributes: &keyvault.SecretAttributes{
-			Enabled: pointer.To(true),
+			Enabled: new(true),
 		},
 	}
 
@@ -618,7 +617,7 @@ func (a *Azure) setKeyVaultCertificate(ctx context.Context, secretName string, v
 	params := keyvault.CertificateImportParameters{
 		Base64EncodedCertificate: &val,
 		Tags: map[string]*string{
-			managedBy: pointer.To(managerLabel),
+			managedBy: new(managerLabel),
 		},
 	}
 
@@ -679,7 +678,7 @@ func (a *Azure) setKeyVaultKey(ctx context.Context, secretName string, value []b
 		Key:           &azkey,
 		KeyAttributes: &keyvault.KeyAttributes{},
 		Tags: map[string]*string{
-			managedBy: pointer.To(managerLabel),
+			managedBy: new(managerLabel),
 		},
 	}
 
@@ -903,8 +902,8 @@ func getProperty(secret, property, key string) ([]byte, error) {
 	}
 	res := gjson.Get(secret, property)
 	if !res.Exists() {
-		idx := strings.Index(property, ".")
-		if idx < 0 {
+		found := strings.Contains(property, ".")
+		if !found {
 			return nil, fmt.Errorf(errPropNotExist, property, key)
 		}
 		escaped := strings.ReplaceAll(property, ".", "\\.")

providers/v1/azure/keyvault/keyvault_auth_test.go

@@ -385,7 +385,7 @@ func TestAuth(t *testing.T) {
 			provider: &esv1.AzureKVProvider{
 				AuthType: &authType,
 				VaultURL: &vaultURL,
-				TenantID: pointer.To("mytenant"),
+				TenantID: new("mytenant"),
 			},
 		},
 		{
@@ -395,7 +395,7 @@ func TestAuth(t *testing.T) {
 			provider: &esv1.AzureKVProvider{
 				AuthType:      &authType,
 				VaultURL:      &vaultURL,
-				TenantID:      pointer.To("mytenant"),
+				TenantID:      new("mytenant"),
 				AuthSecretRef: &esv1.AzureKVAuth{},
 			},
 		},
@@ -406,7 +406,7 @@ func TestAuth(t *testing.T) {
 			provider: &esv1.AzureKVProvider{
 				AuthType: &authType,
 				VaultURL: &vaultURL,
-				TenantID: pointer.To("mytenant"),
+				TenantID: new("mytenant"),
 				AuthSecretRef: &esv1.AzureKVAuth{
 					ClientSecret: &v1.SecretKeySelector{Name: "password"},
 					ClientID:     &v1.SecretKeySelector{Name: "password"},
@@ -425,10 +425,10 @@ func TestAuth(t *testing.T) {
 			provider: &esv1.AzureKVProvider{
 				AuthType: &authType,
 				VaultURL: &vaultURL,
-				TenantID: pointer.To("mytenant"),
+				TenantID: new("mytenant"),
 				AuthSecretRef: &esv1.AzureKVAuth{
-					ClientSecret: &v1.SecretKeySelector{Name: "password", Namespace: pointer.To("foo")},
-					ClientID:     &v1.SecretKeySelector{Name: "password", Namespace: pointer.To("foo")},
+					ClientSecret: &v1.SecretKeySelector{Name: "password", Namespace: new("foo")},
+					ClientID:     &v1.SecretKeySelector{Name: "password", Namespace: new("foo")},
 				},
 			},
 		},
@@ -453,10 +453,10 @@ func TestAuth(t *testing.T) {
 			provider: &esv1.AzureKVProvider{
 				AuthType: &authType,
 				VaultURL: &vaultURL,
-				TenantID: pointer.To("mytenant"),
+				TenantID: new("mytenant"),
 				AuthSecretRef: &esv1.AzureKVAuth{
-					ClientSecret: &v1.SecretKeySelector{Name: "password", Namespace: pointer.To("foo"), Key: "secret"},
-					ClientID:     &v1.SecretKeySelector{Name: "password", Namespace: pointer.To("foo"), Key: "id"},
+					ClientSecret: &v1.SecretKeySelector{Name: "password", Namespace: new("foo"), Key: "secret"},
+					ClientID:     &v1.SecretKeySelector{Name: "password", Namespace: new("foo"), Key: "id"},
 				},
 			},
 		},
@@ -483,11 +483,11 @@ func TestAuth(t *testing.T) {
 			provider: &esv1.AzureKVProvider{
 				AuthType: &authType,
 				VaultURL: &vaultURL,
-				TenantID: pointer.To("mytenant"),
+				TenantID: new("mytenant"),
 				AuthSecretRef: &esv1.AzureKVAuth{
-					ClientID:          &v1.SecretKeySelector{Name: "password", Namespace: pointer.To("foo"), Key: "id"},
-					ClientCertificate: &v1.SecretKeySelector{Name: "password", Namespace: pointer.To("foo"), Key: "certificate"},
-					ClientSecret:      &v1.SecretKeySelector{Name: "password", Namespace: pointer.To("foo"), Key: "secret"},
+					ClientID:          &v1.SecretKeySelector{Name: "password", Namespace: new("foo"), Key: "id"},
+					ClientCertificate: &v1.SecretKeySelector{Name: "password", Namespace: new("foo"), Key: "certificate"},
+					ClientSecret:      &v1.SecretKeySelector{Name: "password", Namespace: new("foo"), Key: "secret"},
 				},
 			},
 		},
@@ -513,10 +513,10 @@ func TestAuth(t *testing.T) {
 			provider: &esv1.AzureKVProvider{
 				AuthType: &authType,
 				VaultURL: &vaultURL,
-				TenantID: pointer.To("mytenant"),
+				TenantID: new("mytenant"),
 				AuthSecretRef: &esv1.AzureKVAuth{
-					ClientID:          &v1.SecretKeySelector{Name: "password", Namespace: pointer.To("foo"), Key: "id"},
-					ClientCertificate: &v1.SecretKeySelector{Name: "password", Namespace: pointer.To("foo"), Key: "certificate"},
+					ClientID:          &v1.SecretKeySelector{Name: "password", Namespace: new("foo"), Key: "id"},
+					ClientCertificate: &v1.SecretKeySelector{Name: "password", Namespace: new("foo"), Key: "certificate"},
 				},
 			},
 		},
@@ -541,10 +541,10 @@ func TestAuth(t *testing.T) {
 			provider: &esv1.AzureKVProvider{
 				AuthType: &authType,
 				VaultURL: &vaultURL,
-				TenantID: pointer.To("mytenant"),
+				TenantID: new("mytenant"),
 				AuthSecretRef: &esv1.AzureKVAuth{
-					ClientID:          &v1.SecretKeySelector{Name: "password", Namespace: pointer.To("foo"), Key: "id"},
-					ClientCertificate: &v1.SecretKeySelector{Name: "password", Namespace: pointer.To("foo"), Key: "certificate"},
+					ClientID:          &v1.SecretKeySelector{Name: "password", Namespace: new("foo"), Key: "id"},
+					ClientCertificate: &v1.SecretKeySelector{Name: "password", Namespace: new("foo"), Key: "certificate"},
 				},
 			},
 		},

providers/v1/azure/keyvault/keyvault_dual_sdk_test.go

@@ -45,13 +45,13 @@ func TestFeatureFlagRouting(t *testing.T) {
 		},
 		{
 			name:         "explicit_legacy_sdk",
-			useAzureSDK:  ptr.To(false),
+			useAzureSDK:  new(false),
 			expectNewSDK: false,
 			description:  "When UseAzureSDK is explicitly false, should use legacy SDK",
 		},
 		{
 			name:         "explicit_new_sdk",
-			useAzureSDK:  ptr.To(true),
+			useAzureSDK:  new(true),
 			expectNewSDK: true,
 			description:  "When UseAzureSDK is true, should use new SDK",
 		},
@@ -61,8 +61,8 @@ func TestFeatureFlagRouting(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			// Create test provider with the specified feature flag
 			provider := &esv1.AzureKVProvider{
-				VaultURL:    ptr.To("https://test-vault.vault.azure.net/"),
-				TenantID:    ptr.To("test-tenant"),
+				VaultURL:    new("https://test-vault.vault.azure.net/"),
+				TenantID:    new("test-tenant"),
 				AuthType:    ptr.To(esv1.AzureServicePrincipal),
 				UseAzureSDK: tc.useAzureSDK,
 				AuthSecretRef: &esv1.AzureKVAuth{
@@ -115,13 +115,13 @@ func TestClientInitialization(t *testing.T) {
 	}{
 		{
 			name:                "legacy_client_init",
-			useAzureSDK:         ptr.To(false),
+			useAzureSDK:         new(false),
 			expectedErrorPrefix: "", // May succeed or fail with auth errors, but should not panic
 			description:         "Legacy client initialization should not panic",
 		},
 		{
 			name:                "new_sdk_client_init",
-			useAzureSDK:         ptr.To(true),
+			useAzureSDK:         new(true),
 			expectedErrorPrefix: "", // May succeed or fail with auth errors, but should not panic
 			description:         "New SDK client initialization should not panic",
 		},
@@ -130,8 +130,8 @@ func TestClientInitialization(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			provider := &esv1.AzureKVProvider{
-				VaultURL:    ptr.To("https://test-vault.vault.azure.net/"),
-				TenantID:    ptr.To("test-tenant"),
+				VaultURL:    new("https://test-vault.vault.azure.net/"),
+				TenantID:    new("test-tenant"),
 				AuthType:    ptr.To(esv1.AzureServicePrincipal),
 				UseAzureSDK: tc.useAzureSDK,
 				AuthSecretRef: &esv1.AzureKVAuth{
@@ -193,13 +193,13 @@ func TestConfigurationValidation(t *testing.T) {
 		},
 		{
 			name:        "false_feature_flag",
-			useAzureSDK: ptr.To(false),
+			useAzureSDK: new(false),
 			expectValid: true,
 			description: "False feature flag should be valid (legacy SDK)",
 		},
 		{
 			name:        "true_feature_flag",
-			useAzureSDK: ptr.To(true),
+			useAzureSDK: new(true),
 			expectValid: true,
 			description: "True feature flag should be valid (new SDK)",
 		},
@@ -208,8 +208,8 @@ func TestConfigurationValidation(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			provider := &esv1.AzureKVProvider{
-				VaultURL:    ptr.To("https://test-vault.vault.azure.net/"),
-				TenantID:    ptr.To("test-tenant"),
+				VaultURL:    new("https://test-vault.vault.azure.net/"),
+				TenantID:    new("test-tenant"),
 				AuthType:    ptr.To(esv1.AzureServicePrincipal),
 				UseAzureSDK: tc.useAzureSDK,
 				AuthSecretRef: &esv1.AzureKVAuth{
@@ -253,8 +253,8 @@ func TestConfigurationValidation(t *testing.T) {
 func TestBackwardCompatibility(t *testing.T) {
 	// Test that existing configurations without UseAzureSDK still work
 	provider := &esv1.AzureKVProvider{
-		VaultURL: ptr.To("https://test-vault.vault.azure.net/"),
-		TenantID: ptr.To("test-tenant"),
+		VaultURL: new("https://test-vault.vault.azure.net/"),
+		TenantID: new("test-tenant"),
 		AuthType: ptr.To(esv1.AzureServicePrincipal),
 		// UseAzureSDK intentionally omitted to test backward compatibility
 		AuthSecretRef: &esv1.AzureKVAuth{
@@ -309,19 +309,19 @@ func TestAzureStackCloudConfiguration(t *testing.T) {
 	}{
 		{
 			name:        "azure_stack_with_new_sdk_and_config",
-			useAzureSDK: ptr.To(true),
+			useAzureSDK: new(true),
 			envType:     esv1.AzureEnvironmentAzureStackCloud,
 			customConfig: &esv1.AzureCustomCloudConfig{
 				ActiveDirectoryEndpoint: "https://login.microsoftonline.com/",
-				KeyVaultEndpoint:        ptr.To("https://vault.local.azurestack.external/"),
-				KeyVaultDNSSuffix:       ptr.To(".vault.local.azurestack.external"),
+				KeyVaultEndpoint:        new("https://vault.local.azurestack.external/"),
+				KeyVaultDNSSuffix:       new(".vault.local.azurestack.external"),
 			},
 			expectError: false,
 			description: "Azure Stack with new SDK and custom config should be valid",
 		},
 		{
 			name:          "azure_stack_without_custom_config",
-			useAzureSDK:   ptr.To(true),
+			useAzureSDK:   new(true),
 			envType:       esv1.AzureEnvironmentAzureStackCloud,
 			customConfig:  nil,
 			expectError:   true,
@@ -330,7 +330,7 @@ func TestAzureStackCloudConfiguration(t *testing.T) {
 		},
 		{
 			name:        "azure_stack_with_legacy_sdk",
-			useAzureSDK: ptr.To(false),
+			useAzureSDK: new(false),
 			envType:     esv1.AzureEnvironmentAzureStackCloud,
 			customConfig: &esv1.AzureCustomCloudConfig{
 				ActiveDirectoryEndpoint: "https://login.microsoftonline.com/",
@@ -352,10 +352,10 @@ func TestAzureStackCloudConfiguration(t *testing.T) {
 		},
 		{
 			name:        "azure_stack_missing_aad_endpoint",
-			useAzureSDK: ptr.To(true),
+			useAzureSDK: new(true),
 			envType:     esv1.AzureEnvironmentAzureStackCloud,
 			customConfig: &esv1.AzureCustomCloudConfig{
-				KeyVaultEndpoint: ptr.To("https://vault.custom.cloud/"),
+				KeyVaultEndpoint: new("https://vault.custom.cloud/"),
 			},
 			expectError:   true,
 			expectedError: "activeDirectoryEndpoint is required in CustomCloudConfig",
@@ -363,7 +363,7 @@ func TestAzureStackCloudConfiguration(t *testing.T) {
 		},
 		{
 			name:        "custom_config_with_china_cloud",
-			useAzureSDK: ptr.To(true),
+			useAzureSDK: new(true),
 			envType:     esv1.AzureEnvironmentChinaCloud,
 			customConfig: &esv1.AzureCustomCloudConfig{
 				ActiveDirectoryEndpoint: "https://login.partner.microsoftonline.cn/",
@@ -373,7 +373,7 @@ func TestAzureStackCloudConfiguration(t *testing.T) {
 		},
 		{
 			name:         "public_cloud_without_custom_config",
-			useAzureSDK:  ptr.To(true),
+			useAzureSDK:  new(true),
 			envType:      esv1.AzureEnvironmentPublicCloud,
 			customConfig: nil,
 			expectError:  false,
@@ -384,8 +384,8 @@ func TestAzureStackCloudConfiguration(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			provider := &esv1.AzureKVProvider{
-				VaultURL:          ptr.To("https://test-vault.vault.azure.net/"),
-				TenantID:          ptr.To("test-tenant"),
+				VaultURL:          new("https://test-vault.vault.azure.net/"),
+				TenantID:          new("test-tenant"),
 				AuthType:          ptr.To(esv1.AzureServicePrincipal),
 				UseAzureSDK:       tc.useAzureSDK,
 				EnvironmentType:   tc.envType,
@@ -467,11 +467,11 @@ func TestGetCloudConfiguration(t *testing.T) {
 			name: "china_cloud_with_custom_endpoint",
 			provider: &esv1.AzureKVProvider{
 				EnvironmentType: esv1.AzureEnvironmentChinaCloud,
-				UseAzureSDK:     ptr.To(true),
+				UseAzureSDK:     new(true),
 				CustomCloudConfig: &esv1.AzureCustomCloudConfig{
 					ActiveDirectoryEndpoint: "https://login.partner.microsoftonline.cn/",
-					KeyVaultEndpoint:        ptr.To("https://vault.azure.cn/"),
-					ResourceManagerEndpoint: ptr.To("https://management.chinacloudapi.cn/"),
+					KeyVaultEndpoint:        new("https://vault.azure.cn/"),
+					ResourceManagerEndpoint: new("https://management.chinacloudapi.cn/"),
 				},
 			},
 			expectError: false,
@@ -481,10 +481,10 @@ func TestGetCloudConfiguration(t *testing.T) {
 			name: "azure_stack_with_config",
 			provider: &esv1.AzureKVProvider{
 				EnvironmentType: esv1.AzureEnvironmentAzureStackCloud,
-				UseAzureSDK:     ptr.To(true),
+				UseAzureSDK:     new(true),
 				CustomCloudConfig: &esv1.AzureCustomCloudConfig{
 					ActiveDirectoryEndpoint: "https://login.local.azurestack.external/",
-					KeyVaultEndpoint:        ptr.To("https://vault.local.azurestack.external/"),
+					KeyVaultEndpoint:        new("https://vault.local.azurestack.external/"),
 				},
 			},
 			expectError: false,
@@ -494,7 +494,7 @@ func TestGetCloudConfiguration(t *testing.T) {
 			name: "azure_stack_without_new_sdk",
 			provider: &esv1.AzureKVProvider{
 				EnvironmentType: esv1.AzureEnvironmentAzureStackCloud,
-				UseAzureSDK:     ptr.To(false),
+				UseAzureSDK:     new(false),
 				CustomCloudConfig: &esv1.AzureCustomCloudConfig{
 					ActiveDirectoryEndpoint: "https://login.local.azurestack.external/",
 				},
@@ -507,7 +507,7 @@ func TestGetCloudConfiguration(t *testing.T) {
 			name: "azure_stack_without_config",
 			provider: &esv1.AzureKVProvider{
 				EnvironmentType: esv1.AzureEnvironmentAzureStackCloud,
-				UseAzureSDK:     ptr.To(true),
+				UseAzureSDK:     new(true),
 			},
 			expectError:   true,
 			expectedError: "CustomCloudConfig is required when EnvironmentType is AzureStackCloud",

providers/v1/azure/keyvault/keyvault_new_sdk.go

@@ -23,12 +23,12 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"maps"
 	"regexp"
 	"time"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
-	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates"
 	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys"
@@ -75,7 +75,7 @@ func (a *Azure) setKeyVaultSecretWithNewSDK(ctx context.Context, secretName stri
 
 	// Prepare tags for new SDK
 	secretTags := map[string]*string{
-		managedBy: to.Ptr(managerLabel),
+		managedBy: new(managerLabel),
 	}
 	for k, v := range tags {
 		secretTags[k] = &v
@@ -132,7 +132,7 @@ func (a *Azure) setKeyVaultCertificateWithNewSDK(ctx context.Context, secretName
 
 	// Prepare tags for new SDK
 	certTags := map[string]*string{
-		managedBy: to.Ptr(managerLabel),
+		managedBy: new(managerLabel),
 	}
 	for k, v := range tags {
 		certTags[k] = &v
@@ -192,7 +192,7 @@ func (a *Azure) setKeyVaultKeyWithNewSDK(ctx context.Context, secretName string,
 
 	// Prepare tags for new SDK
 	keyTags := map[string]*string{
-		managedBy: to.Ptr(managerLabel),
+		managedBy: new(managerLabel),
 	}
 	for k, v := range tags {
 		keyTags[k] = &v
@@ -201,7 +201,7 @@ func (a *Azure) setKeyVaultKeyWithNewSDK(ctx context.Context, secretName string,
 	params := azkeys.ImportKeyParameters{
 		Key: &azkey,
 		KeyAttributes: &azkeys.KeyAttributes{
-			Enabled: to.Ptr(true),
+			Enabled: new(true),
 		},
 		Tags: keyTags,
 	}
@@ -385,9 +385,7 @@ func buildCustomCloudConfiguration(config *esv1.AzureCustomCloudConfig, baseConf
 		Services:                     map[cloud.ServiceName]cloud.ServiceConfiguration{},
 	}
 
-	for k, v := range baseConfig.Services {
-		cloudConfig.Services[k] = v
-	}
+	maps.Copy(cloudConfig.Services, baseConfig.Services)
 
 	// Set Active Directory endpoint with custom value (required)
 	cloudConfig.ActiveDirectoryAuthorityHost = config.ActiveDirectoryEndpoint

providers/v1/azure/keyvault/keyvault_test.go

@@ -32,7 +32,6 @@ import (
 	"gopkg.in/yaml.v2"
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	pointer "k8s.io/utils/ptr"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -181,9 +180,9 @@ func TestAzureKeyVaultDeleteSecret(t *testing.T) {
 		}
 		smtc.secretOutput = keyvault.SecretBundle{
 			Tags: map[string]*string{
-				managedBy: pointer.To(externalSecrets),
+				managedBy: new(externalSecrets),
 			},
-			Value: pointer.To("foo"),
+			Value: new("foo"),
 		}
 		smtc.deleteSecretOutput = keyvault.DeletedSecretBundle{}
 	}
@@ -201,7 +200,7 @@ func TestAzureKeyVaultDeleteSecret(t *testing.T) {
 			RemoteKey: secretName,
 		}
 		smtc.secretOutput = keyvault.SecretBundle{
-			Value: pointer.To("foo"),
+			Value: new("foo"),
 		}
 		smtc.expectError = errNotManaged
 		smtc.deleteErr = autorest.DetailedError{StatusCode: 500, Method: "DELETE", Message: "Shouldnt happen"}
@@ -221,9 +220,9 @@ func TestAzureKeyVaultDeleteSecret(t *testing.T) {
 		}
 		smtc.secretOutput = keyvault.SecretBundle{
 			Tags: map[string]*string{
-				managedBy: pointer.To(externalSecrets),
+				managedBy: new(externalSecrets),
 			},
-			Value: pointer.To("foo"),
+			Value: new("foo"),
 		}
 		smtc.expectError = errNoPermission
 		smtc.deleteErr = autorest.DetailedError{StatusCode: 403, Method: "DELETE", Message: errNoPermission}
@@ -243,7 +242,7 @@ func TestAzureKeyVaultDeleteSecret(t *testing.T) {
 		}
 		smtc.certOutput = keyvault.CertificateBundle{
 			Tags: map[string]*string{
-				managedBy: pointer.To(externalSecrets),
+				managedBy: new(externalSecrets),
 			},
 		}
 		smtc.deleteCertificateOutput = keyvault.DeletedCertificateBundle{}
@@ -279,7 +278,7 @@ func TestAzureKeyVaultDeleteSecret(t *testing.T) {
 		}
 		smtc.certOutput = keyvault.CertificateBundle{
 			Tags: map[string]*string{
-				managedBy: pointer.To(externalSecrets),
+				managedBy: new(externalSecrets),
 			},
 		}
 		smtc.expectError = "No certificate delete Permissions"
@@ -300,7 +299,7 @@ func TestAzureKeyVaultDeleteSecret(t *testing.T) {
 		}
 		smtc.keyOutput = keyvault.KeyBundle{
 			Tags: map[string]*string{
-				managedBy: pointer.To(externalSecrets),
+				managedBy: new(externalSecrets),
 			},
 		}
 		smtc.deleteKeyOutput = keyvault.DeletedKeyBundle{}
@@ -336,7 +335,7 @@ func TestAzureKeyVaultDeleteSecret(t *testing.T) {
 		}
 		smtc.keyOutput = keyvault.KeyBundle{
 			Tags: map[string]*string{
-				managedBy: pointer.To(externalSecrets),
+				managedBy: new(externalSecrets),
 			},
 		}
 		smtc.expectError = errNoPermission
@@ -374,7 +373,7 @@ func TestAzureKeyVaultDeleteSecret(t *testing.T) {
 	}
 
 	sm := Azure{
-		provider: &esv1.AzureKVProvider{VaultURL: pointer.To(fakeURL)},
+		provider: &esv1.AzureKVProvider{VaultURL: new(fakeURL)},
 	}
 	for k, v := range successCases {
 		sm.baseClient = v.mockClient
@@ -430,7 +429,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 		}
 		smtc.secretOutput = keyvault.SecretBundle{
 			Tags: map[string]*string{
-				managedBy: pointer.To(externalSecrets),
+				managedBy: new(externalSecrets),
 			},
 			Value: &goodSecret,
 		}
@@ -443,7 +442,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 		}
 		smtc.secretOutput = keyvault.SecretBundle{
 			Tags: map[string]*string{
-				managedBy: pointer.To(externalSecrets),
+				managedBy: new(externalSecrets),
 			},
 			Value: &goodSecret,
 		}
@@ -470,7 +469,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 		}
 		smtc.secretOutput = keyvault.SecretBundle{
 			Tags: map[string]*string{
-				managedBy: pointer.To(externalSecrets),
+				managedBy: new(externalSecrets),
 			},
 			Value: &goodSecret,
 			Attributes: &keyvault.SecretAttributes{
@@ -479,7 +478,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 		}
 		smtc.setSecretOutput = keyvault.SecretBundle{
 			Tags: map[string]*string{
-				managedBy: pointer.To(externalSecrets),
+				managedBy: new(externalSecrets),
 			},
 			Value: &goodSecret,
 			Attributes: &keyvault.SecretAttributes{
@@ -495,7 +494,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 		}
 		smtc.secretOutput = keyvault.SecretBundle{
 			Tags: map[string]*string{
-				managedBy: pointer.To("nope"),
+				managedBy: new("nope"),
 			},
 			Value: &goodSecret,
 		}
@@ -512,8 +511,8 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 		}
 		smtc.secretOutput = keyvault.SecretBundle{
 			Tags: map[string]*string{
-				managedBy: pointer.To(externalSecrets),
-				tagKey:    pointer.To(tagValue),
+				managedBy: new(externalSecrets),
+				tagKey:    new(tagValue),
 			},
 			Value: &goodSecret,
 		}
@@ -528,7 +527,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 		}
 		smtc.secretOutput = keyvault.SecretBundle{
 			Tags: map[string]*string{
-				managedBy: pointer.To(externalSecrets),
+				managedBy: new(externalSecrets),
 			},
 			Value: &wholeSecretString,
 		}
@@ -592,7 +591,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 		}
 		smtc.keyOutput = keyvault.KeyBundle{
 			Tags: map[string]*string{
-				managedBy: pointer.To(managerLabel),
+				managedBy: new(managerLabel),
 			},
 			Key: &keyvault.JSONWebKey{},
 		}
@@ -605,7 +604,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 		}
 		smtc.keyOutput = keyvault.KeyBundle{
 			Tags: map[string]*string{
-				managedBy: pointer.To(managerLabel),
+				managedBy: new(managerLabel),
 			},
 			Key: &keyvault.JSONWebKey{},
 		}
@@ -620,7 +619,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 		}
 		smtc.keyOutput = keyvault.KeyBundle{
 			Tags: map[string]*string{
-				managedBy: pointer.To(managerLabel),
+				managedBy: new(managerLabel),
 			},
 			Key: &keyvault.JSONWebKey{},
 		}
@@ -635,7 +634,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 		}
 		smtc.keyOutput = keyvault.KeyBundle{
 			Tags: map[string]*string{
-				managedBy: pointer.To(managerLabel),
+				managedBy: new(managerLabel),
 			},
 			Key: &keyvault.JSONWebKey{},
 		}
@@ -650,7 +649,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 		}
 		smtc.keyOutput = keyvault.KeyBundle{
 			Tags: map[string]*string{
-				managedBy: pointer.To(managerLabel),
+				managedBy: new(managerLabel),
 			},
 			Key: &keyvault.JSONWebKey{},
 		}
@@ -677,7 +676,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 		}
 		smtc.keyOutput = keyvault.KeyBundle{
 			Tags: map[string]*string{
-				managedBy: pointer.To("internal-secrets"),
+				managedBy: new("internal-secrets"),
 			},
 			Key: &keyvault.JSONWebKey{},
 		}
@@ -694,8 +693,8 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 		}
 		smtc.keyOutput = keyvault.KeyBundle{
 			Tags: map[string]*string{
-				managedBy: pointer.To(managerLabel),
-				tagKey:    pointer.To(tagValue),
+				managedBy: new(managerLabel),
+				tagKey:    new(tagValue),
 			},
 			Key: &keyvault.JSONWebKey{},
 		}
@@ -735,9 +734,9 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 			RemoteKey: certName,
 		}
 		smtc.certOutput = keyvault.CertificateBundle{
-			X509Thumbprint: pointer.To("123"),
+			X509Thumbprint: new("123"),
 			Tags: map[string]*string{
-				managedBy: pointer.To(externalSecrets),
+				managedBy: new(externalSecrets),
 			},
 		}
 	}
@@ -748,9 +747,9 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 			RemoteKey: certName,
 		}
 		smtc.certOutput = keyvault.CertificateBundle{
-			X509Thumbprint: pointer.To("123"),
+			X509Thumbprint: new("123"),
 			Tags: map[string]*string{
-				managedBy: pointer.To(externalSecrets),
+				managedBy: new(externalSecrets),
 			},
 		}
 	}
@@ -761,9 +760,9 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 			RemoteKey: certName,
 		}
 		smtc.certOutput = keyvault.CertificateBundle{
-			X509Thumbprint: pointer.To("123"),
+			X509Thumbprint: new("123"),
 			Tags: map[string]*string{
-				managedBy: pointer.To(externalSecrets),
+				managedBy: new(externalSecrets),
 			},
 		}
 	}
@@ -777,9 +776,9 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 			RemoteKey: certName,
 		}
 		smtc.certOutput = keyvault.CertificateBundle{
-			X509Thumbprint: pointer.To("123"),
+			X509Thumbprint: new("123"),
 			Tags: map[string]*string{
-				managedBy: pointer.To(externalSecrets),
+				managedBy: new(externalSecrets),
 			},
 		}
 	}
@@ -794,9 +793,9 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 			RemoteKey: certName,
 		}
 		smtc.certOutput = keyvault.CertificateBundle{
-			X509Thumbprint: pointer.To("123"),
+			X509Thumbprint: new("123"),
 			Tags: map[string]*string{
-				managedBy: pointer.To(externalSecrets),
+				managedBy: new(externalSecrets),
 			},
 		}
 	}
@@ -811,9 +810,9 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 			RemoteKey: certName,
 		}
 		smtc.certOutput = keyvault.CertificateBundle{
-			X509Thumbprint: pointer.To("123"),
+			X509Thumbprint: new("123"),
 			Tags: map[string]*string{
-				managedBy: pointer.To(externalSecrets),
+				managedBy: new(externalSecrets),
 			},
 		}
 	}
@@ -826,9 +825,9 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 			RemoteKey: certName,
 		}
 		smtc.certOutput = keyvault.CertificateBundle{
-			X509Thumbprint: pointer.To("123"),
+			X509Thumbprint: new("123"),
 			Tags: map[string]*string{
-				managedBy: pointer.To(externalSecrets),
+				managedBy: new(externalSecrets),
 			},
 		}
 		smtc.expectError = "could not import certificate certname: error"
@@ -847,7 +846,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 		smtc.certOutput = keyvault.CertificateBundle{
 			Cer: &cert,
 			Tags: map[string]*string{
-				managedBy: pointer.To(externalSecrets),
+				managedBy: new(externalSecrets),
 			},
 		}
 	}
@@ -859,9 +858,9 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 			RemoteKey: certName,
 		}
 		smtc.certOutput = keyvault.CertificateBundle{
-			X509Thumbprint: pointer.To("123"),
+			X509Thumbprint: new("123"),
 			Tags: map[string]*string{
-				managedBy: pointer.To("foobar"),
+				managedBy: new("foobar"),
 			},
 		}
 		smtc.expectError = "certificate certname: not managed by external-secrets"
@@ -874,7 +873,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 			RemoteKey: certName,
 		}
 		smtc.certOutput = keyvault.CertificateBundle{
-			X509Thumbprint: pointer.To("123"),
+			X509Thumbprint: new("123"),
 		}
 		smtc.expectError = "certificate certname: not managed by external-secrets"
 	}
@@ -889,10 +888,10 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 			},
 		}
 		smtc.certOutput = keyvault.CertificateBundle{
-			X509Thumbprint: pointer.To("123"),
+			X509Thumbprint: new("123"),
 			Tags: map[string]*string{
-				managedBy: pointer.To(externalSecrets),
-				tagKey:    pointer.To(tagValue),
+				managedBy: new(externalSecrets),
+				tagKey:    new(tagValue),
 			},
 		}
 	}
@@ -904,7 +903,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 			RemoteKey: certName,
 		}
 		smtc.certOutput = keyvault.CertificateBundle{
-			X509Thumbprint: pointer.To("123"),
+			X509Thumbprint: new("123"),
 		}
 		smtc.expectError = "value from secret is not a valid certificate: could not parse certificate value as PKCS#12, DER or PEM"
 	}
@@ -921,7 +920,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 			RemoteKey: certName,
 		}
 		smtc.certOutput = keyvault.CertificateBundle{
-			X509Thumbprint: pointer.To("123"),
+			X509Thumbprint: new("123"),
 		}
 		smtc.expectError = errAPI
 	}
@@ -966,7 +965,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 	}
 
 	sm := Azure{
-		provider: &esv1.AzureKVProvider{VaultURL: pointer.To(fakeURL)},
+		provider: &esv1.AzureKVProvider{VaultURL: new(fakeURL)},
 	}
 	for k, v := range successCases {
 		sm.baseClient = v.mockClient
@@ -1375,7 +1374,7 @@ func TestAzureKeyVaultSecretManagerGetSecret(t *testing.T) {
 	}
 
 	sm := Azure{
-		provider: &esv1.AzureKVProvider{VaultURL: pointer.To(fakeURL)},
+		provider: &esv1.AzureKVProvider{VaultURL: new(fakeURL)},
 	}
 	for k, v := range successCases {
 		sm.baseClient = v.mockClient
@@ -1534,7 +1533,7 @@ func TestAzureKeyVaultSecretManagerGetSecretMap(t *testing.T) {
 	}
 
 	sm := Azure{
-		provider: &esv1.AzureKVProvider{VaultURL: pointer.To(fakeURL)},
+		provider: &esv1.AzureKVProvider{VaultURL: new(fakeURL)},
 	}
 	for k, v := range successCases {
 		sm.baseClient = v.mockClient
@@ -1677,7 +1676,7 @@ func TestAzureKeyVaultSecretManagerGetAllSecrets(t *testing.T) {
 	}
 
 	sm := Azure{
-		provider: &esv1.AzureKVProvider{VaultURL: pointer.To(fakeURL)},
+		provider: &esv1.AzureKVProvider{VaultURL: new(fakeURL)},
 	}
 	for k, v := range successCases {
 		sm.baseClient = v.mockClient
@@ -1786,7 +1785,7 @@ func TestValidateStore(t *testing.T) {
 							AzureKV: &esv1.AzureKVProvider{
 								AuthSecretRef: &esv1.AzureKVAuth{
 									ClientID: &v1.SecretKeySelector{
-										Namespace: pointer.To("invalid"),
+										Namespace: new("invalid"),
 									},
 								},
 							},
@@ -1805,7 +1804,7 @@ func TestValidateStore(t *testing.T) {
 							AzureKV: &esv1.AzureKVProvider{
 								AuthSecretRef: &esv1.AzureKVAuth{
 									ClientSecret: &v1.SecretKeySelector{
-										Namespace: pointer.To("invalid"),
+										Namespace: new("invalid"),
 									},
 								},
 							},
@@ -1844,9 +1843,9 @@ func TestAzureKeyVaultSecretExists(t *testing.T) {
 		}
 		smtc.secretOutput = keyvault.SecretBundle{
 			Tags: map[string]*string{
-				"managed-by": pointer.To(externalSecrets),
+				"managed-by": new(externalSecrets),
 			},
-			Value: pointer.To("foo"),
+			Value: new("foo"),
 		}
 		smtc.expectedExistence = true
 	}
@@ -1857,9 +1856,9 @@ func TestAzureKeyVaultSecretExists(t *testing.T) {
 		}
 		smtc.secretOutput = keyvault.SecretBundle{
 			Tags: map[string]*string{
-				"someTag": pointer.To("someUselessValue"),
+				"someTag": new("someUselessValue"),
 			},
-			Value: pointer.To("foo"),
+			Value: new("foo"),
 		}
 		smtc.expectedExistence = true
 	}
@@ -1880,7 +1879,7 @@ func TestAzureKeyVaultSecretExists(t *testing.T) {
 	}
 
 	sm := Azure{
-		provider: &esv1.AzureKVProvider{VaultURL: pointer.To(fakeURL)},
+		provider: &esv1.AzureKVProvider{VaultURL: new(fakeURL)},
 	}
 
 	for k, tc := range testCases {

providers/v1/barbican/fake/mock.go

@@ -122,8 +122,8 @@ func (p MockPagination) LastMarker() (string, error) {
 	return "", nil
 }
 
-func (p MockPagination) GetBody() interface{} {
-	return map[string]interface{}{
+func (p MockPagination) GetBody() any {
+	return map[string]any{
 		"secrets": p.secrets,
 	}
 }

providers/v1/beyondtrust/go.mod

@@ -13,7 +13,6 @@ require (
 	k8s.io/apiextensions-apiserver v0.35.0
 	k8s.io/apimachinery v0.35.0
 	k8s.io/client-go v0.35.0
-	k8s.io/utils v0.0.0-20260108192941-914a6e750570
 	sigs.k8s.io/controller-runtime v0.23.1
 )
 
@@ -96,6 +95,7 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4 // indirect
+	k8s.io/utils v0.0.0-20260108192941-914a6e750570 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 // indirect

providers/v1/beyondtrust/provider.go

@@ -455,7 +455,7 @@ func (p *Provider) PushSecret(_ context.Context, secret *v1.Secret, psd esv1.Pus
 		return fmt.Errorf("Error getting metadata: %w", err)
 	}
 
-	var metaDataObject map[string]interface{}
+	var metaDataObject map[string]any
 	err = json.Unmarshal(data, &metaDataObject)
 	if err != nil {
 		return fmt.Errorf("Error in parameters: %w", err)
@@ -476,7 +476,7 @@ func (p *Provider) PushSecret(_ context.Context, secret *v1.Secret, psd esv1.Pus
 }
 
 // CreateSecret creates a secret in BeyondTrust Password Safe.
-func (p *Provider) CreateSecret(secret string, data map[string]interface{}, signAppinResponse entities.SignAppinResponse) error {
+func (p *Provider) CreateSecret(secret string, data map[string]any, signAppinResponse entities.SignAppinResponse) error {
 	logger := logging.NewLogrLogger(&ESOLogger)
 	secretObj, err := secrets.NewSecretObj(p.authenticate, logger, maxFileSecretSizeBytes, false)
 
@@ -519,7 +519,7 @@ func (p *Provider) CreateSecret(secret string, data map[string]interface{}, sign
 		Notes:       notes,
 	}
 
-	var configMap map[string]interface{}
+	var configMap map[string]any
 	switch strings.ToUpper(secretType) {
 	case "CREDENTIAL":
 
@@ -539,7 +539,7 @@ func (p *Provider) CreateSecret(secret string, data map[string]interface{}, sign
 			Owners:                  ownerDetailsGroupID,
 		}
 
-		configMap = map[string]interface{}{
+		configMap = map[string]any{
 			"3.0": secretCredentialDetailsConfig30,
 			"3.1": secretCredentialDetailsConfig31,
 		}
@@ -562,7 +562,7 @@ func (p *Provider) CreateSecret(secret string, data map[string]interface{}, sign
 			Owners:                  ownerDetailsGroupID,
 		}
 
-		configMap = map[string]interface{}{
+		configMap = map[string]any{
 			"3.0": secretFileDetailsConfig30,
 			"3.1": secretFileDetailsConfig31,
 		}
@@ -583,7 +583,7 @@ func (p *Provider) CreateSecret(secret string, data map[string]interface{}, sign
 			Owners:                  ownerDetailsGroupID,
 		}
 
-		configMap = map[string]interface{}{
+		configMap = map[string]any{
 			"3.0": secretTextDetailsConfig30,
 			"3.1": secretTextDetailsConfig31,
 		}

providers/v1/beyondtrust/provider_test.go

@@ -35,7 +35,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
-	"k8s.io/utils/ptr"
 	kubeclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 
@@ -376,7 +375,7 @@ func TestLoadConfigSecret_NamespacedStoreCannotCrossNamespace(t *testing.T) {
 	}).Build()
 	ref := &esv1.BeyondTrustProviderSecretRef{
 		SecretRef: &esmeta.SecretKeySelector{
-			Namespace: ptr.To("foo"),
+			Namespace: new("foo"),
 			Name:      "creds",
 			Key:       "key",
 		},

providers/v1/bitwarden/client.go

@@ -283,7 +283,7 @@ func (p *Provider) parseYamlSecretData(data []byte) (map[string][]byte, error) {
 			}
 			secretData[k] = bytes.TrimSpace(d)
 		default:
-			secretData[k] = []byte(fmt.Sprintf("%v", t)) // Convert to string and then []byte
+			secretData[k] = fmt.Appendf(nil, "%v", t) // Convert to string and then []byte
 		}
 	}
 

providers/v1/cloudru/secretmanager/client.go

@@ -75,7 +75,7 @@ func (c *Client) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemot
 	// {"key": "value", another: "value"}
 	//
 	// but it will return "" when accessing to a property `another` (no quotes)
-	if err = json.Unmarshal(secret, &map[string]interface{}{}); err != nil {
+	if err = json.Unmarshal(secret, &map[string]any{}); err != nil {
 		return nil, fmt.Errorf("expecting the secret %q in JSON format, could not access property %q", ref.Key, ref.Property)
 	}
 

providers/v1/conjur/client_get.go

@@ -29,7 +29,7 @@ import (
 	"github.com/external-secrets/external-secrets/runtime/find"
 )
 
-type conjurResource map[string]interface{}
+type conjurResource map[string]any
 
 // resourceFilterFunc is a function that filters resources.
 // It takes a resource as input and returns the name of the resource if it should be included.
@@ -115,7 +115,7 @@ func (c *Client) findSecretsFromName(ctx context.Context, ref esv1.FindName) (ma
 func (c *Client) findSecretsFromTags(ctx context.Context, tags map[string]string) (map[string][]byte, error) {
 	var resourceFilterFunc = func(candidate conjurResource) (string, error) {
 		name := trimConjurResourceName(candidate["id"].(string))
-		annotations, ok := candidate["annotations"].([]interface{})
+		annotations, ok := candidate["annotations"].([]any)
 		if !ok {
 			// No annotations, skip
 			return "", nil
@@ -210,10 +210,10 @@ func trimConjurResourceName(id string) string {
 
 // Convert annotations from objects with "name", "policy", "value" keys (as returned by the Conjur API)
 // to a key/value map for easier comparison in code.
-func formatAnnotations(annotations []interface{}) (map[string]string, error) {
+func formatAnnotations(annotations []any) (map[string]string, error) {
 	formattedAnnotations := make(map[string]string)
 	for _, annot := range annotations {
-		annot, ok := annot.(map[string]interface{})
+		annot, ok := annot.(map[string]any)
 		if !ok {
 			return nil, fmt.Errorf("could not parse annotation: %v", annot)
 		}

providers/v1/conjur/conjur_api.go

@@ -25,7 +25,7 @@ import (
 type SecretsClient interface {
 	RetrieveSecret(secret string) (result []byte, err error)
 	RetrieveBatchSecrets(variableIDs []string) (map[string][]byte, error)
-	Resources(filter *conjurapi.ResourceFilter) (resources []map[string]interface{}, err error)
+	Resources(filter *conjurapi.ResourceFilter) (resources []map[string]any, err error)
 }
 
 // SecretsClientFactory is an interface for creating a Conjur client.

providers/v1/conjur/fake/fake.go

@@ -53,15 +53,15 @@ func (mc *ConjurMockClient) RetrieveBatchSecrets(variableIDs []string) (map[stri
 	return secrets, nil
 }
 
-func (mc *ConjurMockClient) Resources(filter *conjurapi.ResourceFilter) (resources []map[string]interface{}, err error) {
+func (mc *ConjurMockClient) Resources(filter *conjurapi.ResourceFilter) (resources []map[string]any, err error) {
 	policyID := "conjur:policy:root"
 	if filter.Offset == 0 {
 		// First "page" of secrets: 2 static ones and 98 random ones
-		secrets := []map[string]interface{}{ //nolint:prealloc // static init + dynamic append
+		secrets := []map[string]any{ //nolint:prealloc // static init + dynamic append
 			{
 				"id": "conjur:variable:secret1",
-				"annotations": []interface{}{
-					map[string]interface{}{
+				"annotations": []any{
+					map[string]any{
 						"name":  "conjur/kind",
 						"value": "dummy",
 					},
@@ -70,13 +70,13 @@ func (mc *ConjurMockClient) Resources(filter *conjurapi.ResourceFilter) (resourc
 			{
 				"id":    "conjur:variable:secret2",
 				"owner": "conjur:policy:admin1",
-				"annotations": []interface{}{
-					map[string]interface{}{
+				"annotations": []any{
+					map[string]any{
 						"name":   "Description",
 						"policy": policyID,
 						"value":  "Lorem ipsum dolor sit amet",
 					},
-					map[string]interface{}{
+					map[string]any{
 						"name":   "conjur/kind",
 						"policy": policyID,
 						"value":  "password",
@@ -102,9 +102,9 @@ func (mc *ConjurMockClient) Resources(filter *conjurapi.ResourceFilter) (resourc
 	return generateRandomSecrets(50), nil
 }
 
-func generateRandomSecrets(count int) []map[string]interface{} {
-	var secrets []map[string]interface{}
-	for i := 0; i < count; i++ {
+func generateRandomSecrets(count int) []map[string]any {
+	secrets := make([]map[string]any, 0, count)
+	for range count {
 		//nolint:gosec
 		randomNumber := rand.Intn(10000)
 		secrets = append(secrets, generateRandomSecret(randomNumber))
@@ -112,10 +112,10 @@ func generateRandomSecrets(count int) []map[string]interface{} {
 	return secrets
 }
 
-func generateRandomSecret(num int) map[string]interface{} {
-	return map[string]interface{}{
+func generateRandomSecret(num int) map[string]any {
+	return map[string]any{
 		"id": fmt.Sprintf("conjur:variable:random/var_%d", num),
-		"annotations": []map[string]interface{}{
+		"annotations": []map[string]any{
 			{
 				"name":  "random_number",
 				"value": fmt.Sprintf("%d", num),

providers/v1/delinea/provider_test.go

@@ -30,7 +30,6 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
-	"github.com/external-secrets/external-secrets/runtime/esutils"
 )
 
 func TestDoesConfigDependOnNamespace(t *testing.T) {
@@ -362,7 +361,7 @@ func makeSecretRefUsingRef(name, key string) *esv1.DelineaProviderSecretRef {
 
 func makeSecretRefUsingNamespacedRef(namespace, name, key string) *esv1.DelineaProviderSecretRef {
 	return &esv1.DelineaProviderSecretRef{
-		SecretRef: &v1.SecretKeySelector{Namespace: esutils.Ptr(namespace), Name: name, Key: key},
+		SecretRef: &v1.SecretKeySelector{Namespace: new(namespace), Name: name, Key: key},
 	}
 }
 

providers/v1/fake/fake_test.go

@@ -27,7 +27,6 @@ import (
 	"github.com/onsi/gomega"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/utils/ptr"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
@@ -191,7 +190,7 @@ func TestGetAllSecrets(t *testing.T) {
 			desc: "unsupported operator",
 			data: []esv1.FakeProviderData{},
 			ref: esv1.ExternalSecretFind{
-				Path: ptr.To("some-path"),
+				Path: new("some-path"),
 			},
 			expectedErr: "unsupported find operator",
 		},

providers/v1/fake/go.mod

@@ -10,7 +10,6 @@ require (
 	github.com/tidwall/gjson v1.18.0
 	k8s.io/api v0.35.0
 	k8s.io/apimachinery v0.35.0
-	k8s.io/utils v0.0.0-20260108192941-914a6e750570
 	sigs.k8s.io/controller-runtime v0.23.1
 )
 
@@ -89,6 +88,7 @@ require (
 	k8s.io/client-go v0.35.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4 // indirect
+	k8s.io/utils v0.0.0-20260108192941-914a6e750570 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 // indirect

providers/v1/fortanix/go.mod

@@ -3,7 +3,6 @@ module github.com/external-secrets/external-secrets/providers/v1/fortanix
 go 1.26.1
 
 require (
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1
 	github.com/external-secrets/external-secrets/apis v0.0.0
 	github.com/external-secrets/external-secrets/runtime v0.0.0
 	github.com/fortanix/sdkms-client-go v0.4.1

providers/v1/fortanix/go.sum

@@ -1,7 +1,5 @@
 dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
 dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1 h1:5YTBM8QDVIBN3sxBil89WfdAAqDZbyJTgh688DSxX5w=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1/go.mod h1:YD5h/ldMsG0XiIw7PdyNhLxaM317eFh5yNLccNfGdyw=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=

providers/v1/fortanix/provider_test.go

@@ -20,7 +20,6 @@ import (
 	"errors"
 	"testing"
 
-	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
@@ -136,7 +135,7 @@ func TestValidateStore(t *testing.T) {
 					SecretRef: &v1.SecretKeySelector{
 						Key:       "key",
 						Name:      "name",
-						Namespace: to.Ptr("namespace"),
+						Namespace: new("namespace"),
 					},
 				},
 			},

providers/v1/gcp/go.mod

@@ -23,7 +23,6 @@ require (
 	k8s.io/apiextensions-apiserver v0.35.0
 	k8s.io/apimachinery v0.35.0
 	k8s.io/client-go v0.35.0
-	k8s.io/utils v0.0.0-20260108192941-914a6e750570
 	sigs.k8s.io/controller-runtime v0.23.1
 )
 
@@ -113,6 +112,7 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4 // indirect
+	k8s.io/utils v0.0.0-20260108192941-914a6e750570 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 // indirect

providers/v1/gcp/secretmanager/client_test.go

@@ -35,7 +35,6 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	pointer "k8s.io/utils/ptr"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
@@ -1591,7 +1590,7 @@ func TestValidateStore(t *testing.T) {
 					SecretRef: &esv1.GCPSMAuthSecretRef{
 						SecretAccessKey: v1.SecretKeySelector{
 							Name:      "foo",
-							Namespace: pointer.To("invalid"),
+							Namespace: new("invalid"),
 						},
 					},
 				},
@@ -1605,7 +1604,7 @@ func TestValidateStore(t *testing.T) {
 					WorkloadIdentity: &esv1.GCPWorkloadIdentity{
 						ServiceAccountRef: v1.ServiceAccountSelector{
 							Name:      "foo",
-							Namespace: pointer.To("invalid"),
+							Namespace: new("invalid"),
 						},
 					},
 				},

providers/v1/gcp/secretmanager/workload_identity_federation_test.go

@@ -72,12 +72,12 @@ var (
 )
 
 func createValidK8sExternalAccountConfig(audience string) string {
-	config := map[string]interface{}{
+	config := map[string]any{
 		"type":               externalAccountCredentialType,
 		"audience":           audience,
 		"subject_token_type": workloadIdentitySubjectTokenType,
 		"token_url":          workloadIdentityTokenURL,
-		"credential_source": map[string]interface{}{
+		"credential_source": map[string]any{
 			"file": "/var/run/secrets/oidc_token",
 		},
 		"token_info_url": workloadIdentityTokenInfoURL,
@@ -87,13 +87,13 @@ func createValidK8sExternalAccountConfig(audience string) string {
 }
 
 func createValidAWSExternalAccountConfig(audience string) string {
-	config := map[string]interface{}{
+	config := map[string]any{
 		"type":                              externalAccountCredentialType,
 		"audience":                          audience,
 		"subject_token_type":                workloadIdentitySubjectTokenType,
 		"token_url":                         workloadIdentityTokenURL,
 		"service_account_impersonation_url": testServiceAccountImpersonationURL,
-		"credential_source": map[string]interface{}{
+		"credential_source": map[string]any{
 			"environment_id":           "aws1",
 			"url":                      testAwsTokenIPV4URL,
 			"region_url":               testAwsRegionIPv4URL,
@@ -105,7 +105,7 @@ func createValidAWSExternalAccountConfig(audience string) string {
 }
 
 func createInvalidTypeExternalAccountConfig() string {
-	config := map[string]interface{}{
+	config := map[string]any{
 		"type":     "service_account",
 		"audience": testAudience,
 	}
@@ -114,12 +114,12 @@ func createInvalidTypeExternalAccountConfig() string {
 }
 
 func createInvalidK8sExternalAccountConfigWithUnallowedTokenFilePath(audience string) string {
-	config := map[string]interface{}{
+	config := map[string]any{
 		"type":               externalAccountCredentialType,
 		"audience":           audience,
 		"subject_token_type": workloadIdentitySubjectTokenType,
 		"token_url":          workloadIdentityTokenURL,
-		"credential_source": map[string]interface{}{
+		"credential_source": map[string]any{
 			"file": autoMountedServiceAccountTokenPath,
 		},
 		"token_info_url": workloadIdentityTokenInfoURL,
@@ -129,12 +129,12 @@ func createInvalidK8sExternalAccountConfigWithUnallowedTokenFilePath(audience st
 }
 
 func createInvalidK8sExternalAccountConfigWithUnallowedTokenURL(audience string) string {
-	config := map[string]interface{}{
+	config := map[string]any{
 		"type":               externalAccountCredentialType,
 		"audience":           audience,
 		"subject_token_type": workloadIdentitySubjectTokenType,
 		"token_url":          "https://example.com",
-		"credential_source": map[string]interface{}{
+		"credential_source": map[string]any{
 			"file": "/var/run/secrets/oidc_token",
 		},
 		"token_info_url": workloadIdentityTokenInfoURL,

providers/v1/github/client_test.go

@@ -45,7 +45,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
@@ -152,8 +151,8 @@ func TestPushSecret(t *testing.T) {
 				Name: "foo",
 			}, nil, nil),
 			getPublicKeyFn: withGetPublicKeyFn(&github.PublicKey{
-				Key:   ptr.To("broken"),
-				KeyID: ptr.To("123"),
+				Key:   new("broken"),
+				KeyID: new("123"),
 			}, nil, nil),
 			wantErr: errors.New("unable to decode public key"),
 		},
@@ -163,8 +162,8 @@ func TestPushSecret(t *testing.T) {
 				Name: "foo",
 			}, nil, nil),
 			getPublicKeyFn: withGetPublicKeyFn(&github.PublicKey{
-				Key:   ptr.To("Cg=="),
-				KeyID: ptr.To("123"),
+				Key:   new("Cg=="),
+				KeyID: new("123"),
 			}, nil, nil),
 			secret: &corev1.Secret{
 				Data: map[string][]byte{
@@ -184,8 +183,8 @@ func TestPushSecret(t *testing.T) {
 				Name: "foo",
 			}, nil, nil),
 			getPublicKeyFn: withGetPublicKeyFn(&github.PublicKey{
-				Key:   ptr.To("Zm9vYmFyCg=="),
-				KeyID: ptr.To("123"),
+				Key:   new("Zm9vYmFyCg=="),
+				KeyID: new("123"),
 			}, nil, nil),
 			secret: &corev1.Secret{
 				Data: map[string][]byte{
@@ -206,8 +205,8 @@ func TestPushSecret(t *testing.T) {
 				Name: "foo",
 			}, nil, nil),
 			getPublicKeyFn: withGetPublicKeyFn(&github.PublicKey{
-				Key:   ptr.To("Zm9vYmFyCg=="),
-				KeyID: ptr.To("123"),
+				Key:   new("Zm9vYmFyCg=="),
+				KeyID: new("123"),
 			}, nil, nil),
 			secret: &corev1.Secret{
 				Data: map[string][]byte{

providers/v1/github/go.mod

@@ -11,7 +11,6 @@ require (
 	golang.org/x/crypto v0.47.0
 	k8s.io/api v0.35.0
 	k8s.io/apimachinery v0.35.0
-	k8s.io/utils v0.0.0-20260108192941-914a6e750570
 	sigs.k8s.io/controller-runtime v0.23.1
 )
 
@@ -74,6 +73,7 @@ require (
 	k8s.io/client-go v0.35.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4 // indirect
+	k8s.io/utils v0.0.0-20260108192941-914a6e750570 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 // indirect

providers/v1/ibm/provider.go

@@ -345,7 +345,7 @@ func getUsernamePasswordSecret(ibm *providerIBM, secretName *string, ref esv1.Ex
 }
 
 // Returns a secret of type kv or custom credentials and supports json path.
-func getKVOrCustomCredentialsSecret(ref esv1.ExternalSecretDataRemoteRef, credentialsData map[string]interface{}) ([]byte, error) {
+func getKVOrCustomCredentialsSecret(ref esv1.ExternalSecretDataRemoteRef, credentialsData map[string]any) ([]byte, error) {
 	payloadJSONByte, err := json.Marshal(credentialsData)
 	if err != nil {
 		return nil, fmt.Errorf("marshaling payload from secret failed. %w", err)
@@ -751,7 +751,7 @@ func (ibm *providerIBM) NewClient(ctx context.Context, store esv1.GenericStore,
 // populateSecretMap populates the secretMap with metadata information that is pulled from IBM provider.
 func populateSecretMap(secretMap map[string][]byte, secretDataMap map[string]any) map[string][]byte {
 	for key, value := range secretDataMap {
-		secretMap[key] = []byte(fmt.Sprintf("%v", value))
+		secretMap[key] = fmt.Appendf(nil, "%v", value)
 	}
 	return secretMap
 }

providers/v1/ibm/provider_test.go

@@ -27,7 +27,6 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/IBM/go-sdk-core/v5/core"
 	sm "github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2"
 	"github.com/go-openapi/strfmt"
 	corev1 "k8s.io/api/core/v1"
@@ -100,15 +99,15 @@ func makeValidRef() *esv1.ExternalSecretDataRemoteRef {
 
 func makeValidAPIInput() *sm.GetSecretOptions {
 	return &sm.GetSecretOptions{
-		ID: utilpointer.To(secretUUID),
+		ID: new(secretUUID),
 	}
 }
 
 func makeValidAPIOutput() sm.SecretIntf {
 	secret := &sm.Secret{
 		SecretType: utilpointer.To(sm.Secret_SecretType_Arbitrary),
-		Name:       utilpointer.To("testyname"),
-		ID:         utilpointer.To(secretUUID),
+		Name:       new("testyname"),
+		ID:         new(secretUUID),
 	}
 	var i sm.SecretIntf = secret
 	return i
@@ -225,13 +224,13 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 	setSecretString := func(smtc *secretManagerTestCase) {
 		secret := &sm.ArbitrarySecret{
 			SecretType: utilpointer.To(sm.Secret_SecretType_Arbitrary),
-			Name:       utilpointer.To("testyname"),
-			ID:         utilpointer.To(secretUUID),
+			Name:       new("testyname"),
+			ID:         new(secretUUID),
 			Payload:    &secretString,
 		}
 		smtc.name = "good case: default version is set"
 		smtc.apiOutput = secret
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.expectedSecret = secretString
 	}
 
@@ -239,13 +238,13 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 	setCustomKey := func(smtc *secretManagerTestCase) {
 		secret := &sm.ArbitrarySecret{
 			SecretType: utilpointer.To(sm.Secret_SecretType_Arbitrary),
-			Name:       utilpointer.To("testyname"),
-			ID:         utilpointer.To(secretUUID),
+			Name:       new("testyname"),
+			ID:         new(secretUUID),
 			Payload:    &secretString,
 		}
 		smtc.name = "good case: custom version set"
 		smtc.ref.Key = "arbitrary/" + secretUUID
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.expectedSecret = secretString
 	}
@@ -254,11 +253,11 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 	badArbitSecret := func(smtc *secretManagerTestCase) {
 		secret := &sm.ArbitrarySecret{
 			SecretType: utilpointer.To(sm.Secret_SecretType_Arbitrary),
-			Name:       utilpointer.To("testyname"),
-			ID:         utilpointer.To(secretUUID),
+			Name:       new("testyname"),
+			ID:         new(secretUUID),
 		}
 		smtc.name = "bad case: arbitrary type without property"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretUUID
 		smtc.expectError = "key payload does not exist in secret " + secretUUID
@@ -269,13 +268,13 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 	badSecretUserPass := func(smtc *secretManagerTestCase) {
 		secret := &sm.UsernamePasswordSecret{
 			SecretType: utilpointer.To(sm.Secret_SecretType_UsernamePassword),
-			Name:       utilpointer.To("testyname"),
-			ID:         utilpointer.To(secretUUID),
+			Name:       new("testyname"),
+			ID:         new(secretUUID),
 			Username:   &secretUsername,
 			Password:   &secretPassword,
 		}
 		smtc.name = "bad case: username_password type without property"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretUserPass
 		smtc.expectError = "remoteRef.property required for secret type username_password"
@@ -286,13 +285,13 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 		return func(smtc *secretManagerTestCase) {
 			secret := &sm.UsernamePasswordSecret{
 				SecretType: utilpointer.To(sm.Secret_SecretType_UsernamePassword),
-				Name:       utilpointer.To("testyname"),
-				ID:         utilpointer.To(secretUUID),
+				Name:       new("testyname"),
+				ID:         new(secretUUID),
 				Username:   &secretUsername,
 				Password:   &secretPassword,
 			}
 			smtc.name = name
-			smtc.apiInput.ID = utilpointer.To(secretUUID)
+			smtc.apiInput.ID = new(secretUUID)
 			smtc.apiOutput = secret
 			smtc.ref.Key = "username_password/" + secretName
 			smtc.ref.Property = property
@@ -310,11 +309,11 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 		return func(smtc *secretManagerTestCase) {
 			secret := &sm.IAMCredentialsSecret{
 				SecretType: utilpointer.To(sm.Secret_SecretType_IamCredentials),
-				Name:       utilpointer.To("testyname"),
-				ID:         utilpointer.To(secretUUID),
-				ApiKey:     utilpointer.To(secretAPIKey),
+				Name:       new("testyname"),
+				ID:         new(secretUUID),
+				ApiKey:     new(secretAPIKey),
 			}
-			smtc.apiInput.ID = utilpointer.To(secretUUID)
+			smtc.apiInput.ID = new(secretUUID)
 			smtc.name = name
 			smtc.apiOutput = secret
 			smtc.ref.Key = iamCredentialsSecret + secretName
@@ -329,9 +328,9 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 		return func(smtc *secretManagerTestCase) {
 			secret := &sm.IAMCredentialsSecret{
 				SecretType: utilpointer.To(sm.Secret_SecretType_IamCredentials),
-				Name:       utilpointer.To("testyname"),
-				ID:         utilpointer.To(secretUUID),
-				ApiKey:     utilpointer.To(secretAPIKey),
+				Name:       new("testyname"),
+				ID:         new(secretUUID),
+				ApiKey:     new(secretAPIKey),
 			}
 			smtc.getByNameInput.Name = &secretName
 			smtc.getByNameInput.SecretGroupName = &groupName
@@ -354,11 +353,11 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 		return func(smtc *secretManagerTestCase) {
 			secret := &sm.ServiceCredentialsSecret{
 				SecretType:  utilpointer.To(sm.Secret_SecretType_ServiceCredentials),
-				Name:        utilpointer.To("testyname"),
-				ID:          utilpointer.To(secretUUID),
+				Name:        new("testyname"),
+				ID:          new(secretUUID),
 				Credentials: dummySrvCreds,
 			}
-			smtc.apiInput.ID = utilpointer.To(secretUUID)
+			smtc.apiInput.ID = new(secretUUID)
 			smtc.name = name
 			smtc.apiOutput = secret
 			smtc.ref.Key = "service_credentials/" + secretName
@@ -371,7 +370,7 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 	funcSetCertSecretTest := func(secret sm.SecretIntf, name, certType string, good bool) func(*secretManagerTestCase) {
 		return func(smtc *secretManagerTestCase) {
 			smtc.name = name
-			smtc.apiInput.ID = utilpointer.To(secretUUID)
+			smtc.apiInput.ID = new(secretUUID)
 			smtc.apiOutput = secret
 			smtc.ref.Key = certType + "/" + secretUUID
 			if good {
@@ -386,11 +385,11 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 	// good case: imported_cert type with property
 	importedCert := &sm.ImportedCertificate{
 		SecretType:   utilpointer.To(sm.Secret_SecretType_ImportedCert),
-		Name:         utilpointer.To("testyname"),
-		ID:           utilpointer.To(secretUUID),
-		Certificate:  utilpointer.To(secretCertificate),
-		Intermediate: utilpointer.To("intermediate"),
-		PrivateKey:   utilpointer.To("private_key"),
+		Name:         new("testyname"),
+		ID:           new(secretUUID),
+		Certificate:  new(secretCertificate),
+		Intermediate: new("intermediate"),
+		PrivateKey:   new("private_key"),
 	}
 	setSecretCert := funcSetCertSecretTest(importedCert, "good case: imported_cert type with property", sm.Secret_SecretType_ImportedCert, true)
 
@@ -398,12 +397,12 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 	importedCertNoPvtKey := func(smtc *secretManagerTestCase) {
 		secret := &sm.ImportedCertificate{
 			SecretType:  utilpointer.To(sm.Secret_SecretType_ImportedCert),
-			Name:        utilpointer.To("testyname"),
-			ID:          utilpointer.To(secretUUID),
-			Certificate: utilpointer.To(secretCertificate),
+			Name:        new("testyname"),
+			ID:          new(secretUUID),
+			Certificate: new(secretCertificate),
 		}
 		smtc.name = "good case: imported cert without private key"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = "imported_cert/" + secretUUID
 		smtc.ref.Property = "private_key"
@@ -416,11 +415,11 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 	// good case: public_cert type with property
 	publicCert := &sm.PublicCertificate{
 		SecretType:   utilpointer.To(sm.Secret_SecretType_PublicCert),
-		Name:         utilpointer.To("testyname"),
-		ID:           utilpointer.To(secretUUID),
-		Certificate:  utilpointer.To(secretCertificate),
-		Intermediate: utilpointer.To("intermediate"),
-		PrivateKey:   utilpointer.To("private_key"),
+		Name:         new("testyname"),
+		ID:           new(secretUUID),
+		Certificate:  new(secretCertificate),
+		Intermediate: new("intermediate"),
+		PrivateKey:   new("private_key"),
 	}
 	setSecretPublicCert := funcSetCertSecretTest(publicCert, "good case: public_cert type with property", sm.Secret_SecretType_PublicCert, true)
 
@@ -430,10 +429,10 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 	// good case: private_cert type with property
 	privateCert := &sm.PrivateCertificate{
 		SecretType:  utilpointer.To(sm.Secret_SecretType_PublicCert),
-		Name:        utilpointer.To("testyname"),
-		ID:          utilpointer.To(secretUUID),
-		Certificate: utilpointer.To(secretCertificate),
-		PrivateKey:  utilpointer.To("private_key"),
+		Name:        new("testyname"),
+		ID:          new(secretUUID),
+		Certificate: new(secretCertificate),
+		PrivateKey:  new("private_key"),
 	}
 	setSecretPrivateCert := funcSetCertSecretTest(privateCert, "good case: private_cert type with property", sm.Secret_SecretType_PrivateCert, true)
 
@@ -453,12 +452,12 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 	badSecretKV := func(smtc *secretManagerTestCase) {
 		secret := &sm.KVSecret{
 			SecretType: utilpointer.To(sm.Secret_SecretType_Kv),
-			Name:       utilpointer.To("testyname"),
-			ID:         utilpointer.To(secretUUID),
+			Name:       new("testyname"),
+			ID:         new(secretUUID),
 			Data:       secretDataKV,
 		}
 		smtc.name = "bad case: kv type with key which is not in payload"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretKV
 		smtc.ref.Property = "other-key"
@@ -469,12 +468,12 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 	setSecretKV := func(smtc *secretManagerTestCase) {
 		secret := &sm.KVSecret{
 			SecretType: utilpointer.To(sm.Secret_SecretType_Kv),
-			Name:       utilpointer.To("testyname"),
-			ID:         utilpointer.To(secretUUID),
+			Name:       new("testyname"),
+			ID:         new(secretUUID),
 			Data:       secretDataKV,
 		}
 		smtc.name = "good case: kv type with property"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretKV
 		smtc.ref.Property = "key1"
@@ -485,12 +484,12 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 	setSecretKVWithKey := func(smtc *secretManagerTestCase) {
 		secret := &sm.KVSecret{
 			SecretType: utilpointer.To(sm.Secret_SecretType_Kv),
-			Name:       utilpointer.To("testyname"),
-			ID:         utilpointer.To(secretUUID),
+			Name:       new("testyname"),
+			ID:         new(secretUUID),
 			Data:       secretDataKVComplex,
 		}
 		smtc.name = "good case: kv type with property, returns specific value"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretKV
 		smtc.ref.Property = "key2"
@@ -501,12 +500,12 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 	setSecretKVWithKeyPath := func(smtc *secretManagerTestCase) {
 		secret := &sm.KVSecret{
 			SecretType: utilpointer.To(sm.Secret_SecretType_Kv),
-			Name:       utilpointer.To("testyname"),
-			ID:         utilpointer.To(secretUUID),
+			Name:       new("testyname"),
+			ID:         new(secretUUID),
 			Data:       secretDataKVComplex,
 		}
 		smtc.name = "good case: kv type with property and path, returns specific value"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretKV
 		smtc.ref.Property = "keyC.keyC2"
@@ -517,12 +516,12 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 	setSecretKVWithKeyDot := func(smtc *secretManagerTestCase) {
 		secret := &sm.KVSecret{
 			SecretType: utilpointer.To(sm.Secret_SecretType_Kv),
-			Name:       utilpointer.To("testyname"),
-			ID:         utilpointer.To(secretUUID),
+			Name:       new("testyname"),
+			ID:         new(secretUUID),
 			Data:       secretDataKVComplex,
 		}
 		smtc.name = "good case: kv type with property and dot, returns specific value"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretKV
 		smtc.ref.Property = "special.log"
@@ -533,12 +532,12 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 	setSecretKVWithOutKey := func(smtc *secretManagerTestCase) {
 		secret := &sm.KVSecret{
 			SecretType: utilpointer.To(sm.Secret_SecretType_Kv),
-			Name:       utilpointer.To("testyname"),
-			ID:         utilpointer.To(secretUUID),
+			Name:       new("testyname"),
+			ID:         new(secretUUID),
 			Data:       secretDataKVComplex,
 		}
 		smtc.name = "good case: kv type without property, returns all"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretKV
 		smtc.expectedSecret = secretKVComplex
@@ -557,12 +556,12 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 	badSecretCustomCredentials := func(smtc *secretManagerTestCase) {
 		secret := &sm.CustomCredentialsSecret{
 			SecretType:         utilpointer.To(sm.Secret_SecretType_CustomCredentials),
-			Name:               utilpointer.To("testyname"),
-			ID:                 utilpointer.To(secretUUID),
+			Name:               new("testyname"),
+			ID:                 new(secretUUID),
 			CredentialsContent: customCredentialsSecretCredentialsContent,
 		}
 		smtc.name = "bad case: custom credentials type with key which is not in payload"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretCustomCredentials
 		smtc.ref.Property = "other-key"
@@ -573,12 +572,12 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 	setSecretCustomCredentials := func(smtc *secretManagerTestCase) {
 		secret := &sm.CustomCredentialsSecret{
 			SecretType:         utilpointer.To(sm.Secret_SecretType_CustomCredentials),
-			Name:               utilpointer.To("testyname"),
-			ID:                 utilpointer.To(secretUUID),
+			Name:               new("testyname"),
+			ID:                 new(secretUUID),
 			CredentialsContent: customCredentialsSecretCredentialsContent,
 		}
 		smtc.name = "good case: custom_credentials type with property"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretCustomCredentials
 		smtc.ref.Property = "key1"
@@ -589,12 +588,12 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 	setSecretCustomCredentialsWithKey := func(smtc *secretManagerTestCase) {
 		secret := &sm.CustomCredentialsSecret{
 			SecretType:         utilpointer.To(sm.Secret_SecretType_CustomCredentials),
-			Name:               utilpointer.To("testyname"),
-			ID:                 utilpointer.To(secretUUID),
+			Name:               new("testyname"),
+			ID:                 new(secretUUID),
 			CredentialsContent: customCredentialsSecretCredentialsContentComplex,
 		}
 		smtc.name = "good case: custom_credentials type with property, returns specific value"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretCustomCredentials
 		smtc.ref.Property = "key2"
@@ -605,12 +604,12 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 	setSecretCustomCredentialsWithKeyPath := func(smtc *secretManagerTestCase) {
 		secret := &sm.CustomCredentialsSecret{
 			SecretType:         utilpointer.To(sm.Secret_SecretType_CustomCredentials),
-			Name:               utilpointer.To("testyname"),
-			ID:                 utilpointer.To(secretUUID),
+			Name:               new("testyname"),
+			ID:                 new(secretUUID),
 			CredentialsContent: customCredentialsSecretCredentialsContentComplex,
 		}
 		smtc.name = "good case: custom_credentials type with property and path, returns specific value"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretCustomCredentials
 		smtc.ref.Property = "keyC.keyC2"
@@ -621,12 +620,12 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 	setSecretCustomCredentialsWithKeyDot := func(smtc *secretManagerTestCase) {
 		secret := &sm.CustomCredentialsSecret{
 			SecretType:         utilpointer.To(sm.Secret_SecretType_CustomCredentials),
-			Name:               utilpointer.To("testyname"),
-			ID:                 utilpointer.To(secretUUID),
+			Name:               new("testyname"),
+			ID:                 new(secretUUID),
 			CredentialsContent: customCredentialsSecretCredentialsContentComplex,
 		}
 		smtc.name = "good case: custom_credentials type with property and dot, returns specific value"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretCustomCredentials
 		smtc.ref.Property = "special.log"
@@ -637,12 +636,12 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 	setSecretCustomCredentialsWithOutKey := func(smtc *secretManagerTestCase) {
 		secret := &sm.CustomCredentialsSecret{
 			SecretType:         utilpointer.To(sm.Secret_SecretType_CustomCredentials),
-			Name:               utilpointer.To("testyname"),
-			ID:                 utilpointer.To(secretUUID),
+			Name:               new("testyname"),
+			ID:                 new(secretUUID),
 			CredentialsContent: customCredentialsSecretCredentialsContentComplex,
 		}
 		smtc.name = "good case: custom_credentials type without property, returns all"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretCustomCredentials
 		smtc.expectedSecret = customCredentialsSecretComplex
@@ -724,13 +723,13 @@ func TestGetSecretMap(t *testing.T) {
 	setArbitrary := func(smtc *secretManagerTestCase) {
 		payload := `{"foo":"bar"}`
 		secret := &sm.ArbitrarySecret{
-			Name:       utilpointer.To("testyname"),
-			ID:         utilpointer.To(secretUUID),
+			Name:       new("testyname"),
+			ID:         new(secretUUID),
 			SecretType: utilpointer.To(sm.Secret_SecretType_Arbitrary),
 			Payload:    &payload,
 		}
 		smtc.name = "good case: arbitrary"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretUUID
 		smtc.expectedData["arbitrary"] = []byte(payload)
@@ -739,14 +738,14 @@ func TestGetSecretMap(t *testing.T) {
 	// good case: username_password
 	setSecretUserPass := func(smtc *secretManagerTestCase) {
 		secret := &sm.UsernamePasswordSecret{
-			Name:       utilpointer.To("testyname"),
-			ID:         utilpointer.To(secretUUID),
+			Name:       new("testyname"),
+			ID:         new(secretUUID),
 			SecretType: utilpointer.To(sm.Secret_SecretType_UsernamePassword),
 			Username:   &secretUsername,
 			Password:   &secretPassword,
 		}
 		smtc.name = "good case: username_password"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = "username_password/" + secretUUID
 		smtc.expectedData["username"] = []byte(secretUsername)
@@ -756,13 +755,13 @@ func TestGetSecretMap(t *testing.T) {
 	// good case: iam_credentials
 	setSecretIam := func(smtc *secretManagerTestCase) {
 		secret := &sm.IAMCredentialsSecret{
-			Name:       utilpointer.To("testyname"),
-			ID:         utilpointer.To(secretUUID),
+			Name:       new("testyname"),
+			ID:         new(secretUUID),
 			SecretType: utilpointer.To(sm.Secret_SecretType_IamCredentials),
-			ApiKey:     utilpointer.To(secretAPIKey),
+			ApiKey:     new(secretAPIKey),
 		}
 		smtc.name = "good case: iam_credentials"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = iamCredentialsSecret + secretUUID
 		smtc.expectedData["apikey"] = []byte(secretAPIKey)
@@ -771,14 +770,14 @@ func TestGetSecretMap(t *testing.T) {
 	// good case: iam_credentials by name using new mechanism
 	setSecretIamByName := func(smtc *secretManagerTestCase) {
 		secret := &sm.IAMCredentialsSecret{
-			Name:       utilpointer.To("testyname"),
-			ID:         utilpointer.To(secretUUID),
+			Name:       new("testyname"),
+			ID:         new(secretUUID),
 			SecretType: utilpointer.To(sm.Secret_SecretType_IamCredentials),
-			ApiKey:     utilpointer.To(secretAPIKey),
+			ApiKey:     new(secretAPIKey),
 		}
 		smtc.name = "good case: iam_credentials by name using new mechanism"
-		smtc.getByNameInput.Name = utilpointer.To("testyname")
-		smtc.getByNameInput.SecretGroupName = utilpointer.To("groupName")
+		smtc.getByNameInput.Name = new("testyname")
+		smtc.getByNameInput.SecretGroupName = new("groupName")
 		smtc.getByNameInput.SecretType = utilpointer.To(sm.Secret_SecretType_IamCredentials)
 
 		smtc.getByNameOutput = secret
@@ -790,12 +789,12 @@ func TestGetSecretMap(t *testing.T) {
 	// bad case: iam_credentials of a destroyed secret
 	badSecretIam := func(smtc *secretManagerTestCase) {
 		secret := &sm.IAMCredentialsSecret{
-			Name:       utilpointer.To("testyname"),
-			ID:         utilpointer.To(secretUUID),
+			Name:       new("testyname"),
+			ID:         new(secretUUID),
 			SecretType: utilpointer.To(sm.Secret_SecretType_IamCredentials),
 		}
 		smtc.name = "bad case: iam_credentials of a destroyed secret"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = iamCredentialsSecret + secretUUID
 		smtc.expectError = "key api_key does not exist in secret " + secretUUID
@@ -804,7 +803,7 @@ func TestGetSecretMap(t *testing.T) {
 	funcCertTest := func(secret sm.SecretIntf, name, certType string) func(*secretManagerTestCase) {
 		return func(smtc *secretManagerTestCase) {
 			smtc.name = name
-			smtc.apiInput.ID = utilpointer.To(secretUUID)
+			smtc.apiInput.ID = new(secretUUID)
 			smtc.apiOutput = secret
 			smtc.ref.Key = certType + "/" + secretUUID
 			smtc.expectedData["certificate"] = []byte(secretCertificate)
@@ -816,51 +815,51 @@ func TestGetSecretMap(t *testing.T) {
 	// good case: service_credentials
 	setSecretSrvCreds := func(smtc *secretManagerTestCase) {
 		secret := &sm.ServiceCredentialsSecret{
-			Name:        utilpointer.To("testyname"),
-			ID:          utilpointer.To(secretUUID),
+			Name:        new("testyname"),
+			ID:          new(secretUUID),
 			SecretType:  utilpointer.To(sm.Secret_SecretType_IamCredentials),
 			Credentials: dummySrvCreds,
 		}
 		smtc.name = "good case: service_credentials"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = "service_credentials/" + secretUUID
-		smtc.expectedData["credentials"] = []byte(fmt.Sprintf("%+v", map[string]string{"apikey": secretAPIKey}))
+		smtc.expectedData["credentials"] = fmt.Appendf(nil, "%+v", map[string]string{"apikey": secretAPIKey})
 	}
 
 	// good case: imported_cert
 	importedCert := &sm.ImportedCertificate{
 		SecretType:   utilpointer.To(sm.Secret_SecretType_ImportedCert),
-		Name:         utilpointer.To("testyname"),
-		ID:           utilpointer.To(secretUUID),
-		Certificate:  utilpointer.To(secretCertificate),
-		Intermediate: utilpointer.To(secretIntermediate),
-		PrivateKey:   utilpointer.To(secretPrivateKey),
+		Name:         new("testyname"),
+		ID:           new(secretUUID),
+		Certificate:  new(secretCertificate),
+		Intermediate: new(secretIntermediate),
+		PrivateKey:   new(secretPrivateKey),
 	}
 	setSecretCert := funcCertTest(importedCert, "good case: imported_cert", sm.Secret_SecretType_ImportedCert)
 
 	// good case: public_cert
 	publicCert := &sm.PublicCertificate{
 		SecretType:   utilpointer.To(sm.Secret_SecretType_PublicCert),
-		Name:         utilpointer.To("testyname"),
-		ID:           utilpointer.To(secretUUID),
-		Certificate:  utilpointer.To(secretCertificate),
-		Intermediate: utilpointer.To(secretIntermediate),
-		PrivateKey:   utilpointer.To(secretPrivateKey),
+		Name:         new("testyname"),
+		ID:           new(secretUUID),
+		Certificate:  new(secretCertificate),
+		Intermediate: new(secretIntermediate),
+		PrivateKey:   new(secretPrivateKey),
 	}
 	setSecretPublicCert := funcCertTest(publicCert, "good case: public_cert", sm.Secret_SecretType_PublicCert)
 
 	// good case: private_cert
 	setSecretPrivateCert := func(smtc *secretManagerTestCase) {
 		secret := &sm.PrivateCertificate{
-			Name:        utilpointer.To("testyname"),
-			ID:          utilpointer.To(secretUUID),
+			Name:        new("testyname"),
+			ID:          new(secretUUID),
 			SecretType:  utilpointer.To(sm.Secret_SecretType_PrivateCert),
 			Certificate: &secretCertificate,
 			PrivateKey:  &secretPrivateKey,
 		}
 		smtc.name = "good case: private_cert"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = "private_cert/" + secretUUID
 		smtc.expectedData["certificate"] = []byte(secretCertificate)
@@ -871,15 +870,15 @@ func TestGetSecretMap(t *testing.T) {
 	setArbitraryWithMetadata := func(smtc *secretManagerTestCase) {
 		payload := `{"foo":"bar"}`
 		secret := &sm.ArbitrarySecret{
-			CreatedBy:  utilpointer.To("testCreatedBy"),
+			CreatedBy:  new("testCreatedBy"),
 			CreatedAt:  &strfmt.DateTime{},
-			Downloaded: utilpointer.To(false),
+			Downloaded: new(false),
 			Labels:     []string{"abc", "def", "xyz"},
-			LocksTotal: utilpointer.To(int64(20)),
+			LocksTotal: new(int64(20)),
 			Payload:    &payload,
 		}
 		smtc.name = "good case: arbitrary with metadata"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretUUID
 		smtc.ref.MetadataPolicy = esv1.ExternalSecretMetadataPolicyFetch
@@ -903,15 +902,15 @@ func TestGetSecretMap(t *testing.T) {
 	// good case: iam_credentials with metadata
 	setSecretIamWithMetadata := func(smtc *secretManagerTestCase) {
 		secret := &sm.IAMCredentialsSecret{
-			CreatedBy:  utilpointer.To("testCreatedBy"),
+			CreatedBy:  new("testCreatedBy"),
 			CreatedAt:  &strfmt.DateTime{},
-			Downloaded: utilpointer.To(false),
+			Downloaded: new(false),
 			Labels:     []string{"abc", "def", "xyz"},
-			LocksTotal: utilpointer.To(int64(20)),
-			ApiKey:     utilpointer.To(secretAPIKey),
+			LocksTotal: new(int64(20)),
+			ApiKey:     new(secretAPIKey),
 		}
 		smtc.name = "good case: iam_credentials with metadata"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = iamCredentialsSecret + secretUUID
 		smtc.ref.MetadataPolicy = esv1.ExternalSecretMetadataPolicyFetch
@@ -937,16 +936,16 @@ func TestGetSecretMap(t *testing.T) {
 	// "good case: username_password with metadata
 	setSecretUserPassWithMetadata := func(smtc *secretManagerTestCase) {
 		secret := &sm.UsernamePasswordSecret{
-			CreatedBy:  utilpointer.To("testCreatedBy"),
+			CreatedBy:  new("testCreatedBy"),
 			CreatedAt:  &strfmt.DateTime{},
-			Downloaded: utilpointer.To(false),
+			Downloaded: new(false),
 			Labels:     []string{"abc", "def", "xyz"},
-			LocksTotal: utilpointer.To(int64(20)),
+			LocksTotal: new(int64(20)),
 			Username:   &secretUsername,
 			Password:   &secretPassword,
 		}
 		smtc.name = "good case: username_password with metadata"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = "username_password/" + secretUUID
 		smtc.expectedData["username"] = []byte(secretUsername)
@@ -973,17 +972,17 @@ func TestGetSecretMap(t *testing.T) {
 	// good case: imported_cert with metadata
 	setimportedCertWithMetadata := func(smtc *secretManagerTestCase) {
 		secret := &sm.ImportedCertificate{
-			CreatedBy:    utilpointer.To("testCreatedBy"),
+			CreatedBy:    new("testCreatedBy"),
 			CreatedAt:    &strfmt.DateTime{},
-			Downloaded:   utilpointer.To(false),
+			Downloaded:   new(false),
 			Labels:       []string{"abc", "def", "xyz"},
-			LocksTotal:   utilpointer.To(int64(20)),
-			Certificate:  utilpointer.To(secretCertificate),
-			Intermediate: utilpointer.To(secretIntermediate),
-			PrivateKey:   utilpointer.To(secretPrivateKey),
+			LocksTotal:   new(int64(20)),
+			Certificate:  new(secretCertificate),
+			Intermediate: new(secretIntermediate),
+			PrivateKey:   new(secretPrivateKey),
 		}
 		smtc.name = "good case: imported_cert with metadata"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = "imported_cert" + "/" + secretUUID
 
@@ -1009,16 +1008,16 @@ func TestGetSecretMap(t *testing.T) {
 	// good case: imported_cert without a private_key
 	setimportedCertWithNoPvtKey := func(smtc *secretManagerTestCase) {
 		secret := &sm.ImportedCertificate{
-			CreatedBy:    utilpointer.To("testCreatedBy"),
+			CreatedBy:    new("testCreatedBy"),
 			CreatedAt:    &strfmt.DateTime{},
-			Downloaded:   utilpointer.To(false),
+			Downloaded:   new(false),
 			Labels:       []string{"abc", "def", "xyz"},
-			LocksTotal:   utilpointer.To(int64(20)),
-			Certificate:  utilpointer.To(secretCertificate),
-			Intermediate: utilpointer.To(secretIntermediate),
+			LocksTotal:   new(int64(20)),
+			Certificate:  new(secretCertificate),
+			Intermediate: new(secretIntermediate),
 		}
 		smtc.name = "good case: imported_cert without private key"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = "imported_cert/" + secretUUID
 
@@ -1032,17 +1031,17 @@ func TestGetSecretMap(t *testing.T) {
 	// good case: public_cert with metadata
 	setPublicCertWithMetadata := func(smtc *secretManagerTestCase) {
 		secret := &sm.PublicCertificate{
-			CreatedBy:    utilpointer.To("testCreatedBy"),
+			CreatedBy:    new("testCreatedBy"),
 			CreatedAt:    &strfmt.DateTime{},
-			Downloaded:   utilpointer.To(false),
+			Downloaded:   new(false),
 			Labels:       []string{"abc", "def", "xyz"},
-			LocksTotal:   utilpointer.To(int64(20)),
-			Certificate:  utilpointer.To(secretCertificate),
-			Intermediate: utilpointer.To(secretIntermediate),
-			PrivateKey:   utilpointer.To(secretPrivateKey),
+			LocksTotal:   new(int64(20)),
+			Certificate:  new(secretCertificate),
+			Intermediate: new(secretIntermediate),
+			PrivateKey:   new(secretPrivateKey),
 		}
 		smtc.name = "good case: public_cert with metadata"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = "public_cert" + "/" + secretUUID
 
@@ -1071,17 +1070,17 @@ func TestGetSecretMap(t *testing.T) {
 	setPrivateCertWithMetadata := func(smtc *secretManagerTestCase) {
 		expirationDate := &strfmt.DateTime{}
 		secret := &sm.PrivateCertificate{
-			CreatedBy:      utilpointer.To("testCreatedBy"),
+			CreatedBy:      new("testCreatedBy"),
 			CreatedAt:      &strfmt.DateTime{},
-			Downloaded:     utilpointer.To(false),
+			Downloaded:     new(false),
 			Labels:         []string{"abc", "def", "xyz"},
-			LocksTotal:     utilpointer.To(int64(20)),
-			Certificate:    utilpointer.To(secretCertificate),
-			PrivateKey:     utilpointer.To(secretPrivateKey),
+			LocksTotal:     new(int64(20)),
+			Certificate:    new(secretCertificate),
+			PrivateKey:     new(secretPrivateKey),
 			ExpirationDate: expirationDate,
 		}
 		smtc.name = "good case: private_cert with metadata"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = "private_cert" + "/" + secretUUID
 		smtc.ref.MetadataPolicy = esv1.ExternalSecretMetadataPolicyFetch
@@ -1112,15 +1111,15 @@ func TestGetSecretMap(t *testing.T) {
 	// good case: kv with property and metadata
 	setSecretKVWithMetadata := func(smtc *secretManagerTestCase) {
 		secret := &sm.KVSecret{
-			CreatedBy:  utilpointer.To("testCreatedBy"),
+			CreatedBy:  new("testCreatedBy"),
 			CreatedAt:  &strfmt.DateTime{},
-			Downloaded: utilpointer.To(false),
+			Downloaded: new(false),
 			Labels:     []string{"abc", "def", "xyz"},
-			LocksTotal: utilpointer.To(int64(20)),
+			LocksTotal: new(int64(20)),
 			Data:       secretComplex,
 		}
 		smtc.name = "good case: kv, with property and with metadata"
-		smtc.apiInput.ID = core.StringPtr(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = "kv/" + secretUUID
 		smtc.ref.MetadataPolicy = esv1.ExternalSecretMetadataPolicyFetch
@@ -1146,15 +1145,15 @@ func TestGetSecretMap(t *testing.T) {
 	// good case: custom_credentials with property and metadata
 	setSecretCustomCredentialsWithMetadata := func(smtc *secretManagerTestCase) {
 		secret := &sm.CustomCredentialsSecret{
-			CreatedBy:          utilpointer.To("testCreatedBy"),
+			CreatedBy:          new("testCreatedBy"),
 			CreatedAt:          &strfmt.DateTime{},
-			Downloaded:         utilpointer.To(false),
+			Downloaded:         new(false),
 			Labels:             []string{"abc", "def", "xyz"},
-			LocksTotal:         utilpointer.To(int64(20)),
+			LocksTotal:         new(int64(20)),
 			CredentialsContent: secretComplex,
 		}
 		smtc.name = "good case: custom_credentials, with property and with metadata"
-		smtc.apiInput.ID = core.StringPtr(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = "custom_credentials/" + secretUUID
 		smtc.ref.MetadataPolicy = esv1.ExternalSecretMetadataPolicyFetch
@@ -1181,15 +1180,15 @@ func TestGetSecretMap(t *testing.T) {
 	// good case: iam_credentials without metadata
 	setSecretIamWithoutMetadata := func(smtc *secretManagerTestCase) {
 		secret := &sm.IAMCredentialsSecret{
-			CreatedBy:  utilpointer.To("testCreatedBy"),
+			CreatedBy:  new("testCreatedBy"),
 			CreatedAt:  &strfmt.DateTime{},
-			Downloaded: utilpointer.To(false),
+			Downloaded: new(false),
 			Labels:     []string{"abc", "def", "xyz"},
-			LocksTotal: utilpointer.To(int64(20)),
-			ApiKey:     utilpointer.To(secretAPIKey),
+			LocksTotal: new(int64(20)),
+			ApiKey:     new(secretAPIKey),
 		}
 		smtc.name = "good case: iam_credentials without metadata"
-		smtc.apiInput.ID = utilpointer.To(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = iamCredentialsSecret + secretUUID
 		smtc.ref.MetadataPolicy = esv1.ExternalSecretMetadataPolicyNone
@@ -1202,13 +1201,13 @@ func TestGetSecretMap(t *testing.T) {
 	// good case: kv, no property, return entire payload as key:value pairs
 	setSecretKV := func(smtc *secretManagerTestCase) {
 		secret := &sm.KVSecret{
-			Name:       utilpointer.To("testyname"),
-			ID:         utilpointer.To(secretUUID),
+			Name:       new("testyname"),
+			ID:         new(secretUUID),
 			SecretType: utilpointer.To(sm.Secret_SecretType_Kv),
 			Data:       secretComplex,
 		}
 		smtc.name = "good case: kv, no property, return entire payload as key:value pairs"
-		smtc.apiInput.ID = core.StringPtr(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretKeyKV
 		smtc.expectedData["key1"] = []byte("val1")
@@ -1219,13 +1218,13 @@ func TestGetSecretMap(t *testing.T) {
 	// good case: kv, with property
 	setSecretKVWithProperty := func(smtc *secretManagerTestCase) {
 		secret := &sm.KVSecret{
-			Name:       utilpointer.To("d5deb37a-7883-4fe2-a5e7-3c15420adc76"),
-			ID:         utilpointer.To(secretUUID),
+			Name:       new("d5deb37a-7883-4fe2-a5e7-3c15420adc76"),
+			ID:         new(secretUUID),
 			SecretType: utilpointer.To(sm.Secret_SecretType_Kv),
 			Data:       secretComplex,
 		}
 		smtc.name = "good case: kv, with property"
-		smtc.apiInput.ID = core.StringPtr(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.ref.Property = "keyC"
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretKeyKV
@@ -1235,13 +1234,13 @@ func TestGetSecretMap(t *testing.T) {
 	// good case: kv, with property and path
 	setSecretKVWithPathAndProperty := func(smtc *secretManagerTestCase) {
 		secret := &sm.KVSecret{
-			Name:       utilpointer.To(secretUUID),
-			ID:         utilpointer.To(secretUUID),
+			Name:       new(secretUUID),
+			ID:         new(secretUUID),
 			SecretType: utilpointer.To(sm.Secret_SecretType_Kv),
 			Data:       secretComplex,
 		}
 		smtc.name = "good case: kv, with property and path"
-		smtc.apiInput.ID = core.StringPtr(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.ref.Property = "keyC.keyC1"
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretKeyKV
@@ -1252,13 +1251,13 @@ func TestGetSecretMap(t *testing.T) {
 	// bad case: kv, with property and path
 	badSecretKVWithUnknownProperty := func(smtc *secretManagerTestCase) {
 		secret := &sm.KVSecret{
-			Name:       utilpointer.To("testyname"),
-			ID:         utilpointer.To(secretUUID),
+			Name:       new("testyname"),
+			ID:         new(secretUUID),
 			SecretType: utilpointer.To(sm.Secret_SecretType_Kv),
 			Data:       secretComplex,
 		}
 		smtc.name = "bad case: kv, with property and path"
-		smtc.apiInput.ID = core.StringPtr(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.ref.Property = "unknown.property"
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretKeyKV
@@ -1269,13 +1268,13 @@ func TestGetSecretMap(t *testing.T) {
 	// good case: custom_credentials, no property, return entire payload as key:value pairs
 	setSecretCustomCredentials := func(smtc *secretManagerTestCase) {
 		secret := &sm.CustomCredentialsSecret{
-			Name:               utilpointer.To("testyname"),
-			ID:                 utilpointer.To(secretUUID),
+			Name:               new("testyname"),
+			ID:                 new(secretUUID),
 			SecretType:         utilpointer.To(sm.Secret_SecretType_CustomCredentials),
 			CredentialsContent: secretComplex,
 		}
 		smtc.name = "good case: custom_credentials, no property, return entire payload as key:value pairs"
-		smtc.apiInput.ID = core.StringPtr(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretKeyCustomCredentials
 		smtc.expectedData["key1"] = []byte("val1")
@@ -1286,13 +1285,13 @@ func TestGetSecretMap(t *testing.T) {
 	// good case: custom_credentials, with property
 	setSecretCustomCredentialsWithProperty := func(smtc *secretManagerTestCase) {
 		secret := &sm.CustomCredentialsSecret{
-			Name:               utilpointer.To("d5deb37a-7883-4fe2-a5e7-3c15420adc76"),
-			ID:                 utilpointer.To(secretUUID),
+			Name:               new("d5deb37a-7883-4fe2-a5e7-3c15420adc76"),
+			ID:                 new(secretUUID),
 			SecretType:         utilpointer.To(sm.Secret_SecretType_CustomCredentials),
 			CredentialsContent: secretComplex,
 		}
 		smtc.name = "good case: custom_credentials, with property"
-		smtc.apiInput.ID = core.StringPtr(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.ref.Property = "keyC"
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretKeyCustomCredentials
@@ -1302,13 +1301,13 @@ func TestGetSecretMap(t *testing.T) {
 	// good case: custom_credentials, with property and path
 	setSecretCustomCredentialsWithPathAndProperty := func(smtc *secretManagerTestCase) {
 		secret := &sm.CustomCredentialsSecret{
-			Name:               utilpointer.To(secretUUID),
-			ID:                 utilpointer.To(secretUUID),
+			Name:               new(secretUUID),
+			ID:                 new(secretUUID),
 			SecretType:         utilpointer.To(sm.Secret_SecretType_CustomCredentials),
 			CredentialsContent: secretComplex,
 		}
 		smtc.name = "good case: custom_credentials, with property and path"
-		smtc.apiInput.ID = core.StringPtr(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.ref.Property = "keyC.keyC1"
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretKeyCustomCredentials
@@ -1319,13 +1318,13 @@ func TestGetSecretMap(t *testing.T) {
 	// bad case: custom_credentials, with property and path
 	badSecretCustomCredentialsWithUnknownProperty := func(smtc *secretManagerTestCase) {
 		secret := &sm.CustomCredentialsSecret{
-			Name:               utilpointer.To("testyname"),
-			ID:                 utilpointer.To(secretUUID),
+			Name:               new("testyname"),
+			ID:                 new(secretUUID),
 			SecretType:         utilpointer.To(sm.Secret_SecretType_CustomCredentials),
 			CredentialsContent: secretComplex,
 		}
 		smtc.name = "bad case: custom_credentials, with property and path"
-		smtc.apiInput.ID = core.StringPtr(secretUUID)
+		smtc.apiInput.ID = new(secretUUID)
 		smtc.ref.Property = "unknown.property"
 		smtc.apiOutput = secret
 		smtc.ref.Key = secretKeyCustomCredentials

providers/v1/keepersecurity/client_test.go

@@ -789,8 +789,8 @@ func TestClientPushSecret(t *testing.T) {
 }
 
 func generateRecords() []*ksm.Record {
-	var records []*ksm.Record
-	for i := 0; i < 3; i++ {
+	records := make([]*ksm.Record, 0, 3)
+	for i := range 3 {
 		var record ksm.Record
 		if i == 0 {
 			record = ksm.Record{

providers/v1/kubernetes/auth_test.go

@@ -25,7 +25,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/client-go/rest"
-	pointer "k8s.io/utils/ptr"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 	fclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
@@ -136,7 +135,7 @@ func TestSetAuth(t *testing.T) {
 						Token: &esv1.TokenAuth{
 							BearerToken: v1.SecretKeySelector{
 								Name:      "foobar",
-								Namespace: pointer.To("shouldnotberelevant"),
+								Namespace: new("shouldnotberelevant"),
 								Key:       "token",
 							},
 						},
@@ -186,7 +185,7 @@ func TestSetAuth(t *testing.T) {
 						Token: &esv1.TokenAuth{
 							BearerToken: v1.SecretKeySelector{
 								Name:      "foobar",
-								Namespace: pointer.To("shouldnotberelevant"),
+								Namespace: new("shouldnotberelevant"),
 								Key:       "token",
 							},
 						},
@@ -261,7 +260,7 @@ func TestSetAuth(t *testing.T) {
 						Token: &esv1.TokenAuth{
 							BearerToken: v1.SecretKeySelector{
 								Name:      "foobar",
-								Namespace: pointer.To("shouldnotberelevant"),
+								Namespace: new("shouldnotberelevant"),
 								Key:       "token",
 							},
 						},
@@ -339,7 +338,7 @@ func TestSetAuth(t *testing.T) {
 					Auth: &esv1.KubernetesAuth{
 						ServiceAccount: &v1.ServiceAccountSelector{
 							Name:      "my-sa",
-							Namespace: pointer.To("shouldnotberelevant"),
+							Namespace: new("shouldnotberelevant"),
 						},
 					},
 				},
@@ -371,7 +370,7 @@ func TestSetAuth(t *testing.T) {
 					Auth: &esv1.KubernetesAuth{
 						ServiceAccount: &v1.ServiceAccountSelector{
 							Name:      "my-sa",
-							Namespace: pointer.To("shouldnotberelevant"),
+							Namespace: new("shouldnotberelevant"),
 						},
 					},
 				},
@@ -395,7 +394,7 @@ func TestSetAuth(t *testing.T) {
 				store: &esv1.KubernetesProvider{
 					AuthRef: &v1.SecretKeySelector{
 						Name:      "foobar",
-						Namespace: pointer.To("default"),
+						Namespace: new("default"),
 						Key:       "config",
 					},
 				},

providers/v1/kubernetes/client.go

@@ -22,6 +22,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"maps"
 	"strings"
 
 	"github.com/tidwall/gjson"
@@ -177,9 +178,7 @@ func (c *Client) mergePushSecretData(remoteRef esv1.PushSecretData, pushMeta *me
 
 	// case 1: push the whole secret
 	if remoteRef.GetProperty() == "" {
-		for k, v := range localSecret.Data {
-			remoteSecret.Data[k] = v
-		}
+		maps.Copy(remoteSecret.Data, localSecret.Data)
 		return nil
 	}
 
@@ -290,8 +289,8 @@ func getPropertyMap(key, property string, tmpMap map[string][]byte) (map[string]
 	var retMap map[string][]byte
 	jsonStr := string(byteArr)
 	// We need to search if a given key with a . exists before using gjson operations.
-	idx := strings.Index(property, ".")
-	if idx > -1 {
+	found := strings.Contains(property, ".")
+	if found {
 		refProperty := strings.ReplaceAll(property, ".", "\\.")
 		retMap, err = getMapFromValues(refProperty, jsonStr)
 		if err != nil {

providers/v1/kubernetes/go.mod

@@ -12,7 +12,6 @@ require (
 	k8s.io/apiextensions-apiserver v0.35.0
 	k8s.io/apimachinery v0.35.0
 	k8s.io/client-go v0.35.0
-	k8s.io/utils v0.0.0-20260108192941-914a6e750570
 	sigs.k8s.io/controller-runtime v0.23.1
 )
 
@@ -90,6 +89,7 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4 // indirect
+	k8s.io/utils v0.0.0-20260108192941-914a6e750570 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 // indirect

providers/v1/kubernetes/metadata.go

@@ -20,6 +20,7 @@ package kubernetes
 
 import (
 	"fmt"
+	"maps"
 
 	v1 "k8s.io/api/core/v1"
 
@@ -71,12 +72,8 @@ func mergeSourceMetadata(localSecret *v1.Secret, pushMeta *metadata.PushSecretMe
 
 	switch pushMeta.Spec.SourceMergePolicy {
 	case "", sourceMergePolicyMerge:
-		for k, v := range pushMeta.Spec.Labels {
-			labels[k] = v
-		}
-		for k, v := range pushMeta.Spec.Annotations {
-			annotations[k] = v
-		}
+		maps.Copy(labels, pushMeta.Spec.Labels)
+		maps.Copy(annotations, pushMeta.Spec.Annotations)
 	case sourceMergePolicyReplace:
 		labels = pushMeta.Spec.Labels
 		annotations = pushMeta.Spec.Annotations
@@ -109,12 +106,8 @@ func mergeTargetMetadata(
 
 	switch targetMergePolicy {
 	case "", targetMergePolicyMerge:
-		for k, v := range sourceLabels {
-			labels[k] = v
-		}
-		for k, v := range sourceAnnotations {
-			annotations[k] = v
-		}
+		maps.Copy(labels, sourceLabels)
+		maps.Copy(annotations, sourceAnnotations)
 	case targetMergePolicyReplace:
 		labels = sourceLabels
 		annotations = sourceAnnotations

providers/v1/kubernetes/provider_test.go

@@ -25,7 +25,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	clientgofake "k8s.io/client-go/kubernetes/fake"
-	pointer "k8s.io/utils/ptr"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 	fclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
@@ -121,7 +120,7 @@ func TestNewClient(t *testing.T) {
 							Kubernetes: &esv1.KubernetesProvider{
 								AuthRef: &v1.SecretKeySelector{
 									Name:      "foo",
-									Namespace: pointer.To("default"),
+									Namespace: new("default"),
 									Key:       "config",
 								},
 							},
@@ -195,7 +194,7 @@ func TestNewClient(t *testing.T) {
 									Token: &esv1.TokenAuth{
 										BearerToken: v1.SecretKeySelector{
 											Name:      "foo",
-											Namespace: pointer.To("default"),
+											Namespace: new("default"),
 											Key:       "token",
 										},
 									},
@@ -230,7 +229,7 @@ func TestNewClient(t *testing.T) {
 									Token: &esv1.TokenAuth{
 										BearerToken: v1.SecretKeySelector{
 											Name:      "foo",
-											Namespace: pointer.To("default"),
+											Namespace: new("default"),
 											Key:       "token",
 										},
 									},

providers/v1/kubernetes/validate_test.go

@@ -24,7 +24,6 @@ import (
 
 	authv1 "k8s.io/api/authorization/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	pointer "k8s.io/utils/ptr"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -190,7 +189,7 @@ func TestValidateStore(t *testing.T) {
 							Server: esv1.KubernetesServer{
 								CAProvider: &esv1.CAProvider{
 									Name:      "foobar",
-									Namespace: pointer.To("noop"),
+									Namespace: new("noop"),
 								},
 							},
 						},
@@ -236,7 +235,7 @@ func TestValidateStore(t *testing.T) {
 									ClientCert: v1.SecretKeySelector{
 										Name:      "foobar",
 										Key:       "foobar",
-										Namespace: pointer.To("noop"),
+										Namespace: new("noop"),
 									},
 								},
 							},
@@ -305,7 +304,7 @@ func TestValidateStore(t *testing.T) {
 									BearerToken: v1.SecretKeySelector{
 										Name:      "foobar",
 										Key:       "foobar",
-										Namespace: pointer.To("nop"),
+										Namespace: new("nop"),
 									},
 								},
 							},
@@ -327,7 +326,7 @@ func TestValidateStore(t *testing.T) {
 							Auth: &esv1.KubernetesAuth{
 								ServiceAccount: &v1.ServiceAccountSelector{
 									Name:      "foobar",
-									Namespace: pointer.To("foobar"),
+									Namespace: new("foobar"),
 								},
 							},
 						},

providers/v1/nebius/common/sdk/mysterybox/grpc_client_test.go

@@ -20,6 +20,7 @@ import (
 	"bytes"
 	"context"
 	"errors"
+	"maps"
 	"testing"
 
 	mbox "github.com/nebius/gosdk/proto/nebius/mysterybox/v1"
@@ -159,9 +160,7 @@ func TestGetSecret(t *testing.T) {
 			}
 
 			expected := make(map[string][]byte, len(tt.expected))
-			for k, v := range tt.expected {
-				expected[k] = v
-			}
+			maps.Copy(expected, tt.expected)
 
 			tassert.Equal(t, len(payload.Entries), len(expected))
 			for _, entry := range payload.Entries {

providers/v1/nebius/mysterybox/provider.go

@@ -240,7 +240,7 @@ func (p *Provider) initMysteryboxClientsCache() error {
 	var cache *lru.Cache
 	cache, err = lru.NewWithEvict(
 		mysteryboxConnectionsCacheSize,
-		func(key, _ interface{}) {
+		func(key, _ any) {
 			p.Logger.V(1).Info("Evicting a Nebius MysteryBox client", "apiDomain", key.(ClientCacheKey).APIDomain)
 
 			// We intentionally do not call Close() on the evicted client here.

providers/v1/nebius/mysterybox/provider_test.go

@@ -664,7 +664,7 @@ func TestCreateOrGetMysteryboxClient_Concurrent_SingleClient(t *testing.T) {
 	start := make(chan struct{})
 
 	errs := make([]error, goroutines)
-	for i := 0; i < goroutines; i++ {
+	for i := range goroutines {
 		go func(ix int) {
 			defer wg.Done()
 			<-start
@@ -816,7 +816,7 @@ func TestNewClient_Concurrent_SameConfig_SingleClient_DifferentTokens(t *testing
 	clients := make([]esv1.SecretsClient, goroutines)
 	errs := make([]error, goroutines)
 
-	for i := 0; i < goroutines; i++ {
+	for i := range goroutines {
 		go func(ix int) {
 			defer wg.Done()
 			<-start
@@ -827,7 +827,7 @@ func TestNewClient_Concurrent_SameConfig_SingleClient_DifferentTokens(t *testing
 	close(start)
 	wg.Wait()
 
-	for i := 0; i < goroutines; i++ {
+	for i := range goroutines {
 		tassert.NoError(t, errs[i], "NewClient error: %w", errs[i])
 		msc := clients[i].(*SecretsClient)
 		got, err := msc.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secret.Id, Property: "k"})

providers/v1/nebius/mysterybox/token_getter_test.go

@@ -248,7 +248,7 @@ func TestGetToken_Singleflight_DedupesConcurrentSameKey(t *testing.T) {
 	tokens := make([]string, n)
 	errs := make([]error, n)
 
-	for i := 0; i < n; i++ {
+	for i := range n {
 		go func() {
 			defer wg.Done()
 			<-start
@@ -261,7 +261,7 @@ func TestGetToken_Singleflight_DedupesConcurrentSameKey(t *testing.T) {
 	close(start)
 	wg.Wait()
 
-	for i := 0; i < n; i++ {
+	for i := range n {
 		tassert.NoError(t, errs[i])
 		tassert.Equal(t, tokens[0], tokens[i])
 	}
@@ -282,7 +282,7 @@ func TestGetToken_ConcurrentDifferentKeys_NoRaceAndWorks(t *testing.T) {
 	var wg sync.WaitGroup
 	wg.Add(n)
 
-	for i := 0; i < n; i++ {
+	for i := range n {
 		go func() {
 			defer wg.Done()
 			<-start

providers/v1/nebius/mysterybox/validation_test.go

@@ -21,7 +21,6 @@ import (
 	"testing"
 
 	tassert "github.com/stretchr/testify/assert"
-	pointer "k8s.io/utils/ptr"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -240,7 +239,7 @@ func TestValidateStoreClusterScope(t *testing.T) {
 		{
 			name: "cluster: namespaced token passes",
 			store: makeStore(func(nm *esv1.NebiusMysteryboxProvider) {
-				nm.Auth.Token = esmeta.SecretKeySelector{Name: "tok", Key: "k", Namespace: pointer.To("ns1")}
+				nm.Auth.Token = esmeta.SecretKeySelector{Name: "tok", Key: "k", Namespace: new("ns1")}
 			}),
 			wantErr: "",
 		},
@@ -254,14 +253,14 @@ func TestValidateStoreClusterScope(t *testing.T) {
 		{
 			name: "cluster: namespaced sa creds passes",
 			store: makeStore(func(nm *esv1.NebiusMysteryboxProvider) {
-				nm.Auth.ServiceAccountCreds = esmeta.SecretKeySelector{Name: "tok", Key: "k", Namespace: pointer.To("ns1")}
+				nm.Auth.ServiceAccountCreds = esmeta.SecretKeySelector{Name: "tok", Key: "k", Namespace: new("ns1")}
 			}),
 			wantErr: "",
 		},
 		{
 			name: "cluster: ca cert requires namespace",
 			store: makeStore(func(nm *esv1.NebiusMysteryboxProvider) {
-				nm.Auth.Token = esmeta.SecretKeySelector{Name: "tok", Key: "k", Namespace: pointer.To("ns1")}
+				nm.Auth.Token = esmeta.SecretKeySelector{Name: "tok", Key: "k", Namespace: new("ns1")}
 				nm.CAProvider = &esv1.NebiusCAProvider{Certificate: esmeta.SecretKeySelector{Name: "ca", Key: "tls.crt"}}
 			}),
 			wantErr: utilsErrRequireNamespace,
@@ -269,8 +268,8 @@ func TestValidateStoreClusterScope(t *testing.T) {
 		{
 			name: "cluster: namespaced ca cert passes",
 			store: makeStore(func(nm *esv1.NebiusMysteryboxProvider) {
-				nm.Auth.Token = esmeta.SecretKeySelector{Name: "tok", Key: "k", Namespace: pointer.To("ns1")}
-				nm.CAProvider = &esv1.NebiusCAProvider{Certificate: esmeta.SecretKeySelector{Name: "ca", Key: "tls.crt", Namespace: pointer.To("ns1")}}
+				nm.Auth.Token = esmeta.SecretKeySelector{Name: "tok", Key: "k", Namespace: new("ns1")}
+				nm.CAProvider = &esv1.NebiusCAProvider{Certificate: esmeta.SecretKeySelector{Name: "ca", Key: "tls.crt", Namespace: new("ns1")}}
 			}),
 			wantErr: "",
 		},

providers/v1/ngrok/client.go

@@ -30,7 +30,6 @@ import (
 	"github.com/ngrok/ngrok-api-go/v7"
 	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	"k8s.io/utils/ptr"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/runtime/esutils/metadata"
@@ -140,9 +139,9 @@ func (c *client) PushSecret(ctx context.Context, secret *corev1.Secret, data esv
 	// If the secret exists, update it
 	_, err = c.secretsClient.Update(ctx, &ngrok.SecretUpdate{
 		ID:          existingSecret.ID,
-		Value:       ptr.To(string(value)),
-		Metadata:    ptr.To(string(metadataJSON)),
-		Description: ptr.To(psmd.Description),
+		Value:       new(string(value)),
+		Metadata:    new(string(metadataJSON)),
+		Description: new(psmd.Description),
 	})
 	return err
 }

providers/v1/ngrok/fake/fake.go

@@ -36,7 +36,7 @@ func GenerateRandomString(length int) string {
 
 	sb := strings.Builder{}
 	sb.Grow(length)
-	for i := 0; i < length; i++ {
+	for range length {
 		sb.WriteByte(charset[seededRand.Intn(len(charset))])
 	}
 	return sb.String()

providers/v1/ngrok/go.mod

@@ -11,7 +11,6 @@ require (
 	k8s.io/api v0.35.0
 	k8s.io/apiextensions-apiserver v0.35.0
 	k8s.io/apimachinery v0.35.0
-	k8s.io/utils v0.0.0-20260108192941-914a6e750570
 	sigs.k8s.io/controller-runtime v0.23.1
 )
 
@@ -74,6 +73,7 @@ require (
 	k8s.io/client-go v0.35.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4 // indirect
+	k8s.io/utils v0.0.0-20260108192941-914a6e750570 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 // indirect

providers/v1/ngrok/provider_test.go

@@ -23,7 +23,6 @@ import (
 	"github.com/ngrok/ngrok-api-go/v7"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/utils/ptr"
 	kubeClient "sigs.k8s.io/controller-runtime/pkg/client"
 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
@@ -250,7 +249,7 @@ var _ = Describe("Provider", func() {
 								SecretRef: &v1.SecretKeySelector{
 									Key:       "API_KEY",
 									Name:      "non-existent-secret",
-									Namespace: ptr.To("some-other-namespace"),
+									Namespace: new("some-other-namespace"),
 								},
 							},
 						},
@@ -275,7 +274,7 @@ var _ = Describe("Provider", func() {
 								SecretRef: &v1.SecretKeySelector{
 									Key:       "API_KEY",
 									Name:      ngrokCredentials.Name,
-									Namespace: ptr.To(namespace),
+									Namespace: new(namespace),
 								},
 							},
 						},

providers/v1/onepassword/go.mod

@@ -10,7 +10,6 @@ require (
 	k8s.io/apiextensions-apiserver v0.35.0
 	k8s.io/apimachinery v0.35.0
 	k8s.io/client-go v0.35.0
-	k8s.io/utils v0.0.0-20260108192941-914a6e750570
 	sigs.k8s.io/controller-runtime v0.23.1
 )
 
@@ -91,6 +90,7 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4 // indirect
+	k8s.io/utils v0.0.0-20260108192941-914a6e750570 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 // indirect

providers/v1/onepassword/onepassword_test.go

@@ -28,7 +28,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	pointer "k8s.io/utils/ptr"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -469,7 +468,7 @@ func TestValidateStore(t *testing.T) {
 								SecretRef: &esv1.OnePasswordAuthSecretRef{
 									ConnectToken: esmeta.SecretKeySelector{
 										Name:      mySecret,
-										Namespace: pointer.To("my-namespace"),
+										Namespace: new("my-namespace"),
 										Key:       token,
 									},
 								},
@@ -526,7 +525,7 @@ func TestValidateStore(t *testing.T) {
 								SecretRef: &esv1.OnePasswordAuthSecretRef{
 									ConnectToken: esmeta.SecretKeySelector{
 										Name:      mySecret,
-										Namespace: pointer.To("my-namespace"),
+										Namespace: new("my-namespace"),
 										Key:       token,
 									},
 								},
@@ -1190,7 +1189,7 @@ func TestGetAllSecrets(t *testing.T) {
 				{
 					checkNote: "find some with path only",
 					ref: esv1.ExternalSecretFind{
-						Path: pointer.To(myItem),
+						Path: new(myItem),
 					},
 					expectedMap: map[string][]byte{
 						key1: []byte(value1),
@@ -1219,7 +1218,7 @@ func TestGetAllSecrets(t *testing.T) {
 						Name: &esv1.FindName{
 							RegExp: "key*",
 						},
-						Path: pointer.To(myOtherItem),
+						Path: new(myOtherItem),
 					},
 					expectedMap: map[string][]byte{
 						key3: []byte(value3),
@@ -1243,7 +1242,7 @@ func TestGetAllSecrets(t *testing.T) {
 						Name: &esv1.FindName{
 							RegExp: "key*",
 						},
-						Path: pointer.To("no-exist"),
+						Path: new("no-exist"),
 					},
 					expectedMap: map[string][]byte{},
 					expectedErr: nil,
@@ -1295,7 +1294,7 @@ func TestGetAllSecrets(t *testing.T) {
 				{
 					checkNote: "find with tags",
 					ref: esv1.ExternalSecretFind{
-						Path: pointer.To(myItem),
+						Path: new(myItem),
 						Tags: map[string]string{
 							"foo": "true",
 							"bar": "true",
@@ -1310,7 +1309,7 @@ func TestGetAllSecrets(t *testing.T) {
 				{
 					checkNote: "find with tags and get all",
 					ref: esv1.ExternalSecretFind{
-						Path: pointer.To(myItem),
+						Path: new(myItem),
 						Tags: map[string]string{
 							"foo": "true",
 						},
@@ -1415,7 +1414,7 @@ func TestGetAllSecrets(t *testing.T) {
 						Name: &esv1.FindName{
 							RegExp: "^my-*",
 						},
-						Path: pointer.To(myOtherItem),
+						Path: new(myOtherItem),
 					},
 					expectedMap: map[string][]byte{
 						myOtherFilePNG: []byte(myOtherContents),
@@ -1438,7 +1437,7 @@ func TestGetAllSecrets(t *testing.T) {
 						Name: &esv1.FindName{
 							RegExp: "^my-*",
 						},
-						Path: pointer.To("no-exist"),
+						Path: new("no-exist"),
 					},
 					expectedMap: map[string][]byte{},
 					expectedErr: nil,
@@ -2492,16 +2491,16 @@ func (m *mockClient) GetFileContent(file *onepassword.File) ([]byte, error) { re
 func (m *mockClient) DownloadFile(file *onepassword.File, targetDirectory string, overwrite bool) (string, error) {
 	return "", nil
 }
-func (m *mockClient) LoadStructFromItemByUUID(config interface{}, itemUUID, vaultQuery string) error {
+func (m *mockClient) LoadStructFromItemByUUID(config any, itemUUID, vaultQuery string) error {
 	return nil
 }
-func (m *mockClient) LoadStructFromItemByTitle(config interface{}, itemTitle, vaultQuery string) error {
+func (m *mockClient) LoadStructFromItemByTitle(config any, itemTitle, vaultQuery string) error {
 	return nil
 }
-func (m *mockClient) LoadStructFromItem(config interface{}, itemQuery, vaultQuery string) error {
+func (m *mockClient) LoadStructFromItem(config any, itemQuery, vaultQuery string) error {
 	return nil
 }
-func (m *mockClient) LoadStruct(config interface{}) error { return nil }
+func (m *mockClient) LoadStruct(config any) error { return nil }
 
 func TestDeleteSecretWithEmptySections(t *testing.T) {
 	const vaultName = "vault1"

providers/v1/onepassword/retry_client.go

@@ -177,25 +177,25 @@ func (r *retryClient) DownloadFile(file *onepassword.File, targetDirectory strin
 	})
 }
 
-func (r *retryClient) LoadStructFromItemByUUID(config interface{}, itemUUID, vaultQuery string) error {
+func (r *retryClient) LoadStructFromItemByUUID(config any, itemUUID, vaultQuery string) error {
 	return retryOn403(func() error {
 		return r.client.LoadStructFromItemByUUID(config, itemUUID, vaultQuery)
 	})
 }
 
-func (r *retryClient) LoadStructFromItemByTitle(config interface{}, itemTitle, vaultQuery string) error {
+func (r *retryClient) LoadStructFromItemByTitle(config any, itemTitle, vaultQuery string) error {
 	return retryOn403(func() error {
 		return r.client.LoadStructFromItemByTitle(config, itemTitle, vaultQuery)
 	})
 }
 
-func (r *retryClient) LoadStructFromItem(config interface{}, itemQuery, vaultQuery string) error {
+func (r *retryClient) LoadStructFromItem(config any, itemQuery, vaultQuery string) error {
 	return retryOn403(func() error {
 		return r.client.LoadStructFromItem(config, itemQuery, vaultQuery)
 	})
 }
 
-func (r *retryClient) LoadStruct(config interface{}) error {
+func (r *retryClient) LoadStruct(config any) error {
 	return retryOn403(func() error {
 		return r.client.LoadStruct(config)
 	})

providers/v1/oracle/go.mod

@@ -11,7 +11,6 @@ require (
 	k8s.io/api v0.35.0
 	k8s.io/apimachinery v0.35.0
 	k8s.io/client-go v0.35.0
-	k8s.io/utils v0.0.0-20260108192941-914a6e750570
 	sigs.k8s.io/controller-runtime v0.23.1
 )
 
@@ -94,6 +93,7 @@ require (
 	k8s.io/apiextensions-apiserver v0.35.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4 // indirect
+	k8s.io/utils v0.0.0-20260108192941-914a6e750570 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 // indirect

providers/v1/oracle/oracle_test.go

@@ -36,7 +36,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/utils/ptr"
 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
@@ -91,8 +90,8 @@ func makeValidRef() *esv1.ExternalSecretDataRemoteRef {
 
 func makeValidAPIInput() *secrets.GetSecretBundleByNameRequest {
 	return &secrets.GetSecretBundleByNameRequest{
-		SecretName: ptr.To("test-secret"),
-		VaultId:    ptr.To("test-vault"),
+		SecretName: new("test-secret"),
+		VaultId:    new("test-vault"),
 	}
 }
 
@@ -130,10 +129,10 @@ func TestOracleVaultGetSecret(t *testing.T) {
 	setSecretString := func(smtc *vaultTestCase) {
 		smtc.apiOutput = &secrets.GetSecretBundleByNameResponse{
 			SecretBundle: secrets.SecretBundle{
-				SecretId:      ptr.To("test-id"),
-				VersionNumber: ptr.To(int64(1)),
+				SecretId:      new("test-id"),
+				VersionNumber: new(int64(1)),
 				SecretBundleContent: secrets.Base64SecretBundleContentDetails{
-					Content: ptr.To(base64.StdEncoding.EncodeToString([]byte(secretValue))),
+					Content: new(base64.StdEncoding.EncodeToString([]byte(secretValue))),
 				},
 			},
 		}
@@ -163,7 +162,7 @@ func TestGetSecretMap(t *testing.T) {
 	// good case: default version & deserialization
 	setDeserialization := func(smtc *vaultTestCase) {
 		smtc.apiOutput.SecretBundleContent = secrets.Base64SecretBundleContentDetails{
-			Content: ptr.To(base64.StdEncoding.EncodeToString([]byte(`{"foo":"bar"}`))),
+			Content: new(base64.StdEncoding.EncodeToString([]byte(`{"foo":"bar"}`))),
 		}
 		smtc.expectedData["foo"] = []byte("bar")
 	}
@@ -171,7 +170,7 @@ func TestGetSecretMap(t *testing.T) {
 	// bad case: invalid json
 	setInvalidJSON := func(smtc *vaultTestCase) {
 		smtc.apiOutput.SecretBundleContent = secrets.Base64SecretBundleContentDetails{
-			Content: ptr.To(base64.StdEncoding.EncodeToString([]byte(`-----------------`))),
+			Content: new(base64.StdEncoding.EncodeToString([]byte(`-----------------`))),
 		}
 		smtc.expectError = "unable to unmarshal secret"
 	}
@@ -373,8 +372,8 @@ func TestVaultManagementServiceNewClient(t *testing.T) {
 						},
 					},
 					RetrySettings: &esv1.SecretStoreRetrySettings{
-						RetryInterval: ptr.To("1s"),
-						MaxRetries:    ptr.To(int32(5)),
+						RetryInterval: new("1s"),
+						MaxRetries:    new(int32(5)),
 					},
 				},
 			},
@@ -391,7 +390,7 @@ func TestVaultManagementServiceNewClient(t *testing.T) {
 						},
 					},
 					RetrySettings: &esv1.SecretStoreRetrySettings{
-						RetryInterval: ptr.To("1s"),
+						RetryInterval: new("1s"),
 					},
 				},
 			},
@@ -408,7 +407,7 @@ func TestVaultManagementServiceNewClient(t *testing.T) {
 						},
 					},
 					RetrySettings: &esv1.SecretStoreRetrySettings{
-						MaxRetries: ptr.To(int32(5)),
+						MaxRetries: new(int32(5)),
 					},
 				},
 			},
@@ -438,7 +437,7 @@ func TestVaultManagementServiceNewClient(t *testing.T) {
 						},
 					},
 					RetrySettings: &esv1.SecretStoreRetrySettings{
-						RetryInterval: ptr.To("invalid"),
+						RetryInterval: new("invalid"),
 					},
 				},
 			},
@@ -456,7 +455,7 @@ func TestVaultManagementServiceNewClient(t *testing.T) {
 						},
 					},
 					RetrySettings: &esv1.SecretStoreRetrySettings{
-						RetryInterval: ptr.To("invalid"),
+						RetryInterval: new("invalid"),
 					},
 				},
 			},
@@ -812,7 +811,7 @@ func makeSecretBundle(id string, deleting bool) secrets.SecretBundle {
 	return secrets.SecretBundle{
 		SecretId: &id,
 		SecretBundleContent: secrets.Base64SecretBundleContentDetails{
-			Content: ptr.To(base64.StdEncoding.EncodeToString([]byte(id))),
+			Content: new(base64.StdEncoding.EncodeToString([]byte(id))),
 		},
 		TimeOfDeletion: deletionTime,
 	}

providers/v1/pulumi/pulumi.go

@@ -63,8 +63,8 @@ func (c *client) GetSecret(_ context.Context, ref esv1.ExternalSecretDataRemoteR
 	return esutils.GetByteValue(value.GetValue())
 }
 
-func createSubmaps(input map[string]interface{}) map[string]interface{} {
-	result := make(map[string]interface{})
+func createSubmaps(input map[string]any) map[string]any {
+	result := make(map[string]any)
 
 	for key, value := range input {
 		keys := strings.Split(key, ".")
@@ -75,9 +75,9 @@ func createSubmaps(input map[string]interface{}) map[string]interface{} {
 				current[k] = value
 			} else {
 				if _, exists := current[k]; !exists {
-					current[k] = make(map[string]interface{})
+					current[k] = make(map[string]any)
 				}
-				current = current[k].(map[string]interface{})
+				current = current[k].(map[string]any)
 			}
 		}
 	}
@@ -94,7 +94,7 @@ func (c *client) PushSecret(_ context.Context, secret *corev1.Secret, data esv1.
 
 	updatePayload := &esc.EnvironmentDefinition{
 		Values: &esc.EnvironmentDefinitionValues{
-			AdditionalProperties: map[string]interface{}{
+			AdditionalProperties: map[string]any{
 				data.GetRemoteKey(): string(value),
 			},
 		},
@@ -129,9 +129,9 @@ func (c *client) Validate() (esv1.ValidationResult, error) {
 }
 
 // GetMapFromInterface converts an interface{} to a map[string][]byte.
-func GetMapFromInterface(i interface{}) (map[string][]byte, error) {
+func GetMapFromInterface(i any) (map[string][]byte, error) {
 	// Assert the interface{} to map[string]interface{}
-	m, ok := i.(map[string]interface{})
+	m, ok := i.(map[string]any)
 	if !ok {
 		return nil, errors.New(errInterfaceType)
 	}

providers/v1/pulumi/pulumi_test.go

@@ -45,7 +45,7 @@ func newTestClient(t *testing.T, _, pattern string, handler func(w http.Response
 		r.Header.Add(contentType, contentTypeValue)
 		w.Header().Add(contentType, contentTypeValue)
 		w.WriteHeader(http.StatusOK)
-		err := json.NewEncoder(w).Encode(map[string]interface{}{
+		err := json.NewEncoder(w).Encode(map[string]any{
 			"id": "session-id",
 		})
 		require.NoError(t, err)
@@ -73,7 +73,7 @@ func newTestClient(t *testing.T, _, pattern string, handler func(w http.Response
 }
 
 func TestGetSecret(t *testing.T) {
-	testmap := map[string]interface{}{
+	testmap := map[string]any{
 		"b": "world",
 	}
 
@@ -115,7 +115,7 @@ func TestGetSecretMap(t *testing.T) {
 	tests := []struct {
 		name  string
 		ref   esv1.ExternalSecretDataRemoteRef
-		input map[string]interface{}
+		input map[string]any
 
 		want    map[string][]byte
 		wantErr bool
@@ -125,18 +125,18 @@ func TestGetSecretMap(t *testing.T) {
 			ref: esv1.ExternalSecretDataRemoteRef{
 				Key: "mysec",
 			},
-			input: map[string]interface{}{
-				"foo": map[string]interface{}{
+			input: map[string]any{
+				"foo": map[string]any{
 					"value": "bar",
-					"trace": map[string]interface{}{
-						"def": map[string]interface{}{
+					"trace": map[string]any{
+						"def": map[string]any{
 							"environment": "bar",
-							"begin": map[string]interface{}{
+							"begin": map[string]any{
 								"line":   3,
 								"column": 9,
 								"byte":   29,
 							},
-							"end": map[string]interface{}{
+							"end": map[string]any{
 								"line":   3,
 								"column": 13,
 								"byte":   33,
@@ -144,17 +144,17 @@ func TestGetSecretMap(t *testing.T) {
 						},
 					},
 				},
-				"foobar": map[string]interface{}{
+				"foobar": map[string]any{
 					"value": "42",
-					"trace": map[string]interface{}{
-						"def": map[string]interface{}{
+					"trace": map[string]any{
+						"def": map[string]any{
 							"environment": "bar",
-							"begin": map[string]interface{}{
+							"begin": map[string]any{
 								"line":   4,
 								"column": 9,
 								"byte":   38,
 							},
-							"end": map[string]interface{}{
+							"end": map[string]any{
 								"line":   4,
 								"column": 13,
 								"byte":   42,
@@ -162,17 +162,17 @@ func TestGetSecretMap(t *testing.T) {
 						},
 					},
 				},
-				"bar": map[string]interface{}{
+				"bar": map[string]any{
 					"value": true,
-					"trace": map[string]interface{}{
-						"def": map[string]interface{}{
+					"trace": map[string]any{
+						"def": map[string]any{
 							"environment": "bar",
-							"begin": map[string]interface{}{
+							"begin": map[string]any{
 								"line":   5,
 								"column": 9,
 								"byte":   47,
 							},
-							"end": map[string]interface{}{
+							"end": map[string]any{
 								"line":   5,
 								"column": 13,
 								"byte":   51,
@@ -193,20 +193,20 @@ func TestGetSecretMap(t *testing.T) {
 			ref: esv1.ExternalSecretDataRemoteRef{
 				Key: "mysec",
 			},
-			input: map[string]interface{}{
-				"test22": map[string]interface{}{
-					"value": map[string]interface{}{
-						"my": map[string]interface{}{
+			input: map[string]any{
+				"test22": map[string]any{
+					"value": map[string]any{
+						"my": map[string]any{
 							"value": "hello",
-							"trace": map[string]interface{}{
-								"def": map[string]interface{}{
+							"trace": map[string]any{
+								"def": map[string]any{
 									"environment": "bar",
-									"begin": map[string]interface{}{
+									"begin": map[string]any{
 										"line":   6,
 										"column": 11,
 										"byte":   72,
 									},
-									"end": map[string]interface{}{
+									"end": map[string]any{
 										"line":   6,
 										"column": 16,
 										"byte":   77,
@@ -215,15 +215,15 @@ func TestGetSecretMap(t *testing.T) {
 							},
 						},
 					},
-					"trace": map[string]interface{}{
-						"def": map[string]interface{}{
+					"trace": map[string]any{
+						"def": map[string]any{
 							"environment": "bar",
-							"begin": map[string]interface{}{
+							"begin": map[string]any{
 								"line":   6,
 								"column": 7,
 								"byte":   68,
 							},
-							"end": map[string]interface{}{
+							"end": map[string]any{
 								"line":   6,
 								"column": 16,
 								"byte":   77,
@@ -231,19 +231,19 @@ func TestGetSecretMap(t *testing.T) {
 						},
 					},
 				},
-				"test33": map[string]interface{}{
-					"value": map[string]interface{}{
-						"world": map[string]interface{}{
+				"test33": map[string]any{
+					"value": map[string]any{
+						"world": map[string]any{
 							"value": "hello",
-							"trace": map[string]interface{}{
-								"def": map[string]interface{}{
+							"trace": map[string]any{
+								"def": map[string]any{
 									"environment": "bar",
-									"begin": map[string]interface{}{
+									"begin": map[string]any{
 										"line":   8,
 										"column": 14,
 										"byte":   103,
 									},
-									"end": map[string]interface{}{
+									"end": map[string]any{
 										"line":   8,
 										"column": 19,
 										"byte":   108,
@@ -252,15 +252,15 @@ func TestGetSecretMap(t *testing.T) {
 							},
 						},
 					},
-					"trace": map[string]interface{}{
-						"def": map[string]interface{}{
+					"trace": map[string]any{
+						"def": map[string]any{
 							"environment": "bar",
-							"begin": map[string]interface{}{
+							"begin": map[string]any{
 								"line":   8,
 								"column": 7,
 								"byte":   96,
 							},
-							"end": map[string]interface{}{
+							"end": map[string]any{
 								"line":   8,
 								"column": 19,
 								"byte":   108,
@@ -280,18 +280,18 @@ func TestGetSecretMap(t *testing.T) {
 			ref: esv1.ExternalSecretDataRemoteRef{
 				Key: "mysec",
 			},
-			input: map[string]interface{}{
-				"foo": map[string]interface{}{
+			input: map[string]any{
+				"foo": map[string]any{
 					"value": "bar",
-					"trace": map[string]interface{}{
-						"def": map[string]interface{}{
+					"trace": map[string]any{
+						"def": map[string]any{
 							"environment": "bar",
-							"begin": map[string]interface{}{
+							"begin": map[string]any{
 								"line":   3,
 								"column": 9,
 								"byte":   29,
 							},
-							"end": map[string]interface{}{
+							"end": map[string]any{
 								"line":   3,
 								"column": 13,
 								"byte":   33,
@@ -299,19 +299,19 @@ func TestGetSecretMap(t *testing.T) {
 						},
 					},
 				},
-				"test22": map[string]interface{}{
-					"value": map[string]interface{}{
-						"my": map[string]interface{}{
+				"test22": map[string]any{
+					"value": map[string]any{
+						"my": map[string]any{
 							"value": "hello",
-							"trace": map[string]interface{}{
-								"def": map[string]interface{}{
+							"trace": map[string]any{
+								"def": map[string]any{
 									"environment": "bar",
-									"begin": map[string]interface{}{
+									"begin": map[string]any{
 										"line":   6,
 										"column": 11,
 										"byte":   72,
 									},
-									"end": map[string]interface{}{
+									"end": map[string]any{
 										"line":   6,
 										"column": 16,
 										"byte":   77,
@@ -320,15 +320,15 @@ func TestGetSecretMap(t *testing.T) {
 							},
 						},
 					},
-					"trace": map[string]interface{}{
-						"def": map[string]interface{}{
+					"trace": map[string]any{
+						"def": map[string]any{
 							"environment": "bar",
-							"begin": map[string]interface{}{
+							"begin": map[string]any{
 								"line":   6,
 								"column": 7,
 								"byte":   68,
 							},
-							"end": map[string]interface{}{
+							"end": map[string]any{
 								"line":   6,
 								"column": 16,
 								"byte":   77,
@@ -366,16 +366,16 @@ func TestGetSecretMap(t *testing.T) {
 }
 
 func TestCreateSubmaps(t *testing.T) {
-	input := map[string]interface{}{
+	input := map[string]any{
 		"a.b.c": 1,
 		"a.b.d": 2,
 		"a.e":   3,
 		"f":     4,
 	}
 
-	expected := map[string]interface{}{
-		"a": map[string]interface{}{
-			"b": map[string]interface{}{
+	expected := map[string]any{
+		"a": map[string]any{
+			"b": map[string]any{
 				"c": 1,
 				"d": 2,
 			},
@@ -391,12 +391,12 @@ func TestCreateSubmaps(t *testing.T) {
 	}
 
 	// Test nested access
-	a, ok := result["a"].(map[string]interface{})
+	a, ok := result["a"].(map[string]any)
 	if !ok {
 		t.Errorf("Expected 'a' to be a map")
 	}
 
-	b, ok := a["b"].(map[string]interface{})
+	b, ok := a["b"].(map[string]any)
 	if !ok {
 		t.Errorf("Expected 'a.b' to be a map")
 	}

providers/v1/scaleway/cache_test.go

@@ -48,11 +48,11 @@ func TestCacheLeastRecentlyUsedIsRemovedFirst(t *testing.T) {
 	secretID := "0c82ecf4-d3f7-4960-8301-0def5230eee2"
 	maxEntryCount := 500
 
-	for i := 0; i < maxEntryCount; i++ {
+	for i := range maxEntryCount {
 		cache.Put(secretID, uint32(i+1), []byte{})
 	}
 
-	for i := 0; i < maxEntryCount; i++ {
+	for i := range maxEntryCount {
 		cache.Get(secretID, uint32(i+1))
 	}
 

providers/v1/scaleway/client_test.go

@@ -25,7 +25,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	"github.com/external-secrets/external-secrets/runtime/esutils"
 	testingfake "github.com/external-secrets/external-secrets/runtime/testing/fake"
 )
 
@@ -381,7 +380,7 @@ func TestGetAllSecrets(t *testing.T) {
 		},
 		"find secrets by path": {
 			ref: esv1.ExternalSecretFind{
-				Path: esutils.Ptr("/subpath"),
+				Path: new("/subpath"),
 			},
 			response: map[string][]byte{
 				db.secret("nested-secret").name: db.secret("nested-secret").mustGetVersion("latest_enabled").data,

providers/v1/scaleway/fake_secret_api_test.go

@@ -18,6 +18,7 @@ package scaleway
 
 import (
 	"fmt"
+	"slices"
 	"sort"
 	"strconv"
 
@@ -79,7 +80,7 @@ func buildDB(f *fakeSecretAPI) *fakeSecretAPI {
 
 		for _, version := range secret.versions {
 			if len(version.data) == 0 && !version.dontFillData {
-				version.data = []byte(fmt.Sprintf("some data for secret %s version %d: %s", secret.id, version.revision, uuid.NewString()))
+				version.data = fmt.Appendf(nil, "some data for secret %s version %d: %s", secret.id, version.revision, uuid.NewString())
 			}
 		}
 
@@ -263,10 +264,8 @@ func matchListSecretFilter(secret *fakeSecret, filter *smapi.ListSecretsRequest)
 	if filter.Tags != nil {
 		filters = append(filters, func(fs *fakeSecret) bool {
 			for _, requiredTag := range filter.Tags {
-				for _, secretTag := range fs.tags {
-					if requiredTag == secretTag {
-						return true
-					}
+				if slices.Contains(fs.tags, requiredTag) {
+					return true
 				}
 			}
 			return false
@@ -332,10 +331,7 @@ func (f *fakeSecretAPI) ListSecrets(request *smapi.ListSecretsRequest, _ ...scw.
 		return nil, fmt.Errorf("invalid page offset (page = %d, page size = %d, total = %d)", page, pageSize, len(matches))
 	}
 
-	endOffset := page * pageSize
-	if endOffset > len(matches) {
-		endOffset = len(matches)
-	}
+	endOffset := min(page*pageSize, len(matches))
 
 	for _, secret := range matches[startOffset:endOffset] {
 		response.Secrets = append(response.Secrets, &smapi.Secret{

providers/v1/secretserver/client_test.go

@@ -586,7 +586,7 @@ func TestGetAllSecrets(t *testing.T) {
 	}{
 		"returns error indicating not supported": {
 			ref: esv1.ExternalSecretFind{
-				Path: esv1Ptr("some-path"),
+				Path: new("some-path"),
 			},
 			wantErr: true,
 			errMsg:  "getting all secrets is not supported by Delinea Secret Server at this time",
@@ -608,8 +608,3 @@ func TestGetAllSecrets(t *testing.T) {
 		})
 	}
 }
-
-// Helper function to create string pointer.
-func esv1Ptr(s string) *string {
-	return &s
-}

providers/v1/secretserver/provider_test.go

@@ -31,7 +31,6 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
-	"github.com/external-secrets/external-secrets/runtime/esutils"
 )
 
 func TestDoesConfigDependOnNamespace(t *testing.T) {
@@ -475,7 +474,7 @@ QJ85ioEpy00NioqcF0WyMZH80uMsPycfpnl5uF7RkW8u
 								Type:      esv1.CAProviderTypeSecret,
 								Name:      caSecretName,
 								Key:       caSecretKey,
-								Namespace: esutils.Ptr("default"),
+								Namespace: new("default"),
 							},
 						},
 					},
@@ -523,7 +522,7 @@ QJ85ioEpy00NioqcF0WyMZH80uMsPycfpnl5uF7RkW8u
 
 func makeSecretRefUsingNamespacedRef(namespace, name, key string) *esv1.SecretServerProviderRef {
 	return &esv1.SecretServerProviderRef{
-		SecretRef: &v1.SecretKeySelector{Namespace: esutils.Ptr(namespace), Name: name, Key: key},
+		SecretRef: &v1.SecretKeySelector{Namespace: new(namespace), Name: name, Key: key},
 	}
 }
 

providers/v1/vault/auth_test.go

@@ -27,7 +27,6 @@ import (
 	vault "github.com/hashicorp/vault/api"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/utils/ptr"
 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
@@ -52,7 +51,7 @@ func TestSetAuthNamespace(t *testing.T) {
 	store.Spec.Provider.Vault.Auth.Kubernetes.ServiceAccountRef = nil
 	store.Spec.Provider.Vault.Auth.Kubernetes.SecretRef = &esmeta.SecretKeySelector{
 		Name:      "vault-secret",
-		Namespace: ptr.To("default"),
+		Namespace: new("default"),
 		Key:       "key",
 	}
 
@@ -85,7 +84,7 @@ func TestSetAuthNamespace(t *testing.T) {
 			args: args{
 				store: func(store *esv1.SecretStore) *esv1.SecretStore {
 					s := store.DeepCopy()
-					s.Spec.Provider.Vault.Namespace = ptr.To(teamNS)
+					s.Spec.Provider.Vault.Namespace = new(teamNS)
 					return s
 				}(store),
 				expected: result{Before: teamNS, During: teamNS, After: teamNS},
@@ -96,7 +95,7 @@ func TestSetAuthNamespace(t *testing.T) {
 			args: args{
 				store: func(store *esv1.SecretStore) *esv1.SecretStore {
 					s := store.DeepCopy()
-					s.Spec.Provider.Vault.Auth.Namespace = ptr.To(adminNS)
+					s.Spec.Provider.Vault.Auth.Namespace = new(adminNS)
 					return s
 				}(store),
 				expected: result{Before: "", During: adminNS, After: ""},
@@ -107,8 +106,8 @@ func TestSetAuthNamespace(t *testing.T) {
 			args: args{
 				store: func(store *esv1.SecretStore) *esv1.SecretStore {
 					s := store.DeepCopy()
-					s.Spec.Provider.Vault.Namespace = ptr.To(adminNS)
-					s.Spec.Provider.Vault.Auth.Namespace = ptr.To(adminNS)
+					s.Spec.Provider.Vault.Namespace = new(adminNS)
+					s.Spec.Provider.Vault.Auth.Namespace = new(adminNS)
 					return s
 				}(store),
 				expected: result{Before: adminNS, During: adminNS, After: adminNS},
@@ -119,8 +118,8 @@ func TestSetAuthNamespace(t *testing.T) {
 			args: args{
 				store: func(store *esv1.SecretStore) *esv1.SecretStore {
 					s := store.DeepCopy()
-					s.Spec.Provider.Vault.Namespace = ptr.To(teamNS)
-					s.Spec.Provider.Vault.Auth.Namespace = ptr.To(adminNS)
+					s.Spec.Provider.Vault.Namespace = new(teamNS)
+					s.Spec.Provider.Vault.Auth.Namespace = new(adminNS)
 					return s
 				}(store),
 				expected: result{Before: teamNS, During: adminNS, After: teamNS},
@@ -221,7 +220,7 @@ func TestCheckTokenTtl(t *testing.T) {
 		"LongTTLExpirable": {
 			message: "should cache if expirable token expires far into the future",
 			secret: &vault.Secret{
-				Data: map[string]interface{}{
+				Data: map[string]any{
 					"expire_time": "2024-01-01T00:00:00.000000000Z",
 					"ttl":         json.Number("3600"),
 					"type":        "service",
@@ -232,7 +231,7 @@ func TestCheckTokenTtl(t *testing.T) {
 		"ShortTTLExpirable": {
 			message: "should not cache if expirable token is about to expire",
 			secret: &vault.Secret{
-				Data: map[string]interface{}{
+				Data: map[string]any{
 					"expire_time": "2024-01-01T00:00:00.000000000Z",
 					"ttl":         json.Number("5"),
 					"type":        "service",
@@ -243,7 +242,7 @@ func TestCheckTokenTtl(t *testing.T) {
 		"ZeroTTLExpirable": {
 			message: "should not cache if expirable token has TTL of 0",
 			secret: &vault.Secret{
-				Data: map[string]interface{}{
+				Data: map[string]any{
 					"expire_time": "2024-01-01T00:00:00.000000000Z",
 					"ttl":         json.Number("0"),
 					"type":        "service",
@@ -254,7 +253,7 @@ func TestCheckTokenTtl(t *testing.T) {
 		"NonExpirable": {
 			message: "should cache if token is non-expirable",
 			secret: &vault.Secret{
-				Data: map[string]interface{}{
+				Data: map[string]any{
 					"expire_time": nil,
 					"ttl":         json.Number("0"),
 					"type":        "service",

providers/v1/vault/client_get_all_secrets_test.go

@@ -392,8 +392,8 @@ func newListWithContextKvv1Fn(secrets map[string]any) func(ctx context.Context,
 
 		keys := make([]any, 0, len(secrets))
 		for k := range secrets {
-			if strings.HasPrefix(k, path) {
-				uniqueSuffix := strings.TrimPrefix(k, path)
+			if after, ok := strings.CutPrefix(k, path); ok {
+				uniqueSuffix := after
 				keys = append(keys, uniqueSuffix)
 			}
 		}

providers/v1/vault/go.mod

@@ -29,7 +29,6 @@ require (
 	k8s.io/api v0.35.0
 	k8s.io/apimachinery v0.35.0
 	k8s.io/client-go v0.35.0
-	k8s.io/utils v0.0.0-20260108192941-914a6e750570
 	sigs.k8s.io/controller-runtime v0.23.1
 )
 
@@ -161,6 +160,7 @@ require (
 	k8s.io/apiextensions-apiserver v0.35.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4 // indirect
+	k8s.io/utils v0.0.0-20260108192941-914a6e750570 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 // indirect

providers/v1/vault/provider_test.go

@@ -26,7 +26,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
-	"k8s.io/utils/ptr"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
@@ -299,8 +298,8 @@ MIIFkTCCA3mgAwIBAgIUBEUg3m/WqAsWHG4Q/II3IePFfuowDQYJKoZIhvcNAQELBQAwWDELMAkGA1UE
 			args: args{
 				store: makeSecretStore(func(s *esv1.SecretStore) {
 					s.Spec.RetrySettings = &esv1.SecretStoreRetrySettings{
-						MaxRetries:    ptr.To(int32(3)),
-						RetryInterval: ptr.To("not-an-interval"),
+						MaxRetries:    new(int32(3)),
+						RetryInterval: new("not-an-interval"),
 					}
 				}),
 			},
@@ -313,8 +312,8 @@ MIIFkTCCA3mgAwIBAgIUBEUg3m/WqAsWHG4Q/II3IePFfuowDQYJKoZIhvcNAQELBQAwWDELMAkGA1UE
 			args: args{
 				store: makeSecretStore(func(s *esv1.SecretStore) {
 					s.Spec.RetrySettings = &esv1.SecretStoreRetrySettings{
-						MaxRetries:    ptr.To(int32(3)),
-						RetryInterval: ptr.To("10m"),
+						MaxRetries:    new(int32(3)),
+						RetryInterval: new("10m"),
 					}
 				}),
 				ns:            "default",
@@ -633,7 +632,7 @@ MIIFkTCCA3mgAwIBAgIUBEUg3m/WqAsWHG4Q/II3IePFfuowDQYJKoZIhvcNAQELBQAwWDELMAkGA1UE
 					s.Spec.Provider.Vault.Auth.Kubernetes = nil
 					s.Spec.Provider.Vault.Auth.TokenSecretRef = &esmeta.SecretKeySelector{
 						Name:      "vault-token",
-						Namespace: ptr.To("default"),
+						Namespace: new("default"),
 						Key:       "token",
 					}
 				}),

providers/v1/vault/validate_test.go

@@ -18,8 +18,6 @@ package vault
 import (
 	"testing"
 
-	pointer "k8s.io/utils/ptr"
-
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
@@ -50,7 +48,7 @@ func TestValidateStore(t *testing.T) {
 				auth: esv1.VaultAuth{
 					AppRole: &esv1.VaultAppRole{
 						SecretRef: esmeta.SecretKeySelector{
-							Namespace: pointer.To("invalid"),
+							Namespace: new("invalid"),
 						},
 					},
 				},
@@ -99,7 +97,7 @@ func TestValidateStore(t *testing.T) {
 				auth: esv1.VaultAuth{
 					Cert: &esv1.VaultCertAuth{
 						ClientCert: esmeta.SecretKeySelector{
-							Namespace: pointer.To("invalid"),
+							Namespace: new("invalid"),
 						},
 					},
 				},
@@ -112,7 +110,7 @@ func TestValidateStore(t *testing.T) {
 				auth: esv1.VaultAuth{
 					Cert: &esv1.VaultCertAuth{
 						SecretRef: esmeta.SecretKeySelector{
-							Namespace: pointer.To("invalid"),
+							Namespace: new("invalid"),
 						},
 					},
 				},
@@ -125,7 +123,7 @@ func TestValidateStore(t *testing.T) {
 				auth: esv1.VaultAuth{
 					Jwt: &esv1.VaultJwtAuth{
 						SecretRef: &esmeta.SecretKeySelector{
-							Namespace: pointer.To("invalid"),
+							Namespace: new("invalid"),
 						},
 					},
 				},
@@ -138,7 +136,7 @@ func TestValidateStore(t *testing.T) {
 				auth: esv1.VaultAuth{
 					Kubernetes: &esv1.VaultKubernetesAuth{
 						ServiceAccountRef: &esmeta.ServiceAccountSelector{
-							Namespace: pointer.To("invalid"),
+							Namespace: new("invalid"),
 						},
 					},
 				},
@@ -151,7 +149,7 @@ func TestValidateStore(t *testing.T) {
 				auth: esv1.VaultAuth{
 					Kubernetes: &esv1.VaultKubernetesAuth{
 						SecretRef: &esmeta.SecretKeySelector{
-							Namespace: pointer.To("invalid"),
+							Namespace: new("invalid"),
 						},
 					},
 				},
@@ -164,7 +162,7 @@ func TestValidateStore(t *testing.T) {
 				auth: esv1.VaultAuth{
 					Ldap: &esv1.VaultLdapAuth{
 						SecretRef: esmeta.SecretKeySelector{
-							Namespace: pointer.To("invalid"),
+							Namespace: new("invalid"),
 						},
 					},
 				},
@@ -177,7 +175,7 @@ func TestValidateStore(t *testing.T) {
 				auth: esv1.VaultAuth{
 					UserPass: &esv1.VaultUserPassAuth{
 						SecretRef: esmeta.SecretKeySelector{
-							Namespace: pointer.To("invalid"),
+							Namespace: new("invalid"),
 						},
 					},
 				},
@@ -189,7 +187,7 @@ func TestValidateStore(t *testing.T) {
 			args: args{
 				auth: esv1.VaultAuth{
 					TokenSecretRef: &esmeta.SecretKeySelector{
-						Namespace: pointer.To("invalid"),
+						Namespace: new("invalid"),
 					},
 				},
 			},

runtime/esutils/resolvers/secret_ref_test.go

@@ -25,7 +25,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes/scheme"
-	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -64,7 +63,7 @@ func TestResolveSecretKeyRef(t *testing.T) {
 			storeKind: "SecretStore",
 			selector: &esmeta.SecretKeySelector{
 				Name:      testSecret,
-				Namespace: ptr.To(testNamespace),
+				Namespace: new(testNamespace),
 				Key:       testKey,
 			},
 			expected: testValue,
@@ -87,7 +86,7 @@ func TestResolveSecretKeyRef(t *testing.T) {
 			storeKind: "SecretStore",
 			selector: &esmeta.SecretKeySelector{
 				Name:      testSecret,
-				Namespace: ptr.To(testNamespace),
+				Namespace: new(testNamespace),
 				Key:       testKey,
 			},
 			err: errors.New(`cannot get Kubernetes secret "test-secret" from namespace "other-namespace": secrets "test-secret" not found`),
@@ -97,7 +96,7 @@ func TestResolveSecretKeyRef(t *testing.T) {
 			storeKind: "ClusterSecretStore",
 			selector: &esmeta.SecretKeySelector{
 				Name:      testSecret,
-				Namespace: ptr.To(testNamespace),
+				Namespace: new(testNamespace),
 				Key:       testKey,
 			},
 			expected: testValue,
@@ -109,7 +108,7 @@ func TestResolveSecretKeyRef(t *testing.T) {
 			storeKind: "SecretStore",
 			selector: &esmeta.SecretKeySelector{
 				Name:      testSecret,
-				Namespace: ptr.To(testNamespace),
+				Namespace: new(testNamespace),
 				Key:       "xxxxxxxx",
 			},
 			expected: "",

runtime/esutils/utils.go

@@ -77,9 +77,7 @@ func JSONMarshal(t any) ([]byte, error) {
 
 // MergeByteMap merges map of byte slices.
 func MergeByteMap(dst, src map[string][]byte) map[string][]byte {
-	for k, v := range src {
-		dst[k] = v
-	}
+	maps.Copy(dst, src)
 	return dst
 }
 
@@ -383,9 +381,7 @@ func reverse(strategy esv1alpha1.PushSecretConversionStrategy, str string) strin
 
 // MergeStringMap performs a deep clone from src to dest.
 func MergeStringMap(dest, src map[string]string) {
-	for k, v := range src {
-		dest[k] = v
-	}
+	maps.Copy(dest, src)
 }
 
 var (
@@ -556,8 +552,10 @@ func Deref[V any](v *V) V {
 }
 
 // Ptr returns a pointer to the given value.
+//
+//go:fix inline
 func Ptr[T any](i T) *T {
-	return &i
+	return new(i)
 }
 
 // ConvertToType converts an object to the specified type using JSON marshaling.
@@ -860,7 +858,7 @@ func CheckEndpointSlicesReady(ctx context.Context, c client.Client, svcName, svc
 }
 
 // ParseJWTClaims extracts claims from a JWT token string.
-func ParseJWTClaims(tokenString string) (map[string]interface{}, error) {
+func ParseJWTClaims(tokenString string) (map[string]any, error) {
 	// Split the token into its three parts
 	parts := strings.Split(tokenString, ".")
 	if len(parts) != 3 {
@@ -873,7 +871,7 @@ func ParseJWTClaims(tokenString string) (map[string]interface{}, error) {
 		return nil, fmt.Errorf("error decoding payload: %w", err)
 	}
 
-	var claims map[string]interface{}
+	var claims map[string]any
 	if err := json.Unmarshal(payload, &claims); err != nil {
 		return nil, fmt.Errorf("error un-marshaling claims: %w", err)
 	}

runtime/esutils/utils_test.go

@@ -779,7 +779,7 @@ func TestRewriteMerge(t *testing.T) {
 				"mongo-credentials": []byte(`{"username": "foz", "password": "baz"}`),
 				"redis-credentials": []byte(`{"host": "redis.example.com", "port": "6379"}`),
 				"credentials": func() []byte {
-					expected := map[string]interface{}{
+					expected := map[string]any{
 						"username": "foz",
 						"password": "baz",
 						"host":     "redis.example.com",
@@ -1144,7 +1144,7 @@ func TestValidateSecretSelector(t *testing.T) {
 				},
 			},
 			ref: esmetav1.SecretKeySelector{
-				Namespace: Ptr("test"),
+				Namespace: new("test"),
 			},
 			expected: nil,
 		},
@@ -1169,7 +1169,7 @@ func TestValidateSecretSelector(t *testing.T) {
 				},
 			},
 			ref: esmetav1.SecretKeySelector{
-				Namespace: Ptr("test"),
+				Namespace: new("test"),
 			},
 			expected: nil,
 		},
@@ -1194,7 +1194,7 @@ func TestValidateSecretSelector(t *testing.T) {
 				},
 			},
 			ref: esmetav1.SecretKeySelector{
-				Namespace: Ptr("different"),
+				Namespace: new("different"),
 			},
 			expected: errNamespaceNotAllowed,
 		},
@@ -1226,7 +1226,7 @@ func TestValidateReferentSecretSelector(t *testing.T) {
 				},
 			},
 			ref: esmetav1.SecretKeySelector{
-				Namespace: Ptr("test"),
+				Namespace: new("test"),
 			},
 			expected: nil,
 		},
@@ -1251,7 +1251,7 @@ func TestValidateReferentSecretSelector(t *testing.T) {
 				},
 			},
 			ref: esmetav1.SecretKeySelector{
-				Namespace: Ptr("test"),
+				Namespace: new("test"),
 			},
 			expected: nil,
 		},
@@ -1266,7 +1266,7 @@ func TestValidateReferentSecretSelector(t *testing.T) {
 				},
 			},
 			ref: esmetav1.SecretKeySelector{
-				Namespace: Ptr("different"),
+				Namespace: new("different"),
 			},
 			expected: errNamespaceNotAllowed,
 		},
@@ -1298,7 +1298,7 @@ func TestValidateServiceAccountSelector(t *testing.T) {
 				},
 			},
 			ref: esmetav1.ServiceAccountSelector{
-				Namespace: Ptr("test"),
+				Namespace: new("test"),
 			},
 			expected: nil,
 		},
@@ -1323,7 +1323,7 @@ func TestValidateServiceAccountSelector(t *testing.T) {
 				},
 			},
 			ref: esmetav1.ServiceAccountSelector{
-				Namespace: Ptr("test"),
+				Namespace: new("test"),
 			},
 			expected: nil,
 		},
@@ -1348,7 +1348,7 @@ func TestValidateServiceAccountSelector(t *testing.T) {
 				},
 			},
 			ref: esmetav1.ServiceAccountSelector{
-				Namespace: Ptr("different"),
+				Namespace: new("different"),
 			},
 			expected: errNamespaceNotAllowed,
 		},
@@ -1380,7 +1380,7 @@ func TestValidateReferentServiceAccountSelector(t *testing.T) {
 				},
 			},
 			ref: esmetav1.ServiceAccountSelector{
-				Namespace: Ptr("test"),
+				Namespace: new("test"),
 			},
 			expected: nil,
 		},
@@ -1405,7 +1405,7 @@ func TestValidateReferentServiceAccountSelector(t *testing.T) {
 				},
 			},
 			ref: esmetav1.ServiceAccountSelector{
-				Namespace: Ptr("test"),
+				Namespace: new("test"),
 			},
 			expected: nil,
 		},
@@ -1420,7 +1420,7 @@ func TestValidateReferentServiceAccountSelector(t *testing.T) {
 				},
 			},
 			ref: esmetav1.ServiceAccountSelector{
-				Namespace: Ptr("different"),
+				Namespace: new("different"),
 			},
 			expected: errNamespaceNotAllowed,
 		},