
fix(deps): update go #76

Open
renovate[bot] wants to merge 1 commit into main from renovate/go

Conversation


@renovate renovate Bot commented Jun 14, 2026

Contributor

This PR contains the following updates:

Package      Type     Update   Change
go (source)           patch    1.26.3 -> 1.26.4
go (source)  golang   patch    1.26.3 -> 1.26.4

Release Notes

golang/go (go)

v1.26.4


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


github-actions Bot commented Jun 14, 2026


Renovate PR Review Results

⚖️ Safety Assessment: ⚠️ Needs Manual Migration

🔍 Release Content Analysis

Go 1.26.4 Release Summary (Released: 2026-06-02)

Go 1.26.4 is a patch release that includes three critical security fixes and several bug fixes:

Security Fixes (CVE Vulnerabilities)

  1. CVE-2026-42504 - mime package

    • Issue: Quadratic complexity in WordDecoder.DecodeHeader
    • Impact: Decoding maliciously-crafted MIME headers with many invalid encoded-words could cause excessive CPU consumption (DoS)
    • Fix: MIME decoder now handles invalid encoded-words more efficiently
  2. CVE-2026-42507 - net/textproto package

    • Issue: Arbitrary input included in error messages without escaping
    • Impact: Attackers could inject misleading content or terminal control bytes into error messages
    • Affected: HTTP clients parsing server headers through ReadMIMEHeader
    • Fix: Input is now properly escaped in error messages
  3. CVE-2026-27145 - crypto/x509 package

    • Issue: Quadratic complexity in hostname verification with large DNS SAN lists
    • Impact: Certificate verification scaled quadratically (O(n²)) based on SAN entries × hostname labels
    • Fix: Hostname is now split only once instead of repeatedly, improving performance

Bug Fixes

  1. Compiler: AMD64 SHL instruction overflow bug (miscompilation issue)
  2. Runtime: Race detector build failure on Amazon Linux 2 ARM64
  3. cmd/fix: Fixed slicescontains hoisting needle expressions with side effects
  4. crypto/internal/fips140: Backported DRBG improvements (CL 774221)

Breaking Changes: None documented

🎯 Impact Scope Investigation

1. Codebase Usage Analysis

Direct Package Usage: The sandbox codebase does not directly import the affected security packages (crypto/x509, mime, net/textproto) in its source code.

Transitive Dependencies: However, these packages are used transitively through the dependency tree:

  • crypto/x509 - Used by crypto/tls, which is used by net/http (Echo framework dependency)
  • mime - Used by net/http for multipart form handling
  • net/textproto - Used by net/http for HTTP protocol parsing

Benefit: While not directly used, the security fixes improve the safety of HTTP request handling through the Echo v5 web framework.

2. Modified Files Analysis

The PR correctly updates 4 files:

  • Dockerfile (line 56): ARG GO_VERSION=1.26.3 -> ARG GO_VERSION=1.26.4
  • go.mod (line 3): go 1.26.3 -> go 1.26.4
  • internal/sandbox/defaults/go/go.mod.tmpl (line 3): go 1.26.3 -> go 1.26.4
  • mise.toml (line 2): go = "1.26.3" -> go = "1.26.4"

3. CRITICAL ISSUE FOUND: Missing Dockerfile Builder Stage Update

Problem: The Dockerfile's builder stage (line 84) uses a hardcoded golang:1.26.3-bookworm base image with pinned digest:

FROM golang:1.26.3-bookworm@sha256:386d475a660466863d9f8c766fec64d7fdad3edac2c6a05020c09534d71edb4b AS builder

This was NOT updated by Renovate, causing the E2E test failures:

go: go.mod requires go >= 1.26.4 (running go 1.26.3; GOTOOLCHAIN=local)

Root Cause: The builder stage's cached Go 1.26.3 installation conflicts with the updated go.mod requirement for Go 1.26.4.

Evidence: Both E2E test runs failed with identical errors during the go mod download step in the Docker build process.

4. CI/CD Status

  • Build: Passing
  • Lint: Passing (golangci-lint 2.12.2)
  • Unit Test: Passing
  • hadolint: Passing
  • E2E Test (ubuntu-latest): Failed - Docker build error (go.mod version mismatch)
  • E2E Test (ubuntu-24.04-arm): Failed - Docker build error (go.mod version mismatch)
  • Socket Security: Passing
  • Claude Renovate Review: Pending (current review)

💡 Recommended Actions

Required Manual Fixes

1. Update Dockerfile Builder Stage (REQUIRED before merge)

The Dockerfile line 84 must be updated from:

FROM golang:1.26.3-bookworm@sha256:386d475a660466863d9f8c766fec64d7fdad3edac2c6a05020c09534d71edb4b AS builder

To:

FROM golang:1.26.4-bookworm@sha256:<new-digest-for-1.26.4> AS builder

Action: Either:

  • Option A: Manually update this line in the PR
  • Option B: Wait for Renovate to create a separate PR for the golang Docker image update and merge both together
  • Option C: Check if Renovate's grouping configuration should have caught this (may indicate a config issue)

2. Verification Steps (After fixing Dockerfile)

# Rebuild the Docker image without the layer cache so the builder stage
# picks up the new base image instead of the cached Go 1.26.3 layers
docker compose down
docker compose build --no-cache
docker compose up

# Run E2E tests
go test -tags e2e ./e2e/...

Why This Update Is Important

  1. Security: Three CVEs fixed, including DoS vulnerabilities and error message injection
  2. Correctness: Fixes compiler bug (AMD64 SHL overflow) that could cause miscompilation
  3. Compatibility: Patch releases in Go are backward-compatible and safe to adopt
  4. Best Practice: Staying current with security patches reduces attack surface

Post-Merge Recommendations

  • ✅ No code changes required in application logic
  • ✅ No API breaking changes
  • ✅ No configuration changes needed
  • ✅ Verify E2E tests pass after Dockerfile fix

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
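The review above found the root cause of the E2E failures: go.mod, the Dockerfile ARG and mise.toml were bumped to 1.26.4 while the builder stage's FROM line stayed on golang:1.26.3, so GOTOOLCHAIN=local refused to build. The following Go program is an added example, not code from this repository or from Renovate, showing a CI guard that extracts the Go version pinned by each of those files and reports any file that disagrees with go.mod. The file contents are constructed here to mirror the state of this PR, the digest is a placeholder, and the function and type names (Versions, Collect, Drift) are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
)

// Go version declared by each repository file that must agree with go.mod.
// Field names are this example's own; the file names match the review above.
type Versions struct {
	GoMod          string // go.mod:      go 1.26.4
	DockerfileArg  string // Dockerfile:  ARG GO_VERSION=1.26.4
	DockerfileBase string // Dockerfile:  FROM golang:1.26.4-bookworm@sha256:... AS builder
	MiseToml       string // mise.toml:   go = "1.26.4"
}

var (
	goModRe = regexp.MustCompile(`(?m)^go\s+(\d+\.\d+(?:\.\d+)?)\s*$`)
	argRe   = regexp.MustCompile(`(?m)^ARG\s+GO_VERSION=(\d+\.\d+(?:\.\d+)?)\s*$`)
	fromRe  = regexp.MustCompile(`(?m)^FROM\s+golang:(\d+\.\d+(?:\.\d+)?)[-@\s]`)
	miseRe  = regexp.MustCompile(`(?m)^go\s*=\s*"(\d+\.\d+(?:\.\d+)?)"`)
)

// first returns the first capture group of re in text, or "" when absent.
func first(re *regexp.Regexp, text string) string {
	if m := re.FindStringSubmatch(text); m != nil {
		return m[1]
	}
	return ""
}

// Collect extracts the Go version each file pins.
func Collect(goMod, dockerfile, miseToml string) Versions {
	return Versions{
		GoMod:          first(goModRe, goMod),
		DockerfileArg:  first(argRe, dockerfile),
		DockerfileBase: first(fromRe, dockerfile),
		MiseToml:       first(miseRe, miseToml),
	}
}

// Drift reports every file whose pinned version differs from go.mod, which is
// the value the toolchain enforces: with GOTOOLCHAIN=local an older installed
// Go refuses to build ("go.mod requires go >= 1.26.4 (running go 1.26.3)").
func Drift(v Versions) []string {
	if v.GoMod == "" {
		return []string{"go.mod: no go directive found"}
	}
	var out []string
	check := func(name, got string) {
		if got == "" {
			out = append(out, name+": version not found")
		} else if got != v.GoMod {
			out = append(out, fmt.Sprintf("%s: %s (go.mod wants %s)", name, got, v.GoMod))
		}
	}
	check("Dockerfile ARG GO_VERSION", v.DockerfileArg)
	check("Dockerfile FROM golang base image", v.DockerfileBase)
	check("mise.toml go", v.MiseToml)
	return out
}

// Constructed sample files reproducing the state this PR was left in: every
// file bumped to 1.26.4 except the builder stage's base image. The digest is
// a placeholder, not a real image digest.
const (
	sampleGoMod      = "module example.com/sandbox\n\ngo 1.26.4\n"
	sampleDockerfile = "ARG GO_VERSION=1.26.4\n" +
		"FROM golang:1.26.3-bookworm@sha256:<digest-placeholder> AS builder\n" +
		"WORKDIR /src\n"
	sampleMise = "[tools]\ngo = \"1.26.4\"\n"
)

func main() {
	// Expected: a single drift line naming the 1.26.3 base image.
	for _, d := range Drift(Collect(sampleGoMod, sampleDockerfile, sampleMise)) {
		fmt.Println("drift:", d)
	}
}
```

Run as a CI step that fails on any non-empty Drift result, the check catches the exact gap this review found before the Docker build does, and it also catches the reverse case where a base image is bumped but go.mod is not.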

@renovate renovate Bot force-pushed the renovate/go branch 2 times, most recently from f2b7d97 to 70fbc5e on June 19, 2026 09:08
@renovate renovate Bot changed the title fix(deps): update go to v1.26.4 fix(deps): update go Jun 24, 2026