chore(deps): update dependency go to v1.26.4 #68

Open
renovate[bot] wants to merge 1 commit into main from renovate/go-1.x
@renovate renovate Bot commented Jun 23, 2026

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| go | patch | 1.26.3 → 1.26.4 |

Release Notes

golang/go (go)

v1.26.4


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Go 1.26.4 is a patch release (released June 2, 2026) containing security fixes and bug fixes with no breaking changes.

Security Fixes:

  • CVE-2026-42504 (mime package) — Quadratic CPU consumption in WordDecoder.DecodeHeader when parsing maliciously-crafted MIME headers with many invalid encoded-words (DoS vector)
  • net/textproto — Unescaped user input in error messages could allow content injection into logs/error output when parsing headers from untrusted HTTP servers
  • crypto/x509 — Quadratic complexity in (*x509.Certificate).VerifyHostname when verifying hostnames against DNS SANs (performance DoS)

Bug Fixes:

  • Compiler and runtime stability improvements
  • go fix command (modernizer/inliner) fixes
  • crypto/fips140 package fixes

Breaking Changes: None. Full backward compatibility is maintained.

🎯 Impact Scope Investigation

PR Diff: Only mise.toml is modified — the Go toolchain version pin changes from 1.26.3 → 1.26.4. No source code changes.

Affected packages check: Searched the entire codebase for usage of the packages targeted by security fixes (mime, net/textproto, crypto/x509) — zero direct usages found. The codebase does not call into any of the patched packages directly.

go.mod compatibility: The module declares go 1.26.1 as the minimum language version, which is fully compatible with the 1.26.4 toolchain.

Transitive dependency impact: None expected. The security fixes are in the Go standard library; no go.sum or go.mod changes are required.

💡 Recommended Actions

  • No code changes required. This is a drop-in toolchain upgrade.
  • Merge as-is. The security fixes are beneficial even though the patched packages are not directly used — they may be called transitively by dependencies (e.g., golang.org/x/text, mvdan.cc/sh/v3) or by the Go toolchain itself during builds.
  • Consider monitoring CI results post-merge to confirm the build and test suite pass with the new toolchain.

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
