
fix(deps): update dependency go to v1.26.1 #24

Open
renovate[bot] wants to merge 1 commit into main from renovate/go-1.x

Conversation


@renovate renovate bot commented Mar 10, 2026

This PR contains the following updates:

Package      Type    Update  Change           Pending
go (source)          patch   1.26.0 → 1.26.1  1.26.2
go (source)  golang  patch   1.26.0 → 1.26.1  1.26.2

Release Notes

golang/go (go)

v1.26.1


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


github-actions bot commented Mar 10, 2026

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Version Update: Go 1.26.0 → 1.26.1 (patch release)

Security Fixes (5 CVEs addressed):

  • CVE-2026-27137 (crypto/x509): Incorrect enforcement of email constraints in certificate verification. Multiple email address constraints with common local portions but different domain portions were not properly applied, allowing improperly constrained certificates to pass verification. Severity: Medium (affects only Go 1.26+)
  • CVE-2026-27138 (crypto/x509): Certificate verification panic with empty DNS names and excluded name constraints. Can cause denial-of-service through application crashes in programs verifying X.509 certificate chains or using TLS. Severity: High (affects only Go 1.26+)
  • CVE-2026-27142 (html/template): XSS vulnerability in meta tag content attributes. URLs in meta tag content attributes were not escaped, enabling XSS attacks when combined with http-equiv="refresh". Fixed with new escaping behavior (controllable via GODEBUG=htmlmetacontenturlescape=0). Severity: Medium
  • CVE-2026-25679 (net/url): Insufficient validation of host/authority component in URL parsing. net/url.Parse incorrectly accepted invalid URLs by treating garbage before IPv6 literals as ignorable. Now properly rejects IPv6 literals not at the start of the host subcomponent. Severity: Low
  • CVE-2026-27139 (os): FileInfo can escape from a Root constraint (issue #77834). Severity: Medium (affects only Go 1.26+)

Bug Fixes (21+ issues addressed):

  • Compiler fixes: Fixed internal compiler error with generic functions and large types (#77623), rewriteFixedLoad sign extension issue (#77786), struct pointer load ICE (#77536)
  • reflect package: Fixed breaking change in reflect.Value.Interface() behavior (#77780) - now uses &zeroVal[0] instead of nil for zero-sized payloads
  • cmd/go: Reverted go mod init default directive back to 1.N (#77860)
  • x/tools fixes: Multiple fixes for code rewriting tools (stringsbuilder, rangeint, waitgroup, minmax, stringscut, reflect.TypeOf transformations)
  • Other: strings.HasSuffix multibyte rune issue (#77618), os.RemoveAll Windows regression (#77407), CGO pkg-config flag issue (#77474)

🎯 Impact Scope Investigation

Files Modified:

  1. Dockerfile: Updated ARG GO_VERSION from 1.26.0 to 1.26.1
  2. go.mod: Updated go directive from 1.26.0 to 1.26.1; github.com/spf13/cobra moved from indirect to direct dependency (no version change)
  3. internal/sandbox/defaults/go/go.mod.tmpl: Updated template Go version from 1.26.0 to 1.26.1
  4. mise.toml: Already updated to 1.26.1

Codebase Impact Analysis:

  • No usage of affected security packages: The codebase does not directly import crypto/x509, html/template, or net/url, minimizing direct exposure to the fixed vulnerabilities
  • No reflect.Value usage: Grep search confirmed no usage of reflect.Value.Interface() in the codebase, so the breaking change fix does not affect this project
  • os package usage is safe: The codebase uses os.MkdirTemp, os.RemoveAll, os.WriteFile, and os.Stat - all standard operations unaffected by the FileInfo Root escape issue
  • Dependency compatibility: All indirect dependencies remain unchanged except for github.com/spf13/cobra moving to direct (organizational change, not a version update)
  • Go runtime in sandbox: The Docker image and sandbox Go runtime template are correctly updated to 1.26.1, ensuring sandboxed Go code executes with security patches

Testing Verification:

  • ✅ All unit tests pass: cmd/gocacheprog, internal/handler, internal/middleware, internal/sandbox
  • ✅ Build succeeds with Go 1.26.1
  • ✅ No compilation errors or warnings

Dependency Chain:

  • No transitive dependency updates
  • Go 1.26.1 maintains full backward compatibility with 1.26.0
  • The changes are purely additive security fixes and bug corrections

💡 Recommended Actions

Immediate Actions:

  1. Merge immediately - This is a critical security patch release with no breaking changes
  2. No code modifications required - All fixes are backward compatible
  3. No configuration changes needed - Default behavior is secure

Post-Merge:

  1. Monitor for Go 1.26.2 (already pending per PR description)
  2. Consider updating CLAUDE.md line 12 documentation from "Go: 1.26.0" to "Go: 1.26.1" to keep documentation in sync
  3. Rebuild and redeploy Docker images to ensure runtime security patches are active

Security Benefits:

  • Eliminates 5 CVEs including 2 critical crypto/x509 vulnerabilities that could affect TLS operations
  • Protects against XSS in html/template (though not directly used in this codebase)
  • Hardens URL parsing against malformed inputs
  • Fixes OS file operations security issue specific to Go 1.26

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
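As an added example (not code from this PR or the project it targets): the review's impact-scope list and its post-merge note about CLAUDE.md amount to a consistency check, so here is a small Go checker that compares the Go version pinned in Dockerfile, go.mod, the sandbox go.mod.tmpl, mise.toml and CLAUDE.md against the patched release. The line formats of those files, the sample contents and the module name are assumptions, not taken from the repository.

```go
package main

import (
	"fmt"
	"regexp"
)

// One regexp per pinned file (the review's four plus CLAUDE.md); group 1 is MAJOR.MINOR.PATCH.
// The line formats are assumptions about this repository, not taken from it.
var pinPatterns = map[string]*regexp.Regexp{
	"Dockerfile":  regexp.MustCompile(`(?m)^ARG GO_VERSION=(\d+\.\d+\.\d+)`),
	"go.mod":      regexp.MustCompile(`(?m)^go (\d+\.\d+\.\d+)`),
	"go.mod.tmpl": regexp.MustCompile(`(?m)^go (\d+\.\d+\.\d+)`),
	"mise.toml":   regexp.MustCompile(`(?m)^go\s*=\s*"(\d+\.\d+\.\d+)"`),
	"CLAUDE.md":   regexp.MustCompile(`Go:\s*(\d+\.\d+\.\d+)`),
}

// Constructed sample repository: the four listed files at 1.26.1, CLAUDE.md still at 1.26.0.
var sampleRepo = map[string]string{
	"Dockerfile":  "ARG GO_VERSION=1.26.1\nFROM golang:${GO_VERSION}\n",
	"go.mod":      "module example.test/sandbox\n\ngo 1.26.1\n",
	"go.mod.tmpl": "module {{.Module}}\n\ngo 1.26.1\n",
	"mise.toml":   "[tools]\ngo = \"1.26.1\"\n",
	"CLAUDE.md":   "# Project notes\n- Go: 1.26.0\n",
}

// versionKey turns "1.26.1" into 1026001 so versions compare numerically; as strings
// "1.9.0" would sort after "1.26.0". Input must be MAJOR.MINOR.PATCH (the regexps ensure it).
func versionKey(v string) int {
	var major, minor, patch int
	fmt.Sscanf(v, "%d.%d.%d", &major, &minor, &patch)
	return major*1000000 + minor*1000 + patch
}

// CheckPins maps each offending file to a finding: no pin (an absent file reads as empty
// and counts), a pin still below the patched version want, or a pin that differs from it.
func CheckPins(files map[string]string, want string) map[string]string {
	findings := map[string]string{}
	for name, re := range pinPatterns {
		m := re.FindStringSubmatch(files[name])
		switch {
		case m == nil:
			findings[name] = "no Go version pin found"
		case versionKey(m[1]) < versionKey(want):
			findings[name] = m[1] + " is below patched " + want
		case m[1] != want:
			findings[name] = m[1] + " differs from PR target " + want
		}
	}
	return findings
}
```

Run against the constructed sample with want "1.26.1", only CLAUDE.md is reported, which matches the review's post-merge step 2; a file that has not been updated at all shows up as "below patched" rather than merely "differs".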

@renovate renovate bot force-pushed the renovate/go-1.x branch 4 times, most recently from 6ecde59 to 6329d9b on March 17, 2026 11:51
@renovate renovate bot force-pushed the renovate/go-1.x branch from 6329d9b to cf38248 on April 1, 2026 19:49
@renovate renovate bot force-pushed the renovate/go-1.x branch from cf38248 to b5df75d on April 9, 2026 02:31
@renovate renovate bot changed the title from "fix(deps): update dependency go to v1.26.1" to "fix(deps): update dependency go to v1.26.2" on Apr 9, 2026
@renovate renovate bot force-pushed the renovate/go-1.x branch from b5df75d to ff425b2 on April 9, 2026 05:15
@renovate renovate bot changed the title from "fix(deps): update dependency go to v1.26.2" to "fix(deps): update dependency go to v1.26.1" on Apr 9, 2026