fix(deps): update go to v1.26.2#34

Merged
koki-develop merged 1 commit intomainfrom
renovate/go
Apr 17, 2026
Conversation

@renovate
Contributor

@renovate renovate Bot commented Apr 17, 2026

This PR contains the following updates:

Package     | Type   | Update | Change
go (source) |        | patch  | 1.26.0 -> 1.26.2
go          |        | patch  | 1.26.1 -> 1.26.2
go (source) | golang | patch  | 1.26.0 -> 1.26.2
golang      | final  | patch  | 1.26.1-bookworm -> 1.26.2-bookworm

Release Notes

golang/go (go)

v1.26.2

v1.26.1


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

github-actions Bot commented Apr 17, 2026

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

This PR updates Go from 1.26.0 to 1.26.2, encompassing two patch releases (1.26.1 and 1.26.2) that focus exclusively on security fixes and bug fixes with no breaking changes.

Go 1.26.1 (Released 2026-03-05)

Security Fixes (5 CVEs):

  • CVE-2026-27137 (crypto/x509): Fixed incorrect enforcement of multiple full-email name constraints
  • CVE-2026-27138 (crypto/x509): Fixed certificate verification panic with empty DNS names and excluded name constraints
  • CVE-2026-27142 (html/template): Fixed XSS vulnerability in URL actions within meta tag content attributes
  • CVE-2026-27139 (os): Fixed FileInfo path resolution issue that could reference files outside Root
  • CVE-2026-25679 (net/url): Stricter URL parsing

Bug Fixes: go command, go fix command, compiler, os package, reflect package

Go 1.26.2 (Released 2026-04-07)

Security Fixes (10 CVEs, including critical compiler bugs):

  • CVE-2026-27143 (cmd/compile): CRITICAL - Fixed memory corruption after bound check elimination that broke Go's memory safety guarantees
  • CVE-2026-27144 (cmd/compile): CRITICAL - Fixed no-op interface conversion bypassing overlap checking, also breaking memory safety
  • Additional CVEs: CVE-2026-32282, CVE-2026-32283, CVE-2026-27140
  • Security fixes to: go command, compiler, archive/tar, crypto/tls, crypto/x509, html/template, os

Bug Fixes: go command, go fix command, compiler, linker, runtime, net, net/http, net/url packages

Key Impact: The two compiler bugs (CVE-2026-27143 and CVE-2026-27144) are particularly significant as they could cause memory corruption using only safe Go code, undermining Go's memory safety guarantees.

🎯 Impact Scope Investigation

Changed Files

  1. Dockerfile (lines 50, 78): Updates GO_VERSION ARG and golang base image
  2. go.mod (line 3): Updates Go directive from 1.26.0 to 1.26.2; also moves cobra from indirect to direct dependency (unrelated to Go version)
  3. internal/sandbox/defaults/go/go.mod.tmpl (line 3): Updates Go directive for sandbox Go runtime template
  4. mise.toml (line 2): Updates development Go toolchain version

Codebase Impact Analysis

Direct Usage of Security-Fixed Packages:

  • net/http: Used extensively throughout the codebase (handler, middleware, e2e tests) - benefits from net/http bug fixes in 1.26.2
  • crypto/x509, crypto/tls, html/template, archive/tar: NOT directly imported by the codebase
  • Impact: The codebase primarily benefits from the critical compiler bug fixes and net/http improvements

Compiler Bug Fixes:

  • The two critical compiler CVEs (memory corruption and overlap checking) affect ALL Go code
  • These fixes improve memory safety guarantees for the entire application without requiring code changes

Dependencies:

  • All direct and indirect dependencies will benefit from the improved compiler and runtime
  • No dependency changes are required; patch versions maintain full backward compatibility

CI/CD Impact:

  • ✅ Build job: PASSED (go build completed successfully)
  • ✅ Lint job: PASSED (golangci-lint run succeeded)
  • ✅ Unit Test job: PASSED (all unit tests passed)
  • ⏳ E2E Test jobs: PENDING (ubuntu-latest and ubuntu-24.04-arm)

💡 Recommended Actions

Immediate Actions

  1. ✅ SAFE TO MERGE once E2E tests pass - This is a backward-compatible security patch release
  2. Priority: HIGH - The critical compiler bugs (CVE-2026-27143, CVE-2026-27144) could affect any Go code and should be patched immediately
  3. No code changes required - This is a drop-in replacement with security and stability improvements

Verification Steps

  • ✅ Build verification: Already passed in CI
  • ✅ Lint verification: Already passed in CI
  • ✅ Unit tests: Already passed in CI
  • ⏳ Wait for E2E tests to complete (expected to pass based on patch release nature)

Post-Merge

  • Monitor application behavior after deployment (standard practice)
  • No migration work or configuration changes needed
  • The sandbox service's Go runtime (configured via mise/Dockerfile) will automatically use 1.26.2 for user code execution

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
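The review above lists four places where this PR pins the Go toolchain (go.mod, the sandbox go.mod.tmpl, the Dockerfile's GO_VERSION ARG and golang base image, and mise.toml). A bump that lands in some of those files but not others leaves part of the build on the unpatched compiler, which matters here because the fixed CVEs are in the compiler itself. The following drift check is an added example, not code from this repository: it extracts every Go version pin from those files and reports any that disagree with the expected version. The file contents are constructed stand-ins, and the exact layout it matches (an `ARG GO_VERSION=` line, a `FROM golang:` image, a `go = "..."` key in mise.toml) is assumed from the review's description rather than taken from the real files.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed stand-ins for the four files the PR touches. The real files'
// layout (ARG name, mise.toml keys) is assumed, not copied from the repo.
var sampleFiles = map[string]string{
	"go.mod":                                   "module example.com/sandbox\n\ngo 1.26.2\n",
	"internal/sandbox/defaults/go/go.mod.tmpl": "module {{ .Module }}\n\ngo 1.26.2\n",
	"Dockerfile":                               "ARG GO_VERSION=1.26.2\n\nFROM golang:1.26.2-bookworm AS build\n",
	"mise.toml":                                "[tools]\ngo = \"1.26.2\"\n",
}

var (
	// `go 1.26.2` directive in go.mod and in the sandbox go.mod template.
	goModRe = regexp.MustCompile(`(?m)^go\s+(\d+\.\d+(?:\.\d+)?)\s*$`)
	// `ARG GO_VERSION=1.26.2` and `FROM golang:1.26.2-bookworm` (assumed names).
	dockerRe = regexp.MustCompile(`(?:GO_VERSION=|FROM golang:)(\d+\.\d+\.\d+)`)
	// `go = "1.26.2"` under [tools] in mise.toml (assumed key).
	miseRe = regexp.MustCompile(`(?m)^go\s*=\s*"([^"]+)"`)
)

// patternFor picks the extractor by file name; nil means the file is not a
// known place to pin the Go version.
func patternFor(path string) *regexp.Regexp {
	base := path[strings.LastIndex(path, "/")+1:]
	switch base {
	case "go.mod", "go.mod.tmpl":
		return goModRe
	case "Dockerfile":
		return dockerRe
	case "mise.toml":
		return miseRe
	}
	return nil
}

// FindGoVersions returns every Go version pinned in content, in file order.
func FindGoVersions(path, content string) []string {
	re := patternFor(path)
	if re == nil {
		return nil
	}
	var versions []string
	for _, m := range re.FindAllStringSubmatch(content, -1) {
		versions = append(versions, m[1])
	}
	return versions
}

// CheckConsistent returns one message per pin that differs from want, plus a
// message for any file with no pin at all. An empty result means no drift.
func CheckConsistent(files map[string]string, want string) []string {
	var problems []string
	for path, content := range files {
		versions := FindGoVersions(path, content)
		if len(versions) == 0 {
			problems = append(problems, fmt.Sprintf("%s: no Go version pin found", path))
			continue
		}
		for _, v := range versions {
			if v != want {
				problems = append(problems, fmt.Sprintf("%s: pinned %s, want %s", path, v, want))
			}
		}
	}
	sort.Strings(problems) // map iteration order is random; keep output stable
	return problems
}

func main() {
	const want = "1.26.2"
	fmt.Println("clean tree:", CheckConsistent(sampleFiles, want))

	// Simulate a half-applied bump: the Dockerfile is still on the previous patch.
	drifted := map[string]string{}
	for k, v := range sampleFiles {
		drifted[k] = v
	}
	drifted["Dockerfile"] = "ARG GO_VERSION=1.26.1\n\nFROM golang:1.26.1-bookworm AS build\n"
	for _, p := range CheckConsistent(drifted, want) {
		fmt.Println("drift:", p)
	}
}
```

In a real repository the map would be filled by reading the four paths from disk, and the check would run in CI with the expected version taken from go.mod so that a Renovate PR that updates only some of the pins fails before merge.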

@koki-develop koki-develop merged commit b64eca9 into main Apr 17, 2026
8 checks passed
@koki-develop koki-develop deleted the renovate/go branch April 17, 2026 03:37