
Ignore go1.26.4 stdlib vulns in govulncheck until toolchain bump#5425

Merged
rdimitrov merged 1 commit into main from ignore-stdlib-vulns-pending-go1264 on Jun 3, 2026

Conversation

@rdimitrov (Member)

Summary

The daily Security Scan and every open PR have been failing the Go Vulnerability Check since 2026-06-03 03:03 UTC. On 2026-06-02 three Go standard-library advisories were published, and govulncheck flags them because CI builds with setup-go: stable, which still resolves to go1.26.3 (the actions/go-versions manifest lags the release):

  • GO-2026-5037 (CVE-2026-27145) — crypto/x509 VerifyHostname quadratic-cost perf
  • GO-2026-5038 (CVE-2026-42504) — mime WordDecoder.DecodeHeader excessive CPU
  • GO-2026-5039 (CVE-2026-42507) — net/textproto user input in error messages

All three are stdlib DoS / log-injection issues (no RCE) fixed in go1.26.4 / go1.25.11 — code we do not own. This PR adds the three OSV IDs to the existing, documented IGNORED_VULNS exclusion list to unblock CI. It is explicitly temporary: the comment instructs removing the exclusion once CI builds on go1.26.4 or later (at which point stable will resolve to a patched toolchain and the findings disappear on their own).

Type of change

  • Other (CI / security tooling)

Test plan

  • Manual testing (describe below)

  • Confirmed each OSV maps to a Go stdlib advisory fixed in go1.26.4 / go1.25.11 via pkg.go.dev/vuln.

  • Verified the failing job lists exactly these three IDs: ❌ Vulnerabilities need attention: GO-2026-5037 GO-2026-5038 GO-2026-5039.

  • Validated security-scan.yml still parses as YAML.

  • Authoritative check is this PR's own Go Vulnerability Check run going green.

API Compatibility

  • This PR does not break the v1beta1 API.

Does this introduce a user-facing change?

No.

Special notes for reviewers

This is a stop-gap. The clean fix is to get CI onto go1.26.4 (e.g. pin the version or wait for the actions/go-versions stable manifest to catch up). Once that lands, delete the three IDs from IGNORED_VULNS and restore the comment to "none currently."

Generated with Claude Code

The daily Security Scan and every open PR started failing on 2026-06-03
after three Go standard-library advisories were published on 2026-06-02:

  GO-2026-5037 (CVE-2026-27145, crypto/x509 VerifyHostname)
  GO-2026-5038 (CVE-2026-42504, mime WordDecoder.DecodeHeader)
  GO-2026-5039 (CVE-2026-42507, net/textproto error messages)

All three are stdlib DoS / log-injection issues (no RCE) fixed in
go1.26.4 / go1.25.11. CI builds with `setup-go: stable`, which still
resolves to go1.26.3 because the actions/go-versions manifest lags the
release, so govulncheck flags them on code we do not control.

Add the three OSV IDs to the documented IGNORED_VULNS exclusion list to
unblock CI. This is temporary and should be removed once CI builds on
go1.26.4 or later.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
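The exclusion-list gating the PR depends on, as an added example that is not this repository's security-scan.yml: a POSIX shell script that pulls the OSV IDs out of a govulncheck text report and fails the gate only on findings that are not in IGNORED_VULNS. The sample report text, the GO-0000-0001 placeholder and the function names are constructed for this example; the three real IDs and the IGNORED_VULNS name come from the PR.

```shell
#!/bin/sh
# Added example, not this repository's security-scan.yml: the exclusion-list
# gate that the PR relies on, reproduced on a captured govulncheck report.

# Space-separated OSV IDs to suppress. These three come from the PR; per its
# comment they should be deleted once CI builds on go1.26.4 or later.
IGNORED_VULNS="GO-2026-5037 GO-2026-5038 GO-2026-5039"

# Constructed stand-in for the text output of `govulncheck ./...` (offline).
# GO-0000-0001 is a placeholder, present only to show a non-ignored finding.
SAMPLE_REPORT='Vulnerability #1: GO-2026-5037
  More info: https://pkg.go.dev/vuln/GO-2026-5037
    Found in: crypto/x509@go1.26.3
    Fixed in: crypto/x509@go1.26.4
Vulnerability #2: GO-2026-5038
  More info: https://pkg.go.dev/vuln/GO-2026-5038
Vulnerability #3: GO-2026-5039
  More info: https://pkg.go.dev/vuln/GO-2026-5039
Vulnerability #4: GO-0000-0001
  More info: https://pkg.go.dev/vuln/GO-0000-0001
'

# Print each distinct OSV ID named anywhere in the report read from stdin.
extract_osv_ids() {
  grep -o 'GO-[0-9][0-9][0-9][0-9]-[0-9][0-9]*' | sort -u
}

# Pass through the IDs from stdin that are not on the IGNORED_VULNS list.
filter_ignored() {
  while IFS= read -r id; do
    case " $IGNORED_VULNS " in
      *" $id "*) ;;                    # documented exclusion: drop it
      *) printf '%s\n' "$id" ;;
    esac
  done
}

# CI gate: return 0 when every finding is excluded, 1 when any remain,
# printing the same summary line the failing job shows for the leftovers.
check_report() {
  remaining=$(printf '%s' "$1" | extract_osv_ids | filter_ignored)
  if [ -n "$remaining" ]; then
    printf 'Vulnerabilities need attention: %s\n' "$(printf '%s' "$remaining" | tr '\n' ' ')"
    return 1
  fi
  echo "Only ignored findings; gate passes"
}

check_report "$SAMPLE_REPORT" || echo "gate would fail CI (exit $?)"
```

Dropping the placeholder finding from the report makes the gate pass, which is the state the PR restores for the three real advisories until the toolchain bump removes them from the report altogether.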
@rdimitrov rdimitrov requested a review from JAORMX as a code owner June 3, 2026 11:13
@github-actions github-actions Bot added the size/XS Extra small PR: < 100 lines changed label Jun 3, 2026
@codecov (Bot) commented Jun 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.85%. Comparing base (535e808) to head (034e729).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #5425      +/-   ##
==========================================
+ Coverage   68.84%   68.85%   +0.01%     
==========================================
  Files         634      634              
  Lines       64433    64433              
==========================================
+ Hits        44358    44367       +9     
+ Misses      16795    16785      -10     
- Partials     3280     3281       +1     

☔ View full report in Codecov by Sentry.

@rdimitrov rdimitrov merged commit 91827ac into main Jun 3, 2026
30 checks passed
@rdimitrov rdimitrov deleted the ignore-stdlib-vulns-pending-go1264 branch June 3, 2026 11:20