
chore(deps): update dependency go to v1.26.2 - autoclosed #24

Closed
renovate[bot] wants to merge 1 commit into main from renovate/go-1.x

@renovate renovate bot commented Mar 10, 2026

This PR contains the following updates:

Package | Update | Change
go | patch | 1.26.1 → 1.26.2

Release Notes

golang/go (go)

v1.26.2

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions bot commented Mar 10, 2026

Renovate PR Review Results

⚖️ Safety Assessment: ⚠️ Needs Manual Migration

🔍 Release Content Analysis

Go 1.26.2 is a security and bug fix patch release published on April 7, 2026. The release includes:

Security Fixes (10 CVEs):

  • CVE-2026-32282: os package - Root.Chmod can follow symlinks out of the root on Linux
  • CVE-2026-32289: Additional os package security issue
  • CVE-2026-33810: crypto/x509 - excluded DNS constraints not properly applied to wildcard domains
  • CVE-2026-27144: cmd/compile - no-op interface conversion bypasses overlap checking
  • CVE-2026-27143: cmd/compile - memory corruption after bound check elimination (critical: slices/arrays accessed using induction variables were sometimes incorrectly proved in-bound)
  • CVE-2026-32288: archive/tar - unbounded allocation when parsing old format GNU sparse map
  • CVE-2026-32283: crypto/tls - multiple key update handshake messages can cause connection deadlock (DoS)
  • CVE-2026-27140: cmd/go - trust layer bypass when using cgo and SWIG

Bug Fixes:

  • go command, go fix command
  • Compiler and linker improvements
  • Runtime enhancements
  • net, net/http, and net/url package fixes

Breaking Changes: None - this is a backward-compatible patch release within the Go 1.26 series.

🎯 Impact Scope Investigation

Direct Usage in Codebase:

  • The codebase does not directly use affected security packages (archive/tar, crypto/tls, crypto/x509, html/template) in application code
  • Go compiler security fixes (CVE-2026-27143, CVE-2026-27144) affect all Go code compilation and are critical memory safety improvements
  • The sandbox service compiles and executes user-submitted Go code, making compiler security fixes especially important

Files Requiring Updates:

  1. mise.toml (line 2): go = "1.26.1" → go = "1.26.2". Already updated in PR.

  2. Dockerfile (line 78): FROM golang:1.26.1-bookworm@... → needs update to golang:1.26.2-bookworm

    • Docker image golang:1.26.2-bookworm confirmed available
    • New SHA256: sha256:b6c3f6b2881231dda32428740ea934e556614756b76a6c23129c9d85c3af4630

  3. Dockerfile (line 50): ARG GO_VERSION=1.26.0 → should update to 1.26.2

    • This controls the Go runtime installed in the base image via mise for executing user Go code

  4. go.mod (line 3): go 1.26.0 → should update to go 1.26.2

    • Specifies minimum Go version requirement for the project

  5. internal/sandbox/defaults/go/go.mod.tmpl (line 3): go 1.26.0 → should update to go 1.26.2

    • Template used for user-submitted Go code execution

CI/Test Status:
All CI checks passed successfully on the PR branch:

  • ✅ Build
  • ✅ Unit Test
  • ✅ E2E Test (ubuntu-24.04-arm)
  • ✅ E2E Test (ubuntu-latest)
  • ✅ Lint
  • ✅ hadolint

This indicates the mise.toml change alone works for local development builds, but Docker image updates are required for production deployments.

💡 Recommended Actions

Required Manual Updates:

  1. Update Dockerfile builder stage (line 78):

    FROM golang:1.26.2-bookworm@sha256:b6c3f6b2881231dda32428740ea934e556614756b76a6c23129c9d85c3af4630 AS builder

  2. Update Dockerfile base stage Go version (line 50):

    ARG GO_VERSION=1.26.2

  3. Update go.mod minimum version (line 3):

    go 1.26.2

  4. Update internal/sandbox/defaults/go/go.mod.tmpl (line 3):

    go 1.26.2

Testing After Updates:

  • Run full Docker build to ensure all stages complete successfully
  • Run E2E tests against the new Docker image to verify Go runtime behavior
  • Verify user-submitted Go code execution works correctly with the updated runtime

Security Priority: HIGH - The compiler memory safety fixes (CVE-2026-27143, CVE-2026-27144) are critical for a code execution sandbox service. The bound check elimination bug could potentially allow memory access beyond slice/array boundaries in compiled code, which is a serious concern for untrusted code execution.

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
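
A check for the drift the review above describes, where the mise.toml pin was bumped but the other Go version pins stayed behind. This is an added example, not code from the repository or from the review tool; `StalePins`, the patterns and the sample file contents are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"sort"
	"strings"
)

// pins maps a file's base name to the patterns that pin a Go version in it (group 1 = version).
var pins = map[string][]*regexp.Regexp{
	"mise.toml": {regexp.MustCompile(`(?m)^[ \t]*go[ \t]*=[ \t]*"([0-9.]+)"`)},
	"Dockerfile": {
		regexp.MustCompile(`(?m)^FROM[ \t]+golang:([0-9.]+)`),
		regexp.MustCompile(`(?m)^ARG[ \t]+GO_VERSION=([0-9.]+)`),
	},
	"go.mod":      {regexp.MustCompile(`(?m)^go[ \t]+([0-9.]+)[ \t]*$`)},
	"go.mod.tmpl": {regexp.MustCompile(`(?m)^go[ \t]+([0-9.]+)[ \t]*$`)},
}

// StalePins returns one sorted finding per pin whose version differs from want.
func StalePins(files map[string]string, want string) []string {
	var out []string
	for name, body := range files {
		for _, re := range pins[path.Base(name)] {
			for _, m := range re.FindAllStringSubmatch(body, -1) {
				if m[1] != want {
					out = append(out, fmt.Sprintf("%s: %q pins %s, want %s", name, strings.TrimSpace(m[0]), m[1], want))
				}
			}
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample mirroring the pin state the review describes; the digest is a placeholder.
var sample = map[string]string{
	"mise.toml":  "[tools]\ngo = \"1.26.2\"\n",
	"Dockerfile": "ARG GO_VERSION=1.26.0\nFROM golang:1.26.1-bookworm@sha256:<digest-placeholder> AS builder\n",
	"go.mod":     "module example.test/app\n\ngo 1.26.0\n",
	"internal/sandbox/defaults/go/go.mod.tmpl": "module sandbox\n\ngo 1.26.0\n",
}

func main() {
	fmt.Println(strings.Join(StalePins(sample, "1.26.2"), "\n"))
}
```

Run as a CI step with the real file contents read from disk, a non-empty result fails the build until every pin matches the version the dependency PR sets.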

  • renovate bot force-pushed the renovate/go-1.x branch 4 times, most recently from 6ecde59 to 6329d9b (March 17, 2026 11:51)
  • renovate bot force-pushed the renovate/go-1.x branch from 6329d9b to cf38248 (April 1, 2026 19:49)
  • renovate bot force-pushed the renovate/go-1.x branch from cf38248 to b5df75d (April 9, 2026 02:31)
  • renovate bot changed the title from "fix(deps): update dependency go to v1.26.1" to "fix(deps): update dependency go to v1.26.2" (Apr 9, 2026)
  • renovate bot force-pushed the renovate/go-1.x branch from b5df75d to ff425b2 (April 9, 2026 05:15)
  • renovate bot changed the title from "fix(deps): update dependency go to v1.26.2" to "fix(deps): update dependency go to v1.26.1" (Apr 9, 2026)
  • renovate bot changed the title from "fix(deps): update dependency go to v1.26.1" to "fix(deps): update dependency go to v1.26.2" (Apr 14, 2026)
  • renovate bot force-pushed the renovate/go-1.x branch 4 times, most recently from 5af281d to 8c84f87 (April 17, 2026 02:19)
  • renovate bot force-pushed the renovate/go-1.x branch from 8c84f87 to 7651e75 (April 17, 2026 03:17)
  • renovate bot changed the title from "fix(deps): update dependency go to v1.26.2" to "chore(deps): update dependency go to v1.26.2" (Apr 17, 2026)
  • renovate bot changed the title from "chore(deps): update dependency go to v1.26.2" to "chore(deps): update dependency go to v1.26.2 - autoclosed" (Apr 17, 2026)
  • renovate bot closed this (Apr 17, 2026)
  • renovate bot deleted the renovate/go-1.x branch (April 17, 2026 03:30)