
fix(deps): update go to v1.26.4 #76

Open
renovate[bot] wants to merge 1 commit into main from renovate/go

Conversation

@renovate (renovate Bot) commented Jun 14, 2026


This PR contains the following updates:

Package       Type     Update   Change
go (source)            patch    1.26.3 -> 1.26.4
go (source)   golang   patch    1.26.3 -> 1.26.4
golang        final    patch    1.26.3-bookworm -> 1.26.4-bookworm

Release Notes

golang/go (go)

v1.26.4


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions Bot commented Jun 14, 2026


Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Go 1.26.4 (released June 2, 2026) is a patch release that includes critical security fixes and bug fixes. This is a maintenance release with no breaking changes or new features.

Security Fixes (3 CVEs):

  • CVE-2026-42504 (mime package): Fixed quadratic complexity in WordDecoder.DecodeHeader that could lead to performance degradation or DoS attacks
  • CVE-2026-42507 (net/textproto package): Fixed issue where functions would include input as part of errors without escaping, allowing attackers to inject arbitrary content into errors/logs (injection vulnerability)
  • CVE-2026-27145 (crypto/x509 package): Fixed high-CPU VerifyHostname behavior where verification costs scaled quadratically with large DNS SAN lists, causing performance/DoS issues even for untrusted certificates

Bug Fixes:

  • Compiler: Fixed bug in rewrite rules for AMD64 causing SHL instruction overflow and miscompilation (#79191)
  • Runtime: Fixed change in race detector that led to failed builds on Amazon Linux 2 with arm64 (#79686)
  • go fix command: Fixed issue where slicescontains hoists needle expression, changing side effect count (#79349)
  • crypto/fips140 package: Backported fix from CL 774221 (#79226)

Backward Compatibility:

  • ✅ Fully backward compatible with Go 1.26.3
  • ✅ No API changes or breaking changes
  • ✅ Standard patch release following Go's stability guarantees

🎯 Impact Scope Investigation

Files Modified in PR:

  1. Dockerfile (2 changes):
    • Line 56: ARG GO_VERSION=1.26.4 (was 1.26.3)
    • Line 84: FROM golang:1.26.4-bookworm@sha256:5f68ec... with updated SHA256 digest
  2. go.mod: Updated go 1.26.4 directive (line 3)
  3. mise.toml: Updated go = "1.26.4" for local development tooling (line 2)
  4. internal/sandbox/defaults/go/go.mod.tmpl: Updated template for sandbox Go executions (line 3)

Codebase Analysis:

  • No direct usage of affected security packages (crypto/x509, mime, net/textproto) found in the codebase
  • Build test: Successfully compiled with Go 1.26.4 (11MB binary produced)
  • Unit tests: All tests pass with 100% success rate
  • Dependencies: All Go module dependencies are compatible (Echo v5, Cobra v1.10.2, testify v1.11.1, etc.)

Indirect Benefits:

  • While this codebase doesn't directly use the affected packages, dependencies like golang.org/x/net (v0.49.0) may internally use these standard library packages, so the security fixes provide defense-in-depth
  • The compiler and runtime bug fixes improve overall stability and correctness

Docker Image Impact:

  • The golang:1.26.4-bookworm base image includes all security patches
  • SHA256 digest update ensures reproducible builds with the correct patched version

💡 Recommended Actions

Immediate Actions:

  1. Merge this PR - This is a critical security patch release that should be applied promptly
  2. No code changes required - The update is fully backward compatible
  3. No configuration changes needed - All existing configurations remain valid

Post-Merge Verification:

  1. Run the standard test suite to confirm everything works as expected:
    go test ./...
    go test -tags e2e ./e2e/...
  2. Rebuild Docker image and verify the sandbox service functions correctly:
    docker compose down && docker compose up --build -d

Risk Assessment:

  • Merge Risk: ⬇️ Very Low - Patch releases are designed for minimal risk
  • Security Risk of NOT Merging: ⬆️ Medium - Three CVEs remain unpatched, including injection and DoS vulnerabilities
  • Breaking Change Risk: ✅ None - Full backward compatibility guaranteed

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
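The "no direct usage of affected security packages" line in the Codebase Analysis above is the kind of claim worth reproducing locally before merging. The program below is an added example, not code from this PR or from the review bot; it parses only the import declarations of every .go file under a root (skipping vendor/ and .git/, an assumption about the tree layout) and reports direct imports of the three packages named in the release notes.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"os"
	"path/filepath"
	"strings"
)

var affectedPkgs = map[string]bool{"crypto/x509": true, "mime": true, "net/textproto": true} // std packages fixed in Go 1.26.4

// FindAffectedImports returns, per affected package, the files (relative to root) that import it directly.
func FindAffectedImports(root string) (map[string][]string, error) {
	hits := map[string][]string{}
	fset := token.NewFileSet()
	err := filepath.WalkDir(root, func(path string, d os.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() && (d.Name() == "vendor" || d.Name() == ".git") {
			return filepath.SkipDir // vendored code is not "direct usage" by this module
		}
		if d.IsDir() || !strings.HasSuffix(path, ".go") {
			return nil
		}
		f, perr := parser.ParseFile(fset, path, nil, parser.ImportsOnly) // stop after the import block
		if perr != nil {
			return perr
		}
		for _, imp := range f.Imports {
			if p := strings.Trim(imp.Path.Value, `"`); affectedPkgs[p] {
				rel, _ := filepath.Rel(root, path)
				hits[p] = append(hits[p], rel)
			}
		}
		return nil
	})
	return hits, err
}

func main() {
	hits, err := FindAffectedImports(".")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Println(hits) // empty map means no direct imports were found
}
```

This finds direct imports only; transitive use through dependencies such as golang.org/x/net (the "Indirect Benefits" point above) shows up in `go list -deps ./...`, which lists every package that ends up in the build.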
