fix(deps): update dependency go to v1.26.1 #24

Open
renovate[bot] wants to merge 1 commit into main from renovate/go-1.x


@renovate renovate bot commented Mar 10, 2026

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| go (source) | patch | 1.26.0 → 1.26.1 |

Release Notes

golang/go (go)

v1.26.1


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

Renovate PR Review Results

⚖️ Safety Assessment: ⚠️ Needs Manual Migration

🔍 Release Content Analysis

Go 1.26.1 is a patch release published on March 5, 2026 that includes important security fixes and bug fixes. This is a minor revision to the Go 1.26 major release (released February 10, 2026).

Security Fixes (5 CVEs):

  1. CVE-2026-27137 (crypto/x509): Certificate verification does not properly apply multiple email address constraints that share common local portions but different domain portions. Only the last constraint is considered, potentially allowing improperly constrained certificates to be verified.

  2. CVE-2026-27138 (crypto/x509): Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate has excluded name constraints. This can crash programs verifying X.509 certificate chains or using TLS. This issue only affects Go 1.26.

  3. CVE-2026-25679 (net/url): net/url.Parse insufficiently validated the host/authority component, accepting invalid URLs by treating garbage before an IP-literal as ignorable. Now rejects IPv6 literals that don't appear at the start of the host subcomponent.

  4. CVE-2026-27142 (html/template): Security fix (specific details not publicly disclosed yet).

  5. CVE-2026-27139 (os): Security fix (specific details not publicly disclosed yet).

Bug Fixes:

  • The go command
  • The go fix command
  • The compiler
  • The os package
  • The reflect package

Backward Compatibility:
As a patch release (1.26.0 → 1.26.1), this update maintains backward compatibility with the Go 1 compatibility promise. No breaking changes are expected.

🎯 Impact Scope Investigation

Current State Analysis:

The codebase currently has a version mismatch:

  • mise.toml: Already specifies Go 1.26.1 (line 2)
  • Dockerfile: Currently specifies Go 1.26.0 (line 48) ← This PR fixes this
  • go.mod: Specifies go 1.26.0 (line 3) ← Needs manual update
  • CLAUDE.md: Documents Go 1.26.0 (line 11) ← Needs manual update

Runtime Configuration Impact:

The Go runtime is hardcoded in internal/sandbox/runtime.go at four locations:

  • Line 342: /mise/installs/go/1.26.0/bin/go in CompileCommand()
  • Line 347: /mise/installs/go/1.26.0 in CompileBindMounts() (source path)
  • Line 347: /mise/installs/go/1.26.0 in CompileBindMounts() (destination path)
  • Line 356: /mise/installs/go/1.26.0/bin in CompileEnv() PATH
  • Line 357: GOROOT=/mise/installs/go/1.26.0 in CompileEnv()

These hardcoded paths must be updated to 1.26.1 to match the Docker image that will be built with Go 1.26.1.

Template Files:

  • internal/sandbox/defaults/go/go.mod.tmpl: Uses go 1.26 (major.minor only), which is compatible with both 1.26.0 and 1.26.1. No change needed.

Test Files:

  • e2e/tests/runtime/go.yml: Uses go 1.26 (major.minor only). No change needed.

Build & Deployment Impact:

  • The Dockerfile change will trigger a new Docker image build with Go 1.26.1 installed via mise
  • This affects the sandbox's Go runtime compilation and execution environment
  • The pre-built Go stdlib cache (/mise/go-cache) will be rebuilt with 1.26.1 during Docker build

Dependency Impact:

  • No changes to Go module dependencies
  • No API changes affecting the codebase's usage of standard library packages
  • The security fixes are internal to the affected packages

💡 Recommended Actions

Required Changes (Before Merging):

  1. Update internal/sandbox/runtime.go (5 occurrences):

    • Line 342: Change /mise/installs/go/1.26.0/bin/go → /mise/installs/go/1.26.1/bin/go
    • Line 347: Change both occurrences of /mise/installs/go/1.26.0 → /mise/installs/go/1.26.1
    • Line 356: Change /mise/installs/go/1.26.0/bin → /mise/installs/go/1.26.1/bin
    • Line 357: Change GOROOT=/mise/installs/go/1.26.0 → GOROOT=/mise/installs/go/1.26.1
  2. Update go.mod:

    • Line 3: Change go 1.26.0 → go 1.26.1
  3. Update CLAUDE.md:

    • Line 11: Change "1.26.0" → "1.26.1" in the documentation

Testing Requirements:

  1. Run full test suite after updates: go test ./...
  2. Run E2E tests with Docker Compose: docker compose down && docker compose up --build -d && go test -tags e2e ./e2e/...
  3. Verify Go sandbox execution works correctly with the new version
  4. Confirm the pre-built stdlib cache is correctly populated during Docker build

Merge Strategy:

This PR should NOT be merged as-is. The Dockerfile change is necessary but incomplete. Recommend:

  1. Add commits to this PR (or create a follow-up commit) updating the files listed above
  2. Ensure all CI checks pass (Build, Lint, Unit Test, E2E Tests)
  3. Merge once all version references are consistent

Security Considerations:

Given that this release includes 5 security fixes (including critical crypto/x509 and net/url vulnerabilities), this update should be prioritized. The security fixes address:

  • Certificate verification vulnerabilities that could allow improperly constrained certificates
  • Panic conditions in TLS certificate validation (unique to Go 1.26)
  • URL parsing vulnerabilities accepting invalid URLs

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
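A check for the version drift the review above describes, as an added example that is not part of this PR or of either bot's output: it scans file contents for full Go patch versions and reports every reference that differs from the target. The `VersionDrift` function, the regular expression and the sample file contents are assumptions made for illustration; only the file paths and version strings come from the review.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// goVersionRef matches a full major.minor.patch Go version in the forms the
// review lists: "go 1.26.0" (go.mod), "/go/1.26.0" (mise install paths),
// "go@1.26.0", "golang:1.26.0" and `go = "1.26.0"`. The exact syntax of each
// file is an assumption. Two-part versions such as "go 1.26" do not match.
var goVersionRef = regexp.MustCompile(
	`(?i)\bgo(?:lang)?(?:\s+|[@/:]|\s*=\s*"?)?(\d+\.\d+\.\d+)\b`)

// VersionDrift returns one sorted "file:line: found X, want Y" entry for every
// Go version reference in files (path -> content) that differs from want.
func VersionDrift(want string, files map[string]string) []string {
	var drift []string
	for name, body := range files {
		for i, line := range strings.Split(body, "\n") {
			for _, m := range goVersionRef.FindAllStringSubmatch(line, -1) {
				if m[1] != want {
					drift = append(drift,
						fmt.Sprintf("%s:%d: found %s, want %s", name, i+1, m[1], want))
				}
			}
		}
	}
	sort.Strings(drift)
	return drift
}

// sampleFiles is constructed input; only the paths and version strings come
// from the review above, the surrounding file contents are made up.
var sampleFiles = map[string]string{
	"mise.toml": "[tools]\ngo = \"1.26.1\"\n",
	"go.mod":    "module example.test/sandbox\n\ngo 1.26.0\n\nrequire example.test/go v1.2.3\n",
	"internal/sandbox/runtime.go": "bind := \"/mise/installs/go/1.26.0:/mise/installs/go/1.26.0\"\n" +
		"env := \"GOROOT=/mise/installs/go/1.26.0\"\n",
	"internal/sandbox/defaults/go/go.mod.tmpl": "module sandbox\n\ngo 1.26\n",
}

func main() {
	for _, d := range VersionDrift("1.26.1", sampleFiles) {
		fmt.Println(d)
	}
}
```

Run as a CI step over the real files, a non-empty result is the signal that the toolchain version in the image and the paths the sandbox uses have diverged.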
