
fix(deps): update dependency go to v1.26.4 #76

Open
renovate[bot] wants to merge 1 commit into main from renovate/go

Conversation

@renovate renovate Bot commented Jun 14, 2026
Contributor
This PR contains the following updates:

Package      Type    Update  Change
go (source)          patch   1.26.3 -> 1.26.4
go (source)  golang  patch   1.26.3 -> 1.26.4

Release Notes

golang/go (go)

v1.26.4


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions Bot commented Jun 14, 2026

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Go 1.26.4 (released June 2, 2026) is a minor patch release that includes important security fixes and bug fixes:

Security Fixes (3 CVEs)

  1. CVE-2026-27145 - crypto/x509: Quadratic hostname verification cost

    • The VerifyHostname function previously had O(n²) complexity when processing certificates with many DNS Subject Alternative Name (SAN) entries
    • Verification costs scaled quadratically with (number of SAN entries × hostname label count)
    • This overhead occurred even for untrusted certificates
  2. CVE-2026-42504 - mime: Quadratic complexity in WordDecoder.DecodeHeader

    • Maliciously-crafted MIME headers with many invalid encoded-words could consume excessive CPU
    • The MIME decoder now handles this case more efficiently
  3. CVE-2026-42507 - net/textproto: Arbitrary input included in errors without escaping

    • Functions in net/textproto included untrusted input in error messages without escaping
    • Could allow attackers to inject misleading content, terminal control bytes, etc. into victim's output or logs
    • Particularly relevant when parsing headers from external sources (e.g., net/http client uses ReadMIMEHeader when parsing server responses)

Bug Fixes (4 issues)

  • cmd/compile: Fixed SHL instruction overflow and miscompilation in AMD64 rewrite rules (#79191)
  • runtime/race: Fixed build failure on Amazon Linux 2 and arm64 (#79686)
  • cmd/fix: Fixed issue with slicescontains hoisting affecting side effect count (#79349)
  • crypto/internal/fips140/drbg: Backported CL 774221 (#79226)

🎯 Impact Scope Investigation

Direct Codebase Usage

The sandbox service does not directly use the three affected packages (crypto/x509, mime, net/textproto) in its source code. However:

  1. Indirect Dependency Chain: The service uses Echo v5.1.1 web framework, which depends on golang.org/x/net@v0.49.0. The Go standard library's net/http package (used by Echo) internally uses net/textproto for HTTP header parsing.

  2. Attack Surface: As an HTTP API service that:

    • Accepts POST requests at /v1/run (handler/handler.go:144)
    • Parses JSON request bodies with file content and stdin
    • Uses Echo's HTTP server infrastructure (cmd/serve.go:110-148)

    The service is indirectly vulnerable to CVE-2026-42507 if an attacker controls HTTP headers in responses from upstream services (though this is not the typical attack vector for this service).

  3. No Direct MIME/TLS Usage: The codebase does not:

    • Parse MIME headers directly (no mime.WordDecoder usage found)
    • Perform TLS certificate hostname verification (no crypto/x509.VerifyHostname calls found)
    • Handle email or MIME-encoded content

Files Modified by PR

The PR updates Go version references in 4 files:

  • Dockerfile (line 56): ARG GO_VERSION=1.26.3 -> ARG GO_VERSION=1.26.4 (runtime Go for sandbox)
  • go.mod (line 3): go 1.26.3 -> go 1.26.4 (module declaration)
  • internal/sandbox/defaults/go/go.mod.tmpl (line 3): Template for user-submitted Go code
  • mise.toml (line 2): Development tooling version

Known Issue

Note: The Dockerfile's builder stage at line 84 still references golang:1.26.3-bookworm and was NOT updated by Renovate. This appears to be causing E2E test failures (go mod download exits with code 1). This is a Renovate configuration issue, not a safety issue with the Go update itself. The builder image should also be updated to golang:1.26.4-bookworm or the digest should be updated.

💡 Recommended Actions

Immediate Actions Required

  1. Fix Dockerfile Builder Image: Update line 84 from golang:1.26.3-bookworm to golang:1.26.4-bookworm (or update the digest). This is likely why E2E tests are failing.

    FROM golang:1.26.4-bookworm@sha256:... AS builder
  2. Verify and Merge: Once the builder image is fixed, re-run E2E tests. The update itself is backward compatible with no breaking changes.

Why This is Safe to Merge

  • Patch Release: Go 1.26.4 is a patch release with full backward compatibility
  • Security Improvements: Fixes DoS vulnerabilities and information disclosure issues
  • No Breaking Changes: Zero API changes or behavioral modifications beyond security fixes
  • No Code Changes Required: The codebase does not require any modifications
  • Standard Library Only: All fixes are in the Go standard library; no external dependency updates needed
  • Compiler Bug Fix: Includes important AMD64 codegen fix that could affect correctness

Post-Merge Validation

  • Verify all E2E tests pass after builder image is updated
  • Confirm Docker build completes successfully for both amd64 and arm64 architectures
  • Monitor production logs for any unexpected behavior (unlikely given the nature of fixes)


Generated by koki-develop/claude-renovate-review
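The known issue above (the builder image left at 1.26.3 while every other pin moved to 1.26.4) is the kind of drift a pre-merge check catches. The following is an added example, not code from the repository or from either bot: a POSIX shell check that collects every Go version pin from the four files the PR touches and fails if they disagree. The file layout (Dockerfile ARG plus image tag, go.mod go directive, mise.toml [tools] entry) is assumed, and the sample files are constructed inline to mirror the PR's state.

```shell
#!/bin/sh
# Check that all Go version pins in a checkout agree, so a partially applied
# bump (like the builder image stuck at 1.26.3) fails before merge.
set -eu

# go_versions DIR: print each pinned Go version, tagged with where it came from.
# The file layout is an assumption, not taken from the repository.
go_versions() {
  dir=$1
  grep -ho 'GO_VERSION=[0-9.]*' "$dir/Dockerfile" | sed 's/^GO_VERSION=/Dockerfile ARG: /'
  grep -ho 'golang:[0-9.]*' "$dir/Dockerfile" | sed 's/^golang:/Dockerfile image: /'
  grep -h '^go ' "$dir/go.mod" | sed 's/^go /go.mod: /'
  grep -ho '^go *= *"[0-9.]*"' "$dir/mise.toml" | sed 's/^go *= *"\([0-9.]*\)"/mise.toml: \1/'
}

# distinct_go_versions DIR: print how many different versions are pinned.
distinct_go_versions() {
  go_versions "$1" | awk -F': ' '{print $2}' | sort -u | wc -l | tr -d ' '
}

# check_go_versions DIR: succeed only when exactly one version is pinned
# everywhere; otherwise list the pins on stderr and fail.
check_go_versions() {
  if [ "$(distinct_go_versions "$1")" -ne 1 ]; then
    echo "Go version pins diverge:" >&2
    go_versions "$1" >&2
    return 1
  fi
}

# make_sample: constructed checkout mirroring the PR (builder image not bumped).
make_sample() {
  d=$(mktemp -d)
  printf 'ARG GO_VERSION=1.26.4\nFROM golang:1.26.3-bookworm AS builder\n' > "$d/Dockerfile"
  printf 'module example\n\ngo 1.26.4\n' > "$d/go.mod"
  printf '[tools]\ngo = "1.26.4"\n' > "$d/mise.toml"
  echo "$d"
}

# fix_sample DIR: rewrite the Dockerfile with the builder image bumped too.
fix_sample() {
  printf 'ARG GO_VERSION=1.26.4\nFROM golang:1.26.4-bookworm AS builder\n' > "$1/Dockerfile"
}
```

Run `check_go_versions .` from the repository root in CI; it exits non-zero on the state described in the review and zero once the builder image is bumped as well.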

@renovate renovate Bot force-pushed the renovate/go branch 2 times, most recently from f2b7d97 to 70fbc5e Compare June 19, 2026 09:08
@renovate renovate Bot changed the title fix(deps): update go to v1.26.4 fix(deps): update go Jun 24, 2026
@renovate renovate Bot changed the title fix(deps): update go fix(deps): update dependency go to v1.26.4 Jun 25, 2026