
fix(deps): update dependency go to v1.26.1 #24

Open
renovate[bot] wants to merge 1 commit into main from renovate/go-1.x

Conversation

@renovate
Contributor

@renovate renovate bot commented Mar 10, 2026

This PR contains the following updates:

Package      Type    Update  Change
go (source)          patch   1.26.0 -> 1.26.1
go (source)  golang  patch   1.26.0 -> 1.26.1

Release Notes

golang/go (go)

v1.26.1


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.



This PR was generated by Mend Renovate. View the repository job log.

@github-actions

github-actions bot commented Mar 10, 2026

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Release Date: March 5, 2026

Type: Minor patch release (1.26.0 → 1.26.1)

Security Fixes (5 CVEs):

  • CVE-2026-27137 (crypto/x509): Incorrect enforcement of multiple full-email name constraints, allowing disallowed emails to pass certificate verification
  • CVE-2026-27138 (crypto/x509): Certificate verification panic when chain contains empty DNS name and excluded name constraints
  • CVE-2026-27142 (html/template): XSS vulnerability in URL actions within meta tag content attributes with http-equiv="refresh"
  • CVE-2026-25679 (net/url): Stricter URL parsing implementation to address parsing issues
  • CVE-2026-27139 (os): FileInfo from ReadDir/Readdir could reference files outside opened Root due to symlink path swapping

Bug Fixes:

  • go command improvements
  • go fix command corrections
  • Compiler enhancements
  • os package fixes
  • reflect package fixes

Breaking Changes: None identified. This is a backward-compatible patch release.

🎯 Impact Scope Investigation

Changed Files in PR:

  • Dockerfile: Updates ARG GO_VERSION from 1.26.0 to 1.26.1
  • go.mod: Updates Go toolchain version from 1.26.0 to 1.26.1
  • go.mod: Minor dependency reorganization (spf13/cobra moved from indirect to direct, no version change)
  • mise.toml: Already updated to 1.26.1 (current state)

Direct Usage of Affected Packages:

  • crypto/x509: ❌ Not directly imported in codebase
  • html/template: ❌ Not directly imported in codebase
  • net/url: ❌ Not directly imported in codebase
  • os: ✅ Used in 3 locations:
    • internal/sandbox/sandbox.go:83 - Uses os.Stat() for file existence checks (not ReadDir/Readdir, minimal CVE-2026-27139 risk)
    • cmd/gocacheprog/main.go:48 - Uses os.Stat() for cache directory validation
    • cmd/gocacheprog/main.go:135 - Uses os.Stat() for disk path checks

Dependency Impact:

  • All dependencies (github.com/labstack/echo/v5, github.com/spf13/cobra, etc.) will continue to work with Go 1.26.1
  • No breaking changes in Go 1.26.1 that would affect existing code
  • Standard library usage in codebase is minimal and uses basic filesystem operations only

Build/Runtime Impact:

  • Go 1.26.1 is already installed in the current environment (go version confirms go1.26.1)
  • Docker build will use the updated version for both the mise base stage and final runtime
  • Compiled Go code in sandbox will use Go 1.26.1 toolchain

💡 Recommended Actions

Immediate Actions:

  1. Merge this PR immediately - This is a critical security update with no breaking changes
  2. ✅ Rebuild and redeploy Docker containers to apply security fixes
  3. ✅ No code changes required - fully backward compatible

Post-Merge Validation (Optional but Recommended):

  1. Run existing test suite: go test ./...
  2. Run E2E tests: docker compose down && docker compose up --build -d && go test -tags e2e ./e2e/...
  3. Verify build: go build -o sandbox .

Why This is Safe:

  • Patch releases (x.y.Z) in Go maintain strict backward compatibility
  • No API changes or behavioral changes except security fixes
  • The codebase uses only basic os.Stat() calls, not the vulnerable ReadDir/Readdir operations with symlinks
  • No direct usage of the other three vulnerable packages (crypto/x509, html/template, net/url)
  • Security fixes only tighten security constraints without breaking existing valid use cases

Priority Level: HIGH - Contains 5 security fixes including XSS and certificate validation vulnerabilities

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
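The review above notes that the Go version is pinned in three places (the Dockerfile ARG, the go.mod toolchain line, and mise.toml) and that mise.toml had already moved to 1.26.1 before this PR touched the other two. A Renovate bump that lands in some of those files but not others is exactly the kind of drift a pre-merge check should catch, so here is one, as an added example that is not part of the PR, the repository, or the koki-develop/claude-renovate-review output. The three file bodies below are constructed samples modelled on the files the PR lists, not the repository's real contents, and the `ARG GO_VERSION` and `[tools] go = "..."` forms are assumed from the review's description of them. go.mod is taken as the reference because the go command enforces its toolchain directive (falling back to the go directive) at build time.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Constructed sample inputs modelled on the three files this PR touches
// (Dockerfile, go.mod, mise.toml). They are not the repository's real files.
const sampleDockerfile = `FROM alpine:3.21 AS base
ARG GO_VERSION=1.26.1
RUN echo "building with go ${GO_VERSION}"
`

const sampleGoMod = `module example.com/sandbox

go 1.26.0

toolchain go1.26.1

require github.com/spf13/cobra v1.9.1
`

const sampleMiseToml = `[tools]
go = "1.26.1"
node = "22"
`

// A Go release number: major.minor with an optional patch component.
const semver = `([0-9]+\.[0-9]+(?:\.[0-9]+)?)`

var (
	dockerArgRe   = regexp.MustCompile(`(?m)^ARG\s+GO_VERSION=` + semver + `\s*$`)
	goToolchainRe = regexp.MustCompile(`(?m)^toolchain\s+go` + semver + `\s*$`)
	goDirectiveRe = regexp.MustCompile(`(?m)^go\s+` + semver + `\s*$`)
	miseGoRe      = regexp.MustCompile(`(?m)^go\s*=\s*"` + semver + `"\s*$`)
)

// pinnedVersion returns the first version captured by re in text.
func pinnedVersion(re *regexp.Regexp, text string) (string, bool) {
	m := re.FindStringSubmatch(text)
	if m == nil {
		return "", false
	}
	return m[1], true
}

// GoModVersion returns the version the go command will actually use: the
// toolchain directive when present, otherwise the go directive.
func GoModVersion(goMod string) (string, bool) {
	if v, ok := pinnedVersion(goToolchainRe, goMod); ok {
		return v, true
	}
	return pinnedVersion(goDirectiveRe, goMod)
}

// ToolchainDrift compares the Go version pinned in the Dockerfile and
// mise.toml against go.mod and returns a sorted list of disagreements
// (empty when every pin matches). A file with no pin at all is an error
// rather than a silent pass, so a half-applied bump cannot hide.
func ToolchainDrift(dockerfile, goMod, miseToml string) (want string, drift []string, err error) {
	want, ok := GoModVersion(goMod)
	if !ok {
		return "", nil, fmt.Errorf("go.mod: no go or toolchain directive found")
	}
	pins := map[string]*regexp.Regexp{"Dockerfile": dockerArgRe, "mise.toml": miseGoRe}
	texts := map[string]string{"Dockerfile": dockerfile, "mise.toml": miseToml}
	for name, re := range pins {
		got, ok := pinnedVersion(re, texts[name])
		if !ok {
			return want, nil, fmt.Errorf("%s: no Go version pin found", name)
		}
		if got != want {
			drift = append(drift, fmt.Sprintf("%s pins %s, go.mod wants %s", name, got, want))
		}
	}
	sort.Strings(drift) // map iteration order is random; keep output stable
	return want, drift, nil
}

func main() {
	want, drift, err := ToolchainDrift(sampleDockerfile, sampleGoMod, sampleMiseToml)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(drift) == 0 {
		fmt.Printf("all pins agree on go%s\n", want)
		return
	}
	fmt.Printf("go.mod wants go%s; drift detected:\n", want)
	for _, d := range drift {
		fmt.Println("  -", d)
	}
}
```

Wired into CI with the real files read from disk (in place of the constants), a non-empty drift list or an error should fail the job, which turns the reviewer's "mise.toml already at 1.26.1" observation into an enforced invariant rather than something a human has to notice.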

@renovate renovate bot force-pushed the renovate/go-1.x branch 3 times, most recently from 00dbeeb to 6ecde59 on March 17, 2026 11:43
@renovate renovate bot force-pushed the renovate/go-1.x branch from 6ecde59 to 6329d9b on March 17, 2026 11:51
