Skip to content

fix(deps): update go to v1.26.4#76

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/go
Open

fix(deps): update go to v1.26.4#76
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/go

Conversation

@renovate

@renovate renovate Bot commented Jun 14, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
go (source) patch 1.26.31.26.4
go (source) golang patch 1.26.31.26.4
golang final patch 1.26.3-bookworm1.26.4-bookworm

Release Notes

golang/go (go)

v1.26.4


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

github-actions Bot commented Jun 14, 2026

Copy link
Copy Markdown

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Go 1.26.4 (released June 2, 2026) is a patch release that includes critical security fixes and bug fixes with full backward compatibility:

Security Fixes (3 CVEs)

  1. CVE-2026-42504 (mime package) - Quadratic complexity in WordDecoder.DecodeHeader

    • Maliciously-crafted MIME headers with many invalid encoded-words could cause excessive CPU consumption
    • Impact: DoS vulnerability in MIME header parsing
  2. CVE-2026-42507 (net/textproto package) - Arbitrary input included in errors without escaping

    • Error messages included unescaped user-controlled input
    • Impact: Attackers could inject misleading content, terminal control bytes, or manipulate logs
    • Critical for services handling external input (HTTP servers)
  3. CVE-2026-27145 (crypto/x509 package) - Quadratic hostname verification cost

    • Large DNS SAN lists caused verification costs to scale quadratically (SAN entries × hostname labels)
    • Impact: Performance degradation even for untrusted certificates (occurs before chain building)

Bug Fixes

  • Compiler: AMD64 SHL instruction overflow in rewrite rules (issue #79191)
  • Runtime: Race detector build failure on Amazon Linux 2 arm64 (issue #79686)
  • cmd/fix: Fixed unintended side-effect changes in slices.Contains transformations (issue #79349)
  • crypto/fips140: Backported FIPS 140 compliance improvements (issue #79226)

🎯 Impact Scope Investigation

Affected Packages in Dependency Tree

The security-patched packages are present in the project's dependency tree:

  • crypto/x509 and crypto/x509/pkix - Used indirectly by Echo framework and HTTP client libraries
  • mime and mime/multipart - Used by Echo v5 for HTTP request parsing
  • net/textproto and mime/quotedprintable - Used by Echo v5 for HTTP protocol handling

Direct Code Impact

  • No direct imports of affected packages in application code
  • Indirect usage through github.com/labstack/echo/v5 (HTTP framework)
  • Since this is an HTTP API service handling external requests, the security fixes are highly relevant

Files Modified by PR

  1. Dockerfile (2 locations)

    • ARG GO_VERSION=1.26.31.26.4
    • FROM golang:1.26.3-bookwormgolang:1.26.4-bookworm with updated SHA256
  2. go.mod

    • go 1.26.3go 1.26.4
  3. mise.toml

    • go = "1.26.3""1.26.4"
  4. internal/sandbox/defaults/go/go.mod.tmpl

    • Template used for sandbox Go runtime: go 1.26.3go 1.26.4

Verification Results

Build successful - Project compiles without errors with Go 1.26.4
All unit tests pass - No test failures across all packages
Module verification passes - go mod verify confirms integrity
No breaking changes - Patch release maintains full API compatibility

💡 Recommended Actions

Immediate Actions

  1. Merge this PR immediately - Contains critical security fixes for production HTTP service
  2. No code changes required - This is a drop-in replacement with full backward compatibility
  3. Rebuild Docker images - Ensure deployment uses patched Go runtime

Why This is Important

  • CVE-2026-42507 is particularly critical for this codebase because:

    • This service exposes an HTTP API (POST /v1/run) using Echo v5
    • Echo uses net/textproto for HTTP protocol handling
    • External users can send arbitrary input that could appear in error messages
    • Without this patch, attackers could inject malicious content into logs/responses
  • CVE-2026-42504 affects MIME parsing which Echo may use for multipart requests

  • CVE-2026-27145 affects TLS certificate verification if the service makes HTTPS calls

Post-Merge Validation

  1. Run full E2E test suite: go test -tags e2e ./e2e/... (requires Docker Compose)
  2. Verify Docker build completes: docker compose up --build
  3. Monitor service logs for any unexpected behavior

🔗 Reference Links

Generated by koki-develop/claude-renovate-review

@renovate renovate Bot force-pushed the renovate/go branch 2 times, most recently from f2b7d97 to 70fbc5e Compare June 19, 2026 09:08
@renovate renovate Bot changed the title fix(deps): update go to v1.26.4 fix(deps): update go Jun 24, 2026
@renovate renovate Bot changed the title fix(deps): update go fix(deps): update dependency go to v1.26.4 Jun 25, 2026
@renovate renovate Bot changed the title fix(deps): update dependency go to v1.26.4 fix(deps): update go to v1.26.4 Jul 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants