
fix(deps): update go to v1.26.3 #70

Merged: koki-develop merged 1 commit into main from renovate/go, May 30, 2026

@renovate renovate Bot (Contributor) commented May 30, 2026

This PR contains the following updates:

Package | Type | Update | Change
go (source) | | patch | 1.26.2 → 1.26.3
go (source) | golang | patch | 1.26.2 → 1.26.3
golang | final | patch | 1.26.2-bookworm → 1.26.3-bookworm

Release Notes

golang/go (go)

v1.26.3


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Go 1.26.3 is a patch release focusing on security fixes and bug corrections. Released on May 7, 2026, this update addresses multiple critical vulnerabilities:

Security Fixes (11 CVEs):

  • CVE-2026-42501, CVE-2026-27142, CVE-2026-39836: Critical security vulnerabilities
  • html/template: XSS vulnerability with script tag escaper bypass (#79032, #79025)
  • net/mail: Quadratic complexity vulnerability in email parsing (#78568, #79004)
  • net/http: HTTP/2 infinite loop with invalid frame size (#78478)
  • net/http/httputil: ReverseProxy query parameter handling vulnerability (#78986)
  • syscall: Memory safety issue with cgo pointers in DNS responses (#78813)
  • go command: Predictable temporary filenames in go bug command (#78588)
  • pack tool: Path sanitization vulnerability (#78791)

Bug Fixes:

  • Compiler: Crash with extreme loop iteration values (#78676), incorrect loop trip count (#78375), generic struct method devirtualization panic (#78409)
  • Linker: Gold linker requirement on ARM64 (#78406)
  • Runtime: Wasm memory usage regression (#78354), generic append type parameter panic (#78198), benchmark loop optimization regression (#78155)
  • crypto/fips140: Alias updates (#78984), X25519MLKEM768 curve configuration (#78372)
  • crypto/tls: Bug fixes (standard library improvements)
  • go/types: Type system improvements
  • os: File removal error exposure on Unix systems (#78867)
  • Testing: Coverage cache staleness with -coverpkg flag (#78583), coverage tool discovery with toolchain switching (#78412)

🎯 Impact Scope Investigation

Modified Files (4):

  1. Dockerfile - Updates Go version from 1.26.2 to 1.26.3 in both mise installation and builder base image
  2. go.mod - Updates Go directive from 1.26.2 to 1.26.3
  3. internal/sandbox/defaults/go/go.mod.tmpl - Updates Go directive in template for user-submitted Go code
  4. mise.toml - Updates Go version for development tooling

Package Usage Analysis:

The codebase directly uses several packages that received security fixes:

  • net/http: Used extensively in cmd/serve.go, internal/handler/, internal/middleware/, and e2e/ for the HTTP server and testing
  • syscall: Used in internal/sandbox/sandbox.go and internal/sandbox/signal_test.go for process management
  • html/template: NOT used in the codebase
  • net/mail: NOT used in the codebase
  • net/http/httputil: NOT used directly (ReverseProxy not found)

Dependency Impact:

  • No breaking API changes in this patch release
  • All dependencies in go.mod remain compatible (Echo v5, Cobra, testify, etc.)
  • The update only changes the Go directive; no code modifications required

Runtime Impact:

  • The sandbox executes user-submitted Go code using Go 1.26.3 (via go.mod.tmpl)
  • Security improvements in the go command and pack tool enhance sandbox security
  • Compiler and runtime bug fixes improve stability for Go runtime execution

💡 Recommended Actions

Immediate Actions:

  1. Merge this PR - This is a backward-compatible patch release with critical security fixes
  2. No code changes required - All changes are version bumps in configuration files
  3. CI validation - Wait for pending CI checks (Build, Lint, Unit Test, E2E Test) to pass before merging

Post-Merge Verification:

  1. Monitor the E2E tests to ensure Go runtime execution remains stable
  2. Verify that user-submitted Go code compiles and runs correctly with 1.26.3
  3. Check that the Docker image builds successfully with the updated golang:1.26.3-bookworm base image

Security Benefits:

  • Eliminates 11 security vulnerabilities affecting the go command, pack tool, net/http, syscall, and net/mail
  • Improves sandbox security through fixes in the Go toolchain itself
  • Addresses HTTP/2 denial-of-service vulnerability (#78478)
  • Fixes memory safety issues in DNS handling (#78813)

No Migration Required:

  • Go 1.26.2 → 1.26.3 maintains full backward compatibility
  • No API changes, deprecations, or breaking changes
  • Existing code continues to work without modification

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
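
The package-usage check described in the review above can be reproduced mechanically. This is an added example, not code from the PR, the repository or the review tool: it parses Go import clauses and reports which of the listed packages are imported directly. The sample file contents and the file name `internal/handler/run.go` are constructed.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"slices"
	"strconv"
)

// Standard-library packages the review comment lists as receiving security fixes.
var patched = []string{"html/template", "net/http", "net/http/httputil", "net/mail", "syscall"}

// patchedImports returns, per patched package, the sorted files that import it directly.
func patchedImports(files map[string]string) (map[string][]string, error) {
	fset, hits := token.NewFileSet(), map[string][]string{}
	for name, src := range files {
		// ImportsOnly stops after the import block, so function bodies are never parsed.
		f, err := parser.ParseFile(fset, name, src, parser.ImportsOnly)
		if err != nil {
			return nil, fmt.Errorf("parse %s: %w", name, err)
		}
		for _, imp := range f.Imports {
			// The path is a quoted literal; an alias or dot-import does not change it.
			if path, err := strconv.Unquote(imp.Path.Value); err == nil && slices.Contains(patched, path) {
				hits[path] = append(hits[path], name)
			}
		}
	}
	for _, names := range hits {
		slices.Sort(names)
	}
	return hits, nil
}

// Constructed sample: directory names echo the review, file contents are invented.
var sample = map[string]string{
	"cmd/serve.go":                "package cmd\nimport (\n\t\"net/http\"\n\t\"os\"\n)\n",
	"internal/handler/run.go":     "package handler\nimport h \"net/http\"\n",
	"internal/sandbox/sandbox.go": "package sandbox\nimport \"syscall\"\n",
}

func main() {
	hits, err := patchedImports(sample)
	if err != nil {
		panic(err)
	}
	for _, p := range patched {
		fmt.Printf("%-18s %v\n", p, hits[p])
	}
}
```

This sees direct imports only; use of a patched package through a dependency does not appear here and needs call-graph analysis such as `govulncheck`.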

@koki-develop koki-develop merged commit e61371c into main May 30, 2026
10 checks passed
@koki-develop koki-develop deleted the renovate/go branch May 30, 2026 00:59