From dffc895da72a40fc11952d851ce01e3ef10116f1 Mon Sep 17 00:00:00 2001
From: Damien Degois
Date: Wed, 20 May 2026 20:10:24 +0200
Subject: [PATCH] chore(deps): bump Go to 1.26.3
Patches stdlib CVEs reachable from current code:
- GO-2026-4982, GO-2026-4980: html/template escaper bypass XSS (renderConsent in handlers/consent.go)
- GO-2026-4976: net/http/httputil ReverseProxy query-param forwarding
- GO-2026-4971: net Dial NUL-byte panic (Windows)
- GO-2026-4918: net/http HTTP/2 SETTINGS_MAX_FRAME_SIZE infinite loop
Dockerfile builder digest refreshed to a 1.26-alpine image that resolves to 1.26.3.
---
 Dockerfile | 2 +-
 go.mod | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 80eed12..dc7e6e1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 # Base images pinned by digest for supply-chain reproducibility.
 # Bump deliberately — the human-readable tag in the comment after `#`
 # is for review context, only the @sha256 selects the image.
-FROM golang:1.26-alpine@sha256:f85330846cde1e57ca9ec309382da3b8e6ae3ab943d2739500e08c86393a21b1 AS builder
+FROM golang:1.26-alpine@sha256:91eda9776261207ea25fd06b5b7fed8d397dd2c0a283e77f2ab6e91bfa71079d AS builder
 ARG VERSION="v0.0.0"
 ARG COMMIT_HASH="00000000-dirty"
diff --git a/go.mod b/go.mod
index 41db6b3..c756ea0 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/babs/mcp-auth-proxy
-go 1.26.2
+go 1.26.3
 require (
 github.com/alicebob/miniredis/v2 v2.37.0
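Review bot: The new `FROM` line in the Dockerfile hunk still carries the floating tag `golang:1.26-alpine`, so nothing in the diff lets a reviewer confirm that the refreshed digest really is the 1.26.3 toolchain that the commit message and the `go 1.26.3` line in go.mod rely on for the listed stdlib fixes. Consider recording the patch level in the reference itself, `FROM golang:1.26.3-alpine@sha256:91eda9776261207ea25fd06b5b7fed8d397dd2c0a283e77f2ab6e91bfa71079d AS builder`, after checking the digest against the registry (for example with `docker buildx imagetools inspect`); the digest still selects the image, the tag only documents it. The header comment also speaks of a tag "in the comment after `#`", which this line does not have, so either the comment or the line should be brought into agreement. The builder stage continues past the end of the hunk, so any later stage's pin is not visible here.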