chore(deps): update dependency go to v1.26.1

[renovate]

This PR contains the following updates:

Package	Update	Change
go	patch	1.26.0 → 1.26.1

---

Release Notes

golang/go (go)

v1.26.1

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Go 1.26.1 (released March 5, 2026) is a minor patch release containing:

Security Fixes:

• CVE-2026-27138, CVE-2026-27137, CVE-2026-27142, CVE-2026-25679: Security vulnerabilities in the following packages:
  • crypto/x509: Certificate handling security fixes
  • html/template: Template injection prevention
  • net/url: URL parsing security improvements
  • os: FileInfo escape from Root prevention

Bug Fixes:

• go command: Default go directive handling restoration
• go fix command: Multiple modernization pass fixes (stringsbuilder, stringscut, rangeint, minmax/waitgroup, reflect.TypeOf)
• Compiler: Register allocation errors with generic functions, SSA lowering issues, codegen improvements
• os package: RemoveAll Windows regression fix
• reflect package: Value.Interface behavior correction
• Platform-specific: CGO pkg-config regression fix, illumos external linkmode fix

Breaking Changes: None. This is a backward-compatible patch release focused on bug fixes and security improvements.

🎯 Impact Scope Investigation

Direct Impact Areas:

1. mise.toml (line 2): Updates Go toolchain from 1.26.0 → 1.26.1
2. Dockerfile (line 41-42): Uses Go 1.26.0 via mise for runtime installation
3. go.mod (line 3): Specifies minimum Go version as 1.26.0
4. CI Workflow (.github/workflows/ci.yml): Uses mise-action which reads mise.toml for Go version

Codebase Analysis:

• Security-sensitive packages in use: os package is extensively used throughout the codebase (internal/sandbox/execution.go, handler.go, sandbox.go)
• No usage detected: crypto/x509, html/template, net/url are not directly imported in the project
• Compiler fixes: The project uses standard Go features (generics, reflect) that benefit from the compiler bug fixes
• Runtime compatibility: All code uses standard library features compatible with both 1.26.0 and 1.26.1

Dependency Impact:

• No changes to go.mod or go.sum required - this is a toolchain-only update
• The project's minimum Go requirement (go.mod: go 1.26.0) remains satisfied
• Pre-installed Go packages in Docker remain compatible (golang.org/x/text)

Testing Coverage:

• E2E tests (e2e/tests/runtime/go.yml) exercise Go runtime compilation and execution
• Unit tests cover sandbox execution, handler logic, and middleware
• Test cases reference go 1.26 in templates (internal/sandbox/defaults/go/go.mod.tmpl)

💡 Recommended Actions

Immediate Actions:

1. ✅ Merge this PR - The update is safe and brings important security fixes
2. ✅ No code changes required - Full backward compatibility maintained
3. ✅ No configuration changes required - Only mise.toml is updated

Post-Merge Verification:

1. Run CI pipeline to verify all tests pass with Go 1.26.1
2. Verify Docker build completes successfully with new Go version
3. Run E2E test suite to confirm Go runtime execution remains functional

Optional Follow-up:

• Consider updating Dockerfile line 41-42 to reference 1.26.1 explicitly for documentation clarity (mise will use 1.26.1 automatically after this PR merges)

🔗 Reference Links

• Go 1.26 Release Notes
• Go 1.26 Release Announcement
• Go 1.26.1 Milestone on GitHub
• Go Release History
• Security Fixes Overview

Generated by koki-develop/claude-renovate-review