From 69d1b8be6c3407f028cffbaf5abbffec2baefd75 Mon Sep 17 00:00:00 2001 From: Rein Krul Date: Fri, 10 Apr 2026 14:57:21 +0200 Subject: [PATCH 1/2] Upgrade Go to 1.26.2 to fix stdlib CVEs (GO-2026-4865/4866/4869/4870/4946) Co-Authored-By: Claude Sonnet 4.6 --- Dockerfile | 2 +- go.mod | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 5ce0e9125..8c49e7018 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # golang alpine -FROM golang:1.26.1-alpine AS builder +FROM golang:1.26.2-alpine AS builder ARG TARGETARCH ARG TARGETOS diff --git a/go.mod b/go.mod index e92cbaa8a..d95f89f02 100644 --- a/go.mod +++ b/go.mod @@ -2,7 +2,7 @@ module github.com/nuts-foundation/nuts-node // This is the minimal version, the actual go version is determined by the images in the Dockerfile // This version is used in automated tests such as the 'Scheduled govulncheck' action -go 1.26.1 +go 1.26.2 require ( github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0 From 4bc40170ac198de12d9d91a6f50c3835411a9d90 Mon Sep 17 00:00:00 2001 From: Rein Krul Date: Fri, 10 Apr 2026 15:41:32 +0200 Subject: [PATCH 2/2] docs: add v6.2.2 and v5.4.28/29/30 release notes to master --- docs/pages/release_notes.rst | 40 ++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/docs/pages/release_notes.rst b/docs/pages/release_notes.rst index b4bcede5f..c7ed78e7d 100644 --- a/docs/pages/release_notes.rst +++ b/docs/pages/release_notes.rst 
@@ -9,6 +9,16 @@ Unreleased ## New features * #4063: Enable ``storage.debug`` flag to log go-leia performance issues (full table scans, suboptimal index usage) by @reinkrul in https://github.com/nuts-foundation/nuts-node/pull/4064 +**************** +Peanut (v6.2.2) +**************** + +Release date: 2026-04-10 + +- Upgrade Go to 1.26.2 to fix GO-2026-4865 (html/template XSS), GO-2026-4866 (crypto/x509 auth bypass), GO-2026-4869 (archive/tar DoS), GO-2026-4870 (crypto/tls DoS), GO-2026-4946 (crypto/x509 DoS) + +**Full Changelog**: https://github.com/nuts-foundation/nuts-node/compare/v6.2.1...v6.2.2 + **************** Peanut (v6.2.1) **************** 
@@ -422,6 +432,36 @@ The following features have been deprecated: - Network v1 API, to be removed - VDR v1 API, replaced by VDR v2 +************************* +Hazelnut update (v5.4.30) +************************* + +Release date: 2026-04-10 + +- Upgrade Go to 1.26.2 to fix GO-2026-4865 (html/template XSS), GO-2026-4866 (crypto/x509 auth bypass), GO-2026-4869 (archive/tar DoS), GO-2026-4870 (crypto/tls DoS), GO-2026-4946 (crypto/x509 DoS) + +**Full Changelog**: https://github.com/nuts-foundation/nuts-node/compare/v5.4.29...v5.4.30 + +************************* +Hazelnut update (v5.4.29) +************************* + +Release date: 2026-04-10 + +- Fix node failing to start when syncing many transactions on a slow disk (e.g. SMB/Azure Files): concurrent read transactions were incorrectly blocked by pending write transactions at the Go level, causing read lock timeouts during startup. See `#4162 `_. + +**Full Changelog**: https://github.com/nuts-foundation/nuts-node/compare/v5.4.28...v5.4.29 + +************************* +Hazelnut update (v5.4.28) +************************* + +Release date: 2026-03-31 + +- Update grpc-go to fix https://pkg.go.dev/vuln/GO-2026-4762 + +**Full Changelog**: https://github.com/nuts-foundation/nuts-node/compare/v5.4.27...v5.4.28 + ************************* Hazelnut update (v5.4.27) *************************
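Review bot: in the Dockerfile hunk, the `FROM golang:1.26.2-alpine AS builder` line still selects the builder image by a mutable tag, so a rebuild of this security release is not guaranteed to use the same toolchain image that was tested. Consider pinning the digest alongside the tag, in the form `golang:1.26.2-alpine@sha256:<digest>`, and letting the dependency bot update both together.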
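Review bot: in the go.mod hunk, the `go 1.26.2` line is kept in step with the Dockerfile tag by hand, and the comment above it says the Dockerfile decides the real build version while this line drives the scheduled govulncheck run. If one of the two is missed in a later bump, govulncheck scans a different standard library than the one shipped. A CI step that fails when the Dockerfile `golang:` tag and the `go` directive disagree would catch that. Also worth stating in the commit message: since Go 1.21 the `go` line is a hard minimum, so this bump requires 1.26.2 or newer from anyone building from source.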
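Review bot: in the first release_notes.rst hunk, the v6.2.2 entry lists the five GO-2026 IDs as plain text and does not say which of them are reachable from nuts-node code, which is what an operator needs to decide how urgently to roll out. Suggest linking each ID to its pkg.go.dev/vuln page, as the v5.4.28 entry in this same patch does for GO-2026-4762, and adding a short line saying which findings govulncheck reported as called versus only present in the standard library.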
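Review bot: in the second release_notes.rst hunk, the v5.4.29 entry ends with "See `#4162 `_.", which as shown has no link target inside the backticks, so Sphinx will not render a working hyperlink. It should follow the RST form `#4162 <URL>`_ with the issue or pull request URL filled in. Separately, the v5.4.30 entry gives bare GO-2026 IDs while v5.4.28 gives a full pkg.go.dev/vuln URL; pick one style for the backported notes.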