fix(deps): update go to v1.26.4 #76

Open: renovate[bot] wants to merge 1 commit into main from renovate/go

renovate[bot] (Contributor) commented Jun 14, 2026

This PR contains the following updates:

Package | Type | Update | Change
go (source) | | patch | 1.26.3 → 1.26.4
go (source) | golang | patch | 1.26.3 → 1.26.4

Release Notes

golang/go (go)

v1.26.4


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Release Date: June 2, 2026 (Go 1.26.4 patch release)

Security Fixes (3 CVEs):

  • CVE-2026-42504 (mime package): Fixed quadratic complexity in WordDecoder.DecodeHeader when decoding maliciously-crafted MIME headers with many invalid encoded-words, which could cause excessive CPU consumption
  • CVE-2026-42507 (net/textproto package): Fixed ReadMIMEHeader error handling that allowed attackers to inject arbitrary content (including terminal control bytes) into error messages, potentially misleading users or poisoning logs
  • crypto/x509 package: Fixed high-CPU VerifyHostname behavior caused by repeated hostname splitting that executed strings.Split(host, ".") in a loop over all DNS Subject Alternative Name entries

Bug Fixes (4 issues):

  • runtime/race: Fixed build failure on Amazon Linux 2 and arm64 platforms
  • cmd/fix: Fixed slicescontains rewrite rule that incorrectly hoisted needle expressions, changing side effect count
  • crypto/internal/fips140/drbg: Backported critical fix from CL 774221
  • cmd/compile: Fixed AMD64 rewrite rule bug causing SHL instruction overflow and miscompilation (release-blocker severity)

Breaking Changes: None - This is a patch release maintaining full backward compatibility with Go 1.26.x

🎯 Impact Scope Investigation

Direct Usage:

  • The codebase does NOT directly import crypto/x509, net/textproto, or mime packages
  • Main Go source files use: net/http, encoding/base64, encoding/json, standard library packages

Indirect/Transitive Dependencies:

  • Echo framework v5.1.1 (HTTP router) uses mime/multipart and net/http
  • net/http standard library package transitively depends on net/textproto
  • This means the security fixes in net/textproto and mime do apply to this codebase through HTTP request handling

Files Modified by This PR:

  1. Dockerfile - Updates GO_VERSION build arg from 1.26.3 to 1.26.4
  2. go.mod - Updates Go directive from 1.26.3 to 1.26.4
  3. mise.toml - Updates mise tool version from 1.26.3 to 1.26.4
  4. internal/sandbox/defaults/go/go.mod.tmpl - Updates template Go directive from 1.26.3 to 1.26.4

Compatibility Analysis:

  • No API changes between 1.26.3 and 1.26.4 (patch release)
  • No new language features or breaking changes
  • All changes are internal performance/security improvements
  • Existing code requires zero modifications

CI/Build Impact:

  • Current CI shows all tests pending (normal for new PR)
  • Socket Security checks passed
  • Renovate stability-days requirement met
  • Environment already running Go 1.26.4 (go version confirms)

💡 Recommended Actions

Immediate Action:

  • Approve and merge - This is a security patch release with zero breaking changes

No Code Changes Required:

  • All security fixes are internal to the Go standard library
  • No API modifications needed in application code
  • Backward compatibility fully maintained

Verification Steps (optional):

# After merge, verify the update worked
go version                    # Should show go1.26.4
go mod verify                 # Verify module checksums
go test ./...                 # Run unit tests
go test -tags e2e ./e2e/...  # Run E2E tests

Why This is Safe:

  1. Patch releases (1.26.3 → 1.26.4) follow Go's strict compatibility promise
  2. Changes only fix bugs and security issues without altering APIs
  3. Three security vulnerabilities are resolved, improving security posture
  4. Compiler bug fix prevents potential miscompilation on AMD64
  5. The project's HTTP handler benefits from the net/textproto security fix through Echo framework

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
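
The net/textproto issue summarized in the review above concerns untrusted bytes reaching error messages and logs. As a defense-in-depth measure that does not depend on the Go version, this added example (not code from this repository or from the Go project) escapes control bytes before an error string is logged; `SanitizeForLog`, `maxLogField` and the sample error text are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// maxLogField caps how much untrusted text reaches one log field (assumed limit).
const maxLogField = 256

// SanitizeForLog is a hypothetical helper: it rewrites control bytes and
// invalid UTF-8 as visible escapes so the result stays on one log line and
// cannot drive a terminal.
func SanitizeForLog(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); {
		if b.Len() >= maxLogField {
			b.WriteString("...[truncated]")
			break
		}
		r, size := utf8.DecodeRuneInString(s[i:])
		switch {
		case r == utf8.RuneError && size == 1:
			fmt.Fprintf(&b, `\x%02x`, s[i]) // invalid UTF-8 byte
		case r < 0x20 || r == 0x7f:
			fmt.Fprintf(&b, `\x%02x`, r) // C0 controls (CR, LF, ESC, ...) and DEL
		case r >= 0x80 && r <= 0x9f:
			fmt.Fprintf(&b, `\u%04x`, r) // C1 controls such as 8-bit CSI
		case r == '\\':
			b.WriteString(`\\`) // keep the escaping unambiguous
		default:
			b.WriteRune(r)
		}
		i += size
	}
	return b.String()
}

// sampleErr is constructed for this example: a parser-style error that echoes
// an untrusted header line containing CRLF and an ANSI escape sequence.
func sampleErr() error {
	line := "X-Test: a\r\n2026-06-14 INFO login ok user=admin\x1b[2K"
	return fmt.Errorf("malformed MIME header line: %s", line)
}

func main() {
	fmt.Println(SanitizeForLog(sampleErr().Error()))
}
```

Applying the helper at the logging boundary, rather than where the error is created, leaves the original error value intact for `errors.Is` and `errors.As`.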
