fix(deps): update module golang.org/x/image to v0.41.0 - autoclosed #281

Closed
renovate[bot] wants to merge 1 commit into main from renovate/golang.org-x-image-0.x


Conversation

@renovate renovate Bot commented Jun 1, 2026

Contributor

This PR contains the following updates:

Package            | Change              | Age   | Confidence
golang.org/x/image | v0.38.0 -> v0.41.0  | (age badge) | (confidence badge)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot commented Jun 1, 2026

Contributor Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

Package           | Change
golang.org/x/text | v0.35.0 -> v0.37.0

github-actions Bot commented Jun 1, 2026

Contributor

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

golang.org/x/image v0.38.0 → v0.41.0 (3 minor version bumps)

Security Fixes (primary driver for upgrade):

  • GO-2026-4961 (fixed in v0.38.0→v0.39.0+): Panic when decoding large WEBP images on 32-bit platforms
  • GO-2026-4962 (fixed in v0.38.0→v0.39.0+): Excessive memory allocation when decoding malicious SFNT font data
  • GO-2026-5031 (fixed in v0.40.0): Panic when reading out-of-bound palette index in bmp package
  • GO-2026-5032 (fixed in v0.40.0): Excessive resource consumption in PackBits decompression in tiff package
  • v0.41.0 is the first version with zero known vulnerabilities across all of these; also adds security documentation to the README

No breaking API changes: The draw package (the only sub-package used in this codebase) has no API-level changes across these three versions. The security changes are isolated to the bmp, tiff, webp, and font/sfnt sub-packages.

Indirect dependency bump: golang.org/x/text v0.35.0 → v0.37.0 (pulled in transitively by golang.org/x/image); no breaking changes expected.

🎯 Impact Scope Investigation

Usage in codebase (internal/gat/gat.go:25):

import "golang.org/x/image/draw"

The draw package is used in printImage() (gat.go:303–336) for two stable, unchanged APIs:

  • draw.ApproxBiLinear.Scale(...) — bilinear scaling of images before Sixel encoding
  • draw.Src — compositing mode constant

Both of these APIs are unchanged across v0.38.0–v0.41.0. The security-patched sub-packages (bmp, tiff, webp, font/sfnt) are not directly imported by this codebase.

Impact on other dependencies: The bump to golang.org/x/text v0.37.0 is an indirect transitive dependency. No other Go modules in go.mod are affected.

💡 Recommended Actions

  • No code changes required. The upgrade is a drop-in replacement.
  • Merge as-is. The update resolves multiple security vulnerabilities in image-decoding sub-packages, even though the specific packages affected (bmp, tiff, webp, font/sfnt) are not directly imported by this project — they are part of the same module and the fixed version should be used to eliminate known CVEs.
  • Run go test ./... post-merge as a routine sanity check (no failures expected).

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
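As an added check that is not part of this PR or the project's code: a small Go program, standard library only, that reads a go.mod and reports which of the advisories listed in the review above are still unfixed at the pinned golang.org/x/image version. The advisory IDs and fixed-in versions are taken from the review; the go.mod text used when exercising it is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Advisories from the review above: Go vuln ID and the first golang.org/x/image
// release carrying the fix, exactly as the review lists them.
var imageAdvisories = []struct{ ID, FixedIn string }{
	{"GO-2026-4961", "v0.39.0"},
	{"GO-2026-4962", "v0.39.0"},
	{"GO-2026-5031", "v0.40.0"},
	{"GO-2026-5032", "v0.40.0"},
}

// versionLess reports whether tag a sorts before tag b ("vMAJOR.MINOR.PATCH").
// An a that does not parse (including an empty pin) counts as older than
// everything, so a malformed or missing pin is flagged rather than trusted.
func versionLess(a, b string) bool {
	var x, y [3]int
	if _, err := fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2]); err != nil {
		return true
	}
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2]) // b comes from the table above
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// requiredVersion returns the version pinned for module in go.mod text, handling
// both single-line "require m v" and "require ( ... )" blocks; "" if absent.
func requiredVersion(gomod, module string) string {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == module {
			return f[1]
		}
	}
	return ""
}

// unfixedAdvisories lists the IDs whose fix is newer than the go.mod pin.
func unfixedAdvisories(gomod string) []string {
	var ids []string
	v := requiredVersion(gomod, "golang.org/x/image")
	for _, a := range imageAdvisories {
		if versionLess(v, a.FixedIn) {
			ids = append(ids, a.ID)
		}
	}
	return ids
}
```

Feed it the go.mod before and after the bump: at v0.38.0 all four IDs are reported, at v0.41.0 none, which is the check a reviewer would run before trusting the "Safe" verdict above.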

@renovate renovate Bot changed the title fix(deps): update module golang.org/x/image to v0.41.0 fix(deps): update module golang.org/x/image to v0.41.0 - autoclosed Jun 9, 2026
@renovate renovate Bot closed this Jun 9, 2026
@renovate renovate Bot deleted the renovate/golang.org-x-image-0.x branch June 9, 2026 20:49