fix(deps): update dependency go to v1.26.1

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Pending
go (source)		patch	1.26.0 → 1.26.1	1.26.2
go (source)	golang	patch	1.26.0 → 1.26.1	1.26.2

---

Release Notes

golang/go (go)

v1.26.1

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Go 1.26.1 Release Summary (Released: March 5, 2026)

Go 1.26.1 is a patch release that includes important security fixes and bug fixes. This is a standard maintenance release with backward compatibility maintained.

Security Fixes:

• CVE-2026-27138, CVE-2026-27137, CVE-2026-27142, CVE-2026-25679: Four security vulnerabilities addressed
• crypto/x509: Certificate validation security fixes
• html/template: Template injection vulnerability fixes
• net/url: URL parsing security fixes
• os: Operating system interaction security fixes (FileInfo escape prevention from Root)

Bug Fixes:

• Compiler: Fixed internal compiler errors for generic functions with large types, struct pointer load operations, sign extension in AuxInt, and various code generation issues
• reflect package: Fixed breaking behavior in Value.Interface method
• go command: Modified default go directive in go mod init back to 1.N format, fixed CGO compilation failures after version upgrade
• go fix command: Multiple analysis and rewrite fixes (stringsbuilder, rangeint, stringscut, waitgroup, minmax, reflect.TypeOf)
• Standard library: Fixed strings.HasSuffix multibyte rune handling, certificate expiry date extension for testing

Breaking Changes: None - This is a patch release maintaining full backward compatibility with Go 1.26.0

🎯 Impact Scope Investigation

Files Modified by PR:

1. Dockerfile - Updates ARG GO_VERSION from 1.26.0 to 1.26.1
2. go.mod - Updates go directive from 1.26.0 to 1.26.1
3. internal/sandbox/defaults/go/go.mod.tmpl - Updates template go directive from 1.26.0 to 1.26.1

Codebase Impact Analysis:

Direct Package Usage:

• The codebase does not directly import any of the security-affected packages (crypto/x509, html/template, net/url)
• Primary imports used: os, os/exec, path/filepath, syscall, encoding/base64, net/http, context, Echo framework, Cobra CLI
• The os package is used throughout the codebase for file operations, and benefits from the security fixes in this release

Dependency Impact:

• The go.mod change shows github.com/spf13/cobra moved from indirect to direct dependency - this is a benign go mod tidy cleanup, not a functional change
• All existing dependencies remain compatible with Go 1.26.1
• No dependency version changes required

Build & Runtime Impact:

• Docker build: The new Go version will be installed in the Docker image via mise
• Compilation: The compiler bug fixes improve stability but don't require code changes
• Runtime environment: The sandbox Go runtime template is updated, ensuring user-submitted Go code runs with 1.26.1

Test Results:

• Build: ✅ Passed
• Lint: ✅ Passed
• Unit Test: ✅ Passed
• E2E Test: ❌ Failed with 3 tests - HOWEVER, these exact same tests also fail on the main branch (verified in run #23734532111), confirming these are pre-existing flaky tests unrelated to the Go version upgrade:
  • security/filesystem/9/node_runtime_directory_is_read-only
  • security/filesystem/10/ruby_runtime_directory_is_read-only
  • security/dynamic_linker_attack/4/Ruby_dlopen_of_arbitrary_shared_object_path

Configuration Impact:

• mise.toml already updated to Go 1.26.1 (indicating this change was expected)
• No other configuration changes required

💡 Recommended Actions

Immediate Actions:

1. ✅ Safe to merge - This is a straightforward patch version update with security fixes and no breaking changes
2. The Go 1.26.1 patch includes important security fixes that should be applied, especially the os package fixes relevant to this codebase
3. The E2E test failures are pre-existing issues on main branch and should be addressed separately (not a blocker for this PR)

Post-Merge Considerations:

1. Monitor for Go 1.26.2 (already pending according to the PR description) - consider updating to that when available for additional security fixes
2. Address the pre-existing E2E test failures in a separate PR (filesystem and Ruby dlopen tests)

No Code Changes Required:

• All changes are version bumps in configuration files
• Backward compatibility is fully maintained
• No API changes affecting the codebase
• No migration work needed

🔗 Reference Links

• Go 1.26 Release Notes
• Go Release History
• Go 1.26.1 Milestone on GitHub
• Go 1.26 Release Announcement

Generated by koki-develop/claude-renovate-review