chore(deps): update module golang.org/x/image to v0.39.0 [security]

[alaudaa-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
golang.org/x/image	v0.38.0 -> v0.39.0

---

Excessive memory allocation when decoding malicious SFNT in golang.org/x/image

CVE-2026-33812 / GO-2026-4962

More information

Details

Parsing a malicious font file can cause excessive memory allocation.

Severity

Unknown

References

• https://go.dev/cl/761180
• https://go.dev/issue/78382

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Panic when decoding large WEBP image on 32-bit platforms in golang.org/x/image

CVE-2026-33813 / GO-2026-4961

More information

Details

Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.

Severity

Unknown

References

• https://go.dev/cl/759860
• https://go.dev/issue/78407

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[alaudaa-renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
golang.org/x/text	v0.35.0 -> v0.36.0