
chore(deps): update dependency go to v1.26.1 #255

Open
renovate[bot] wants to merge 1 commit into main from renovate/go-1.x

renovate bot commented Feb 19, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| go | | minor | 1.25.5 → 1.26.1 |
| go (source) | toolchain | minor | 1.25.5 → 1.26.1 |

Release Notes

golang/go (go)

v1.26.1

v1.26.0

v1.25.8

v1.25.7

v1.25.6


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions bot commented Feb 19, 2026

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Go 1.26.0 → 1.26.1 Update (Minor Version)

Security Fixes in Go 1.26.1 (Released 2026-03-05):

  • CVE-2026-27142 (html/template): XSS vulnerability in meta tag content attributes with http-equiv="refresh"
  • CVE-2026-27139 (os): Directory traversal issue in File.ReadDir/File.Readdir on Unix systems
  • CVE-2026-25679 (net/url): Insufficient validation of host/authority component in url.Parse
  • CVE-2026-27138 (crypto/x509): Certificate verification panic with empty DNS names in name constraints
  • CVE-2026-27137 (crypto/x509): Email address constraint validation bug

Major Changes in Go 1.26.0:

  • New Green Tea garbage collector (10-40% GC overhead reduction)
  • ~30% faster cgo calls
  • Language enhancements: new() with expressions, generic self-references
  • JPEG codec completely replaced (bit-for-bit output changes)
  • Crypto packages now ignore rand parameter (always use secure randomness)
  • URL parsing stricter (rejects unbracketed IPv6 addresses with colons in host)
  • Post-quantum hybrid TLS enabled by default

Breaking Changes:

  • cmd/doc and go tool doc removed (replaced by go doc)
  • JPEG encoder/decoder output may differ bit-for-bit from previous versions
  • URL parsing more strict for certain edge cases
  • Multiple GODEBUG settings will be removed in Go 1.27

🎯 Impact Scope Investigation

Modified Files:

  • go.mod: Toolchain version go1.25.5 → go1.26.1
  • mise.toml: Go tool version 1.25.5 → 1.26.1

Codebase Analysis:

  1. Standard Library Usage:

    • Uses image/jpeg as blank import for decoder registration (internal/gat/gat.go:10)
    • Uses image.Decode() for image processing (internal/gat/gat.go:232)
    • No direct usage of crypto/*, html/template, net/url packages that received security fixes
    • No usage of deprecated PKCS#1 v1.5 encryption functions
    • No GODEBUG settings in use
  2. JPEG Decoder Impact:

    • The project uses JPEG decoding only for reading images (via image.Decode)
    • Does NOT perform bit-for-bit comparisons of JPEG output
    • The new JPEG codec is fully backward compatible for decoding operations
    • No encoding operations detected in codebase
  3. Breaking Change Assessment:

    • No usage of removed cmd/doc or go tool doc commands
    • No URL parsing with edge cases that would be affected
    • No deterministic crypto operations requiring rand parameter
    • Project uses Go 1.24.0 language level (go.mod line 3), well below 1.26 features
  4. Test Results:

    • All tests pass successfully with Go 1.26.1: ok status on all test packages
    • Build completes without errors
    • go vet reports no issues
    • go mod verify confirms module integrity
  5. Dependency Compatibility:

    • All 33 third-party dependencies downloaded successfully
    • No version conflicts detected
    • CI/CD workflows (test, build, lint) structure remains compatible

💡 Recommended Actions

Immediate Actions:

  1. Merge this PR - The update is backward compatible and brings important security fixes
  2. No code changes required - All existing code is compatible with Go 1.26.1
  3. Monitor CI checks - Wait for pending CI jobs (Test, Build, Lint) to complete successfully

Post-Merge:

  1. Security Benefits: Gain protection against 5 CVEs affecting crypto/x509, html/template, net/url, and os packages
  2. Performance Improvements: Benefit from Green Tea GC (10-40% reduction in GC overhead) and faster cgo calls (~30%)
  3. No Migration Work: Zero code changes needed due to backward compatibility

Future Considerations:

  • Go 1.27 will remove several GODEBUG settings - monitor for deprecation warnings in future releases
  • No action needed now as this project doesn't use any affected GODEBUG settings

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
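
Added example, not part of the PR or of the review bot's output: one way to reproduce the direct-import part of the "Standard Library Usage" check independently, using Go's go/parser to flag a file that imports any package named in the review's security-fix list. The function name `patchedImports` and the sample source are constructed for illustration.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"sort"
	"strconv"
)

// patched holds the standard-library packages named in the review's
// security-fix list for Go 1.26.1 (copied from the page above).
var patched = map[string]bool{
	"html/template": true,
	"os":            true,
	"net/url":       true,
	"crypto/x509":   true,
}

// patchedImports parses only the import section of one Go source file and
// returns, sorted, the directly imported packages that appear in patched.
func patchedImports(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, imp := range f.Imports {
		// The parser has already validated the string literal.
		path, _ := strconv.Unquote(imp.Path.Value)
		if patched[path] {
			hits = append(hits, path)
		}
	}
	sort.Strings(hits)
	return hits, nil
}

// sampleSrc is a constructed file, not the project's internal/gat/gat.go.
const sampleSrc = `package gat
import ("image"; _ "image/jpeg"; "os")
`

func main() {
	hits, err := patchedImports("sample.go", sampleSrc)
	fmt.Println(hits, err)
}
```

This covers direct imports in a single file only; whether a vulnerable function is actually reachable, including through third-party dependencies, is the kind of question govulncheck answers.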

renovate bot force-pushed the renovate/go-1.x branch 2 times, most recently from 20385b0 to 5398059 (March 8, 2026 01:42)
renovate bot changed the title from "chore(deps): update dependency go to v1.26.0" to "chore(deps): update dependency go" (Mar 8, 2026)
renovate bot force-pushed the renovate/go-1.x branch from 5398059 to c72e46c (March 9, 2026 00:59)
renovate bot changed the title from "chore(deps): update dependency go" to "chore(deps): update dependency go to v1.26.1" (Mar 9, 2026)