Update dependency golang to v1.26.4 #70

Open
renovate[bot] wants to merge 1 commit into main from renovate/golang-1.x

renovate Bot commented Jun 2, 2026

This PR contains the following updates:

Package | Update | Change
golang | patch | 1.26.3 → 1.26.4

Release Notes

golang/go (golang)

v1.26.4

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

sonarqubecloud Bot commented Jun 2, 2026

fossabot Bot commented Jun 2, 2026

Needs Review

I recommend reviewing this upgrade before merging because the project's go.mod currently declares go 1.23.0 while the upgrade targets 1.26.4, representing a major toolchain jump that requires updating the module directive and re-validating compatibility. The CI matrix in build.yml and test-and-coverage.yml only tests against Go 1.23 and 1.24, leaving 1.26.4 entirely untested by those critical pipelines. Web research confirms that earlier Go 1.26.x releases introduced a critical Windows runtime crash caused by the Green Tea garbage collector, a Linux signal: killed test regression, and a compiler-level bound check elimination bug leading to memory corruption — all fixed by 1.26.2 and later, but these issues signal meaningful instability in the 1.26 branch that warrants verification. On the positive side, this upgrade delivers two high-severity security fixes in net/textproto and crypto/x509, along with 3 additional bug fixes. The go.mod module directive and the CI matrix should both be updated to include 1.26.4 before merging.

Tip: Comment @fossabot fix to attempt automatic fixes.

Fix Suggestions

We identified 5 fixable issues in this upgrade.

  • Update go.mod line 3 to change the Go directive from 'go 1.23.0' to 'go 1.26.4'. This aligns the module's declared minimum Go version with the upgraded toolchain. Alternatively, run: sed -i 's/^go 1.23.0$/go 1.26.4/' go.mod
    Run: sed -i 's/^go 1\.23\.0$/go 1.26.4/' go.mod
    Files: go.mod
  • Update the CI build matrix in .github/workflows/build.yml line 21 to include Go 1.26.4. Change the go-version matrix from ['1.23', '1.24'] to ['1.23', '1.24', '1.26.4']. Search for the line containing "go-version: ['1.23', '1.24']" in build.yml and replace with "go-version: ['1.23', '1.24', '1.26.4']".
    Files: .github/workflows/build.yml
  • Update the CI test-and-coverage matrix in .github/workflows/test-and-coverage.yml line 19 to include Go 1.26.4. Change the go-version matrix from ['1.23', '1.24'] to ['1.23', '1.24', '1.26.4']. Search for the line containing "go-version: ['1.23', '1.24']" in test-and-coverage.yml and replace with "go-version: ['1.23', '1.24', '1.26.4']".
    Files: .github/workflows/test-and-coverage.yml
  • Pin the Go version in .github/workflows/multi-os-test.yml line 133 from '1.26' (floating) to '1.26.4' (exact patch). Search for "go-version: '1.26'" in multi-os-test.yml and replace with "go-version: '1.26.4'". This avoids picking up intermediate broken 1.26.x releases (e.g., 1.26.0/1.26.1 had a critical Windows runtime crash and compiler bug).
    Files: .github/workflows/multi-os-test.yml
  • Pin the Go version in .github/workflows/lint-and-format.yml line 24 from '1.26' (floating) to '1.26.4' (exact patch). Search for "go-version: '1.26'" in lint-and-format.yml and replace with "go-version: '1.26.4'". This ensures lint runs use the same stable patch version as the rest of the CI pipeline.
    Files: .github/workflows/lint-and-format.yml

AI Assistant Prompt

# Fix Go 1.26.4 Toolchain Upgrade Issues

I'm upgrading the Go toolchain in `syspkg` (github.com/bluet/syspkg) from Go 1.23.0 to Go 1.26.4. This upgrade includes two high-severity security fixes (net/textproto injection, crypto/x509 hostname validation) and 3 bug fixes. I need you to make the following changes across 5 files.

## Context
- Earlier Go 1.26.x releases (1.26.0, 1.26.1) had critical bugs: a Windows runtime crash from the Green Tea GC, a Linux `signal: killed` test regression, and a compiler bounds-check elimination bug causing memory corruption. All fixed in 1.26.2+, but we must pin to exactly `1.26.4` everywhere — never use a floating `1.26`.
- The CI matrix currently only tests Go 1.23 and 1.24. We need to add 1.26.4.

## Changes Needed

### 1. Update `go.mod` — Go directive
File: `go.mod`, line 3
- Change: `go 1.23.0` → `go 1.26.4`
- This aligns the module's minimum Go version with the upgraded toolchain.

### 2. Update CI build matrix
File: `.github/workflows/build.yml`, around line 21
- Find: `go-version: ['1.23', '1.24']`
- Replace with: `go-version: ['1.23', '1.24', '1.26.4']`

### 3. Update CI test-and-coverage matrix
File: `.github/workflows/test-and-coverage.yml`, around line 19
- Find: `go-version: ['1.23', '1.24']`
- Replace with: `go-version: ['1.23', '1.24', '1.26.4']`

### 4. Pin Go version in multi-os-test workflow
File: `.github/workflows/multi-os-test.yml`, around line 133
- Find: `go-version: '1.26'`
- Replace with: `go-version: '1.26.4'`
- Reason: Floating `1.26` could resolve to broken 1.26.0/1.26.1 releases.

### 5. Pin Go version in lint-and-format workflow
File: `.github/workflows/lint-and-format.yml`, around line 24
- Find: `go-version: '1.26'`
- Replace with: `go-version: '1.26.4'`
- Reason: Same as above — pin to known-good patch version.

## Instructions
Please make all 5 changes. Each is a single-line text replacement. Do not modify any other files or logic. After making the changes, briefly summarize what was updated.

What we checked

  • Module directive declares go 1.23.0, but the upgrade targets toolchain 1.26.4. This directive must be updated to reflect the new minimum Go version; mismatched go directive can affect module resolution and toolchain behavior. [1]
  • CI build matrix only tests go-version: ['1.23', '1.24']. Go 1.26.4 is never exercised in this critical build workflow, leaving a gap where the upgraded toolchain is unverified against the build pipeline. [2]
  • Test and coverage matrix also only tests go-version: ['1.23', '1.24']. The target Go 1.26.4 version is not included, meaning test results with the upgraded toolchain are entirely unknown. [3]
  • Native integration tests (for apt, snap, flatpak) use go-version: '1.26' with a floating version pin. This should be pinned to 1.26.4 specifically to avoid picking up intermediate broken releases within the 1.26.x series. [4]
  • Lint workflow uses go-version: '1.26' without a patch version pin. Should be pinned to 1.26.4 to ensure consistency with the upgraded toolchain and avoid using a known-broken intermediate 1.26.x release. [5]
  • Go 1.26.0 and 1.26.1 caused a critical runtime crash on Windows due to the Green Tea garbage collector corrupting return addresses during stack scanning or goroutine stack relocation (copystack). This affected all Windows users. Relevant because the project's multi-OS test matrix targets Windows-adjacent environments and the upstream instability in 1.26.x warrants validation that 1.26.4 is stable. [6]
  • Go 1.26.1 introduced a regression where go test ./... fails with signal: killed on Linux/amd64. This directly impacts the project's CI pipeline running go test -v -race -coverprofile=coverage.txt ./... in test-and-coverage.yml, confirming intermediate 1.26.x releases were broken for testing. [7]
  • A compiler bug in Go 1.26.1 and earlier versions caused incorrect bounds-check elimination for slices and arrays accessed via induction variables, allowing memory corruption in compiled programs. Fixed in 1.26.2. This confirms 1.26.4 is required (not just any 1.26.x version) and that the upgrade must precisely target 1.26.4. [8]

Dependency Usage

This is a Go (golang) project — the golang entry in the dependency scan refers to the Go language runtime and toolchain itself, not an imported third-party library. The repository is a Go module (github.com/bluet/syspkg) with source spread across 35+ .go files implementing a cross-platform system package manager abstraction layer. Since golang has zero import-style usages, it is not consumed as a library dependency but rather represents the underlying language platform that compiles and runs the entire application, including package manager integrations for apt, yum, snap, and flatpak. No actionable dependency risk or usage pattern exists for this entry — it is the foundational language runtime, not a discrete importable package.

  • Module directive declares go 1.23.0, but the upgrade targets toolchain 1.26.4. This directive must be updated to reflect the new minimum Go version; mismatched go directive can affect module resolution and toolchain behavior.
    go 1.23.0
  • CI build matrix only tests go-version: ['1.23', '1.24']. Go 1.26.4 is never exercised in this critical build workflow, leaving a gap where the upgraded toolchain is unverified against the build pipeline.
    go-version: ['1.23', '1.24']
  • Test and coverage matrix also only tests go-version: ['1.23', '1.24']. The target Go 1.26.4 version is not included, meaning test results with the upgraded toolchain are entirely unknown.
    go-version: ['1.23', '1.24']
  • Native integration tests (for apt, snap, flatpak) use go-version: '1.26' with a floating version pin. This should be pinned to 1.26.4 specifically to avoid picking up intermediate broken releases within the 1.26.x series.
    go-version: '1.26'
  • Lint workflow uses go-version: '1.26' without a patch version pin. Should be pinned to 1.26.4 to ensure consistency with the upgraded toolchain and avoid using a known-broken intermediate 1.26.x release.

Changes

golang was updated with two security fixes: net/textproto now escapes arbitrary input when including it in error messages (preventing potential injection attacks), and crypto/x509 corrects hostname splitting logic during certificate validation. Additionally, three bug fixes address a WebAssembly DRBG stub in crypto/internal/fips140, quadratic complexity in mime.WordDecoder.DecodeHeader, and an amd64 compiler miscompilation of shift expressions in cmd/compile.

  • [release-branch.go1.26] net/textproto: escape arbitrary input when including them in errors (ec1c380) (v1.26.4, changelog)
  • [release-branch.go1.26] crypto/x509: split candidate hostname only once (ce5a3e7) (v1.26.4, changelog)
  • [release-branch.go1.26] crypto/internal/fips140/drbg: fix Wasm stub (26c2ac5) (v1.26.4, changelog)
  • [release-branch.go1.26] mime: avoid quadratic complexity in WordDecoder.DecodeHeader (7f24db4) (v1.26.4, changelog)
  • [release-branch.go1.26] cmd/compile: do not misscompile x+x << 63 to x << 0 on amd64 (babc19e) (v1.26.4, changelog)
  • [release-branch.go1.26] cmd/fix: pull in CL 783960 (ccffd99) (v1.26.4, changelog)
  • [release-branch.go1.26] runtime/race: build race detector linux/arm64 syso with no-outline-atomics (7d24489) (v1.26.4, changelog)
  • [release-branch.go1.26] go1.26.4 (a9ce111) (v1.26.4, changelog)
References (8)

[1]: Module directive declares go 1.23.0, but the upgrade targets toolchain 1.26.4. This directive must be updated to reflect the new minimum Go version; mismatched go directive can affect module resolution and toolchain behavior.

go 1.23.0

[2]: CI build matrix only tests go-version: ['1.23', '1.24']. Go 1.26.4 is never exercised in this critical build workflow, leaving a gap where the upgraded toolchain is unverified against the build pipeline.

go-version: ['1.23', '1.24']

[3]: Test and coverage matrix also only tests go-version: ['1.23', '1.24']. The target Go 1.26.4 version is not included, meaning test results with the upgraded toolchain are entirely unknown.

go-version: ['1.23', '1.24']

[4]: Native integration tests (for apt, snap, flatpak) use go-version: '1.26' with a floating version pin. This should be pinned to 1.26.4 specifically to avoid picking up intermediate broken releases within the 1.26.x series.

go-version: '1.26'

[5]: Lint workflow uses go-version: '1.26' without a patch version pin. Should be pinned to 1.26.4 to ensure consistency with the upgraded toolchain and avoid using a known-broken intermediate 1.26.x release.

[6]: Go 1.26.0 and 1.26.1 caused a critical runtime crash on Windows due to the Green Tea garbage collector corrupting return addresses during stack scanning or goroutine stack relocation (copystack). This affected all Windows users. Relevant because the project's multi-OS test matrix targets Windows-adjacent environments and the upstream instability in 1.26.x warrants validation that 1.26.4 is stable. (source link)

[7]: Go 1.26.1 introduced a regression where go test ./... fails with signal: killed on Linux/amd64. This directly impacts the project's CI pipeline running go test -v -race -coverprofile=coverage.txt ./... in test-and-coverage.yml, confirming intermediate 1.26.x releases were broken for testing. (source link)

[8]: A compiler bug in Go 1.26.1 and earlier versions caused incorrect bounds-check elimination for slices and arrays accessed via induction variables, allowing memory corruption in compiled programs. Fixed in 1.26.2. This confirms 1.26.4 is required (not just any 1.26.x version) and that the upgrade must precisely target 1.26.4. (source link)


fossabot analyzed this PR using dependency research. View this analysis on the web
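
The version checks the review above asks for (exact `go` directive, matrix coverage of the target release, no floating `1.26` pin) can be run as a pre-merge audit. The following is an added example, not code from this PR, from fossabot, or from syspkg; the `Audit` function and the sample inputs are constructed for illustration and contain only the lines quoted in the review.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	goDirective = regexp.MustCompile(`(?m)^go\s+(\S+)\s*$`)
	goVersionKV = regexp.MustCompile(`(?m)^\s*-?\s*go-version:\s*(.+)$`)
	versionTok  = regexp.MustCompile(`\d+\.\d+(?:\.\d+)?`)
)

// Audit flags a go.mod directive or workflow go-version value that does not name
// the exact target patch release; values with no literal version are skipped.
func Audit(name, body, target string) (out []string) {
	if m := goDirective.FindStringSubmatch(body); strings.HasSuffix(name, "go.mod") && m != nil && m[1] != target {
		out = append(out, fmt.Sprintf("go directive %s, want %s", m[1], target))
	}
	for _, m := range goVersionKV.FindAllStringSubmatch(body, -1) {
		vers, pinned, floating := versionTok.FindAllString(m[1], -1), false, ""
		for _, v := range vers {
			if v == target {
				pinned = true
			} else if strings.Count(v, ".") == 1 && strings.HasPrefix(target, v+".") {
				floating = v // major.minor only: the patch level is chosen at run time
			}
		}
		if floating != "" {
			out = append(out, fmt.Sprintf("floating pin %s, want %s", floating, target))
		} else if len(vers) > 0 && !pinned {
			out = append(out, fmt.Sprintf("matrix lacks %s", target))
		}
	}
	return out
}

// Constructed inputs: only the lines quoted in the review, not the real files.
var sample = [][2]string{
	{"go.mod", "module github.com/bluet/syspkg\n\ngo 1.23.0\n"},
	{".github/workflows/build.yml", "go-version: ['1.23', '1.24']\ngo-version: ${{ matrix.go-version }}\n"},
	{".github/workflows/lint-and-format.yml", "go-version: '1.26'\n"},
}

func main() {
	for _, f := range sample {
		fmt.Println(f[0], Audit(f[0], f[1], "1.26.4"))
	}
}
```

Older matrix entries such as `'1.23'` are not reported as floating; only a major.minor pin on the target's own release line is, since that is the case the review singles out.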
