fix: upgrade Go to 1.26.1 to resolve security vulnerabilities

ndbroadbent · claude · ndbroadbent · commit af0b88fbbbe5 · 2026-03-07T11:52:09.000+13:00
Upgrades Go from 1.25.7 to 1.26.1 to fix 5 critical vulnerabilities found by govulncheck: - GO-2026-4603: URLs in meta content attribute actions are not escaped in html/template - GO-2026-4602: FileInfo can escape from a Root in os - GO-2026-4601: Incorrect parsing of IPv6 host literals in net/url - GO-2026-4600: Panic in name constraint checking for malformed certificates in crypto/x509 - GO-2026-4599: Incorrect enforcement of email constraints in crypto/x509 All references updated: - Dockerfiles (main, gateway-dev, mock-convox) - go.mod - GitHub Actions workflows (ci.yml, e2e.yml, release.yml) - mise.toml (local development) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -19,7 +19,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: "1.25.7"
+          go-version: "1.26.1"
 
       - name: Install libfido2 dependencies
         run: |
@@ -63,7 +63,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: "1.25.7"
+          go-version: "1.26.1"
 
       - name: Cache golangci-lint cache
         uses: actions/cache@v4
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -157,7 +157,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: "1.25.7"
+          go-version: "1.26.1"
 
       - name: Download gateway image
         uses: actions/download-artifact@v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -77,7 +77,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: "1.25.7"
+          go-version: "1.26.1"
       - name: Build binary
         env:
           CGO_ENABLED: 0
diff --git a/Dockerfile b/Dockerfile
@@ -15,7 +15,7 @@ RUN bun install --frozen-lockfile
 COPY web/ ./
 RUN bun run build
 
-FROM golang:1.25.7-alpine AS builder
+FROM golang:1.26.1-alpine AS builder
 
 RUN apk add --no-cache git ca-certificates make gcc musl-dev nodejs npm
 
diff --git a/Dockerfile.gateway-dev b/Dockerfile.gateway-dev
@@ -1,4 +1,4 @@
-FROM golang:1.25.7-alpine AS builder
+FROM golang:1.26.1-alpine AS builder
 
 RUN apk add --no-cache git ca-certificates make gcc musl-dev
 
diff --git a/Dockerfile.mock-convox b/Dockerfile.mock-convox
@@ -1,7 +1,7 @@
 # Build stage
 # syntax=docker/dockerfile:1.5
 
-FROM golang:1.25.7-alpine AS builder
+FROM golang:1.26.1-alpine AS builder
 
 RUN apk add --no-cache git make
 
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/DocSpring/rack-gateway
 
-go 1.25.7
+go 1.26.1
 
 require (
 	github.com/GeertJohan/yubigo v0.0.0-20190917122436-175bc097e60e
diff --git a/mise.toml b/mise.toml
@@ -1,5 +1,5 @@
 [tools]
-go = "1.25.5"
+go = "1.26.1"
 node = "22.19.0"
 bun = "1.3.1"
 

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM golang:1.25.7-alpine AS builder`
	`1`	`+FROM golang:1.26.1-alpine AS builder`
`2`	`2`
`3`	`3`	`RUN apk add --no-cache git ca-certificates make gcc musl-dev`
`4`	`4`