From 1524ea21ae0ec9f116ba59132f71a987b4315750 Mon Sep 17 00:00:00 2001
From: Kynan Ware <47394200+BagToad@users.noreply.github.com>
Date: Fri, 6 Mar 2026 21:21:21 -0700
Subject: [PATCH 1/2] Bump Go from 1.25.7 to 1.26.1 to fix stdlib vulnerabilities

Fixes 5 Go standard library vulnerabilities found by govulncheck:
- GO-2026-4603: html/template URL escaping
- GO-2026-4602: os FileInfo root escape
- GO-2026-4601: net/url IPv6 parsing
- GO-2026-4600: crypto/x509 malformed cert panic
- GO-2026-4599: crypto/x509 email constraint enforcement
Co-Authored-By: Copilot <223556219+Copilot@users.noreply.github.com>
---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index a9c86a672d0..02c6c220251 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/cli/cli/v2
-go 1.25.7
+go 1.26.1
 require (
 github.com/AlecAivazis/survey/v2 v2.3.7

From b18358b7547d13cd8fdae813e864a66d077af0fb Mon Sep 17 00:00:00 2001
From: Kynan Ware <47394200+BagToad@users.noreply.github.com>
Date: Fri, 6 Mar 2026 21:24:41 -0700
Subject: [PATCH 2/2] Bump golangci-lint from v2.6.0 to v2.11.0 for Go 1.26 support

golangci-lint v2.6.0 was built with Go 1.25 and cannot lint code targeting Go 1.26.1. Go 1.26 support was added in golangci-lint v2.9.0.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/lint.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 2298acf8e7e..2f95d5e0ba1 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -48,7 +48,7 @@ jobs:
 - name: golangci-lint
 uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
 with:
- version: v2.6.0
+ version: v2.11.0
 # Verify that license generation succeeds for all release platforms (GOOS/GOARCH).
 # This catches issues like new dependencies with unrecognized licenses before release time.