
Update dependency golang to v1.26.3 #66

Merged: bluet merged 1 commit into main from renovate/golang-1.x on May 9, 2026

Conversation

renovate Bot (Contributor) commented May 7, 2026

This PR contains the following updates:

Package  Update  Change
golang   patch   1.26.2 -> 1.26.3

Release Notes

golang/go (golang)

v1.26.3

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

sonarqubecloud Bot commented May 7, 2026

fossabot Bot commented May 7, 2026

No Issues

No security issues were detected in the SAST scan. The code changes appear to follow secure coding practices.


fossabot analyzed this PR using SAST security analysis (changed files only).

fossabot Bot commented May 7, 2026

Needs Review

I recommend reviewing this upgrade before merging because a GitHub Actions CI job (SonarQube quality gate) is failing due to a configuration conflict between CI-based scanning and SonarQube Cloud's Automatic Analysis running simultaneously — this must be resolved before merging. The golang toolchain upgrade itself is highly beneficial: it carries no breaking changes, delivers 1 new feature, 16 bug fixes, and most importantly resolves 18 security vulnerabilities spanning critical DoS, XSS, arbitrary file write, checksum bypass, and double-free crash issues in standard library packages (net/http, html/template, net/mail, cmd/go, net/http/httputil). The fix for the SonarQube failure is straightforward: either disable Automatic Analysis in the SonarQube Cloud project settings, or remove the SonarSource/sonarqube-scan-action step from quality-gate.yml. Once that CI conflict is resolved, this upgrade is strongly recommended from a security posture standpoint.

Tip: Comment @fossabot fix to attempt automatic fixes.

Fix Suggestions

We identified 2 fixable issues in this upgrade.

  • Disable Automatic Analysis in SonarQube Cloud project settings: Navigate to the 'bluet_syspkg' project in SonarQube Cloud → Administration → Analysis Method → toggle OFF 'Automatic Analysis'. This resolves the conflict where both CI-based scanning (via SonarSource/sonarqube-scan-action@v8) and Automatic Analysis are running simultaneously, causing the scan to abort with exit code 3. This is the preferred fix because it preserves CI-based scanning for PR decoration and fine-grained control.
    Files: .github/workflows/quality-gate.yml
  • Alternative fix if SonarQube Cloud settings cannot be changed: Remove or comment out the SonarQube scan step in quality-gate.yml (line 17, the 'SonarSource/sonarqube-scan-action@v8' step) to rely solely on SonarQube Cloud's Automatic Analysis instead. Search for 'SonarSource/sonarqube-scan-action' in '.github/workflows/quality-gate.yml' and remove or comment out that entire step block. NOTE: This is the less preferred option — only use if disabling Automatic Analysis in the SonarQube Cloud UI (the manual fix above) is not feasible.
    Files: .github/workflows/quality-gate.yml

AI Assistant Prompt

# Fix CI Failure After Golang Toolchain Upgrade (PR #66)

## Context
The `syspkg` repository (github.com/bluet/syspkg) upgraded its Go toolchain to 1.26.3. The upgrade itself is clean — no breaking changes, and it resolves 18 security vulnerabilities (DoS, XSS, arbitrary file write, checksum bypass, double-free) across standard library packages (`net/http`, `html/template`, `net/mail`, `cmd/go`, `net/http/httputil`).

However, the SonarQube CI job is failing with exit code 3. This is **not caused by the upgrade** — it's a pre-existing configuration conflict.

## The Problem
The GitHub Actions workflow `.github/workflows/quality-gate.yml` runs `SonarSource/sonarqube-scan-action@v8`, but the SonarQube Cloud project also has **Automatic Analysis** enabled. SonarQube Cloud rejects this dual-analysis setup.

Error: *"You are running CI analysis while Automatic Analysis is enabled. Please consider disabling one or the other."*

## Fix Options (in order of preference)

### Option 1 (Preferred — Manual Step)
Disable Automatic Analysis in SonarQube Cloud:
1. Go to the `bluet_syspkg` project in SonarQube Cloud
2. Navigate to: **Administration → Analysis Method**
3. Toggle OFF **Automatic Analysis**

This preserves CI-based scanning for PR decoration and fine-grained control. **No code changes needed.**

### Option 2 (Code Change — Only if Option 1 is not feasible)
Remove the CI-based SonarQube scan step from the workflow file to rely solely on Automatic Analysis.

**File:** `.github/workflows/quality-gate.yml`

Find and remove (or comment out) the entire step that uses `SonarSource/sonarqube-scan-action@v8` (around line 17). For example, remove the block that looks like:

```yaml
      - name: SonarQube Scan
        uses: SonarSource/sonarqube-scan-action@v8
        # ... any 'with:' or 'env:' entries belonging to this step
```

Make sure to remove the complete step (including any `with:`, `env:`, or other keys indented under it) without affecting surrounding steps.

## Important Notes
- The golang upgrade itself requires **no code changes** — all fixes are about the CI configuration conflict.
- After fixing, all CI jobs should pass, and the upgrade can be safely merged.
- Merging this upgrade is strongly recommended for security posture.

What we checked

  • PR upgrades the toolchain specifier to golang 1.26.3, the target of this analysis. This file is used by asdf and compatible version managers to pin the active Go toolchain. [1]
  • Module declares go 1.23 as the minimum Go language version. Using a 1.26.3 toolchain to build code with a go 1.23 floor directive is fully supported and backward-compatible; no source changes are required. [2]
  • The SonarSource/sonarqube-scan-action@v8 step conflicts with SonarQube Cloud's Automatic Analysis enabled on the bluet_syspkg project, causing the job to exit with code 3. This is the sole CI failure and is entirely unrelated to the golang version change — it is a pre-existing SonarQube configuration conflict. Fix: disable Automatic Analysis under Administration → Analysis Method in SonarQube Cloud (preferred), or remove this step from the workflow. [3]
  • Build matrix tests against Go 1.23 and 1.24 only. The upgraded toolchain (1.26.3) is not in this matrix, but since go.mod declares go 1.23 as the floor, the codebase is already validated to compile on older toolchains. Go's backward compatibility guarantee means 1.26.3 will compile this module without issues. [4]
  • Lint and format workflow already uses go-version: '1.26', demonstrating the project is actively tested against the 1.26.x toolchain series. This reduces risk for the 1.26.3 patch upgrade. [5]
  • Native integration tests (apt, snap, flatpak) also target go-version: '1.26', further confirming compatibility with the 1.26.x series before this patch upgrade. [6]
  • Go 1.26.3 is an official security and bug-fix release. It fixes 18 vulnerabilities: CVE-2026-42501 (critical — checksum DB bypass), CVE-2026-33814 (HTTP/2 infinite loop DoS), CVE-2026-39823/CVE-2026-39826 (html/template XSS), CVE-2026-39820/CVE-2026-42499 (net/mail DoS), CVE-2026-39817 (arbitrary file write via cmd/go pack), CVE-2026-39825 (net/http/httputil query bypass), CVE-2026-33811 (double-free crash), CVE-2026-39836 (Windows panic), and CVE-2026-39819 (symlink attack). All 18 CVEs affect Go 1.26.0–1.26.2 and are resolved in 1.26.3. These are fixed by this upgrade, not introduced. [7]

Dependency Usage

No additional golang package usages were detected beyond what the initial scan captured — the repository is itself a Go project (github.com/bluet/syspkg) rather than a consumer of a dependency named golang. The codebase is a system package manager abstraction library written in Go, with source files spanning manager/apt, manager/snap, manager/yum, manager/flatpak, and osinfo packages, all built using the Go standard toolchain. The golang identifier appears only in tooling configuration files (.tool-versions, CI workflows, Makefile) as a runtime/toolchain specifier, not as an importable library dependency.

  • PR upgrades the toolchain specifier to golang 1.26.3, the target of this analysis. This file is used by asdf and compatible version managers to pin the active Go toolchain.
    .tool-versions:1
  • Module declares go 1.23 as the minimum Go language version. Using a 1.26.3 toolchain to build code with a go 1.23 floor directive is fully supported and backward-compatible; no source changes are required.
    go.mod:3
  • The SonarSource/sonarqube-scan-action@v8 step conflicts with SonarQube Cloud's Automatic Analysis enabled on the bluet_syspkg project, causing the job to exit with code 3. This is the sole CI failure and is entirely unrelated to the golang version change — it is a pre-existing SonarQube configuration conflict. Fix: disable Automatic Analysis under Administration → Analysis Method in SonarQube Cloud (preferred), or remove this step from the workflow.
    .github/workflows/quality-gate.yml:17
  • Build matrix tests against Go 1.23 and 1.24 only. The upgraded toolchain (1.26.3) is not in this matrix, but since go.mod declares go 1.23 as the floor, the codebase is already validated to compile on older toolchains. Go's backward compatibility guarantee means 1.26.3 will compile this module without issues.
    .github/workflows/build.yml:21
  • Lint and format workflow already uses go-version: '1.26', demonstrating the project is actively tested against the 1.26.x toolchain series. This reduces risk for the 1.26.3 patch upgrade.
    .github/workflows/lint-and-format.yml:24
  • Native integration tests (apt, snap, flatpak) also target go-version: '1.26', further confirming compatibility with the 1.26.x series before this patch upgrade.
    .github/workflows/multi-os-test.yml:133

Changes

golang was updated with 7 security fixes, including patches for html/template escaper bypasses, a double-free vulnerability in net CGo DNS handling, path traversal in cmd/pack, and rejection of incomplete sumdb responses in cmd/go. Additionally, 16 bug fixes were applied covering quadratic complexity issues in net/mail, compiler loop handling, and runtime stability on 32-bit systems.

  • [release-branch.go1.26] html/template: fix escaper bypass by treating empty script type as JavaScript (9b01c04) (v1.26.3, changelog)
  • [release-branch.go1.26] crypto/tls: wrap ML-KEM hybrids in fips140.WithoutEnforcement (e9df527) (v1.26.3, changelog)
  • [release-branch.go1.26] net: avoid double-free of cgo pointer when handling large DNS response (e0f5c05) (v1.26.3, changelog)
  • [release-branch.go1.26] cmd/pack: refuse to extract files with directory components (40fa774) (v1.26.3, changelog)
  • [release-branch.go1.26] html/template: fix escaping of URLs in meta content attributes (c9f97f5) (v1.26.3, changelog)
  • [release-branch.go1.26] all: avoid unsafe StringToUTF16Ptr on Windows (3baf3ee) (v1.26.3, changelog)
  • [release-branch.go1.26] cmd/go: reject sumdb response lacking module hash (8282c62) (v1.26.3, changelog)
  • [release-branch.go1.26] fix incorrect loop trip counts (f4e425d) (v1.26.3, changelog)
  • [release-branch.go1.26] cmd/go: specify full path to go command when running go tool covdata (ba4554f) (v1.26.3, changelog)
  • [release-branch.go1.26] cmd/compile: handle min integer step in loop (efdc0fb) (v1.26.3, changelog)
  • [release-branch.go1.26] runtime: use uname version check for 64-bit time on 32-bit arch codepaths (be12fe1) (v1.26.3, changelog)
  • [release-branch.go1.26] net/http/httputil: reencode queries with many parameters in proxy (9547066) (v1.26.3, changelog)
  • [release-branch.go1.26] cmd/fix: change -diff to exit 1 if diffs exist (cb994d8) (v1.26.3, changelog)
  • [release-branch.go1.26] cmd/compile/internal/devirtualize: use pointer identity for type comparison (e137885) (v1.26.3, changelog)
  • [release-branch.go1.26] cmd/go: use MkdirTemp to create temp directory for "go bug" (50856a1) (v1.26.3, changelog)
  • [release-branch.go1.26] go/types, types2: handle unconstrained type parameters correctly in a few places (73f417a) (v1.26.3, changelog)
  • [release-branch.go1.26] runtime: fix timespec definition on 32bits systems (19d2ce3) (v1.26.3, changelog)
  • [release-branch.go1.26] cmd/compile: fix loopvar version detection with line directives (dd29b59) (v1.26.3, changelog)
  • [release-branch.go1.26] net/mail: fix quadratic complexity in consumeComment (d9389d3) (v1.26.3, changelog)
  • [release-branch.go1.26] os: avoid panic when RemoveAll fails to remove a symlink (3ae315a) (v1.26.3, changelog)
  • [release-branch.go1.26] cmd/compile: keep blank nodes alive in b.loop (722b68c) (v1.26.3, changelog)
  • [release-branch.go1.26] cmd/go: invalidate test cache when -coverpkg dependencies change (7136366) (v1.26.3, changelog)
  • [release-branch.go1.26] net/mail: fix quadratic consumePhrase behavior (0bec633) (v1.26.3, changelog)
  • [release-branch.go1.26] runtime: add sysUnreserve to undo sysReserve (710f29a) (v1.26.3, changelog)
  • [release-branch.go1.26] cmd/link: use bfd ld 2.36+ on linux/arm64 instead of gold (0b4d5f8) (v1.26.3, changelog)
  • [release-branch.go1.26] all: update x/net to 705de46f (ec5ebec) (v1.26.3, changelog)
  • [release-branch.go1.26] crypto/internal/fips140/drbg: build tag out entropy generation on Wasm (c971287) (v1.26.3, changelog)
  • [release-branch.go1.26] lib/fips140: update inprocess to v1.26.0 (f43caf8) (v1.26.3, changelog)
  • [release-branch.go1.26] lib/fips140: add certified pointing to v1.0.0-c2097c7c (2992086) (v1.26.3, changelog)
  • [release-branch.go1.26] crypto/fips140: add package docs (18fa391) (v1.26.3, changelog)
  • [release-branch.go1.26] go1.26.3 (2dc996f) (v1.26.3, changelog)
References (7)

[1]: PR upgrades the toolchain specifier to golang 1.26.3, the target of this analysis. This file is used by asdf and compatible version managers to pin the active Go toolchain.

golang 1.26.3

[2]: Module declares go 1.23 as the minimum Go language version. Using a 1.26.3 toolchain to build code with a go 1.23 floor directive is fully supported and backward-compatible; no source changes are required.

go 1.23

[3]: The SonarSource/sonarqube-scan-action@v8 step conflicts with SonarQube Cloud's Automatic Analysis enabled on the bluet_syspkg project, causing the job to exit with code 3. This is the sole CI failure and is entirely unrelated to the golang version change — it is a pre-existing SonarQube configuration conflict. Fix: disable Automatic Analysis under Administration → Analysis Method in SonarQube Cloud (preferred), or remove this step from the workflow.

uses: SonarSource/sonarqube-scan-action@v8

[4]: Build matrix tests against Go 1.23 and 1.24 only. The upgraded toolchain (1.26.3) is not in this matrix, but since go.mod declares go 1.23 as the floor, the codebase is already validated to compile on older toolchains. Go's backward compatibility guarantee means 1.26.3 will compile this module without issues.

go-version: ['1.23', '1.24']

[5]: Lint and format workflow already uses go-version: '1.26', demonstrating the project is actively tested against the 1.26.x toolchain series. This reduces risk for the 1.26.3 patch upgrade.

[6]: Native integration tests (apt, snap, flatpak) also target go-version: '1.26', further confirming compatibility with the 1.26.x series before this patch upgrade.

go-version: '1.26'

[7]: Go 1.26.3 is an official security and bug-fix release. It fixes 18 vulnerabilities: CVE-2026-42501 (critical — checksum DB bypass), CVE-2026-33814 (HTTP/2 infinite loop DoS), CVE-2026-39823/CVE-2026-39826 (html/template XSS), CVE-2026-39820/CVE-2026-42499 (net/mail DoS), CVE-2026-39817 (arbitrary file write via cmd/go pack), CVE-2026-39825 (net/http/httputil query bypass), CVE-2026-33811 (double-free crash), CVE-2026-39836 (Windows panic), and CVE-2026-39819 (symlink attack). All 18 CVEs affect Go 1.26.0–1.26.2 and are resolved in 1.26.3. These are fixed by this upgrade, not introduced. (source link)


fossabot analyzed this PR using dependency research. View this analysis on the web
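The toolchain notes above ([1], [2], [4]) rest on the go.mod go directive being a floor that a newer pinned toolchain satisfies. As an added example, not code from the syspkg project or from fossabot, this Go program verifies that relationship with the standard library's go/version package, using constructed go.mod and .tool-versions contents:

```go
package main

import (
	"bufio"
	"fmt"
	"go/version"
	"strings"
)

// Constructed sample inputs modelled on the files this PR relies on (not the repo's real contents).
const sampleGoMod = "module github.com/bluet/syspkg\n\ngo 1.23\n"
const sampleToolVersions = "golang 1.26.3\n"

// secondField returns the second whitespace-separated field of the first line
// whose first field equals key ("go" in go.mod, "golang" in .tool-versions).
func secondField(text, key string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 2 && f[0] == key {
			return f[1], nil
		}
	}
	return "", fmt.Errorf("no %q entry found", key)
}

// CheckToolchainPin reports whether the toolchain pinned in .tool-versions can
// build the module: it must be a valid Go version at or above the go.mod floor.
// go/version orders "go1.23" (language version) < "go1.23rc1" < "go1.23.0"
// < "go1.26.3", which a naive string comparison gets wrong (e.g. "1.10" vs "1.9").
func CheckToolchainPin(goMod, toolVersions string) (bool, error) {
	floor, err := secondField(goMod, "go")
	if err != nil {
		return false, fmt.Errorf("go.mod: %w", err)
	}
	pin, err := secondField(toolVersions, "golang")
	if err != nil {
		return false, fmt.Errorf(".tool-versions: %w", err)
	}
	floor, pin = "go"+floor, "go"+pin
	if !version.IsValid(floor) || !version.IsValid(pin) {
		return false, fmt.Errorf("invalid Go version: floor=%q pin=%q", floor, pin)
	}
	return version.Compare(pin, floor) >= 0, nil
}

func main() {
	ok, err := CheckToolchainPin(sampleGoMod, sampleToolVersions)
	fmt.Println("toolchain pin satisfies go.mod floor:", ok, err)
}
```

The same check can be pointed at a build matrix entry such as '1.23' or '1.24' to confirm every tested toolchain also sits at or above the floor.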

@bluet bluet merged commit 60e36c7 into main May 9, 2026
21 of 23 checks passed
@renovate renovate Bot deleted the renovate/golang-1.x branch May 9, 2026 14:07
