
fix(deps): update golang:1.26.2-bookworm docker digest to 47ce563 #56

Open
renovate[bot] wants to merge 1 commit into main from renovate/go


@renovate renovate Bot commented Apr 22, 2026

This PR contains the following updates:

Package  Type   Update  Change
golang   final  digest  4f4ab2c -> 47ce563

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions Bot commented Apr 22, 2026

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

This PR updates the golang:1.26.2-bookworm Docker image digest from sha256:4f4ab2c... to sha256:47ce563.... This is not a Go version upgrade — the Go runtime version remains at 1.26.2.

What Changed:

  • Docker image digest update for the builder stage in the Dockerfile (line 78)
  • Represents a rebuild of the same golang:1.26.2-bookworm image, likely incorporating updated Debian Bookworm base layers or security patches to the underlying OS packages

Go 1.26.2 Context (Released April 7, 2026):

The Go 1.26.2 release included 10 security fixes affecting:

  1. CVE-2026-33810 (Compiler): Fixed incorrect pointer unwrapping in no-op interface conversions
  2. CVE-2026-27144 (Compiler): Fixed incorrect bounds checking for slices/arrays with induction variables
  3. CVE-2026-32282 (html/template): Fixed XSS vulnerability in JS template literals
  4. CVE-2026-33810 (crypto/x509): Fixed DNS constraint validation for wildcard SANs
  5. CVE-2026-27143 (archive/tar): Fixed unbounded memory allocation with malicious archives
  6. CVE-2026-32288 (crypto/tls): Fixed connection deadlock from multiple key update messages
  7. Additional security fixes in go command and os package

Note: The codebase already uses Go 1.26.2 (verified in go.mod:3 and mise.toml:2), so these security fixes are already incorporated. This digest update likely reflects a Docker image rebuild with updated base OS packages.

🎯 Impact Scope Investigation

✅ No Breaking Changes: This is a digest-only update for the same Go version (1.26.2).

Codebase Analysis:

  • Direct package usage: The codebase does NOT directly import any of the security-affected packages (archive/tar, crypto/tls, crypto/x509, html/template)
  • Build configuration:
    • go.mod specifies go 1.26.2 (line 3) ✅
    • mise.toml specifies go = "1.26.2" (line 2) ✅
    • Dockerfile builder stage uses golang:1.26.2-bookworm
  • CI Status: All checks passing (Build ✅, Unit Test ✅, Lint ✅, hadolint ✅)
  • Docker multi-stage build: Only affects the builder stage used for compiling the sandbox and gocacheprog binaries

Impact:

  • Zero code changes required
  • Build process remains identical
  • No API breaking changes
  • No dependency conflicts
  • The base stage uses mise to install Go 1.26.2 separately and is unaffected by this builder image digest change

💡 Recommended Actions

Immediate Actions:

  1. Merge this PR — Safe to merge immediately
  2. Monitor CI/CD pipeline to confirm successful build with new digest
  3. No code modifications required

Why This Is Safe:

  • Digest updates are routine Docker image rebuilds for the same software version
  • Go 1.26.2 is already in use across the project (go.mod, mise.toml, and Dockerfile ARG)
  • All CI checks are passing
  • No breaking changes or API modifications
  • The change only affects the builder container used during compilation
  • Renovate's stability-days check is pending, which is conservative but not a blocker for digest-only updates

Optional Follow-ups:

  • Update CLAUDE.md line 12 from Go: 1.26.0 to Go: 1.26.2 to reflect current version (documentation drift)

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
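
The review above rests on the change being digest-only for an unchanged tag. The following added example (not code from this repository or from the review tool) shows one way to check that mechanically from the old and new FROM lines; the function names, result labels and the sample digests are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// imageRef holds the parts of a FROM reference: name[:tag][@digest].
type imageRef struct{ Name, Tag, Digest string }
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`) // full pin, not a shortened digest

// parseFrom extracts the image reference from a Dockerfile FROM line.
// It returns an empty Name when the line is not a FROM instruction.
func parseFrom(line string) imageRef {
	f := strings.Fields(line)
	if len(f) > 2 && strings.HasPrefix(f[1], "--platform=") {
		f = append(f[:1], f[2:]...) // drop the optional platform flag
	}
	if len(f) < 2 || !strings.EqualFold(f[0], "FROM") {
		return imageRef{}
	}
	name, digest, _ := strings.Cut(f[1], "@")
	tag := ""
	if i := strings.LastIndex(name, ":"); i > strings.LastIndex(name, "/") { // a ':' before the last '/' is a registry port
		name, tag = name[:i], name[i+1:]
	}
	return imageRef{name, tag, digest}
}

// classify compares the old and new FROM lines of a Dockerfile change.
func classify(oldLine, newLine string) string {
	o, n := parseFrom(oldLine), parseFrom(newLine)
	switch {
	case o.Name == "" || n.Name == "":
		return "not-a-FROM-line"
	case !digestRe.MatchString(n.Digest):
		return "unpinned" // new reference lacks a valid sha256 digest
	case o.Name != n.Name || o.Tag != n.Tag:
		return "tag-or-image-change" // needs a version review
	case o.Digest != n.Digest:
		return "digest-only" // same name and tag, different content
	}
	return "no-change"
}

func main() {
	a, b := strings.Repeat("a", 64), strings.Repeat("b", 64) // constructed placeholder digests
	fmt.Println(classify("FROM golang:1.26.2-bookworm@sha256:"+a, "FROM golang:1.26.2-bookworm@sha256:"+b))
}
```

A "digest-only" result confirms only that the tag string is unchanged; what differs between the two image builds still has to be established by inspecting the images themselves.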

@renovate renovate Bot changed the title from "fix(deps): update golang:1.26.2-bookworm docker digest to 982a758" to "fix(deps): update golang:1.26.2-bookworm docker digest to 47ce563" on Apr 23, 2026