chore(deps): update dependency go to v1.26.2

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Pending
go		minor	1.25.5 → 1.26.2	1.26.3
go (source)	toolchain	minor	1.25.5 → 1.26.2	1.26.3

---

Release Notes

golang/go (go)

v1.26.2

Compare Source

v1.26.1

Compare Source

v1.26.0

Compare Source

v1.25.10

Compare Source

v1.25.9

Compare Source

v1.25.8

Compare Source

v1.25.7

Compare Source

v1.25.6

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Go 1.26.0 (Major Release - February 2026)

• Language Changes:
  • Enhanced new() function accepting expressions for initial values
  • Self-referential generic types support
• Runtime Improvements:
  • Green Tea GC enabled by default (10-40% reduction in GC overhead)
  • ~30% reduction in cgo call overhead
  • Heap base address randomization on 64-bit platforms (security enhancement)
• Standard Library:
  • New packages: crypto/hpke, simd/archsimd (experimental), runtime/secret (experimental)
  • Post-quantum TLS support enabled by default
  • image/jpeg encoder/decoder improvements (may change outputs)
  • net/url rejects URLs with colons in host (breaking change)
• Tooling:
  • go fix revamped with modernizers
  • cmd/doc removed (use go doc instead)
  • Pprof web UI defaults to flame graph view

Go 1.26.1 (Security Release - March 2026)

• Security Fixes (CVEs):
  • CVE-2026-27138, CVE-2026-27137, CVE-2026-27142, CVE-2026-25679
  • crypto/x509, html/template, net/url, os package vulnerabilities
  • os package: FileInfo escape from Root sandbox
• Bug Fixes: Compiler, go command, go fix, reflect package

Go 1.26.2 (Security Release - April 2026)

• Security Fixes (10 CVEs):
  • CVE-2026-32283, CVE-2026-32282, CVE-2026-27144, CVE-2026-27140, CVE-2026-27143
  • CVE-2026-33810, CVE-2026-32289, CVE-2026-32288
  • CVE-2026-32280: crypto/x509 excessive chain-building work
  • CVE-2026-32281: Quadratic work in policy validation
  • go command, compiler, archive/tar, crypto/tls, crypto/x509, html/template, os
• Bug Fixes: Compiler, linker, runtime, net, net/http, net/url packages

🎯 Impact Scope Investigation

Codebase Analysis:

• Package Usage: The project uses image/jpeg (imported in internal/gat/gat.go:10) and net/http (line 13)
• Go Version: Currently requires go 1.25.0 (go.mod:3), toolchain will update to go1.26.2
• Build Tools: Uses mise.toml for Go version management (updates from 1.25.5 to 1.26.2)

Testing Results:

• ✅ All tests pass: go test ./... completed successfully
• ✅ Build succeeds: go build completed without errors
• ✅ Binary runs correctly: Generated binary executes and reports version

Dependency Impact:

• All 36 dependencies compatible with Go 1.26.2
• No deprecated APIs used in the codebase
• Key dependencies verified:
  • github.com/alecthomas/chroma/v2 v2.21.1 ✅
  • github.com/charmbracelet/glamour v0.10.0 ✅
  • github.com/spf13/cobra v1.10.2 ✅
  • golang.org/x/image v0.38.0 ✅
  • golang.org/x/term v0.38.0 ✅

Potential Behavioral Changes:

1. image/jpeg decoder/encoder: Internal/gat/gat.go:10 imports image/jpeg. Go 1.26 includes a new faster encoder/decoder that may produce slightly different outputs. This affects the printImage() function (gat.go:229-263) which decodes images for Sixel terminal display. Impact is minimal as the function focuses on display, not exact byte reproduction.

2. net/http.DetectContentType(): Used in gat.go:126 for MIME type detection. No breaking changes affect this usage.

3. No crypto/TLS usage: Project doesn't use crypto/x509, crypto/tls, or other crypto packages affected by breaking changes.

4. No net/url.Parse() issues: No URL parsing code found that would be affected by the colon-in-host rejection.

💡 Recommended Actions

Immediate Actions:

1. ✅ Merge this PR - The update is safe and brings important security fixes
2. ✅ No code changes required - All tests pass and build succeeds with Go 1.26.2

Post-Merge Verification:

1. Monitor CI/CD pipelines to ensure all automated tests continue passing
2. If image output quality concerns arise, verify Sixel rendering with the new image/jpeg decoder (unlikely to cause issues)

Why This Is Safe:

• Backward compatibility maintained for this codebase's Go usage patterns
• No use of deprecated APIs or breaking change features
• All tests pass without modification
• 14 security CVEs fixed (4 in 1.26.1, 10 in 1.26.2)
• Performance improvements (10-40% GC overhead reduction, 30% cgo speedup)
• The project uses mise.toml which will automatically use the correct Go version

🔗 Reference Links

• Go 1.26 Release Notes
• Go 1.26.1 Milestone
• Go 1.26.2 Milestone
• Go Release History
• PR #255

Generated by koki-develop/claude-renovate-review