chore(deps): update dependency go to v1.26.3

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
go		minor	1.25.5 → 1.26.3
go (source)	toolchain	minor	1.25.5 → 1.26.3

---

Release Notes

golang/go (go)

v1.26.3

Compare Source

v1.26.2

Compare Source

v1.26.1

Compare Source

v1.26.0

Compare Source

v1.25.10

Compare Source

v1.25.9

Compare Source

v1.25.8

Compare Source

v1.25.7

Compare Source

v1.25.6

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Major Changes in Go 1.25.5 → 1.26.3:

1. Language Enhancements (Backward Compatible)

   • Enhanced new() built-in to accept expressions for initialization
   • Self-referential generic types support (e.g., type Adder[A Adder[A]])

2. Runtime & Performance Improvements

   • Green Tea garbage collector now enabled by default (10-40% GC overhead reduction)
   • ~30% faster cgo calls
   • Heap base address randomization for improved security
   • Compiler stack allocation optimization for slices

3. Standard Library Changes

   • JPEG encoder/decoder replacement: New faster, more accurate implementation
     • Impact: Code expecting specific bit-for-bit JPEG output may need updates
     • For gat: Only used for image decoding (read-only), no bit-exact comparison needed ✅
   • Post-quantum cryptography enabled by default in TLS
   • New crypto/hpke package for Hybrid Public Key Encryption

4. Breaking Changes (None Affecting This Project)

   • Removed cmd/doc tool (replaced by go doc - not used in gat)
   • Removed 32-bit Windows ARM port (not targeted by gat)
   • URL parsing strictness for malformed URLs with colons (not used in gat)
   • Crypto functions ignore random parameter (not used in gat)
   • Removed obsolete go fix fixers (not critical for existing code)

5. Tooling & Module Changes

   • go mod init now defaults to lower Go version (go 1.25.0) for better compatibility
   • Revamped go fix command with modern modernizers

Security Fixes:

• No specific CVE patches mentioned in release notes for 1.26.1, 1.26.2, or 1.26.3
• General security improvements through heap randomization and post-quantum crypto

Deprecated Features (Future Warnings):

• Several GODEBUG settings scheduled for removal in Go 1.27 (not used in this codebase)
• PKCS Configure Renovate #1 v1.5 encryption functions deprecated (not used in this codebase)

🎯 Impact Scope Investigation

Codebase Analysis:

1. Direct Go Version Usage

   • go.mod: Declares go 1.25.0 (minimum version)
   • mise.toml: Updated toolchain from 1.25.5 → 1.26.3
   • No version-specific build constraints or conditional compilation found

2. Affected Package Usage

   • image/jpeg: Used only for decoding (read-only) at internal/gat/gat.go:232
     • Purpose: Decode image files for terminal display
     • Impact: JPEG decoder changes are backward compatible for decoding
     • No bit-exact output comparison needed (only visual rendering)
   • No usage of deprecated crypto functions (crypto/dsa, crypto/ecdsa, crypto/rsa)
   • No usage of net/url.Parse() with potentially malformed URLs
   • No GODEBUG environment variable dependencies

3. Build & Test Results

   • ✅ All tests pass: go test ./... completed successfully
   • ✅ Build succeeds: go build -o gat completed without errors
   • ✅ Binary runs correctly: ./gat --version produces expected output
   • ✅ Module dependencies verified: go mod verify confirms integrity

4. Dependency Compatibility

   • All major dependencies compatible with Go 1.26:
     • github.com/alecthomas/chroma/v2 v2.21.1 ✅
     • github.com/charmbracelet/glamour v0.10.0 ✅
     • github.com/spf13/cobra v1.10.2 ✅
     • github.com/mattn/go-sixel v0.0.8 ✅
     • github.com/tdewolff/minify/v2 v2.24.12 ✅
   • No transitive dependency conflicts detected

5. CI/CD Compatibility

   • Uses jdx/mise-action for Go installation (automatically uses mise.toml version)
   • No hardcoded Go version constraints in workflows
   • GoReleaser configuration is version-agnostic (uses CGO_ENABLED=0 for static builds)

💡 Recommended Actions

Immediate Actions:

1. ✅ Merge this PR - The update is safe and brings performance improvements
2. ✅ No code changes required - All features are backward compatible
3. ✅ No migration work needed - Tests and builds pass without modification

Post-Merge Verification:

1. Monitor CI/CD pipelines to confirm all workflows complete successfully
2. Verify GoReleaser builds succeed for all target platforms (linux, windows, darwin)
3. Test binary functionality across different platforms if possible

Future Considerations:

1. Go 1.27 Preparation: Several GODEBUG settings will be removed in Go 1.27
   • Not applicable to this codebase (no GODEBUG usage detected)
2. macOS Support: Go 1.26 is the last release supporting macOS 12 Monterey
   • Go 1.27+ will require macOS 13 Ventura or later
   • Consider this for user base with older macOS versions

Benefits of This Update:

• 10-40% reduction in garbage collection overhead
• ~30% faster cgo calls
• Enhanced security through heap randomization
• Access to new language features and standard library improvements
• Faster JPEG decoding performance
• Better compiler optimizations

🔗 Reference Links

• Go 1.26 Release Notes
• Go 1.26 Detailed Documentation
• GitHub PR #255
• Go Downloads

Generated by koki-develop/claude-renovate-review

---

🚫 Permission Denied Tool Executions

The following tool executions that Claude Code attempted were blocked due to insufficient permissions.
Consider adding them to allowed_tools if needed.

Run #26320997187 - 2 tools denied

Tool	Input
WebSearch	{"query":"Go 1.26.3 1.26.2 1.26.1 security fixes CVE 2026"}
WebSearch	{"query":"Go 1.26 breaking changes backward compatibility"}

Generated by koki-develop/claude-denied-tools