
fix(vuln): bump go directive to 1.26.4 to clear stdlib CVEs #6

Merged
kanywst merged 1 commit into main from fix/bump-go-1.26.4 on Jun 8, 2026

Conversation

@kanywst kanywst commented Jun 8, 2026

Member

The vuln job was failing on both dependabot PRs (#4, #5) and on main due to stdlib vulnerabilities in the go 1.26.3 toolchain pinned by go.mod:

  • GO-2026-5039 (net/textproto)
  • GO-2026-5037 (crypto/x509)

Both are fixed in go1.26.4. Because CI uses go-version-file: go.mod with GOTOOLCHAIN: local, bumping the go directive to 1.26.4 makes every job pull the patched toolchain.

Verified locally: govulncheck ./... prints "No vulnerabilities found."
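A CI-style gate for the mechanism described above (under GOTOOLCHAIN: local the go directive in go.mod is the toolchain the jobs actually run), added here as an example and not code from the PR or the repository; the go.mod text and the minimum version are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the PR: a CI gate that reads the `go`
# directive from go.mod and fails when it is below the patched release.
# With GOTOOLCHAIN=local the directive is the toolchain CI actually runs.
# The minimum version and the go.mod below are constructed for this example.

# Constructed go.mod text mirroring the pre-fix state described in the PR.
SAMPLE_GOMOD='module example.com/demo

go 1.26.3

require golang.org/x/mod v0.20.0
'

# Print the version from the first `go` directive in the go.mod text given as $1.
go_directive() {
    printf '%s\n' "$1" | awk '$1 == "go" { print $2; exit }'
}

# Return 0 when dotted version $1 >= $2, comparing each field numerically.
# A plain string compare would call 1.26.10 older than 1.26.4.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Gate: return 0 when the go.mod text ($1) meets the minimum version ($2).
check_go_directive() {
    have=$(go_directive "$1")
    if version_ge "$have" "$2"; then
        echo "ok: go directive ${have:-<missing>} >= $2"
        return 0
    fi
    echo "fail: go directive ${have:-<missing>} is below patched $2" >&2
    return 1
}
```

A missing go directive yields an empty version, which the gate treats as below any minimum.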

coderabbitai Bot commented Jun 8, 2026

Walkthrough

The PR updates the Go toolchain version directive in go.mod from 1.26.3 to 1.26.4. No module dependencies or requirements are changed.

Changes

Go Toolchain Update
  • go.mod (Go version bump): Go directive updated from version 1.26.3 to 1.26.4.

Estimated code review effort

1 (Trivial), ~1 minute

Poem

🐰 Go forth and bounce along,
Version 1.26.4 is here and strong,
A tiny hop from three to four,
The toolchain ready to explore!

Pre-merge checks: 5 passed
  • Title check: Passed. The title accurately describes the main change: bumping the Go directive from 1.26.3 to 1.26.4 to fix stdlib CVEs, which is the sole purpose of this PR.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Description Check: Passed. Check skipped: CodeRabbit's high-level summary is enabled.


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates the Go version in the go.mod file from 1.26.3 to 1.26.4. There are no review comments, and I have no additional feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@kanywst kanywst merged commit 0f55ca6 into main Jun 8, 2026
6 checks passed
@kanywst kanywst deleted the fix/bump-go-1.26.4 branch June 8, 2026 13:58