From 5a9843bda1aed7d0131d35cd9b19b8edb948c57c Mon Sep 17 00:00:00 2001 From: omarrelativity <135995941+omarrelativity@users.noreply.github.com> Date: Mon, 11 May 2026 09:46:34 -0500 Subject: [PATCH] chore(deps): update golang from 1.26.2 to 1.26.3 Resolves the following stdlib vulnerabilities (all published 2026-05-07, present in Go stdlib v1.26.2, fixed in 1.26.3): - CVE-2026-33811 - CVE-2026-33814 - CVE-2026-39820 - CVE-2026-39836 - CVE-2026-42499 The published v1.3.31-rel image embeds go1.26.2 in its BuildInfo, which is being flagged by Aqua/Trivy in downstream consumers (notably relativityone/reporting-data-flows). Bumping the toolchain so the next tagged release ships a binary built against the patched 1.26.3 stdlib. Go version upgrade: * Updated the Go version from 1.26.2 to 1.26.3 in the Dockerfile. * Updated the Go version in the go.mod file to 1.26.3. CI/CD workflow updates: * Updated the Go version to 1.26.3 in the relativity-ci.yml workflow. * Updated the Go version to 1.26.3 in the release.yaml workflow. Co-authored-by: Cursor --- .github/workflows/relativity-ci.yml | 2 +- .github/workflows/release.yaml | 2 +- Dockerfile | 2 +- go.mod | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/relativity-ci.yml b/.github/workflows/relativity-ci.yml
index 1cc7f61..c7959fc 100644
--- a/.github/workflows/relativity-ci.yml
+++ b/.github/workflows/relativity-ci.yml
@@ -28,7 +28,7 @@ jobs:
 - name: Set up Go
 uses: actions/setup-go@v4
 with:
- go-version: '1.26.2'
+ go-version: '1.26.3'
 - name: Azure Login
 uses: Azure/login@v2
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 1feaac7..4d0c2a1 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -17,7 +17,7 @@ jobs:
 - name: Set up Go
 uses: actions/setup-go@v4
 with:
- go-version: '1.26.2'
+ go-version: '1.26.3'
 # On tag, get tag version without v (e.g. v1.0.0 -> 1.0.0, v1.1.1-beta -> 1.1.1-beta)
 - name: Get tag version
 id: get_version
diff --git a/Dockerfile b/Dockerfile
index 3416f0f..8b803ee 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.26.2-bookworm AS dev
+FROM golang:1.26.3-bookworm AS dev
 FROM dev AS build
 ARG VERSION="local"
diff --git a/go.mod b/go.mod
index 2a0a572..b6f0871 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/redboxllc/scuttle
-go 1.26.2
+go 1.26.3
 require (
 github.com/cenk/backoff v2.1.1+incompatible