fix(deps): bump go directive to 1.26.4 for stdlib vulns

[kanywst]

Why

The govulncheck CI job is failing on main (and therefore on every open PR, e.g. #70 / #71). The failures are unrelated to those dependency bumps — Go 1.26.3's standard library is affected by three vulnerabilities, all fixed in 1.26.4:

ID	Package	Fixed in
GO-2026-5037	crypto/x509	go1.26.4
GO-2026-5038	mime	go1.26.4
GO-2026-5039	net/textproto	go1.26.4

CI resolves its toolchain from go.mod via go-version-file, so bumping the go directive to 1.26.4 pulls in the patched stdlib and clears the job.

Verification

• go vet ./... — clean
• govulncheck ./... — Your code is affected by 0 vulnerabilities.

Open dependabot PRs (#70, #71) should go green once rebased on this.

Summary by CodeRabbit

• Chores
  • Updated minimum Go version requirement to 1.26.4.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e7f2b561-191e-4c78-b243-159466b3b921

📥 Commits

Reviewing files that changed from the base of the PR and between 16192cd and 7e2d784.

📒 Files selected for processing (1)

• go.mod

---

📝 Walkthrough

Walkthrough

The Go module version requirement is bumped from 1.26.3 to 1.26.4 in go.mod. No other module requirements or dependencies were modified.

Changes

Go Version Update

Layer / File(s)	Summary
Go version upgrade to 1.26.4 go.mod	The go version directive is updated from 1.26.3 to 1.26.4.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~1 minute

Poem

🐰 A hop, a skip, a version so bright,
From point-three to point-four, all feels right,
Go marches forward, steady and true,
Our module takes wings on the Go that is new! 🚀

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: bumping the Go directive to 1.26.4 to address standard library vulnerabilities.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/go-1.26.4-stdlib-vulns

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates the Go version in the go.mod file from 1.26.3 to 1.26.4. There are no review comments, and I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.