A small security-driven patch. The Go toolchain moves to 1.26.5 to pick up two
stdlib vulnerability fixes that are reachable from Bindery code paths, and the
Grimmory connection test now says what it actually received when a server (or a
reverse proxy in front of it) answers with something other than JSON.
Security
- Go toolchain bumped to 1.26.5 (#1492) — rebuilds all binaries and images
against a stdlib carrying the fixes for GO-2026-4970 (crypto/tls) and
GO-2026-5856 (os.Root), both confirmed reachable in Bindery by
govulncheck. v1.24.2 binaries were built with the affected stdlib; no
Bindery code changes were needed. Workflowgo-versionpins and the main
Dockerfiledigest move together so CI and the published image agree on the
toolchain.
Fixed
- Grimmory connection errors now name the content type (#1493) — adding a
Grimmory connection whose URL answers 2xx with a non-JSON body (typically a
reverse proxy or SPA fallback serving an HTML page on the API path) failed
with the bare JSON decoder errorinvalid character '<' looking for beginning of value. The client now reports the HTTP status andContent-Typeit got
back and points at the URL as the likely culprit, so misrouted proxies are
diagnosable from the Settings screen. Refs #1485.