From e6169b7b3a1fa81b6e40527f4bbfd8f93e3a0a94 Mon Sep 17 00:00:00 2001
From: Phillip Cloud <417981+cpcloud@users.noreply.github.com>
Date: Thu, 21 May 2026 07:46:19 -0400
Subject: [PATCH 1/2] ci(lint): pin golangci-lint to v2.11.4
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The `golangci-lint-action` resolves the latest golangci-lint at runtime
when no `version` is set, so 2.12.x slipped in via the action's
release-tracking lookup. 2.12.x strengthens `goconst` defaults and trips
on dozens of pre-existing duplicated strings across test files and seed
data, breaking lint on every open PR (e.g. #998) while main passes only
because it hasn't been re-built since 2026-04-27.

Pin to v2.11.4 — the version main's last green run used — to restore CI.
Bumping the linter and fixing the new findings is a separate change.
---
 .github/workflows/lint.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index c5170192..8250d0b5 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -132,6 +132,8 @@ jobs:
 
       - name: Run golangci-lint
         uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
+        with:
+          version: v2.11.4
 
   pre-commit:
     name: Pre-commit

From 790d68dc1aca80e2357771e53231ff7b048aa8d2 Mon Sep 17 00:00:00 2001
From: Phillip Cloud <417981+cpcloud@users.noreply.github.com>
Date: Thu, 21 May 2026 08:04:29 -0400
Subject: [PATCH 2/2] chore(deps): bump scoped Go override to 1.26.3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

govulncheck reports six new stdlib advisories that landed in the Go
vulnerability database on 2026-05-07 and are fixed in 1.26.3:

  GO-2026-4918  net/http HTTP/2 SETTINGS frame infinite loop (CVE-2026-33814)
  GO-2026-4971  net Dial/LookupPort NUL panic on Windows (CVE-2026-39836)
  GO-2026-4977  net/mail consumePhrase DoS (CVE-2026-42499)
  GO-2026-4980  html/template empty <script type=> escape bug (CVE-2026-39826)
  GO-2026-4982  html/template <meta> URL escape gap (CVE-2026-39823)
  GO-2026-4986  net/mail parsing CPU/memory exhaustion (CVE-2026-39820)

Same pattern as the prior 1.26.1 → 1.26.2 bump: scoped override only,
so the VHS → Chromium closure does not rebuild from source.

Verified locally with `nix run '.#govulncheck'` (exits 0) and
`nix build '.#micasa'` (succeeds).
---
 nix/overlay.nix | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/nix/overlay.nix b/nix/overlay.nix
index 1c29e439..62325b74 100644
--- a/nix/overlay.nix
+++ b/nix/overlay.nix
@@ -8,23 +8,24 @@
 
 _final: prev:
 let
-  # Scoped Go 1.26.2 override for micasa and its dev tools only.
+  # Scoped Go 1.26.3 override for micasa and its dev tools only.
   # NOT exported as go/go_1_26/buildGoModule — doing so rebuilds the
   # entire transitive closure from source (VHS → Chromium → PipeWire →
   # ffmpeg/gstreamer) because every Go derivation's input hash changes.
   #
-  # 1.26.2 fixes five stdlib vulnerabilities flagged by govulncheck:
-  #   GO-2026-4865 (html/template JsBraceDepth XSS)
-  #   GO-2026-4866 (crypto/x509 excludedSubtrees auth bypass)
-  #   GO-2026-4870 (crypto/tls KeyUpdate DoS)
-  #   GO-2026-4946 (crypto/x509 inefficient policy validation)
-  #   GO-2026-4947 (crypto/x509 unexpected work during chain building)
-  # Drop this override once nixpkgs picks up Go 1.26.2.
+  # 1.26.3 fixes six stdlib vulnerabilities flagged by govulncheck:
+  #   GO-2026-4918 (net/http HTTP/2 SETTINGS frame infinite loop)
+  #   GO-2026-4971 (net Dial/LookupPort panic on NUL input on Windows)
+  #   GO-2026-4977 (net/mail consumePhrase DoS)
+  #   GO-2026-4980 (html/template empty <script type=> escape bug)
+  #   GO-2026-4982 (html/template <meta> URL escape gap)
+  #   GO-2026-4986 (net/mail parsing CPU/memory exhaustion)
+  # Drop this override once nixpkgs picks up Go 1.26.3.
   patchedGo = prev.go_1_26.overrideAttrs (_: rec {
-    version = "1.26.2";
+    version = "1.26.3";
     src = prev.fetchurl {
       url = "https://go.dev/dl/go${version}.src.tar.gz";
-      hash = "sha256-LpHrtpR6lulDb7KzkmqIAu/mOm03Xf/sT4Kqnb1v1Ds=";
+      hash = "sha256-HGRoddCqh5kTMYTtV895/yS97+jIggRwYCqdPW2Rkrg=";
     };
   });
 in