ci: restore green CI after upstream linter and vuln-DB drift

.github/workflows/lint.yml

@@ -132,6 +132,8 @@ jobs:
 
       - name: Run golangci-lint
         uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
+        with:
+          version: v2.11.4
 
   pre-commit:
     name: Pre-commit

nix/overlay.nix

@@ -8,23 +8,24 @@
 
 _final: prev:
 let
-  # Scoped Go 1.26.2 override for micasa and its dev tools only.
+  # Scoped Go 1.26.3 override for micasa and its dev tools only.
   # NOT exported as go/go_1_26/buildGoModule — doing so rebuilds the
   # entire transitive closure from source (VHS → Chromium → PipeWire →
   # ffmpeg/gstreamer) because every Go derivation's input hash changes.
   #
-  # 1.26.2 fixes five stdlib vulnerabilities flagged by govulncheck:
-  #   GO-2026-4865 (html/template JsBraceDepth XSS)
-  #   GO-2026-4866 (crypto/x509 excludedSubtrees auth bypass)
-  #   GO-2026-4870 (crypto/tls KeyUpdate DoS)
-  #   GO-2026-4946 (crypto/x509 inefficient policy validation)
-  #   GO-2026-4947 (crypto/x509 unexpected work during chain building)
-  # Drop this override once nixpkgs picks up Go 1.26.2.
+  # 1.26.3 fixes six stdlib vulnerabilities flagged by govulncheck:
+  #   GO-2026-4918 (net/http HTTP/2 SETTINGS frame infinite loop)
+  #   GO-2026-4971 (net Dial/LookupPort panic on NUL input on Windows)
+  #   GO-2026-4977 (net/mail consumePhrase DoS)
+  #   GO-2026-4980 (html/template empty <script type=> escape bug)
+  #   GO-2026-4982 (html/template <meta> URL escape gap)
+  #   GO-2026-4986 (net/mail parsing CPU/memory exhaustion)
+  # Drop this override once nixpkgs picks up Go 1.26.3.
   patchedGo = prev.go_1_26.overrideAttrs (_: rec {
-    version = "1.26.2";
+    version = "1.26.3";
     src = prev.fetchurl {
       url = "https://go.dev/dl/go${version}.src.tar.gz";
-      hash = "sha256-LpHrtpR6lulDb7KzkmqIAu/mOm03Xf/sT4Kqnb1v1Ds=";
+      hash = "sha256-HGRoddCqh5kTMYTtV895/yS97+jIggRwYCqdPW2Rkrg=";
     };
   });
 in