fix: update Go version from 1.26.1 to 1.26.2 in Dockerfile and documentation for security improvements

Dockerfile

@@ -160,7 +160,7 @@ RUN set -eux; \
 # Note: xx-go install puts binaries in /go/bin/TARGETOS_TARGETARCH/dlv if cross-compiling.
 # We find it and move it to /go/bin/dlv so it's in a consistent location for the next stage.
 # renovate: datasource=go depName=github.com/go-delve/delve
-ARG DLV_VERSION=1.26.1
+ARG DLV_VERSION=1.26.2
 # hadolint ignore=DL3059,DL4006
 RUN CGO_ENABLED=0 xx-go install github.com/go-delve/delve/cmd/dlv@v${DLV_VERSION} && \
     DLV_PATH=$(find /go/bin -name dlv -type f | head -n 1) && \
@@ -345,7 +345,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
         rm -rf /tmp/buildenv_* /tmp/caddy-initial'
 
 # ---- CrowdSec Builder ----
-# Build CrowdSec from source to ensure we use Go 1.26.1+ and avoid stdlib vulnerabilities
+# Build CrowdSec from source to ensure we use Go 1.26.2+ and avoid stdlib vulnerabilities
 # (CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-61729)
 FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS crowdsec-builder
 COPY --from=xx / /
@@ -516,7 +516,7 @@ COPY --from=caddy-builder /usr/bin/caddy /usr/bin/caddy
 # Allow non-root to bind privileged ports (80/443) securely
 RUN setcap 'cap_net_bind_service=+ep' /usr/bin/caddy
 
-# Copy CrowdSec binaries from the crowdsec-builder stage (built with Go 1.26.1+)
+# Copy CrowdSec binaries from the crowdsec-builder stage (built with Go 1.26.2+)
 # This ensures we don't have stdlib vulnerabilities from older Go versions
 COPY --from=crowdsec-builder /crowdsec-out/crowdsec /usr/local/bin/crowdsec
 COPY --from=crowdsec-builder /crowdsec-out/cscli /usr/local/bin/cscli

docs/development/go_version_upgrades.md

@@ -251,13 +251,13 @@ Go releases **two major versions per year**:
 - February (e.g., Go 1.26.0)
 - August (e.g., Go 1.27.0)
 
-Plus occasional patch releases (e.g., Go 1.26.1) for security fixes.
+Plus occasional patch releases (e.g., Go 1.26.2) for security fixes.
 
 **Bottom line:** Expect to run `./scripts/rebuild-go-tools.sh` 2-3 times per year.
 
 ### Do I need to rebuild tools for patch releases?
 
-**Usually no**, but it doesn't hurt. Patch releases (like 1.26.0 → 1.26.1) rarely break tool compatibility.
+**Usually no**, but it doesn't hurt. Patch releases (like 1.26.0 → 1.26.2) rarely break tool compatibility.
 
 **Rebuild if:**
 

docs/plans/current_spec.md

@@ -252,7 +252,7 @@ No UI/UX changes — this is a dependency-only update. Existing E2E tests valida
 
 | Task | File(s) | Action |
 |------|---------|--------|
-| 4.1 | `.github/skills/examples/gorm-scanner-ci-workflow.yml` | Bump Go version 1.26.1 → 1.26.2 |
+| 4.1 | `.github/skills/examples/gorm-scanner-ci-workflow.yml` | Bump Go version 1.26.2 → 1.26.2 |
 
 ### Phase 5: Validation
 
@@ -339,7 +339,7 @@ The `pgproto3/v2` module has **no patched release** — the fix exists only in `
 | `backend/go.mod` | Dependency version bumps (grpc, otlptracehttp) |
 | `backend/go.sum` | Auto-generated checksum updates |
 | `Dockerfile` | Add `go get` patches in caddy-builder and crowdsec-builder stages |
-| `.github/skills/examples/gorm-scanner-ci-workflow.yml` | Go version 1.26.1 → 1.26.2 |
+| `.github/skills/examples/gorm-scanner-ci-workflow.yml` | Go version 1.26.2 → 1.26.2 |
 
 **Dependencies**: None (standalone)