## What
Bumps go-boring from 1.26.0-1 to 1.26.2-1 and CI builder image from \`3501-fc698419a625\` to \`3595-779e088c0ec4\`.
go1.26.2 (released 2026-04-07) includes security fixes to the \`go\` command, the compiler, and the \`archive/tar\`, \`crypto/tls\`, \`crypto/x509\`, \`html/template\`, and \`os\` packages, as well as bug fixes to the \`net\`, \`net/http\`, and \`net/url\` packages.
### Security fixes (relevant)
- **crypto/tls**: multiple CVEs — cloudflared uses TLS extensively for tunnel connections
- **crypto/x509**: CVE-2026-32280 (excessive chain-building in \`Verify\`), CVE-2026-32281 (quadratic work in policy validation)
### Net bug fixes (not applicable)
- **net/url #78111**: \`url.Parse\` regression for MongoDB-style multi-host URLs — not used in cloudflared
- **net/http #78019**: race condition on Windows when using \`os.File\` as HTTP request body — cloudflared does not pass \`os.File\` as a request body
- **net #77885**: \`ReadMsgUDP\`/\`WriteMsgUDP\` WSAEFAULT on Windows with empty non-nil oob — quic-go uses \`basicConn\` on Windows (\`ReadFrom\`, not \`ReadMsgUDP\`)
## Jira
[TUN-10507](https://jira.cfdata.org/browse/TUN-10507)
## Summary
This commit changes the USER instruction in our Dockerfiles from using
the string "nonroot" to its numeric ID "65532".
This change is necessary because Kubernetes does not support string-based
user IDs in security contexts, requiring numeric IDs instead. The nonroot
user maps to 65532 in distroless images.
Semgrep config / semgrep/ci (push) Has been cancelled
Check / check (1.22.x, ubuntu-latest) (push) Has been cancelled
Check / check (1.22.x, windows-latest) (push) Has been cancelled
Check / check (1.22.x, macos-latest) (push) Has been cancelled
## Summary
Update several moving parts of cloudflared build system:
* use goboring 1.24.2 in cfsetup
* update linter and fix lint issues
* update packages namely **quic-go and net**
* install script for macos
* update docker files to use go 1.24.1
* remove usage of cloudflare-go
* pin golang linter
Closes TUN-9016
Also update golang.org/x/net and google.golang.org/grpc to fix vulnerabilities,
although cloudflared is using them in a way that is not exposed to those risks
This change seeks to push an arm64 built image to dockerhub for arm users to run. This should spin cloudflared on arm machines without the warning
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
João "Pisco" Fernandes
Gonçalo Garcia
Luis Neto
João Oliveirinha
chungthuang
Devin Carr
Nigel Armstrong
Sudarsan Reddy