fix(security): bump grpc and CLI tool versions to resolve CVEs (#52)

EItanya · claude · web-flow · commit 9125aee571cb · 2026-03-19T09:05:56.000-04:00
Bump google.golang.org/grpc v1.78.0 -> v1.79.3 to fix CRITICAL CVE-2026-33186 (authorization bypass). Bump all bundled CLI tools to latest releases (kubectl 1.35.3, helm 4.1.3, istioctl 1.28.5, argo-rollouts 1.8.4, cilium 0.19.2) to reduce CVE surface area. Signed-off-by: Eitan Yarmush <eitan.yarmush@solo.io> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -47,7 +47,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '^1.25.6'
+          go-version: '^1.26.1'
           cache: false
 
       - name: Run cmd/main.go tests
@@ -64,7 +64,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '^1.25.5'
+          go-version: '^1.26.1'
           cache: false
 
       - name: Create k8s Kind Cluster
diff --git a/Makefile b/Makefile
@@ -136,11 +136,11 @@ DOCKER_BUILDER ?= docker buildx
 DOCKER_BUILD_ARGS ?= --pull --load --platform linux/$(LOCALARCH) --builder $(BUILDX_BUILDER_NAME)
 
 # tools image build args
-TOOLS_ISTIO_VERSION ?= 1.28.3
-TOOLS_ARGO_ROLLOUTS_VERSION ?= 1.8.3
-TOOLS_KUBECTL_VERSION ?= 1.35.1
-TOOLS_HELM_VERSION ?= 4.1.1
-TOOLS_CILIUM_VERSION ?= 0.19.0
+TOOLS_ISTIO_VERSION ?= 1.28.5
+TOOLS_ARGO_ROLLOUTS_VERSION ?= 1.8.4
+TOOLS_KUBECTL_VERSION ?= 1.35.3
+TOOLS_HELM_VERSION ?= 4.1.3
+TOOLS_CILIUM_VERSION ?= 0.19.2
 
 # build args
 TOOLS_IMAGE_BUILD_ARGS =  --build-arg VERSION=$(VERSION)
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/kagent-dev/tools
 
-go 1.25.6
+go 1.26.1
 
 require (
 	github.com/joho/godotenv v1.5.1
@@ -187,7 +187,7 @@ require (
 	golang.org/x/tools v0.42.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 // indirect
-	google.golang.org/grpc v1.78.0 // indirect
+	google.golang.org/grpc v1.79.3 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
diff --git a/go.sum b/go.sum
@@ -1254,8 +1254,8 @@ google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
-google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
+google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
+google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
