From 027bd57e09703cbabe5074752d6c204e9c0ed61f Mon Sep 17 00:00:00 2001
From: Eitan Yarmush
Date: Thu, 19 Mar 2026 12:02:43 +0000
Subject: [PATCH] fix(security): bump grpc and CLI tool versions to resolve CVEs

Bump google.golang.org/grpc v1.78.0 -> v1.79.3 to fix CRITICAL CVE-2026-33186 (authorization bypass). Bump all bundled CLI tools to latest releases (kubectl 1.35.3, helm 4.1.3, istioctl 1.28.5, argo-rollouts 1.8.4, cilium 0.19.2) to reduce CVE surface area.

Co-Authored-By: Claude Opus 4.6 (1M context)
Signed-off-by: Eitan Yarmush
---
 .github/workflows/ci.yaml | 4 ++--
 Makefile | 10 +++++-----
 go.mod | 4 ++--
 go.sum | 4 ++--
 4 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index dd105ca..819a56e 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -47,7 +47,7 @@ jobs:
 - name: Set up Go
 uses: actions/setup-go@v6
 with:
- go-version: '^1.25.6'
+ go-version: '^1.26.1'
 cache: false
 - name: Run cmd/main.go tests
@@ -64,7 +64,7 @@ jobs:
 - name: Set up Go
 uses: actions/setup-go@v6
 with:
- go-version: '^1.25.5'
+ go-version: '^1.26.1'
 cache: false
 - name: Create k8s Kind Cluster
diff --git a/Makefile b/Makefile
index 4b188f1..b77e1ee 100644
--- a/Makefile
+++ b/Makefile
@@ -136,11 +136,11 @@ DOCKER_BUILDER ?= docker buildx
 DOCKER_BUILD_ARGS ?= --pull --load --platform linux/$(LOCALARCH) --builder $(BUILDX_BUILDER_NAME)
 # tools image build args
-TOOLS_ISTIO_VERSION ?= 1.28.3
-TOOLS_ARGO_ROLLOUTS_VERSION ?= 1.8.3
-TOOLS_KUBECTL_VERSION ?= 1.35.1
-TOOLS_HELM_VERSION ?= 4.1.1
-TOOLS_CILIUM_VERSION ?= 0.19.0
+TOOLS_ISTIO_VERSION ?= 1.28.5
+TOOLS_ARGO_ROLLOUTS_VERSION ?= 1.8.4
+TOOLS_KUBECTL_VERSION ?= 1.35.3
+TOOLS_HELM_VERSION ?= 4.1.3
+TOOLS_CILIUM_VERSION ?= 0.19.2
 # build args
 TOOLS_IMAGE_BUILD_ARGS = --build-arg VERSION=$(VERSION)
diff --git a/go.mod b/go.mod
index e796d12..5f1e743 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/kagent-dev/tools
-go 1.25.6
+go 1.26.1
 require (
 github.com/joho/godotenv v1.5.1
@@ -187,7 +187,7 @@ require (
 golang.org/x/tools v0.42.0 // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 // indirect
- google.golang.org/grpc v1.78.0 // indirect
+ google.golang.org/grpc v1.79.3 // indirect
 google.golang.org/protobuf v1.36.11 // indirect
 gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
diff --git a/go.sum b/go.sum
index 2411c56..8e47384 100644
--- a/go.sum
+++ b/go.sum
@@ -1254,8 +1254,8 @@ google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
-google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
+google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
+google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=