Skip to content

fix(deps): patch HIGH security vulnerabilities in Go dependencies#44

Merged
EItanya merged 1 commit intokagent-dev:mainfrom
MatteoMori8:feature/patch-to-latest
Feb 12, 2026
Merged

fix(deps): patch HIGH security vulnerabilities in Go dependencies#44
EItanya merged 1 commit intokagent-dev:mainfrom
MatteoMori8:feature/patch-to-latest

Conversation

@MatteoMori8
Copy link
Contributor

@MatteoMori8 MatteoMori8 commented Feb 12, 2026

Summary

  • Upgrade all Go dependencies to latest versions to patch HIGH security vulnerabilities
  • Bump kubectl 1.35.0 → 1.35.1 and helm 4.1.0 → 4.1.1
  • Pin kubescape/storage to v0.0.239 for API compatibility

Known limitations

8 HIGH vulnerabilities remain in upstream pre-compiled binaries (istioctl v1.28.3,
kubectl-argo-rollouts v1.8.3) that are already at their latest releases. These will
be resolved when Istio and Argo Rollouts publish new versions with updated
golang.org/x/net and go.opentelemetry.io/otel/sdk.

Test plan

  • make test-only — all 15 packages pass
  • MCP server tested locally (read-only k8s, k8s read-write, all tools)
  • make docker-build succeeds
  • Docker container tested with all 3 scenarios
  • Security scan run against built image

@MatteoMori8 MatteoMori8 force-pushed the feature/patch-to-latest branch from 124265d to a97f113 Compare February 12, 2026 14:34
@MatteoMori8 @claude
fix(deps): patch HIGH security vulnerabilities in Go dependencies
7d98c76 
Upgrade all Go dependencies to latest versions and bump bundled CLI tools
(kubectl 1.35.1, helm 4.1.1) to address HIGH severity vulnerabilities
flagged by security scanning.

Pin kubescape/storage to v0.0.239 (latest compatible release) as v0.2.0
removed APIs we depend on.

8 remaining HIGHs cannot be addressed as they originate from upstream
pre-compiled binaries (istioctl 1.28.3, kubectl-argo-rollouts 1.8.3)
which are already at their latest releases:

  ✅ TOOLS_ARGO_ROLLOUTS_VERSION=1.8.3 == v1.8.3
  ✅ TOOLS_CILIUM_VERSION=0.19.0 == v0.19.0
  ✅ TOOLS_ISTIO_VERSION=1.28.3 == 1.28.3
  ❌ TOOLS_HELM_VERSION=4.1.0 != v4.1.1       (bumped)
  ❌ TOOLS_KUBECTL_VERSION=1.35.0 != v1.35.1   (bumped)

Signed-off-by: Matteo Mori <matteo.mori@rvu.co.uk>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@MatteoMori8 MatteoMori8 force-pushed the feature/patch-to-latest branch from a97f113 to 7d98c76 Compare February 12, 2026 14:54
@EItanya EItanya merged commit 1f26a89 into kagent-dev:main Feb 12, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@EItanya EItanya EItanya approved these changes

@dimetron dimetron Awaiting requested review from dimetron dimetron is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MatteoMori8 @EItanya