Argo
v3.1.13CI/CD & App DeliveryPatch release fixing a gRPC CVE and a UI bug in RollingSync. Low operational risk, but the security fix warrants prompt upgrade.
securityUpgrade now to mitigate CVE-2026-33186 in grpc-go
CVE-2026-33186 affects the grpc-go library used by Argo CD's internal and external gRPC communication. The fix is a mitigation backport to the 3.1 branch. Any Argo CD 3.1.x instance prior to 3.1.13 is exposed. Upgrade to 3.1.13 promptly — this should be treated as a priority patch, not a routine update. After upgrading, verify image signatures with cosign against the published provenance if your supply chain policy requires it.
securitylodash bumped to 4.17.23 — check if your own apps pin this version
The lodash bump in the UI bundle closes known issues in 4.17.21/4.17.22. If your team also pins lodash in application code or CI pipelines referencing Argo CD's frontend assets, audit those pinned versions independently. This change only covers the Argo CD UI bundle itself.
enhancementRollingSync UI fix helps diagnose misconfigured sync waves
If you use ApplicationSets with RollingSync and label-based step matching, the previous UI would silently hide steps that matched no labels — making it hard to spot misconfigured rollout waves. The fix surfaces these unmatched steps visibly. After upgrading, review any RollingSync-heavy ApplicationSets to confirm step labels are actually matching the intended clusters or apps.
主な変更 (4)
- Mitigated CVE-2026-33186 in grpc-go — affects all deployments using gRPC communication
- Fixed UI display issue where RollingSync steps with no matching labels were not shown clearly
- Bumped lodash from 4.17.21 to 4.17.23 to address known vulnerabilities in the dependency
- All container images remain cosign-signed with SLSA Level 3 provenance