@renovate renovate bot commented Aug 6, 2024

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change
helm.sh/helm/v3 v3.7.1 -> v3.18.5

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2022-36055

Fuzz testing, by Ada Logics and sponsored by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. Out of memory panics cannot be recovered from. Applications that use functions from the _strvals_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics.

Impact

The _strvals_ package contains a parser that turns strings into Go structures. For example, the Helm client has command line flags like --set, --set-string, and others that enable the user to pass in strings that are merged into the values. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic.

Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from.

The Helm Client will panic with input to --set, --set-string, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client.

Patches

This issue has been resolved in 3.9.4.

Workarounds

SDK users can validate strings supplied by users won't create large arrays causing significant memory usage before passing them to the _strvals_ functions.

For more information

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Ada Logics in a fuzzing audit sponsored by CNCF.

CVE-2022-23524

Fuzz testing, by Ada Logics and sponsored by the CNCF, identified input to functions in the strvals package that can cause a stack overflow. In Go, a stack overflow cannot be recovered from. Applications that use functions from the strvals package in the Helm SDK can have a Denial of Service attack when they use this package and it panics.

Impact

The strvals package contains a parser that turns strings into Go structures. For example, the Helm client has command line flags like --set, --set-string, and others that enable the user to pass in strings that are merged into the values. The strvals package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing a stack overflow.

Applications that use the strvals package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from.

The Helm Client will panic with input to --set, --set-string, and other value setting flags that causes a stack overflow. Helm is not a long running service so the panic will not affect future uses of the Helm client.

Patches

This issue has been resolved in 3.10.3.

Workarounds

SDK users can validate strings supplied by users won't create large arrays causing significant memory usage before passing them to the strvals functions.

For more information

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Ada Logics in a fuzzing audit sponsored by CNCF.

CVE-2023-25165

A Helm contributor discovered an information disclosure vulnerability using the getHostByName template function.

Impact

getHostByName is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with helm install|upgrade|template or when the Helm SDK is used to render a chart.

Information passed into the chart can be disclosed to the DNS servers used to look up the IP address. For example, a malicious chart could inject getHostByName into a chart in order to disclose values to a malicious DNS server.

Patches

The issue has been fixed in Helm 3.11.1.

Workarounds

Prior to using a chart with Helm, verify the getHostByName function is not being used in a template to disclose any information you do not want passed to DNS servers.

For more information

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Philipp Stehle at SAP.

CVE-2022-23525

Fuzz testing, by Ada Logics and sponsored by the CNCF, identified input to functions in the _repo_ package that can cause a segmentation violation. Applications that use functions from the _repo_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics.

Impact

The _repo_ package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The _repo_ package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be created causing a memory violation.

Applications that use the _repo_ package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from.

The Helm Client will panic with an index file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client.

Patches

This issue has been resolved in 3.10.3.

Workarounds

SDK users can validate index files that are correctly formatted before passing them to the _repo_ functions.

For more information

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Ada Logics in a fuzzing audit sponsored by CNCF.

CVE-2022-23526

Fuzz testing, by Ada Logics and sponsored by the CNCF, identified input to functions in the _chartutil_ package that can cause a segmentation violation. Applications that use functions from the _chartutil_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics.

Impact

The _chartutil_ package contains a parser that loads a JSON Schema validation file. For example, the Helm client when rendering a chart will validate its values with the schema file. The _chartutil_ package parses the schema file and loads it into structures Go can work with. Some schema files can cause array data structures to be created causing a memory violation.

Applications that use the _chartutil_ package in the Helm SDK to parse a schema file can suffer a Denial of Service when that input causes a panic that cannot be recovered from.

The Helm Client will panic with a schema file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client.

Patches

This issue has been resolved in 3.10.3.

Workarounds

SDK users can validate schema files that are correctly formatted before passing them to the _chartutil_ functions.

For more information

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Ada Logics in a fuzzing audit sponsored by CNCF.

CVE-2024-25620

A Helm contributor discovered a path traversal vulnerability when Helm saves a chart including at download time.

Impact

When either the Helm client or SDK is used to save a chart whose name within the Chart.yaml file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name.

Patches

This issue has been resolved in Helm v3.14.1.

Workarounds

Check all charts used by Helm for path changes in their name as found in the Chart.yaml file. This includes dependencies.

Credits

Disclosed by Dominykas Blyžė at Nearform Ltd.

CVE-2024-26147

A Helm contributor discovered an uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content.

Impact

When either an index.yaml file or a plugin's plugin.yaml file was missing all metadata, a panic would occur in Helm.

In the Helm SDK this is found when using the LoadIndexFile or DownloadIndexFile functions in the repo package or the LoadDir function in the plugin package. For the Helm client this impacts functions around adding a repository and all Helm functions if a malicious plugin is added as Helm inspects all known plugins on each invocation.

Patches

This issue has been resolved in Helm v3.14.2.

Workarounds

If a malicious plugin has been added which is causing all Helm client commands to panic, the malicious plugin can be manually removed from the filesystem.

If using Helm SDK versions prior to 3.14.2, calls to affected functions can use recover to catch the panic.

For more information

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Jakub Ciolek at AlphaSense.

CVE-2025-32386

A Helm contributor discovered that a specially crafted chart archive file can cause Helm to use all available memory and have an out of memory (OOM) termination.

Impact

A chart archive file can be crafted in a manner where it expands to be significantly larger uncompressed than compressed (e.g., >800x difference). When Helm loads this specially crafted chart, memory can be exhausted causing the application to terminate.

Patches

This issue has been resolved in Helm v3.17.3.

Workarounds

Ensure that any chart archive files being loaded by Helm do not contain files that are large enough to cause the Helm Client or SDK to use up available memory leading to a termination.

For more information

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Jakub Ciolek at AlphaSense.

CVE-2025-32387

A Helm contributor discovered that a specially crafted JSON Schema within a chart can lead to a stack overflow.

Impact

A JSON Schema file within a chart can be crafted with a deeply nested chain of references, leading to parser recursion that can exceed the stack size limit and trigger a stack overflow.

Patches

This issue has been resolved in Helm v3.17.3.

Workarounds

Ensure that the JSON Schema within any charts loaded by Helm does not have a large number of nested references. These JSON Schema files are larger than 10 MiB.

For more information

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Jakub Ciolek at AlphaSense.

CVE-2025-53547

A Helm contributor discovered that a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated.

Impact

Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking.

This affects when dependencies are updated. When using the helm command this happens when helm dependency update is run. helm dependency build can write a lock file when one does not exist but this vector requires one to already exist. This affects the Helm SDK when the downloader Manager performs an update.

Patches

This issue has been resolved in Helm v3.18.4.

Workarounds

Ensure the Chart.lock file in a chart is not a symlink prior to updating dependencies.

For more information

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Jakub Ciolek at AlphaSense.

CVE-2025-55199

A Helm contributor discovered that it was possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination.

Impact

A malicious chart can point $ref in values.schema.json to a device (e.g. /dev/*) or other problem file which could cause Helm to use all available memory and have an out of memory (OOM) termination.

Patches

This issue has been resolved in Helm v3.18.5.

Workarounds

Make sure that all Helm charts being loaded into Helm don't have any $ref pointing to /dev/zero.

References

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Jakub Ciolek at AlphaSense.

CVE-2025-55198

A Helm contributor discovered an improper validation of type error when parsing Chart.yaml and index.yaml files that can lead to a panic.

Impact

There are two areas of YAML validation that were impacted. First, when a Chart.yaml file had a null maintainer or the child or parent of a dependencies import-values could be parsed as something other than a string, helm lint would panic. Second, when an index.yaml had an empty entry in the list of chart versions Helm would panic on interactions with that repository.

Patches

This issue has been resolved in Helm v3.18.5.

Workarounds

Ensure YAML files are formatted as Helm expects prior to processing them with Helm.

References

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Jakub Ciolek at AlphaSense.


Release Notes

helm/helm (helm.sh/helm/v3)

v3.18.5: Helm v3.18.5


Helm v3.18.5 is a security release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages
Security Advisories
Installation and Upgrading

Download Helm v3.18.5. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next
  • 3.19.0 is the next minor release and will be on September 11, 2025
Changelog
  • fix Chart.yaml handling 7799b48 (Matt Farina)
  • Handle messy index files dd8502f (Matt Farina)
  • json schema fix cb8595b (Robert Sirchia)

v3.18.4: Helm v3.18.4


Helm v3.18.4 is a security release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages
Security Advisories
Installation and Upgrading

Download Helm v3.18.4. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next
  • 3.18.5 is the next patch release and will be on August 13, 2025
  • 3.19.0 is the next minor release and will be on September 11, 2025
Changelog
  • Disabling linter due to unknown issue f20a4ad (Matt Farina)
  • build(deps): bump the k8s-io group with 7 updates 563b094 (dependabot[bot])
  • Updating link handling 00de613 (Matt Farina)

v3.18.3: Helm 3.18.3


Helm v3.18.3 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages
Installation and Upgrading

Download Helm v3.18.3. The common platform binaries are here:

This release was signed with 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E and can be found at @mattfarina keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next
  • 3.18.4 is the next patch release and will be on July 09, 2025
  • 3.19.0 is the next minor release and will be on September 11, 2025
Changelog
  • build(deps): bump golang.org/x/crypto from 0.38.0 to 0.39.0 6838ebc (dependabot[bot])
  • fix: user username password for login 5b9e2f6 (Terry Howe)
  • Update pkg/registry/transport.go 2782412 (Terry Howe)
  • Update pkg/registry/transport.go e66cf6a (Terry Howe)
  • fix: add debug logging to oci transport 191f05c (Terry Howe)

v3.18.2: Helm 3.18.2


Helm v3.18.2 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages
Installation and Upgrading

Download Helm v3.18.2. The common platform binaries are here:

This release was signed with 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E and can be found at @mattfarina keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next
  • 3.18.3 is the next patch release and will be on July 09, 2025
  • 3.19.0 is the next minor release and will be on September 11, 2025
Changelog
  • fix: legacy docker support broken for login 04cad46 (Terry Howe)
  • Handle an empty registry config file. bc9f8a2 (Matt Farina)

v3.18.1: Helm v3.18.1


Helm v3.18.1 is a patch release. Users are encouraged to upgrade for the best experience.

Notes:

  • This release fixes regressions around template generation and OCI registry interaction in 3.18.0
  • There are at least 2 known regressions unaddressed in this release. They are being worked on.
    • Empty registry configuration files. When the file exists but it is empty.
    • Login to Docker Hub on some domains fails.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages
Installation and Upgrading

Download Helm v3.18.1. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next
  • 3.18.2 will contain only bug fixes.
  • 3.19.0 on September 11th, 2025 is the next feature release.
Changelog
  • fix(client): skipnode utilization for PreCopy f6f8700 (Brandt Keller)
  • fix(client): layers now returns manifest - remove duplicate from descriptors 4da7015 (Brandt Keller)
  • fix(client): return nil on non-allowed media types 1a8507f (Brandt Keller)
  • Prevent fetching newReference again as we have in calling method 015531c (Benoit Tigeot)
  • Prevent failure when resolving version tags in oras memory store 9db1a12 (Benoit Tigeot)
  • Update pkg/plugin/plugin.go e8bfa0e (Benoit Tigeot)
  • Update pkg/plugin/plugin.go 24b4490 (Benoit Tigeot)
  • Wait for Helm v4 before raising when platformCommand and Command are set 7e8f534 (Benoit Tigeot)
  • Fix 3.18.0 regression: registry login with scheme ea04cea (Scott Rigby)
  • Revert "fix (helm) : toToml` renders int as float [ backport to v3 ]" bec6609 (Matt Farina)

v3.18.0: Helm v3.18.0


Helm v3.18.0 is a feature release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages
Notable Changes
  • Add support for JSON Schema 2020
  • Enabled cpu and memory profiling
  • Add hook annotation to output hook logs to client on error
Installation and Upgrading

Download Helm v3.18.0. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next
  • 3.18.1 on June 11th, 2025 will contain only bug fixes.
  • 3.19.0 on September 11th, 2025 is the next feature release.
Changelog
  • build(deps): bump the k8s-io group with 7 updates cc58e3f (dependabot[bot])
  • fix: govulncheck workflow bf1436b (Matthieu MOREL)
  • bump version to v3.18.0 d8edc2a (Robert Sirchia)
  • fix:add proxy support when mTLS configured 48377fe (Rongrong Liu)
  • docs: Note about http fallback for OCI registries cdd7c10 (Terry Howe)
  • Bump net package to avoid CVE on dev-v3 f9ab8f7 (Benoit Tigeot)
  • Bump toml 087fa18 (Benoit Tigeot)
  • backport #30677 to dev3 2a5f83b (dongjiang)
  • build(deps): bump github.com/rubenv/sql-migrate from 1.7.2 to 1.8.0 5df2f30 (dependabot[bot])
  • Add install test for TakeOwnership flag 0906fe7 (Evans Mungai)
  • Fix --take-ownership 4ee3a19 (Patrick Seidensal)
  • build(deps): bump github.com/rubenv/sql-migrate from 1.7.1 to 1.7.2 3538c2a (dependabot[bot])
  • build(deps): bump golang.org/x/crypto from 0.36.0 to 0.37.0 6fa95c8 (dependabot[bot])
  • build(deps): bump golang.org/x/term from 0.30.0 to 0.31.0 741b5be (dependabot[bot])
  • Testing text bump 017f9fa (Benoit Tigeot)
  • Permit more Go version and not only 1.23.8 6667252 (Benoit Tigeot)
  • Bumps github.com/distribution/distribution/v3 from 3.0.0-rc.3 to 3.0.0 4ad1ccd (Benoit Tigeot)
  • Unarchiving fix 3ce10e4 (Matt Farina)
  • Fix typo 422c58e (Benoit Tigeot)
  • Report as debug log, the time spent waiting for resources 5e7f12d (Benoit Tigeot)
  • build(deps): bump github.com/containerd/containerd from 1.7.26 to 1.7.27 dcc286c (dependabot[bot])
  • Update pkg/registry/fallback.go 1435ec7 (Terry Howe)
  • automatic fallback to http 674e882 (Terry Howe)
  • chore(oci): upgrade to ORAS v2 c188441 (Terry Howe)
  • Updating to 0.37.0 for x/net 2b12490 (Matt Farina)
  • build(deps): bump the k8s-io group with 7 updates 0648918 (dependabot[bot])
  • build(deps): bump golang.org/x/crypto from 0.35.0 to 0.36.0 0911b9c (dependabot[bot])
  • build(deps): bump github.com/opencontainers/image-spec 2f22d55 (dependabot[bot])
  • build(deps): bump github.com/containerd/containerd from 1.7.25 to 1.7.26 89361c9 (dependabot[bot])
  • build(deps): bump golang.org/x/crypto from 0.33.0 to 0.35.0 6d64160 (dependabot[bot])
  • Fix cherry-pick helm.sh/helm/v4 -> helm.sh/helm/v3 bcb83e4 (Scott Rigby)
  • Refactor based on review comment 2aa90b8 (Chris Berry)
  • Refactor based on review comment 5739197 (Chris Berry)
  • Add HookOutputFunc and generic yaml unmarshaller b8e1387 (Chris Berry)
  • clarify fix error message 97b0e11 (Scott Rigby)
  • fix err check 2f79afb (Scott Rigby)
  • remove comments about previous functionality c77f4ec (Scott Rigby)
  • add short circuit return 3cd6afe (Scott Rigby)
  • Update based on review comments 5367001 (Chris Berry)
  • Update based on review comments 3c44515 (Chris Berry)
  • Fix lint 4cb639e (Chris Berry)
  • Tidy up imports 20f859c (Chris)
  • Add hook annotations to output pod logs to client on success and fail ca90972 (Chris Berry)
  • chore: use []error instead of []string a9e2075 (Evans Mungai)
  • Update cmd/helm/profiling.go 996ad84 (Evans Mungai)
  • chore: update profiling doc in CONTRIBUTING.md 867c97e (Evans Mungai)
  • Update CONTRIBUTING guide af24101 (Evans Mungai)
  • Prefer environment variables to CLI flags c7dfa87 (Evans Mungai)
  • Fix linter warning b39411a (Evans Mungai)
  • Move pprof paths to HELM_PPROF env variable 4c50f01 (Evans Mungai)
  • Update CONTRIBUTING.md 3b43f7b (Evans Mungai)
  • Update CONTRIBUTING.md a32e11b (Evans Mungai)
  • Additional review fixes from PR 483ebf9 (Evans Mungai)
  • feat: Add flags to enable CPU and memory profiling 461197f (Evans Mungai)
  • build(deps): bump github.com/distribution/distribution/v3 e7fa545 (dependabot[bot])
  • build(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 d1687ba (dependabot[bot])
  • Moving to SetOut and SetErr for Cobra 4c2f88b (Matt Farina)
  • build(deps): bump the k8s-io group with 7 updates a2413aa (dependabot[bot])
  • build(deps): bump golang.org/x/crypto from 0.32.0 to 0.33.0 959d643 (dependabot[bot])
  • build(deps): bump golang.org/x/term from 0.28.0 to 0.29.0 3a87c68 (dependabot[bot])
  • build(deps): bump golang.org/x/text from 0.21.0 to 0.22.0 711cef8 (dependabot[bot])
  • build(deps): bump github.com/spf13/pflag from 1.0.5 to 1.0.6 7680623 (dependabot[bot])
  • build(deps): bump github.com/cyphar/filepath-securejoin 03747d9 (dependabot[bot])
  • build(deps): bump github.com/evanphx/json-patch f1db83f (dependabot[bot])
  • build(deps): bump the k8s-io group with 7 updates 3bc3751 (dependabot[bot])
  • fix: check group for resource info match 2ebce78 (Jiasheng Zhu)
  • Bump github.com/cyphar/filepath-securejoin from 0.3.6 to 0.4.0 8e86e76 (dependabot[bot])
  • add test for nullifying nested global value 326c1e3 (Ryan Hockstad)
  • Ensuring the file paths are clean prior to passing to securejoin fba9d08 (Matt Farina)
  • Bump github.com/containerd/containerd from 1.7.24 to 1.7.25 a79be7d (dependabot[bot])
  • Bump golang.org/x/crypto from 0.31.0 to 0.32.0 b029d74 (dependabot[bot])
  • Bump golang.org/x/term from 0.27.0 to 0.28.0 a1c0ae8 (dependabot[bot])
  • bump version to v3.17.0 d6db69e (Matt Farina)
  • Bump github.com/moby/term from 0.5.0 to 0.5.2 54ffefb (dependabot[bot])
  • Add test case for removing an entire object ef2eb55 (Ryan Hockstad)
  • Tests for bugfix: Override subcharts with null values #12879 60fcce1 (Scott Rigby)
  • feat: Added multi-platform plugin hook support to v3 Signed-off-by: Steve Hipwell [email protected] 83dddb1 (Andrew Block)
  • This commit fixes the issue where the yaml.Unmarshaller converts all int values into float64, this passes in option to decoder, which enables conversion of int into . 0a6834f (Althaf M)
  • merge null child chart objects 5a58751 (Ryan Hockstad)

v3.17.4: Helm v3.17.4


Helm v3.17.4 is a patch release; it brings in the security release noted below. This is intended for Helm SDK users. CLI users are recommended to use the latest version of Helm.

Security Advisories

GHSA-557j-xg8c-q2mm: Chart Dependency Updating With Malicious Chart.yaml Content And Symlink

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Te

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
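An added pre-flight check (example code written for this page, not Helm's own) that applies three of the advisory workarounds above before a chart is handed to the SDK or the CLI: the Chart.yaml name must not change directories (CVE-2024-25620), Chart.lock must not be a symlink (CVE-2025-53547), and values.schema.json must not be oversized or carry a $ref outside the document (CVE-2025-32387, CVE-2025-55199). The function names are hypothetical, the "same-document $ref only" rule is an assumed policy stricter than the /dev/zero check the advisory names, and the 10 MiB limit is the figure quoted in the CVE-2025-32387 advisory.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// maxSchemaBytes takes the 10 MiB figure from the CVE-2025-32387 workaround.
const maxSchemaBytes = 10 << 20

// checkChartName rejects a Chart.yaml name that would change directories when
// the chart is saved (CVE-2024-25620 workaround): separators, "." and "..".
func checkChartName(name string) error {
	if name == "" || name == "." || name == ".." {
		return fmt.Errorf("invalid chart name %q", name)
	}
	if strings.ContainsAny(name, `/\`) || filepath.Base(name) != name {
		return fmt.Errorf("chart name %q contains a path change", name)
	}
	return nil
}

// lockIsSymlink reports whether Chart.lock is a symlink (CVE-2025-53547
// workaround). A missing lock file passes: that vector needs an existing one.
func lockIsSymlink(lockPath string) (bool, error) {
	fi, err := os.Lstat(lockPath) // Lstat, not Stat: we want the link itself
	if errors.Is(err, os.ErrNotExist) {
		return false, nil
	}
	if err != nil {
		return false, err
	}
	return fi.Mode()&os.ModeSymlink != 0, nil
}

// externalRefs parses a values.schema.json and returns every $ref that is not a
// same-document ("#...") pointer. Assumed policy: a chart schema never needs to
// reference the filesystem, so a /dev/zero-style $ref (CVE-2025-55199) is caught
// along with any other external reference. Oversized schemas are rejected
// before parsing (CVE-2025-32387 workaround).
func externalRefs(schema []byte) ([]string, error) {
	if len(schema) > maxSchemaBytes {
		return nil, fmt.Errorf("schema is %d bytes, limit is %d", len(schema), maxSchemaBytes)
	}
	var root any
	if err := json.Unmarshal(schema, &root); err != nil {
		return nil, err
	}
	var found []string
	var walk func(node any)
	walk = func(node any) {
		switch v := node.(type) {
		case map[string]any:
			for k, child := range v {
				if s, ok := child.(string); ok && k == "$ref" && !strings.HasPrefix(s, "#") {
					found = append(found, s)
				}
				walk(child)
			}
		case []any:
			for _, child := range v {
				walk(child)
			}
		}
	}
	walk(root)
	return found, nil
}

func main() {
	// Constructed sample chart (not a real one): a symlinked Chart.lock and a
	// schema with one external $ref beside a legitimate same-document one.
	dir, _ := os.MkdirTemp("", "chart-check")
	defer os.RemoveAll(dir)
	os.Symlink(filepath.Join(dir, "elsewhere"), filepath.Join(dir, "Chart.lock"))
	schema := []byte(`{"properties":{"image":{"$ref":"/dev/zero"},"tag":{"$ref":"#/$defs/tag"}}}`)

	fmt.Println("name ../escape:", checkChartName("../escape"))
	sym, _ := lockIsSymlink(filepath.Join(dir, "Chart.lock"))
	fmt.Println("Chart.lock is a symlink:", sym)
	refs, _ := externalRefs(schema)
	fmt.Println("external $ref values:", refs)
}
```

Run these checks against a chart directory and its dependencies before `helm dependency update` or before loading it with the SDK; any finding is a reason to stop and inspect the chart by hand.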

@renovate renovate bot added the dependency label Aug 6, 2024

renovate bot commented Aug 6, 2024

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 8 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.16 -> 1.24.0
github.com/sirupsen/logrus v1.8.1 -> v1.9.3
github.com/spf13/cobra v1.2.1 -> v1.9.1
github.com/spf13/pflag v1.0.5 -> v1.0.7
github.com/stretchr/testify v1.7.0 -> v1.10.0
k8s.io/api v0.22.1 -> v0.33.3
k8s.io/apimachinery v0.22.1 -> v0.33.3
k8s.io/cli-runtime v0.22.1 -> v0.33.3
k8s.io/client-go v0.22.1 -> v0.33.3

@renovate renovate bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch from 109ea80 to 5c3fa6b Compare September 11, 2024 14:35
@renovate renovate bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch from 5c3fa6b to bc3afb8 Compare November 17, 2024 15:42
@renovate renovate bot changed the title Update module helm.sh/helm/v3 to v3.14.2 [SECURITY] fix(deps): update module helm.sh/helm/v3 to v3.14.2 [security] Dec 2, 2024
@renovate renovate bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch from bc3afb8 to 68ffbbc Compare December 22, 2024 16:38
@renovate renovate bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch from 68ffbbc to 1b8a648 Compare March 3, 2025 13:06
@renovate renovate bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch from 1b8a648 to 872f37d Compare March 11, 2025 15:11
@renovate renovate bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch 2 times, most recently from 010be3c to 4afddc3 Compare April 10, 2025 17:39
@renovate renovate bot changed the title fix(deps): update module helm.sh/helm/v3 to v3.14.2 [security] fix(deps): update module helm.sh/helm/v3 to v3.17.3 [security] Apr 10, 2025
@renovate renovate bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch from 4afddc3 to 5ddddea Compare May 7, 2025 10:49
@renovate renovate bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch from 5ddddea to 2bf8038 Compare July 9, 2025 04:54
@renovate renovate bot changed the title fix(deps): update module helm.sh/helm/v3 to v3.17.3 [security] fix(deps): update module helm.sh/helm/v3 to v3.18.4 [security] Jul 9, 2025
@renovate renovate bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch from 2bf8038 to 2470565 Compare July 17, 2025 01:32
@renovate renovate bot changed the title fix(deps): update module helm.sh/helm/v3 to v3.18.4 [security] fix(deps): update module helm.sh/helm/v3 to v3.17.4 [security] Jul 17, 2025
@renovate renovate bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch from 2470565 to 2c1f2ad Compare August 10, 2025 15:15
@renovate renovate bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch from 2c1f2ad to c503f65 Compare August 14, 2025 19:05
@renovate renovate bot changed the title fix(deps): update module helm.sh/helm/v3 to v3.17.4 [security] fix(deps): update module helm.sh/helm/v3 to v3.18.5 [security] Aug 14, 2025

renovate bot commented Dec 15, 2025

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 8 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.16 -> 1.24.0
github.com/sirupsen/logrus v1.8.1 -> v1.9.3
github.com/spf13/cobra v1.2.1 -> v1.9.1
github.com/spf13/pflag v1.0.5 -> v1.0.7
github.com/stretchr/testify v1.7.0 -> v1.10.0
k8s.io/api v0.22.1 -> v0.33.3
k8s.io/apimachinery v0.22.1 -> v0.33.3
k8s.io/cli-runtime v0.22.1 -> v0.33.3
k8s.io/client-go v0.22.1 -> v0.33.3
