fix(CVEs - cherry-pick-3.2): bump expr to v1.17.7 #25889

Merged
reggie-k merged 2 commits into argoproj:release-3.2 from nitishfy:nitish/fix-cve-3.2
Jan 7, 2026

@nitishfy nitishfy commented Jan 7, 2026

Related to #25877

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Title of the PR
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

Signed-off-by: nitishfy <justnitish06@gmail.com>
Signed-off-by: nitishfy <justnitish06@gmail.com>
@nitishfy nitishfy requested a review from a team as a code owner January 7, 2026 10:11
codecov bot commented Jan 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.09%. Comparing base (51c6375) to head (50701bc).
⚠️ Report is 1 commits behind head on release-3.2.

Additional details and impacted files
@@               Coverage Diff               @@
##           release-3.2   #25889      +/-   ##
===============================================
+ Coverage        62.06%   62.09%   +0.02%     
===============================================
  Files              351      351              
  Lines            49041    49041              
===============================================
+ Hits             30438    30451      +13     
+ Misses           15673    15658      -15     
- Partials          2930     2932       +2     

@reggie-k reggie-k merged commit b414696 into argoproj:release-3.2 Jan 7, 2026
21 of 22 checks passed
@nitishfy nitishfy changed the title from "chore(cherry-pick-3.2): bump expr to v1.17.7" to "fix(CVEs - cherry-pick-3.2): bump expr to v1.17.7" on Jan 12, 2026
renovate bot added a commit to sdwilsh/ansible-playbooks that referenced this pull request Jan 19, 2026
##### [\`v3.2.5\`](https://github.com/argoproj/argo-cd/releases/tag/v3.2.5)

##### Quick Start

##### Non-HA:

```shell
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.5/manifests/install.yaml
```

##### HA:

```shell
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.5/manifests/ha/install.yaml
```

##### Release Signatures and Provenance

All Argo CD container images are signed by cosign.  A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the [documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/signed-release-assets) on how to verify.

##### Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the [official blog post](https://blog.argoproj.io/argo-cd-v3-0-release-candidate-a0b933f4e58f)

##### Upgrading

If upgrading from a different minor version, be sure to read the [upgrading](https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/overview/) documentation.

##### Changelog

##### Features

- [`fafbd44`](argoproj/argo-cd@fafbd44): feat: Cherry-pick to 3.2 update notifications engine to v0.5.1 0.20251223091026 [`8c0c96d`](argoproj/argo-cd@8c0c96d8d530) ([#25930](argoproj/argo-cd#25930)) ([@reggie-k](https://github.com/reggie-k))

##### Bug fixes

- [`d7d9674`](argoproj/argo-cd@d7d9674): fix(appset): do not trigger reconciliation on appsets not part of allowed namespaces when updating a cluster secret (cherry-pick [#25622](argoproj/argo-cd#25622) for 3.2) ([#25911](argoproj/argo-cd#25911)) ([@argo-cd-cherry-pick-bot](https://github.com/argo-cd-cherry-pick-bot)\[bot])
- [`e6f5403`](argoproj/argo-cd@e6f5403): fix: Only show please update resource specification message when spec… (cherry-pick [#25066](argoproj/argo-cd#25066) for 3.2) ([#25895](argoproj/argo-cd#25895)) ([@argo-cd-cherry-pick-bot](https://github.com/argo-cd-cherry-pick-bot)\[bot])

##### Documentation

- [`e9d03a6`](argoproj/argo-cd@e9d03a6): docs: Run make codegen for notifications engine changes ([#25958](argoproj/argo-cd#25958)) ([@reggie-k](https://github.com/reggie-k))
- [`b67eb40`](argoproj/argo-cd@b67eb40): docs: link to source hydrator (cherry-pick [#25813](argoproj/argo-cd#25813) for 3.2) ([#25814](argoproj/argo-cd#25814)) ([@argo-cd-cherry-pick-bot](https://github.com/argo-cd-cherry-pick-bot)\[bot])

##### Dependency updates

- [`8a0633b`](argoproj/argo-cd@8a0633b): chore(deps): bump go to 1.25.5 (cherry-pick) ([#25805](argoproj/argo-cd#25805)) ([@nitishfy](https://github.com/nitishfy))

##### Other work

- [`b414696`](argoproj/argo-cd@b414696): chore(cherry-pick-3.2): bump `expr` to `v1.17.7` ([#25889](argoproj/argo-cd#25889)) ([@nitishfy](https://github.com/nitishfy))
- [`51c6375`](argoproj/argo-cd@51c6375): ci: test against k8s 1.34.2 (cherry-pick [#25856](argoproj/argo-cd#25856) for 3.2) ([#25859](argoproj/argo-cd#25859)) ([@argo-cd-cherry-pick-bot](https://github.com/argo-cd-cherry-pick-bot)\[bot])

**Full Changelog**: <argoproj/argo-cd@v3.2.3...v3.2.5>

---
##### [\`v3.2.4\`](https://github.com/argoproj/argo-cd/releases/tag/v3.2.4)

##### Important notice about this release

This release is invalid, please use the v3.2.5 instead.