chore(deps): bump helm.sh/helm/v4 from 4.0.2 to 4.1.4#16258

Open
renovate[bot] wants to merge 1 commit into release-2.13 from renovate/release-2.13-go-helm.sh-helm-v4-vulnerability

Conversation

@renovate renovate Bot commented Apr 13, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package | Type | Change
helm.sh/helm/v4 | require | v4.0.2 -> v4.1.4

Helm Chart extraction output directory collapse via Chart.yaml name dot-segment

BIT-helm-2026-35206 / CVE-2026-35206 / GHSA-hr2v-4r36-88hr


Details

Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart's name.

Impact

The bug enables writing the Chart's contents (unpackaged/untar'ed) to the output directory <output dir>/, instead of the expected <output dir>/<chart name>/, potentially overwriting the contents of the targeted directory.

Note: a chart name containing POSIX dot-dot, or dot-dot and slashes (as if to refer to parent directories), does not resolve beyond the output directory, as designed.

Patches

This issue has been resolved in Helm v3.20.2 and v4.1.3

A Chart with an unexpected name (those specified to be "." or ".."), or a Chart name which results in a non-unique directory will be rejected.

Workarounds

Ensure the name of the Chart does not comprise/contain POSIX pathname special directory references, i.e. dot-dot ("..") or dot ("."). In addition, ensuring that the pull --untar flag (or equivalent SDK option) refers to a unique/empty output directory prevents chart extraction from inadvertently overwriting existing files within the specified directory.

Credits

Oleh Konko
@​1seal

Severity

  • CVSS Score: 4.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install

BIT-helm-2026-35205 / CVE-2026-35205 / GHSA-q5jf-9vfq-h4h7


Details

Helm is a package manager for Charts for Kubernetes. In Helm versions >=4.0.0 and <=4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required.

Impact

The bug allows plugin authors to omit provenance (signing) data from plugins, bypassing plugin signature verification upon plugin install/update.

Notably, plugin hooks will be executed as designed on the installed plugin, enabling a malicious plugin to execute arbitrary code.

Patches

This issue has been patched in Helm v4.1.4

Installing/updating a plugin with missing provenance will error if signature verification is required.

Workarounds

Users may manually validate that a plugin archive is not missing provenance data (.prov file) before installation.

Severity

  • CVSS Score: 8.4 / 10 (High)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References



Helm has a path traversal in plugin metadata version that enables arbitrary file write outside the Helm plugin directory

BIT-helm-2026-35204 / CVE-2026-35204 / GHSA-vmx8-mqv2-9gmg


Details

Helm is a package manager for Charts for Kubernetes. In Helm versions >=4.0.0 and <=4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location.

Impact

A Helm user who installs or updates a plugin that is specially crafted can cause Helm to attempt to write the content of the affected plugin to an arbitrary location on the user's filesystem. Impacted users risk potentially overwriting user and system files which may further compromise the integrity of a system.

Patches

This issue has been patched in Helm v4.1.4

Installing/updating a plugin with a non-SemVer version (which excludes path traversal patterns) will result in an error.

Workarounds

Validate that the plugin.yaml of the Helm plugin does not include a version: field containing POSIX dot-dot path separators, i.e. "/../".

Severity

  • CVSS Score: 8.4 / 10 (High)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H

References



Release Notes

helm/helm (helm.sh/helm/v4)

v4.1.4: Helm v4.1.4

Compare Source

Helm v4.1.4 is a security fix patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Security fixes

  • GHSA-hr2v-4r36-88hr Helm Chart extraction output directory collapse via Chart.yaml name dot-segment
  • GHSA-q5jf-9vfq-h4h7 Plugin verification fails open when .prov is missing, allowing unsigned plugin install
  • GHSA-vmx8-mqv2-9gmg Path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory

A big thank you to the reporters of these issues (@​maru1009, @​1seal).

Installation and Upgrading

Download Helm v4.1.4. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 4.1.5 and 3.20.3 are the next patch (bug fix) releases and will be on April 8, 2026
  • 4.2.0 and 3.21.0 are the next minor (feature) releases and will be on May 13, 2026

Changelog

  • fix: Plugin missing provenance bypass 05fa379 (George Jenkins)
  • fix: Chart dot-name path bug 4e7994d (George Jenkins)
  • ignore error plugin loads (cli, getter) 2581943 (George Jenkins)
  • fix: Plugin version path traversal 36c8539 (George Jenkins)
  • fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow c61e086 (Terry Howe)

v4.1.3: Helm v4.1.3

Compare Source

Helm v4.1.3 is a patch release. Users are encouraged to upgrade for the best experience.

Note there was no 4.1.2 release due to a release automation issue.


Notable Changes

  • Fixed a bug where --dry-run=server was not respecting generateName #​31563
  • Fixed a bug where empty CRD resources caused a crash. Now it prints an error #​31578
  • Fixed a bug where OCI references with tag+digest failed with "invalid byte" error #​31601
  • Fixed a bug where user-provided nil value was not preserved when chart has an empty map or no default for a key #​31644
  • Fixed a regression since Helm 3.18.0 where pulling charts from OCI repositories that use an index to store both Container Images and Helm Charts under the same tag failed #​31776
  • Fixed a Helm 4 regression where gotemplate white space trimming directly after YAML doc separators, when present after postrendering, caused YAML file corruption #​31868
  • Fixed a bug where FailedStatus is treated as a terminal state, causing upgrades to fail prematurely when cluster autoscalers needed time to provision nodes, or when pods were being deleted during rolling updates #​31897
  • Fixed broken backwards compatibility for deprecated --atomic flag on install command #​31901
  • SDK: Fixed a Windows 'Access Denied' error if multiple processes try to download the same chart version concurrently #​31128
  • SDK: Fixed a bug where users did not receive any logs from the waiter, causing confusion as several minutes could pass with no user feedback #​31717
  • SDK: Fixed a bug where server-side apply defaults did not always match the CLI defaults #​31732
  • SDK: Fixed a Go import issue when downstream tooling attempted to vendor helm.sh/helm/v4/pkg/kube #​31852

Installation and Upgrading

Download Helm v4.1.3. The common platform binaries are here:

This release was signed with 208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155 and can be found at @​scottrigby keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 4.2.0 and 3.21.0 are the next minor releases and will be on May 13, 2026
  • 4.1.4 and 3.20.2 are the next patch releases and will be on April 8, 2026

Changelog

  • chore(defaults): server-side apply SDK defaults should always match the CLI defaults c94d381 (Matheus Pimenta)
  • whitespace b36d660 (Austin Abro)
  • use logger with waiter 04a91af (Austin Abro)
  • Remove refactoring changes from coalesce_test.go c3c57db (Evans Mungai)
  • Fix import d47cb2b (Evans Mungai)
  • Update pkg/chart/common/util/coalesce_test.go 790bf92 (Evans Mungai)
  • Fix lint warning f7cec12 (Evans Mungai)
  • Preserve nil values in chart already d94a5c9 (Evans Mungai)
  • fix(values): preserve nil values when chart default is empty map 8c5fe4e (Evans Mungai)
  • chore(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 217db28 (dependabot[bot])
  • Restored --atomic flag on install command 7cb43e0 (Travis Leeden)
  • fix: bump go.opentelemetry.io/otel/sdk to v1.40.0 for GO-2026-4394 5b26d4f (Terry Howe)
  • fix: bump fluxcd/cli-utils to v0.37.2-flux.1 360c131 (Terry Howe)
  • chore(deps): bump sigs.k8s.io/kustomize/kyaml from 0.21.0 to 0.21.1 69a0a92 (dependabot[bot])
  • fix: insert newline after doc separators glued to content by template trimming b868e6a (Matheus Pimenta)
  • fix: correct import comment in statuswait.go from v3 to v4 dbfbea9 (rohansood10)
  • chore(deps): bump the k8s-io group with 7 updates 099192c (dependabot[bot])
  • add image index test 4967ead (Pedro Tôrres)
  • fix pulling charts from OCI indices 2fe6b10 (Pedro Tôrres)
  • fix: handle OCI digest algorithm prefix in chart downloader (#​31601) e3e2d01 (Evans Mungai)
  • fix(install): check nil for restClientGetter and fix tests c15e711 (Manuel Alonso)
  • chore(refactor): better testing and functionality for installing crd df82e68 (Manuel Alonso)
  • fix(test): fix tests and check nil for restclient 4b896ca (Manuel Alonso)
  • fix(test): merge fix correctly 3fc7939 (Manuel Alonso Gonzalez)
  • fix(install): add more tests and check nil file data 6017d2b (Manuel Alonso)
  • fix(test): no check empty resources f451967 (Manuel Alonso)
  • fix(install): check length and file nil, add tests fdadff5 (Manuel Alonso)
  • fix(action): crd resources can be empty 10d6067 (Manuel Alonso)
  • fix: casing issue fixed 0fec40f (Mujib Ahasan)
  • fix: error handled correctly 2637498 (Mujib Ahasan)
  • fix: doc string added 961d7d7 (Mujib Ahasan)
  • update: test coverage added for helper function validateNameAndGenerateName 29e4506 (Mujib Ahasan)
  • update: helper function added for the business logic d55b0b9 (Mujib Ahasan)
  • generateName is also considered in logic c1c090e (Mujib Ahasan)
  • update: business logic respected for skipping object missing name 5e09313 (Mujib Ahasan)
  • fixed: --dry-run=server now respect generateName f289d16 (Mujib Ahasan)
  • fix(downloader): safely handle concurrent file writes on Windows bfac739 (Orgad Shaneh)

v4.1.2

Compare Source

v4.1.1: Helm v4.1.1

Compare Source

Helm v4.1.1 is a patch release. Users are encouraged to upgrade for the best experience.

Notable Changes
  • fix: fine-grained context options for waiting #​31735
  • fix: kstatus do not wait forever on failed resources #​31730
  • fix: Revert "Consider GroupVersionKind when matching resources" #​31772
  • fix: handle nil elements in slice copying #​31751

Installation and Upgrading

Download Helm v4.1.1. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

This release was signed by @​gjenkins8 with key BF88 8333 D96A 1C18 E268 2AAE D79D 67C9 EC01 6739, which can be found at https://keys.openpgp.org/vks/v1/by-fingerprint/BF888333D96A1C18E2682AAED79D67C9EC016739. Please use the attached signatures for verifying this release using gpg.

What's Next
  • 4.2.0 and 3.21.0 are the next minor releases and will be on May 13, 2026
  • 4.1.2 and 3.20.2 are the next patch releases and will be on March 11, 2026

Changelog
  • feat(kstatus): fine-grained context options for waiting 5caf004 (Matheus Pimenta)
  • bugfix(kstatus): do not wait forever on failed resources 2519a88 (Matheus Pimenta)
  • Revert "Consider GroupVersionKind when matching resources" b2c487c (Matheus Pimenta)
  • fix(copystructure): handle nil elements in slice copying 261387a (Philipp Born)

v4.1.0: Helm v4.1.0

Compare Source

Helm v4.1.0 is a feature release. Users are encouraged to upgrade for the best experience.

Notable Changes
  • Feature: added chart name to dependency logs, namespace to resource waiting logs, and confirmation message when all resources are ready #​31530
  • Feature: improved plugin name validation error messages and field name detection #​31491
  • Feature: improved the --wait flag by allowing explicit strategy selection (including explicit --wait=hookOnly) and preventing SDK timeout errors when timeout is not specified #​31421
  • Feature: allow concurrent dependency build with atomic file write #​30984
  • Feature: added a --no-headers flag to the 'helm repo list' command, allowing users to suppress table headers in the output. Useful for scripting and automation #​31448
  • SDK feature: added a LoadArchive to common loader #​31462
  • SDK feature: introduced support for custom kstatus readers #​31706
  • Fixed bug where a plugin name could already be used by another command #​31427
  • Fixed bug where --server-side flag was not passed to install when using upgrade --install #​31635
  • Fixed bug where HELM_ environment variables were not passed to plugins; this fixes a regression which was blocking some getter plugins #​31613
  • Fixed bug where Helm test --logs failed with hook-delete-policy "hook-failed" or "hook-succeed" #​31579
  • Fixed kube client logging issue #​31560
  • Fixed regression where vendor-specific suffixes were stripped from .Capabilities.KubeVersion.GitVersion, breaking charts that detect managed Kubernetes platforms #​31528
  • Fixed a bug where helm uninstall with --keep-history did not suspend previous deployed releases #​12564
  • SDK: bump k8s API versions to v0.35.0
  • docs: updated helm template help text to document --api-versions #​31683
  • docs: fixed documentation about default wait strategy

Installation and Upgrading

Download Helm v4.1.0. The common platform binaries are here:

This release was signed with 208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155 and can be found at @​scottrigby keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next
  • 4.1.1 and 3.20.1 are the next patch releases, scheduled for March 11, 2026
  • 4.2.0 and 3.21.0 are the next minor releases, scheduled for May 13, 2026

Changelog
  • Update pkg/kube/statuswait.go f46f1ce (Evans Mungai)
  • pkg/kube: introduce support for custom kstatus readers 59ece92 (Matheus Pimenta)
  • chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0 de0becd (dependabot[bot])
  • chore(deps): bump golang.org/x/text from 0.32.0 to 0.33.0 46e5264 (dependabot[bot])
  • fix(release): fix test compilation error e751a70 (Evans Mungai)
  • Suppress SC2154 without changing behavior 9125b84 (Sarfraj Khan)
  • chore(deps): bump github.com/foxcpp/go-mockdns from 1.1.0 to 1.2.0 0e0c02e (dependabot[bot])
  • Lint sync-repo.sh with ShellCheck d4a2787 (sarfraj89)
  • chore: move Evans Mungai from triage to maintainers fd090cc (Evans Mungai)
  • Replace reflect.Ptr with reflect.Pointer 2d6d9c0 (Mads Jensen)
  • fix: typo in the function names 138f730 (Gergely Brautigam)
  • Add documentation for --api-versions flag in template command c7cc77b (majiayu000)
  • Fixing failing tests for cli-tools update fe1c749 (Matt Farina)
  • chore(deps): bump github.com/fluxcd/cli-utils 5e82698 (dependabot[bot])
  • Replace deprecated NewSimpleClientset a15db7f (George Jenkins)
  • docs(README): add mise alternate installation documentation 04198dc (jylenhof)
  • enable exhaustive linter 9a898af (Brenden Ehlers)
  • fix: add default cases to switch statements 1c119bc (Brenden Ehlers)
  • build: set kube version via debug.BuildInfo c6d9a5b (Branch Vincent)
  • chore(deps): bump github.com/tetratelabs/wazero from 1.10.1 to 1.11.0 97cde79 (dependabot[bot])
  • chore(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0 9123143 (dependabot[bot])
  • doc: update based on review suggestion 55a4aed (Deepak Chethan)
  • test(statuswait): fix Copilot code review suggestion for goroutine in tests d6b35ce (Mohsen Mottaghi)
  • test(statuswait): add more tests suggested by Copilot code review a1543d5 (Mohsen Mottaghi)
  • test(statuswait): add some tests for statuswait dd44f4e (Mohsen Mottaghi)
  • fix: use namespace-scoped watching to avoid cluster-wide LIST permissions 3dd54ed (Mohsen Mottaghi)
  • fix(doc): Update default wait strategy f92ae18 (Deepak)
  • Update to use slog 9772037 (tison)
  • Fix TestCliPluginExitCode 3c6557d (tison)
  • Check plugin name is not used 5196b84 (tison)
  • chore(deps): bump github.com/fluxcd/cli-utils 364a7aa (dependabot[bot])
  • Fix TestConcurrencyDownloadIndex typo 592815e (George Jenkins)
  • Use errors.Is to check for io.EOF and gzip.ErrHeader a490bb3 (Mads Jensen)
  • chore(deps): bump actions/upload-artifact from 4.6.2 to 6.0.0 09ae0d4 (dependabot[bot])
  • chore(deps): bump the k8s-io group with 7 updates 1f8e84d (dependabot[bot])
  • chore(deps): bump golang.org/x/crypto from 0.45.0 to 0.46.0 e9a0510 (dependabot[bot])
  • chore: fix some comments to improve readability 858cf31 (wangjingcun)
  • chore(deps): bump golang.org/x/text from 0.31.0 to 0.32.0 7fb1728 (dependabot[bot])
  • feat: move TerryHowe triage to maintainers e900a25 (Terry Howe)
  • Use latest patch release of Go in releases 8f636b5 (Matt Farina)
  • chore(deps): bump github.com/rubenv/sql-migrate from 1.8.0 to 1.8.1 ea52f87 (dependabot[bot])
  • fix(upgrade): pass --server-side flag to install when using upgrade --install 2dc581d (Evans Mungai)
  • chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2 a9bbffb (dependabot[bot])
  • chore(deps): bump golang.org/x/term from 0.37.0 to 0.38.0 d195cfa (dependabot[bot])
  • Run the vulnerability check on PR that change the file 24a8258 (Matt Farina)
  • Fix govulncheck in CI bc9462f (Matt Farina)
  • Update the govulncheck.yml to run on change b825a18 (Matt Farina)
  • Enable the sloglint linter a18e59e (Mads Jensen)
  • fix(cli): handle nil config in EnvSettings.Namespace() 8534663 (Zadkiel AHARONIAN)
  • fix(getter): pass settings environment variables 119341d (Zadkiel AHARONIAN)
  • fixes comment in install.go a109ac2 (Stephanie Hohenberg)
  • chore(deps): bump actions/stale from 10.1.0 to 10.1.1 581ab1a (dependabot[bot])
  • chore(deps): bump golangci/golangci-lint-action from 9.1.0 to 9.2.0 e62bf7f (dependabot[bot])
  • fixes tests after merge 2f598ff (Stephanie Hohenberg)
  • fixes lint issue bb9356e (Stephanie Hohenberg)
  • updates tests after rebase from master 8cf4ad7 (Stephanie Hohenberg)
  • Add tests to action package to improve coverage 31131cf (Stephanie Hohenberg)
  • chore(deps): bump actions/checkout from 6.0.0 to 6.0.1 e6b2068 (dependabot[bot])
  • Inform we use a different golangci-lint version than the CI faa8912 (Benoit Tigeot)
  • Deal with golint warning with private executeShutdownFunc 45c5f3a (Benoit Tigeot)
  • Use length check for MetaDependencies instead of nil comparison b33d4ae (Calvin Bui)
  • Code review 70fc5f9 (Benoit Tigeot)
  • Fix linting issue 9f1c8a2 (Benoit Tigeot)
  • Update pkg/action/hooks.go 6bb5bcc (Michelle Fernandez Bieber)
  • added check for nil shutdown d930144 (Michelle Fernandez Bieber)
  • cleaned up empty line 7a61ebf (Michelle Fernandez Bieber)
  • updated comment and made defer of shutdown function return errors as before and not the possible shutdown error 1071477 (Michelle Fernandez Bieber)
  • added shutdown hook that is executed after the logs have been retrieved 7a55758 (Michelle Fernandez Bieber)
  • chore: fix typo in pkg/downloader/chart_downloader.go e71a29c (megha1906)
  • Bump required go version (go.mod version) b859163 (George Jenkins)
  • Use modernize to use newer Golang features. 6cceead (Mads Jensen)
  • Remove two redundant if-checks. 380abe2 (Mads Jensen)
  • Fix kube client logging 936cd32 (Matt Farina)
  • chore(deps): bump golangci/golangci-lint-action from 9.0.0 to 9.1.0 cb35947 (dependabot[bot])
  • chore(deps): bump actions/checkout from 5.0.1 to 6.0.0 4fddc64 (dependabot[bot])
  • chore(deps): bump actions/setup-go from 5.5.0 to 6.1.0 b87f2da (dependabot[bot])
  • fix: prevent segmentation violation on empty yaml in multidoc 81d244c (Benoit Tigeot)
  • fix: prevent reporting fallback on version when none specified 40e22de (Benoit Tigeot)
  • chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 c2405ce (dependabot[bot])
  • chore(deps): bump github.com/cyphar/filepath-securejoin 28baa97 (dependabot[bot])
  • bump version to 4.1 63e060f (Matt Farina)
  • fix: add missing context to debug logs 2dc5864 (shuv0id)
  • fix: preserve vendor suffixes in KubeVersion.GitVersion ce273ee (Benoit Tigeot)
  • chore(deps): bump actions/checkout from 5.0.0 to 5.0.1 f6ceae9 (dependabot[bot])
  • fixup test f8a49f1 (George Jenkins)
  • logs a9cdc78 (George Jenkins)
  • fix b1a9760 (George Jenkins)
  • chore: add warning for registry login with namespace 5f3c617 (Terry Howe)
  • style: linting 71591ee (Benoit Tigeot)
  • test: split tests between valid and invalid b296cbe (Benoit Tigeot)
  • test: convert tests to table drive tests 9b242dd (Benoit Tigeot)
  • test: refactor TestMetadataLegacyValidate to be more generic c81a09b (Benoit Tigeot)
  • update tests 8c87024 (yxxhero)
  • fix: Use server-side apply for object create during update 18616e6 (George Jenkins)
  • Copy adopted resource info 855ebb6 (George Jenkins)
  • Refactor environment variable expansion in PrepareCommands and update tests 2d49f0c (yxxhero)
  • fix: correct LDFLAGS path for default Kubernetes version b6a8c65 (Benoit Tigeot)
  • fix: improve plugin name validation err messages early via unmarshalling acf331a (Benoit Tigeot)
  • fix: Make invalid name error message more similar and move tests 9e1e3d2 (Benoit Tigeot)
  • fix: focus only on plugin name but give more info about what we get cf077ce (Benoit Tigeot)
  • Make validation error similar and explicit for both metadatas f4b139a (Benoit Tigeot)
  • fix: improve plugin name validation error messages c04e18e (Benoit Tigeot)
  • Fix syntax errors in the document faa0adc (Fish-pro)
  • chore(deps): bump the k8s-io group with 7 updates c81e267 (dependabot[bot])
  • docs: Fix LFX Health Score badge URL in README.md 40856bf (Michael Crenshaw)
  • chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0 fb82e0e (dependabot[bot])
  • chore(deps): bump github.com/tetratelabs/wazero from 1.9.0 to 1.10.1 72a84fb (dependabot[bot])
  • Publish Helm v4 -> helm-latest-version e4353dc (George Jenkins)
  • Adding script to download Helm v4 5ae8586 (Matt Farina)
  • chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 6cd0bf8 (dependabot[bot])
  • refactor: use strings.Builder to improve performance d8c4040 (promalert)
  • chore(deps): bump sigs.k8s.io/kustomize/kyaml from 0.20.1 to 0.21.0 [0089a07](https://redirect.github.com/helm/helm/commit/0089a07bb855e2dc8169d5426bf22d

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
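The three advisory workarounds quoted above (reject "." / ".." chart names, require a SemVer plugin version, refuse a plugin whose .prov is absent) as pre-install checks in an added Go example; this is not Helm's own code. ChartOutputDir, ValidatePluginVersion, PluginVersionFromYAML and PluginHasProvenance are hypothetical helper names, and the sidecar "<archive>.prov" location and the optional leading "v" in versions are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrCollapse is returned when a chart name would not yield a unique
// subdirectory under the output directory (the GHSA-hr2v-4r36-88hr condition).
var ErrCollapse = errors.New("chart name does not yield a unique output subdirectory")

// ChartOutputDir computes <outDir>/<chartName> the way "helm pull --untar" is
// expected to, refusing "." and ".." (which collapse onto outDir itself or its
// parent) and any name carrying a path separator.
func ChartOutputDir(outDir, chartName string) (string, error) {
	if chartName == "" || strings.ContainsAny(chartName, `/\`) {
		return "", fmt.Errorf("invalid chart name %q", chartName)
	}
	if chartName == "." || chartName == ".." {
		return "", ErrCollapse
	}
	base := filepath.Clean(outDir)
	target := filepath.Join(base, chartName) // Join cleans the result
	// Defense in depth: the target must sit exactly one level below outDir.
	if target == base || filepath.Base(target) != chartName {
		return "", ErrCollapse
	}
	return target, nil
}

// semverRE is the SemVer 2.0.0 grammar; the optional leading "v" mirrors how
// Helm parses versions via Masterminds/semver (assumption).
var semverRE = regexp.MustCompile(`^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)` +
	`(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$`)

// ValidatePluginVersion rejects any plugin.yaml version that is not SemVer;
// since the grammar has no "/" or "..", a traversal pattern cannot pass
// (the GHSA-vmx8-mqv2-9gmg condition).
func ValidatePluginVersion(version string) error {
	if !semverRE.MatchString(version) {
		return fmt.Errorf("plugin version %q is not SemVer", version)
	}
	return nil
}

// PluginVersionFromYAML extracts the top-level "version:" scalar from a
// plugin.yaml without a YAML library. Simplification (assumption): the key is
// unindented and the value is a plain or quoted scalar on the same line.
func PluginVersionFromYAML(yaml string) (string, bool) {
	for _, line := range strings.Split(yaml, "\n") {
		if strings.HasPrefix(line, "version:") {
			v := strings.TrimSpace(strings.TrimPrefix(line, "version:"))
			return strings.Trim(v, `"'`), true
		}
	}
	return "", false
}

// PluginHasProvenance checks for the sidecar "<archive>.prov" that signature
// verification consumes (GHSA-q5jf-9vfq-h4h7). A missing or empty file is a
// verification failure, never a reason to skip verification.
func PluginHasProvenance(archivePath string) bool {
	info, err := os.Stat(archivePath + ".prov")
	return err == nil && info.Mode().IsRegular() && info.Size() > 0
}

func main() {
	// Constructed sample inputs for a stand-alone run.
	for _, name := range []string{"nginx", ".", ".."} {
		dir, err := ChartOutputDir("/tmp/charts", name)
		fmt.Printf("chart %q -> %q err=%v\n", name, dir, err)
	}
	pluginYAML := "name: demo\nversion: \"1.2.3\"\nusage: constructed sample\n"
	if v, ok := PluginVersionFromYAML(pluginYAML); ok {
		fmt.Println("plugin version", v, "semver check:", ValidatePluginVersion(v))
	}
	fmt.Println("provenance present:", PluginHasProvenance("/tmp/demo-plugin.tgz"))
}
```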

@renovate renovate Bot added area/security Related to security issues, fixes, or improvements dependencies Pull requests that update a dependency file release-2.13 labels Apr 13, 2026
@renovate renovate Bot enabled auto-merge (squash) April 13, 2026 12:08
@renovate renovate Bot requested a review from a team as a code owner April 13, 2026 12:08
@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Apr 13, 2026
renovate Bot commented Apr 13, 2026

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 31 additional dependencies were updated

Details:

Package Change
github.com/onsi/gomega v1.38.2 -> v1.39.0
github.com/prometheus/common v0.67.4 -> v0.67.5
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0 -> v1.40.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 -> v1.40.0
go.opentelemetry.io/otel/exporters/prometheus v0.60.0 -> v0.62.0
golang.org/x/crypto v0.46.0 -> v0.47.0
golang.org/x/text v0.32.0 -> v0.33.0
golang.org/x/tools v0.40.0 -> v0.41.0
google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 -> v0.0.0-20260128011058-8636f8732409
google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 -> v0.0.0-20260128011058-8636f8732409
google.golang.org/protobuf v1.36.10 -> v1.36.11
k8s.io/api v0.34.3 -> v0.35.1
k8s.io/apiextensions-apiserver v0.34.3 -> v0.35.1
k8s.io/apimachinery v0.34.3 -> v0.35.1
k8s.io/client-go v0.34.3 -> v0.35.1
k8s.io/kubectl v0.34.3 -> v0.35.1
sigs.k8s.io/controller-runtime v0.22.4 -> v0.23.1
github.com/BurntSushi/toml v1.5.0 -> v1.6.0
github.com/cyphar/filepath-securejoin v0.5.0 -> v0.6.1
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 -> v2.27.7
github.com/prometheus/procfs v0.17.0 -> v0.19.2
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 -> v0.65.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 -> v1.40.0
golang.org/x/mod v0.31.0 -> v0.32.0
golang.org/x/net v0.48.0 -> v0.49.0
golang.org/x/term v0.38.0 -> v0.39.0
k8s.io/apiserver v0.34.3 -> v0.35.1
k8s.io/code-generator v0.34.3 -> v0.35.1
k8s.io/component-base v0.34.3 -> v0.35.1
k8s.io/gengo/v2 v2.0.0-20250903151518-081d64401ab4 -> v2.0.0-20250922181213-ec3ebc5fd46b
sigs.k8s.io/structured-merge-diff/v6 v6.3.0 -> v6.3.2-0.20260122202528-d9cc6641c482

@renovate renovate Bot added release-2.13 area/security Related to security issues, fixes, or improvements labels Apr 13, 2026
@renovate renovate Bot requested review from Automaat and bartsmykla April 13, 2026 12:08
@renovate renovate Bot changed the title chore(deps): bump helm.sh/helm/v4 from 4.0.2 to 4.1.4 chore(deps): bump helm.sh/helm/v4 from 4.0.2 to 4.1.4 - autoclosed Apr 13, 2026
@renovate renovate Bot closed this Apr 13, 2026
auto-merge was automatically disabled April 13, 2026 16:28

Pull request was closed

@renovate renovate Bot deleted the renovate/release-2.13-go-helm.sh-helm-v4-vulnerability branch April 13, 2026 16:28
@renovate renovate Bot changed the title chore(deps): bump helm.sh/helm/v4 from 4.0.2 to 4.1.4 - autoclosed chore(deps): bump helm.sh/helm/v4 from 4.0.2 to 4.1.4 Apr 14, 2026
@renovate renovate Bot reopened this Apr 14, 2026
@renovate renovate Bot force-pushed the renovate/release-2.13-go-helm.sh-helm-v4-vulnerability branch 2 times, most recently from dc84a4c to 0c10f09 Compare April 14, 2026 07:21
@renovate renovate Bot changed the title chore(deps): bump helm.sh/helm/v4 from 4.0.2 to 4.1.4 chore(deps): bump helm.sh/helm/v4 from 4.0.2 to 4.1.4 - autoclosed Apr 15, 2026
@renovate renovate Bot closed this Apr 15, 2026
@renovate renovate Bot changed the title chore(deps): bump helm.sh/helm/v4 from 4.0.2 to 4.1.4 - autoclosed chore(deps): bump helm.sh/helm/v4 from 4.0.2 to 4.1.4 Apr 16, 2026
@renovate renovate Bot reopened this Apr 16, 2026
@renovate renovate Bot force-pushed the renovate/release-2.13-go-helm.sh-helm-v4-vulnerability branch from 0c10f09 to 025f8a9 Compare April 16, 2026 14:11
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate Bot force-pushed the renovate/release-2.13-go-helm.sh-helm-v4-vulnerability branch from 025f8a9 to 2d3a364 Compare April 29, 2026 11:02
@renovate renovate Bot enabled auto-merge (squash) April 29, 2026 11:02