
Conversation

botty-mcbottington[bot] (Contributor) commented Aug 14, 2025

This PR contains the following updates:

Package          Change
helm.sh/helm/v3  v3.18.4 -> v3.18.5

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-55199

A Helm contributor discovered that it was possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination.

Impact

A malicious chart can point $ref in values.schema.json to a device (e.g. /dev/*) or other problem file which could cause Helm to use all available memory and have an out of memory (OOM) termination.

Patches

This issue has been resolved in Helm v3.18.5.

Workarounds

Make sure that all Helm charts that are being loaded into Helm don't have any $ref reference pointing to /dev/zero.

References

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Jakub Ciolek at AlphaSense.

CVE-2025-55198

A Helm contributor discovered an improper validation of type error when parsing Chart.yaml and index.yaml files that can lead to a panic.

Impact

There are two areas of YAML validation that were impacted. First, when a Chart.yaml file had a null maintainer or the child or parent of a dependencies import-values could be parsed as something other than a string, helm lint would panic. Second, when an index.yaml had an empty entry in the list of chart versions Helm would panic on interactions with that repository.

Patches

This issue has been resolved in Helm v3.18.5.

Workarounds

Ensure YAML files are formatted as Helm expects prior to processing them with Helm.

References

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Jakub Ciolek at AlphaSense.


Release Notes

helm/helm (helm.sh/helm/v3)

v3.18.5: Helm v3.18.5


Helm v3.18.5 is a security release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Security Advisories

Installation and Upgrading

Download Helm v3.18.5. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 3.19.0 is the next minor release and will be on September 11, 2025

Changelog

  • fix Chart.yaml handling 7799b48 (Matt Farina)
  • Handle messy index files dd8502f (Matt Farina)
  • json schema fix cb8595b (Robert Sirchia)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.
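The CVE-2025-55198 advisory quoted in the comment above names three YAML shapes that made Helm panic: a null entry under maintainers in Chart.yaml, a dependencies import-values item whose child or parent is not a string, and an empty item in an index.yaml chart-version list. Its workaround is to check the files before Helm processes them. The Go program below is an added example, not Helm's code and not part of this PR; it runs exactly those checks over the generic tree a YAML decoder produces. It assumes a decoder that maps YAML mappings, sequences and null to map[string]any, []any and nil (gopkg.in/yaml.v3 and sigs.k8s.io/yaml both do). The sample documents are constructed and written in JSON syntax because the Go standard library has no YAML decoder, and any JSON document is also valid YAML.

```go
// Added example (not Helm's code): structural checks for Chart.yaml and index.yaml trees before Helm parses them.
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed samples in JSON syntax (the Go standard library has no YAML decoder; every JSON
// document is valid YAML and decodes to the same map[string]any / []any / nil tree).
const sampleChartDoc = `{"apiVersion": "v2", "name": "demo", "version": "0.1.0",
  "maintainers": [{"name": "alice"}, null],
  "dependencies": [{"name": "common", "version": "1.0.0", "repository": "https://charts.example.invalid",
    "import-values": ["defaults", {"child": "exports.cfg", "parent": "cfg"}, {"child": 3, "parent": "cfg"}]}]}`

const sampleIndexDoc = `{"apiVersion": "v1", "entries": {
  "demo":  [{"name": "demo", "version": "0.1.0", "urls": ["demo-0.1.0.tgz"]}, null],
  "other": [{"name": "other", "version": "2.0.0", "urls": ["other-2.0.0.tgz"]}]}}`

// decodeDoc turns a JSON (or JSON-shaped YAML) document into the generic tree the linters walk.
func decodeDoc(src string) (map[string]any, error) {
	var doc map[string]any
	err := json.Unmarshal([]byte(src), &doc)
	return doc, err
}

// problems collects findings; sorted() gives a stable order since Go map iteration is randomised.
type problems []string

func (p *problems) addf(format string, args ...any) { *p = append(*p, fmt.Sprintf(format, args...)) }
func (p problems) sorted() []string                 { sort.Strings(p); return p }

// lintChartMetadata covers the Chart.yaml shapes named in CVE-2025-55198: a null maintainers
// entry, and an import-values item whose child or parent is not a string.
func lintChartMetadata(doc map[string]any) []string {
	var out problems
	maintainers, _ := doc["maintainers"].([]any)
	for i, m := range maintainers {
		if _, isMap := m.(map[string]any); !isMap {
			out.addf("maintainers[%d]: expected a mapping, got %T", i, m)
		}
	}
	deps, _ := doc["dependencies"].([]any)
	for i, d := range deps {
		dep, isMap := d.(map[string]any)
		if !isMap {
			out.addf("dependencies[%d]: expected a mapping, got %T", i, d)
			continue
		}
		items, _ := dep["import-values"].([]any)
		for j, item := range items {
			switch v := item.(type) {
			case string: // shorthand form: the child key is imported under its own name
			case map[string]any:
				for _, key := range []string{"child", "parent"} {
					if _, isStr := v[key].(string); !isStr {
						out.addf("dependencies[%d].import-values[%d].%s: expected a string, got %T", i, j, key, v[key])
					}
				}
			default:
				out.addf("dependencies[%d].import-values[%d]: expected a string or a child/parent mapping, got %T", i, j, item)
			}
		}
	}
	return out.sorted()
}

// lintRepoIndex covers the index.yaml shape named in the advisory: an empty (null) item in a
// chart's version list, plus the wrong-type cases around it.
func lintRepoIndex(doc map[string]any) []string {
	var out problems
	entries, ok := doc["entries"].(map[string]any)
	if !ok {
		out.addf("entries: expected a mapping of chart name to version list, got %T", doc["entries"])
	}
	for name, raw := range entries {
		versions, isList := raw.([]any)
		if !isList {
			out.addf("entries.%s: expected a list of chart versions, got %T", name, raw)
		}
		for i, v := range versions {
			if _, isMap := v.(map[string]any); !isMap {
				out.addf("entries.%s[%d]: expected a chart version mapping, got %T", name, i, v)
			}
		}
	}
	return out.sorted()
}

func main() {
	// The samples are constants, so decode errors are not possible here.
	chart, _ := decodeDoc(sampleChartDoc)
	index, _ := decodeDoc(sampleIndexDoc)
	for _, p := range lintChartMetadata(chart) {
		fmt.Println("Chart.yaml:", p)
	}
	for _, p := range lintRepoIndex(index) {
		fmt.Println("index.yaml:", p)
	}
}
```

On a real chart, replace decodeDoc with the YAML decoder's Unmarshal into map[string]any and run both linters in CI before helm lint or helm repo update touch the files; each message carries the path to the offending item, so the bad line is easy to find.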

botty-mcbottington[bot] (Contributor, Author) commented

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 8 additional dependencies were updated

Details:

Package Change
github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 -> v6.0.2
k8s.io/api v0.33.2 -> v0.33.3
k8s.io/apiextensions-apiserver v0.33.2 -> v0.33.3
k8s.io/apiserver v0.33.2 -> v0.33.3
k8s.io/cli-runtime v0.33.2 -> v0.33.3
k8s.io/client-go v0.33.2 -> v0.33.3
k8s.io/component-base v0.33.2 -> v0.33.3
k8s.io/kubectl v0.33.2 -> v0.33.3


codecov bot commented Aug 14, 2025

❌ 2 Tests Failed:

Tests completed: 300 | Failed: 2 | Passed: 298 | Skipped: 0
View the top 2 failed test(s) by shortest run time
github.com/macropower/kclipper/pkg/chartcmd::TestHelmChartAdd
Stack Traces | 0s run time
=== RUN   TestHelmChartAdd
=== PAUSE TestHelmChartAdd
=== CONT  TestHelmChartAdd
--- FAIL: TestHelmChartAdd (0.00s)
github.com/macropower/kclipper/pkg/chartcmd::TestHelmChartAdd/app_template
Stack Traces | 3.99s run time
=== RUN   TestHelmChartAdd/app_template
=== PAUSE TestHelmChartAdd/app_template
=== CONT  TestHelmChartAdd/app_template
2025/10/09 00:34:16 INFO check init before add cmd=chart_add chart_key=app_template chart=app-template
2025/10/09 00:34:16 INFO loading helm repositories cmd=chart_add chart_key=app_template chart=app-template
2025/10/09 00:34:16 INFO loading helm chart files cmd=chart_add chart_key=app_template chart=app-template
2025/10/09 00:34:16 preprocessing spec with option:  minimal flattening
2025/10/09 00:34:17 building a plan for generation
2025/10/09 00:34:17 generation target .../charts/grafana_operator_oci/api
2025/10/09 00:34:17 planning definitions
2025/10/09 00:34:17 rendering 4 models
2025/10/09 00:34:17 rendering 1 templates for model grafana.integreatly.org.v1beta1.GrafanaAlertRuleGroup
2025/10/09 00:34:17 name field grafana.integreatly.org.v1beta1.GrafanaAlertRuleGroup
2025/10/09 00:34:17 package field v1beta1
2025/10/09 00:34:17 type pkg field 
2025/10/09 00:34:17 creating generated file "grafana_integreatly_org_v1beta1_grafana_alert_rule_group.k" in ".../charts/grafana_operator_oci/api/v1beta1" as definition
2025/10/09 00:34:17 executed template asset:model
2025/10/09 00:34:17 rendering 1 templates for model k8sApimachineryPkgApisMetaV1ManagedFieldsEntry
2025/10/09 00:34:17 name field k8sApimachineryPkgApisMetaV1ManagedFieldsEntry
2025/10/09 00:34:17 package field v1beta1
2025/10/09 00:34:17 type pkg field k8s.apimachinery.pkg.apis.meta.v1
2025/10/09 00:34:17 type pkg alias field managed_fields_entry
2025/10/09 00:34:17 creating generated file "managed_fields_entry.k" in ".../charts/grafana_operator_oci/api/v1beta1/k8s/apimachinery/pkg/apis/meta/v1" as definition
2025/10/09 00:34:17 executed template asset:model
2025/10/09 00:34:17 rendering 1 templates for model k8sApimachineryPkgApisMetaV1ObjectMeta
2025/10/09 00:34:17 name field k8sApimachineryPkgApisMetaV1ObjectMeta
2025/10/09 00:34:17 package field v1beta1
2025/10/09 00:34:17 type pkg field k8s.apimachinery.pkg.apis.meta.v1
2025/10/09 00:34:17 type pkg alias field object_meta
2025/10/09 00:34:17 creating generated file "object_meta.k" in ".../charts/grafana_operator_oci/api/v1beta1/k8s/apimachinery/pkg/apis/meta/v1" as definition
2025/10/09 00:34:17 executed template asset:model
2025/10/09 00:34:17 rendering 1 templates for model k8sApimachineryPkgApisMetaV1OwnerReference
2025/10/09 00:34:17 name field k8sApimachineryPkgApisMetaV1OwnerReference
2025/10/09 00:34:17 package field v1beta1
2025/10/09 00:34:17 type pkg field k8s.apimachinery.pkg.apis.meta.v1
2025/10/09 00:34:17 type pkg alias field owner_reference
2025/10/09 00:34:17 creating generated file "owner_reference.k" in ".../charts/grafana_operator_oci/api/v1beta1/k8s/apimachinery/pkg/apis/meta/v1" as definition
2025/10/09 00:34:17 executed template asset:model
2025/10/09 00:34:18 preprocessing spec with option:  minimal flattening
2025/10/09 00:34:19 building a plan for generation
2025/10/09 00:34:19 generation target .../charts/grafana_operator_oci/api
2025/10/09 00:34:19 planning definitions
2025/10/09 00:34:19 rendering 4 models
2025/10/09 00:34:19 rendering 1 templates for model grafana.integreatly.org.v1beta1.GrafanaNotificationPolicy
2025/10/09 00:34:19 name field grafana.integreatly.org.v1beta1.GrafanaNotificationPolicy
2025/10/09 00:34:19 package field v1beta1
2025/10/09 00:34:19 type pkg field 
2025/10/09 00:34:19 creating generated file "grafana_integreatly_org_v1beta1_grafana_notification_policy.k" in ".../charts/grafana_operator_oci/api/v1beta1" as definition
2025/10/09 00:34:19 executed template asset:model
2025/10/09 00:34:19 rendering 1 templates for model k8sApimachineryPkgApisMetaV1ManagedFieldsEntry
2025/10/09 00:34:19 name field k8sApimachineryPkgApisMetaV1ManagedFieldsEntry
2025/10/09 00:34:19 package field v1beta1
2025/10/09 00:34:19 type pkg field k8s.apimachinery.pkg.apis.meta.v1
2025/10/09 00:34:19 type pkg alias field managed_fields_entry
2025/10/09 00:34:19 creating generated file "managed_fields_entry.k" in ".../charts/grafana_operator_oci/api/v1beta1/k8s/apimachinery/pkg/apis/meta/v1" as definition
2025/10/09 00:34:19 executed template asset:model
2025/10/09 00:34:19 rendering 1 templates for model k8sApimachineryPkgApisMetaV1ObjectMeta
2025/10/09 00:34:19 name field k8sApimachineryPkgApisMetaV1ObjectMeta
2025/10/09 00:34:19 package field v1beta1
2025/10/09 00:34:19 type pkg field k8s.apimachinery.pkg.apis.meta.v1
2025/10/09 00:34:19 type pkg alias field object_meta
2025/10/09 00:34:19 creating generated file "object_meta.k" in ".../charts/grafana_operator_oci/api/v1beta1/k8s/apimachinery/pkg/apis/meta/v1" as definition
2025/10/09 00:34:19 executed template asset:model
2025/10/09 00:34:19 rendering 1 templates for model k8sApimachineryPkgApisMetaV1OwnerReference
2025/10/09 00:34:19 name field k8sApimachineryPkgApisMetaV1OwnerReference
2025/10/09 00:34:19 package field v1beta1
2025/10/09 00:34:19 type pkg field k8s.apimachinery.pkg.apis.meta.v1
2025/10/09 00:34:19 type pkg alias field owner_reference
2025/10/09 00:34:19 creating generated file "owner_reference.k" in ".../charts/grafana_operator_oci/api/v1beta1/k8s/apimachinery/pkg/apis/meta/v1" as definition
2025/10/09 00:34:19 executed template asset:model
2025/10/09 00:34:19 preprocessing spec with option:  minimal flattening
2025/10/09 00:34:20 INFO rendering crd resources cmd=chart_add chart_key=app_template chart=app-template
2025/10/09 00:34:20 building a plan for generation
2025/10/09 00:34:20 generation target .../charts/grafana_operator_oci/api
2025/10/09 00:34:20 planning definitions
    add_chart_test.go:155: 
        	Error Trace:	.../pkg/chartcmd/add_chart_test.go:155
        	Error:      	Received unexpected error:
        	            	CRD generation failed: render CRD resources: template: execute helm install: values don't meet the specifications of the schema(s) in the following chart(s):
        	            	app-template:
        	            	failing loading "https://raw.githubusercontent..../bjw-s/helm-charts/common-3.6..../library/common/values.schema.json": invalid file url: https://raw.githubusercontent..../bjw-s/helm-charts/common-3.6..../library/common/values.schema.jsoncommon:
        	            	failing loading "https://raw.githubusercontent..../bjw-s/helm-charts/common-3.6..../common/schemas/serviceAccount.json": invalid file url: https://raw.githubusercontent..../bjw-s/helm-charts/common-3.6..../common/schemas/serviceAccount.json
        	Test:       	TestHelmChartAdd/app_template
--- FAIL: TestHelmChartAdd/app_template (3.99s)

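Two things on this page concern where a $ref in values.schema.json sends Helm's schema loader: the CVE-2025-55199 advisory (a $ref pointing at /dev/zero, which the loader reads until memory runs out) and the failing TestHelmChartAdd/app_template run in the codecov comment above, where https:// $ref targets are rejected with "invalid file url" after the update. The Go program below is an added example, not Helm's code and not part of this PR: it enumerates every $ref in a schema and reports what each one resolves to, so a chart can be checked before it is loaded. It stats the target instead of matching the literal string /dev/zero, so /dev/urandom, a FIFO or a chart-local symlink to a device are caught as well. Assumptions: relative refs are resolved against a chartDir parameter (the advisory does not say how Helm anchors them), and the schema and the example.invalid URL are constructed input.

```go
// Added example (not Helm's code): list every $ref in a values.schema.json and classify its target.
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// RefKind says what a $ref target resolves to.
type RefKind string

const (
	RefLocal      RefKind = "local"            // "#/..." pointer inside the same document
	RefFile       RefKind = "file"             // an existing regular file
	RefRemote     RefKind = "remote"           // http(s) URL, fetched over the network
	RefNotRegular RefKind = "not-regular-file" // device, FIFO, socket or directory (the /dev/zero case)
	RefMissing    RefKind = "missing"          // path does not exist
	RefUnknown    RefKind = "unknown"          // unparseable ref or unsupported scheme
)

// RefFinding is one $ref with its resolved target and classification.
type RefFinding struct{ Ref, Resolved string; Kind RefKind }

// NeedsReview is true for anything but a same-document pointer or an ordinary file.
func (f RefFinding) NeedsReview() bool { return f.Kind != RefLocal && f.Kind != RefFile }

// collectRefs walks a decoded JSON tree and appends every "$ref" string value.
func collectRefs(node any, out *[]string) {
	switch v := node.(type) {
	case map[string]any:
		for key, child := range v {
			if s, ok := child.(string); key == "$ref" && ok {
				*out = append(*out, s)
			} else {
				collectRefs(child, out)
			}
		}
	case []any:
		for _, child := range v {
			collectRefs(child, out)
		}
	}
}

// classifyRef resolves one $ref and says what it points at.
func classifyRef(chartDir, ref string) RefFinding {
	f := RefFinding{Ref: ref, Kind: RefUnknown}
	u, err := url.Parse(ref)
	switch {
	case err != nil:
		return f
	case strings.HasPrefix(ref, "#"):
		f.Kind = RefLocal
	case u.Scheme == "http" || u.Scheme == "https":
		f.Kind, f.Resolved = RefRemote, ref
	case u.Scheme == "" || u.Scheme == "file":
		f.Resolved = filepath.Clean(u.Path)
		if !filepath.IsAbs(f.Resolved) {
			f.Resolved = filepath.Join(chartDir, f.Resolved) // assumption: relative refs are anchored at the chart directory
		}
		// os.Stat follows symlinks, so a chart-local link to /dev/zero is still reported as a device.
		info, err := os.Stat(f.Resolved)
		switch {
		case err != nil:
			f.Kind = RefMissing
		case !info.Mode().IsRegular():
			f.Kind = RefNotRegular
		default:
			f.Kind = RefFile
		}
	}
	return f
}

// scanSchema parses schemaJSON and classifies every $ref it contains (order is not guaranteed).
func scanSchema(chartDir string, schemaJSON []byte) ([]RefFinding, error) {
	var doc any
	if err := json.Unmarshal(schemaJSON, &doc); err != nil {
		return nil, fmt.Errorf("parse values.schema.json: %w", err)
	}
	var refs []string
	collectRefs(doc, &refs)
	var out []RefFinding
	for _, r := range refs {
		out = append(out, classifyRef(chartDir, r))
	}
	return out, nil
}

func main() {
	// Constructed sample: local and remote refs next to the /dev/zero case from the advisory.
	schema := `{"properties": {"image": {"$ref": "#/$defs/image"}, "sa": {"$ref": "schemas/serviceAccount.json"},
	  "common": {"$ref": "https://example.invalid/common/values.schema.json"}, "filler": {"$ref": "/dev/zero"}}}`
	findings, err := scanSchema(".", []byte(schema))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-17s %-55s %s review=%t\n", f.Kind, f.Ref, f.Resolved, f.NeedsReview())
	}
}
```

Run it against the directory holding values.schema.json; anything reported with review=true is fetched over the network, missing, or not a regular file, and deserves a look before the chart gets anywhere near helm install.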

@botty-mcbottington botty-mcbottington bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch 3 times, most recently from ed232d1 to f55fe03 Compare August 16, 2025 04:06
@botty-mcbottington botty-mcbottington bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch 5 times, most recently from 7a744f3 to 8a06a8a Compare August 30, 2025 06:10
@botty-mcbottington botty-mcbottington bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch 5 times, most recently from 5eab81e to 1bd5452 Compare September 8, 2025 00:33
@botty-mcbottington botty-mcbottington bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch 3 times, most recently from 6b3828a to c749fb8 Compare September 9, 2025 00:31
@botty-mcbottington botty-mcbottington bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch 4 times, most recently from a94efe0 to c37a2c4 Compare September 25, 2025 00:31
@botty-mcbottington botty-mcbottington bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch 8 times, most recently from 8e15440 to 793e9dd Compare October 9, 2025 06:13
@botty-mcbottington botty-mcbottington bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch 4 times, most recently from 655322b to 6ab8ccf Compare October 13, 2025 12:14
@botty-mcbottington botty-mcbottington bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch from 6ab8ccf to 5529835 Compare October 14, 2025 12:14