From 828a3b4f7d53529a1e1c086d53b94b6935404159 Mon Sep 17 00:00:00 2001
From: Michael Guarino
Date: Sat, 11 Apr 2026 18:12:54 +0000
Subject: [PATCH] Upgrade Helm to v3.20.2 to fix CVE security vulnerability
This commit upgrades helm.sh/helm/v3 from v3.20.0 to v3.20.2 to address a security vulnerability related to Chart.yaml extraction directory collapse. The vulnerability allowed specially crafted Charts to write contents to the immediate output directory rather than the expected subdirectory during 'helm pull --untar' operations.
Changes:
- Updated go.mod: helm.sh/helm/v3 v3.20.0 -> v3.20.2
- Updated go.sum with new dependency checksums
Build verification completed successfully.
Co-Authored-By: Claude Opus 4.6
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 4d850752..2e4e8cd7 100644
--- a/go.mod
+++ b/go.mod
@@ -60,7 +60,7 @@ require (
 gopkg.in/yaml.v2 v2.4.0
 gopkg.in/yaml.v3 v3.0.1
 gotest.tools/v3 v3.5.1
-helm.sh/helm/v3 v3.20.0
+helm.sh/helm/v3 v3.20.2
 k8s.io/api v0.35.1
 k8s.io/apimachinery v0.35.2
 k8s.io/client-go v0.35.1
diff --git a/go.sum b/go.sum
index 7387cb98..31496a62 100644
--- a/go.sum
+++ b/go.sum
@@ -1031,8 +1031,8 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
-helm.sh/helm/v3 v3.20.0 h1:2M+0qQwnbI1a2CxN7dbmfsWHg/MloeaFMnZCY56as50=
-helm.sh/helm/v3 v3.20.0/go.mod h1:rTavWa0lagZOxGfdhu4vgk1OjH2UYCnrDKE2PVC4N0o=
+helm.sh/helm/v3 v3.20.2 h1:binM4rvPx5DcNsa1sIt7UZi55lRbu3pZUFmQkSoRh48=
+helm.sh/helm/v3 v3.20.2/go.mod h1:Fl1kBaWCpkUrM6IYXPjQ3bdZQfFrogKArqptvueZ6Ww=
 k8s.io/api v0.35.1 h1:0PO/1FhlK/EQNVK5+txc4FuhQibV25VLSdLMmGpDE/Q=
 k8s.io/api v0.35.1/go.mod h1:28uR9xlXWml9eT0uaGo6y71xK86JBELShLy4wR1XtxM=
 k8s.io/apiextensions-apiserver v0.35.1 h1:p5vvALkknlOcAqARwjS20kJffgzHqwyQRM8vHLwgU7w=