chore: update module helm.sh/helm/v3 to v3.18.5 [security] #1437
+48
−15
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
ℹ Artifact update noticeFile name: hack/zstd-dict/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
renovate
bot
force-pushed
the
renovate/go-helm.sh-helm-v3-vulnerability
branch
from
d1bc2cb to
e6cb026
Compare
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate
bot
force-pushed
the
renovate/go-helm.sh-helm-v3-vulnerability
branch
from
e6cb026 to
e5da26e
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Update Request | Renovate Bot
This PR contains the following updates:
v3.18.4->v3.18.5GitHub Vulnerability Alerts
CVE-2025-55199
A Helm contributor discovered that it was possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination.
Impact
A malicious chart can point
$refin values.schema.json to a device (e.g./dev/*) or other problem file which could cause Helm to use all available memory and have an out of memory (OOM) termination.Patches
This issue has been resolved in Helm v3.18.5.
Workarounds
Make sure that all Helm charts that are being loaded into Helm doesn't have any reference of
$refpointing to/dev/zero.References
Helm's security policy is spelled out in detail in our SECURITY document.
Credits
Disclosed by Jakub Ciolek at AlphaSense.
CVE-2025-55198
A Helm contributor discovered an improper validation of type error when parsing Chart.yaml and index.yaml files that can lead to a panic.
Impact
There are two areas of YAML validation that were impacted. First, when a
Chart.yamlfile had anullmaintainer or thechildorparentof a dependenciesimport-valuescould be parsed as something other than a string,helm lintwould panic. Second, when anindex.yamlhad an empty entry in the list of chart versions Helm would panic on interactions with that repository.Patches
This issue has been resolved in Helm v3.18.5.
Workarounds
Ensure YAML files are formatted as Helm expects prior to processing them with Helm.
References
Helm's security policy is spelled out in detail in our SECURITY document.
Credits
Disclosed by Jakub Ciolek at AlphaSense.
Release Notes
helm/helm (helm.sh/helm/v3)
v3.18.5Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.