🌱 Update Builder Image group

[cluster-stack-bot]

This PR contains the following updates:

Package	Type	Update	Change
adrienverge/yamllint		minor	v1.37.1 -> v1.38.0
docker.io/aquasec/trivy (source)	stage	minor	0.66.0 -> 0.70.0
docker.io/hadolint/hadolint	stage	minor	v2.13.1-alpine -> v2.14.0-alpine
docker.io/library/alpine	stage	minor	3.22.1 -> 3.23.4
golangci/golangci-lint		minor	v2.4.0 -> v2.12.2
helm/helm		major	v3.19.0 -> v4.2.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

adrienverge/yamllint (adrienverge/yamllint)

v1.38.0

Compare Source

hadolint/hadolint (docker.io/hadolint/hadolint)

v2.14.0

Compare Source

What's Changed

• Enhance INTEGRATION.md with a toc and ordering by @​jammsen in #​1118
• DL3041, DL3033: Handle RPM package epoch by @​m-ildefons in #​1121
• DL3009: Allow either cache or tmpfs mounts by @​m-ildefons in #​1123
• added new rule DL3062 to check go install by @​Danil42Russia in #​1111
• DL3041, DL3033: Handle RPM package with plus sign by @​samcranford in #​1125
• relax dependencies by @​m-ildefons in #​1128
• fixup release workflow by @​m-ildefons in #​1129

New Contributors

• @​jammsen made their first contribution in #​1118
• @​Danil42Russia made their first contribution in #​1111
• @​samcranford made their first contribution in #​1125

Full Changelog: hadolint/hadolint@v2.13.1...v2.14.0

golangci/golangci-lint (golangci/golangci-lint)

v2.12.2

Compare Source

Released on 2026-05-06

1. Linters bug fixes
   • gomodguard_v2: fix blocked configuration
   • gomodguard_v2: from 2.1.0 to 2.1.3
   • iface: from 1.4.1 to 1.4.2

v2.12.1

Compare Source

Released on 2026-05-01

1. Linters bug fixes
   • gomodguard_v2: fix panic with migration suggestion
2. Misc.
   • fix install.sh script (if you are still using an URL based on the branch master, please update to use https://golangci-lint.run/install.sh)

v2.12.0

Compare Source

Released on 2026-05-01

1. New linters
   • Add clickhouselint linter https://github.com/ClickHouse/clickhouse-go-linter
2. Linters new features or changes
   • dupl: from f665c8d to c99c5cf (extended detection)
   • funcorder: from 0.5.0 to 0.6.0 (new option: function)
   • goconst: add an option to ignore strings from tests
   • goconst: from 1.8.2 to 1.10.0 (extended detection)
   • gomodguard_v2: from 1.4.1 to 2.1.0 (major version with new configuration)
   • gosec: from 619ce21 to 2.26.1 (new checks: G124, G708, G709, G710)
   • govet: add inline analyzer
   • makezero: from 2.1.0 to 2.2.1 (support slice type aliases)
   • paralleltest: expose checkcleanup option
   • sloglint: from 0.11.1 to 0.12.0 (new options: allowed-keys, custom-funcs)
   • wsl_v5: from 5.6.0 to 5.8.0 (new option: cuddle-max-statements; new checks: after-decl, after-defer, after-expr, after-go, cuddle-group)
3. Linters bug fixes
   • forbidigo: from 2.3.0 to 2.3.1
   • godot: from 1.5.4 to 1.5.6
   • govet-modernize: from 0.43.0 to 0.44.0
   • ireturn: from 0.4.0 to 0.4.1
   • rowserrcheck: from 1.1.1 to c5f79b8
4. Misc.
   • Decrease cache entropy
   • Embed the JSON schema in the binary
   • Filter env vars when cloning the repository with the custom command

v2.11.4

Compare Source

Released on 2026-03-22

1. Linters bug fixes
   • govet-modernize: from 0.42.0 to 0.43.0
   • noctx: from 0.5.0 to 0.5.1
   • sqlclosecheck: from 0.5.1 to 0.6.0

v2.11.3

Compare Source

Released on 2026-03-10

1. Linters bug fixes
   • gosec: from v2.24.7 to 619ce21

v2.11.2

Compare Source

Released on 2026-03-07

1. Fixes
   • fmt: fix error when using the fmt command with explicit paths.

v2.11.1

Compare Source

Released on 2026-03-06

Due to an error related to AUR, some artifacts of the v2.11.0 release have not been published.

This release contains the same things as v2.11.0.

v2.11.0

Compare Source

Released on 2026-03-06

1. Linters new features or changes
   • errcheck: from 1.9.0 to 1.10.0 (exclude crypto/rand.Read by default)
   • gosec: from 2.23.0 to 2.24.6 (new rules: G113, G118, G119, G120, G121, G122, G123, G408, G707)
   • noctx: from 0.4.0 to 0.5.0 (new detection: httptest.NewRequestWithContext)
   • prealloc: from 1.0.2 to 1.1.0
   • revive: from 1.14.0 to 1.15.0 (⚠️ Breaking change: package-related checks moved from var-naming to a new rule package-naming)
2. Linters bug fixes
   • gocognit: from 1.2.0 to 1.2.1
   • gosec: from 2.24.6 to 2.24.7
   • unqueryvet: from 1.5.3 to 1.5.4

v2.10.1

Compare Source

Released on 2026-02-17

1. Fixes
   • buildssa panic

v2.10.0

Compare Source

Released on 2026-02-17

1. Linters new features or changes
   • ginkgolinter: from 0.22.0 to 0.23.0
   • gosec: from 2.22.11 to 2.23.0 (new rules: G117, G602, G701, G702, G703, G704, G705, G706)
   • staticcheck: from 0.6.1 to 0.7.0
2. Linters bug fixes
   • godoclint: from 0.11.1 to 0.11.2

v2.9.0

Compare Source

Released on 2026-02-10

1. Enhancements
   • 🎉 go1.26 support
2. Linters new features or changes
   • arangolint: from 0.3.1 to 0.4.0 (new rule: detect potential query injections)
   • ginkgolinter: from 0.21.2 to 0.22.0 (support for wrappers)
   • golines: from 0.14.0 to 0.15.0
   • misspell: from 0.7.0 to 0.8.0
   • revive: from v1.13.0 to v1.14.0 (new rules: epoch-naming, use-slices-sort)
   • unqueryvet: from 1.4.0 to 1.5.3 (new options: check-n1, check-sql-injection, check-tx-leaks, allow, custom-rules)
   • wsl_v5: from 5.3.0 to 5.6.0 (new rule: after-block)
3. Linters bug fixes
   • modernize: from 0.41.0 to 0.42.0
   • prealloc: from 1.0.1 to 1.0.2
   • protogetter: from 0.3.18 to 0.3.20
4. Misc.
   • Log information about files when configuration verification
   • Emit an error when no linters enabled
   • Do not collect VCS information when loading code

v2.8.0

Compare Source

Released on 2026-01-07

1. Linters new features or changes
   • godoclint: from 0.10.2 to 0.11.1 (new rule: require-stdlib-doclink)
   • golines: from 442fd00 to 0.14.0
   • gomoddirectives: from 0.7.1 to 0.8.0
   • gosec: from daccba6 to 2.22.11 (new rule: G116)
   • modernize: from 0.39.0 to 0.40.0 (new analyzers: stringscut, unsafefuncs)
   • prealloc: from 1.0.0 to 1.0.1 (message changes)
   • unqueryvet: from 1.3.0 to 1.4.0 (new options: check-aliased-wildcard, check-string-concat, check-format-strings, check-string-builder, check-subqueries, ignored-functions, sql-builders)
2. Linters bug fixes
   • gocritic: from 0.14.2 to 0.14.3
   • errorlint: from 1.8.0 to 1.9.0
   • govet: from 0.39.0 to 0.40.0
   • protogetter: from 0.3.17 to 0.3.18
   • revive: add missing enable-default-rules setting
3. Documentation
   • docs: split installation page

v2.7.2

Compare Source

Released on 2025-12-07

1. Linter bug fixes
   • gosec: from 2.22.10 to daccba6

v2.7.1

Compare Source

Released on 2025-12-04

1. Linter bug fixes
   • modernize: disable stringscut analyzer

v2.7.0

Compare Source

Released on 2025-12-03

1. Bug fixes
   • fix: clone args used by custom command
2. Linters new features or changes
   • nosprintfhostport: from 0.2.0 to 0.3.1 (ignore string literals without a colon)
   • unqueryvet: from 1.2.1 to 1.3.0 (handles const and var declarations)
   • revive: from 1.12.0 to 1.13.0 (new option: enable-default-rules, new rules: forbidden-call-in-wg-go, unnecessary-if, inefficient-map-lookup)
   • modernize: from 0.38.0 to 0.39.0 (new analyzers: plusbuild, stringscut)
3. Linters bug fixes
   • perfsprint: from 0.10.0 to 0.10.1
   • wrapcheck: from 2.11.0 to 2.12.0
   • godoclint: from 0.10.1 to 0.10.2
4. Misc.
   • Add some flags to the custom command
5. Documentation
   • docs: split changelog v1 and v2

v2.6.2

Compare Source

Released on 2025-11-14

1. Bug fixes
   • fmt command with symlinks
   • use file depending on build configuration to invalidate cache
2. Linters bug fixes
   • testableexamples: from 1.0.0 to 1.0.1
   • testpackage: from 1.1.1 to 1.1.2

v2.6.1

Compare Source

Released on 2025-11-04

1. Linters bug fixes
   • copyloopvar: from 1.2.1 to 1.2.2
   • gocritic: from 0.14.0 to 0.14.2

v2.6.0

Compare Source

Released on 2025-10-29

1. New linters
   • Add modernize analyzer suite
2. Linters new features or changes
   • arangolint: from 0.2.0 to 0.3.1
   • dupword: from 0.1.6 to 0.1.7 (new option comments-only)
   • gocritic: from 0.13.0 to 0.14.0 (new rules/checkers: zeroByteRepeat, dupOption)
   • gofumpt: from 0.9.1 to 0.9.2 ("clothe" naked returns is now controlled by the extra-rules option)
   • perfsprint: from 0.9.1 to 0.10.0 (new options: concat-loop, loop-other-ops)
   • wsl: from 5.2.0 to 5.3.0
3. Linters bug fixes
   • dupword: from 0.1.6 to 0.1.7
   • durationcheck: from 0.0.10 to 0.0.11
   • exptostd: from 0.4.4 to 0.4.5
   • fatcontext: from 0.8.1 to 0.9.0
   • forbidigo: from 2.1.0 to 2.3.0
   • ginkgolinter: from 0.21.0 to 0.21.2
   • godoclint: from 0.10.0 to 0.10.1
   • gomoddirectives: from 0.7.0 to 0.7.1
   • gosec: from 2.22.8 to 2.22.10
   • makezero: from 2.0.1 to 2.1.0
   • nilerr: from 0.1.1 to 0.1.2
   • paralleltest: from 1.0.14 to 1.0.15
   • protogetter: from 0.3.16 to 0.3.17
   • unparam: from 0df0534 to 5beb8c8
4. Misc.
   • fix: ignore some files to hash the version for custom build

v2.5.0

Compare Source

Released on 2025-09-21

1. New linters
   • Add godoclint linter https://github.com/godoc-lint/godoc-lint
   • Add unqueryvet linter https://github.com/MirrexOne/unqueryvet
   • Add iotamixing linter https://github.com/AdminBenni/iota-mixing
2. Linters new features or changes
   • embeddedstructfieldcheck: from 0.3.0 to 0.4.0 (new option: empty-line)
   • err113: from aea10b5 to 0.1.1 (skip internals of Is methods for error type)
   • ginkgolinter: from 0.20.0 to 0.21.0 (new option: force-tonot)
   • gofumpt: from 0.8.0 to 0.9.1 (new rule is to "clothe" naked returns for the sake of clarity)
   • ineffassign: from 0.1.0 to 0.2.0 (new option: check-escaping-errors)
   • musttag: from 0.13.1 to 0.14.0 (support interface methods)
   • revive: from 1.11.0 to 1.12.0 (new options: identical-ifelseif-branches, identical-ifelseif-conditions, identical-switch-branches, identical-switch-conditions, package-directory-mismatch, unsecure-url-scheme, use-waitgroup-go, useless-fallthrough)
   • thelper: from 0.6.3 to 0.7.1 (skip t.Helper in functions passed to synctest.Test)
   • wsl_v5: from 5.1.1 to 5.2.0 (improvements related to subexpressions)
3. Linters bug fixes
   • asciicheck: from 0.4.1 to 0.5.0
   • errname: from 1.1.0 to 1.1.1
   • fatcontext: from 0.8.0 to 0.8.1
   • goprintffuncname: from 0.1.0 to 0.1.1
   • godot: from 1.5.1 to 1.5.4
   • gosec: from 2.22.7 to 2.22.8
   • nilerr: from 0.1.1 to a temporary fork
   • nilnil: from 1.1.0 to 1.1.1
   • protogetter: from 0.3.15 to 0.3.16
   • tagliatelle: from 0.7.1 to 0.7.2
   • testifylint: from 1.6.1 to 1.6.4
4. Misc.
   • fix: "no export data" errors are now handled as a standard typecheck error
5. Documentation
   • Improve nolint section about syntax

helm/helm (helm/helm)

v4.2.0: Helm v4.2.0

Compare Source

Helm v4.2.0 is a feature release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:
  • for questions and just to hang out
  • for discussing PRs, code, and bugs
• Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
• Test, debug, and contribute charts: ArtifactHub/packages

Notable Changes

• Switch to goreleaser for release builds
• Kubernetes client libraries to v1.36
• Add mustToToml template function
• deprecate unused --hide-notes and --render-subchart-notes flags
• --dry-run=server now respects generateName:

Installation and Upgrading

Download Helm v4.2.0. The common platform binaries are here:

• MacOS amd64 (checksum / 1376ea697140e4db316736e760d5a47d12afc1524dce704476ef06fd7fdeddc6)
• MacOS arm64 (checksum / f13f959015447b6bc309f9fd506509926543988a39035c088b52522ec95e2acb)
• Linux amd64 (checksum / 97dbeb971be4ac4b27e3839976d9564c0fb35c6f3b1da89dd1e292d236af4096)
• Linux arm (checksum / ae624870b2d50e655b6462daff117eb9d28c4bad45234ef24c1275113540fcb0)
• Linux arm64 (checksum / 1f8de130dfbd04de64978e7b852a7a547be1404956a366608276d2520b678670)
• Linux i386 (checksum / 9cf44acc59081aca98b4d9f09138348836b26761258e02ad2b99616f66eead5c)
• Linux loong64 (checksum / 5b04f0167b8b415a057c1f4f809ede86d5ead840e0aa560db097da5be19f86d0)
• Linux ppc64le (checksum / 48f0637b93247717b725e8d4a8d2cf8df0e2fdea91bdd0e36e2426c2d5c76e4e)
• Linux s390x (checksum / 328e9ed27904f9910026240c4311bb1b0bf91c6fde1634f212097694507a702f)
• Linux riscv64 (checksum / 5d292d57ab1f40e47e373a87187bafa66e8daac4ddc4a1333421c174e8184755)
• Windows amd64 (checksum / 614f68ddc567ac9bfb0c205f869b1f83ba4e0a9aacd26cbae47743ae6082a579)
• Windows arm64 (checksum / e740e4c19b6e2a0b428f7a52c38b7f0b092f0c43ac49870537d7e7fac9cedc07)

This release was signed by @​gjenkins8 with key BF88 8333 D96A 1C18 E268 2AAE D79D 67C9 EC01 6739, which can be found at https://keys.openpgp.org/vks/v1/by-fingerprint/BF888333D96A1C18E2682AAED79D67C9EC016739. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

• 4.2.1 will contain only bug fixes
• 4.3.0 is the next feature release

Changelog

• Bump to version v4.2 0646808 (George Jenkins)
• build: Clean up Goreleaser change (#​32098) e23bf3a (Scott Rigby)
• fix: add -extldflags -static to dist target to match build-cross f60ab7c (Terry Howe)
• build: use goreleaser build with manual archive creation 64aa46f (Terry Howe)
• chore: remove build-cross dependency from test-acceptance d199a1a (Terry Howe)
• ci: add fetch-depth 0 to canary checkout for goreleaser 8289940 (Terry Howe)
• fix: address goreleaser build issues flagged in review c075022 (Terry Howe)
• fix: pass VERSION as GORELEASER_CURRENT_TAG to preserve v-prefix in archive names 04885dd (Terry Howe)
• fix: disable goreleaser checksums.txt and restrict zip to windows only 93103ce (Terry Howe)
• fix: use index for optional env var in version_template e49a1dc (Terry Howe)
• fix: canary build file names eaa0910 (Terry Howe)
• Fix archive name 5a75279 (Terry Howe)
• fix goreleaser archive 37284a9 (Terry Howe)
• add support for loong64 45336cc (Terry Howe)
• fix artifact directory a9659b0 (Terry Howe)
• update configuration to v2 e368f17 (Terry Howe)
• remove GOTOOLCHAIN e7bea85 (Terry Howe)
• chore: replace mitchellh/gox with goreleaser 075c096 (Terry Howe)
• chore(deps): bump github.com/distribution/distribution/v3 12f2c41 (dependabot[bot])
• chore(deps): bump github/codeql-action from 4.35.2 to 4.35.3 58e8ffd (dependabot[bot])
• chore(deps): bump github.com/Masterminds/semver/v3 from 3.4.0 to 3.5.0 e61bbfb (dependabot[bot])
• Upgrade kstatus to 1.2 and controller-runtime to 0.24 081c6df (Matheus Pimenta)
• fix: adds topLevel permissions to improve openSSF scores 277d970 (Gagan H R)
• Upgrade Go to 1.26, Kubernetes to 1.36, kstatus to 1.1 a4a9cc7 (Matheus Pimenta)
• fix(templating): hooks conflicting with templates in post-renderers (#​32049) 8f56f24 (Matheus Pimenta)
• docs: fix grammar and spacing in CONTRIBUTING.md db40adb (Mohit)
• chore(deps): bump the k8s-io group with 7 updates 775e794 (dependabot[bot])
• chore(deps): bump github/codeql-action from 4.35.1 to 4.35.2 934ace3 (dependabot[bot])
• fix(templating): SplitManifests must preserve line endings for downstream YAML parsers (#​31952) 265c5eb (Matheus Pimenta)
• chore(deps): bump github.com/mattn/go-shellwords from 1.0.12 to 1.0.13 48e2b7d (dependabot[bot])
• Update pkg/chart/common/util/coalesce.go a8e2497 (Evans Mungai)
• test(values): Add test for nil cleanup in partially overridden subchart maps 52fc971 (Johannes Lohmer)
• fix(values): do not copy chart-default nils into coalesced values 0063877 (Johannes Lohmer)
• test(values): add test for subchart nil producing %!s() 6eb4ebf (Johannes Lohmer)
• test(values): add tests for subchart nil value regressions 5cb4e7d (Johannes Lohmer)
• chore(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 b5c7c80 (dependabot[bot])
• fix(templating): fix wrong YAML separator parsing for post-renderers (#​31941) a27f1ad (Matheus Pimenta)
• fix: add debug logging to HTTP getter for helm pull c26be60 (Cairon)
• chore(deps): bump golang.org/x/crypto from 0.49.0 to 0.50.0 953f5f0 (dependabot[bot])
• chore(deps): bump golang.org/x/term from 0.41.0 to 0.42.0 10fc5f3 (dependabot[bot])
• chore(deps): bump golang.org/x/text from 0.35.0 to 0.36.0 d89e7c6 (dependabot[bot])
• chore: Update release notes script for Helm v4 8a95461 (George Jenkins)
• refactor(cli): share RetryingRoundTripper via pkg/kubeenv 213c869 (Sumit Solanki)
• chore(deps): bump github.com/lib/pq from 1.12.2 to 1.12.3 bd5027a (dependabot[bot])
• fix: unnecessary-format lint issues from merge 087736b (George Jenkins)
• fix: Plugin missing provenance bypass 586eb57 (George Jenkins)
• chore(deps): bump github.com/fluxcd/cli-utils c8c5dfa (dependabot[bot])
• chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp 998466c (dependabot[bot])
• chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp b0cec58 (dependabot[bot])
• chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp 6ebfb29 (dependabot[bot])
• test(kube): fix flaky WaitForDelete test by avoiding informer sync race a7f8443 (Terry Howe)
• test(kube): fix flaky WaitForDelete timing in status wait tests 4c0d21f (Terry Howe)
• chore(deps): bump github.com/distribution/distribution/v3 08dea9c (dependabot[bot])
• Minor nit: fix import instructions to comply with canonical import paths de58531 (Anmol Virdi)
• chore(deps): bump github.com/distribution/distribution/v3 9b1ad4c (dependabot[bot])
• fix(action): return correct error variable in prepareUpgrade 8ef2d45 (Rhys McNeill)
• chore(deps): bump github.com/lib/pq from 1.12.1 to 1.12.2 cd7cf76 (dependabot[bot])
• chore(deps): bump github/codeql-action from 4.30.7 to 4.35.1 45ee55b (dependabot[bot])
• chore(deps): bump github.com/lib/pq from 1.12.0 to 1.12.1 9a06741 (dependabot[bot])
• chore(deps): bump actions/setup-go from 6.2.0 to 6.4.0 d1e31ca (dependabot[bot])
• fix(kube): clarify server-side apply patch errors f257c95 (abhay1999)
• fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow 7025480 (Terry Howe)
• refactor(cli): decouple EnvSettings from pkg/kube 64f1d0a (Sumit Solanki)
• docs(registry): fix incorrect and improve clarity of comments in client.go 85bf56e (Debasish Mohanty)
• refactor(cli): decouple EnvSettings from pkg/kube to avoid import cycles 1549937 (Sumit Solanki)
• chore(deps): bump github.com/ProtonMail/go-crypto from 1.3.0 to 1.4.1 c7a75b1 (dependabot[bot])
• chore(deps): bump github.com/lib/pq from 1.11.2 to 1.12.0 3a7573a (dependabot[bot])
• chore(deps): bump github.com/fatih/color from 1.18.0 to 1.19.0 0229da1 (dependabot[bot])
• docs(engine): fix misleading toTOML doc comment c1a5a6e (Ilya Kiselev)
• feat(engine): add mustToToml template function b075f7a (Ilya Kiselev)
• chore: fix unnecessary-format issues from revive 7edfff3 (Matthieu MOREL)
• chore(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.3 37185d2 (dependabot[bot])
• chore: fix bool-compare issues from testifylint 071558d (Matthieu MOREL)
• chore: enable perfsprint linter 6249489 (Matthieu MOREL)
• ignore error plugin loads (cli, getter) 47a0840 (George Jenkins)
• chore(deps): bump golang.org/x/crypto from 0.48.0 to 0.49.0 3d06fd1 (dependabot[bot])
• fix(kube): remove legacy import comments from test files e64d628 (Terry Howe)
• pkg/kube: remove legacy import comments d7cdc9e (abhay1999)
• fix: Plugin version path traversal 36dcc27 (George Jenkins)
• chore(deps): bump golang.org/x/term from 0.40.0 to 0.41.0 c4be7af (dependabot[bot])
• chore: fix some minor issues in the comments 259f181 (tsinglua)
• fix: Chart dot-name path bug 6018499 (George Jenkins)
• chore(deps): bump sigs.k8s.io/controller-runtime from 0.23.1 to 0.23.3 74e7cf8 (dependabot[bot])
• fix: insert newline after doc separators glued to content by template trimming af94abf (Matheus Pimenta)
• chore(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 16073b1 (dependabot[bot])
• chore: enable modernize linter (#​31860) e31a078 (Matthieu MOREL)
• Restored --atomic flag on install command 16573f8 (Travis Leeden)
• fix: bump go.opentelemetry.io/otel/sdk to v1.40.0 for GO-2026-4394 b550ce9 (Terry Howe)
• fix: bump fluxcd/cli-utils to v0.37.2-flux.1 1dfa77e (Terry Howe)
• Update pkg/cmd/status.go 5d40f17 (Matthieu MOREL)
• chore(internal): enable perfsprint linter (#​31871) d4f6193 (Matthieu MOREL)
• chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 82d9bed (dependabot[bot])
• chore(pkg): fix perfsprint linter issues part 6 dc0e3f1 (Matthieu MOREL)
• chore(pkg): enable perfsprint linter e3c74fd (Matthieu MOREL)
• chore(pkg): enable perfsprint linter 1d2d63c (Matthieu MOREL)
• chore(pkg): enable perfsprint linter 63f03c0 (Matthieu MOREL)
• chore(pkg): enable perfsprint linter c25c988 (Matthieu MOREL)
• chore(pkg): enable perfsprint linter 0fecfd0 (Matthieu MOREL)
• chore(internal): enable perfsprint linter 6524162 (Matthieu MOREL)
• chore(pkg): enable perfsprint linter 6c2cb2f (Matthieu MOREL)
• chore(internal): enable perfsprint linter 9409226 (Matthieu MOREL)
• Replace unneeded use of t.Fatalf with t.Fatal 36cb3a2 (Mads Jensen)
• fix: enable nolinlint linter 5b6c6bb (Matthieu MOREL)
• fixup strings.Cut variables b667317 (George Jenkins)
• chore: Improve AGENTS.md 956c724 (George Jenkins)
• chore: fixes 92b64e8 (George Jenkins)
• fix: correct import comment in statuswait.go from v3 to v4 c59c140 (rohansood10)
• fix: handle OCI digest algorithm prefix in chart downloader (#​31601) ee01860 (Evans Mungai)
• chore(deps): bump actions/stale from 10.1.1 to 10.2.0 304d25f (dependabot[bot])
• chore(deps): bump the k8s-io group with 7 updates 0b13436 (dependabot[bot])
• feat(release): add internal/release/v2 package for chart v3 support (#​31709) 4a91f3a (Evans Mungai)
• chore(deps): bump golang.org/x/crypto from 0.47.0 to 0.48.0 7823853 (dependabot[bot])
• chore(deps): bump golang.org/x/term from 0.39.0 to 0.40.0 aec7ace (dependabot[bot])
• chore(deps): bump github.com/lib/pq from 1.11.1 to 1.11.2 a23b638 (dependabot[bot])
• chore(deps): bump golang.org/x/text from 0.33.0 to 0.34.0 5cddc95 (dependabot[bot])
• chore(deps): bump sigs.k8s.io/kustomize/kyaml from 0.21.0 to 0.21.1 2e266c3 (dependabot[bot])
• fix(pkg): errorlint linter 259f76a (Matthieu MOREL)
• fix(internal): errorlint linter 0254182 (Matthieu MOREL)
• fix(pkg): errorlint linter 6d1490e (Matthieu MOREL)
• fix(pkg): errorlint linter 4d0ae7f (Matthieu MOREL)
• fix(internal): errorlint linter abecafa (Matthieu MOREL)
• fix(pkg): errorlint linter 4330bde (Matthieu MOREL)
• fix(pkg): errorlint linter c8989d9 (Matthieu MOREL)
• fix(cmd): errorlint linter edbd705 (Matthieu MOREL)
• chore: new KEYS entry for George Jenkins 5638c35 (George Jenkins)
• fix(downloader): safely handle concurrent file writes on Windows 76eb37c (Orgad Shaneh)
• fix(install): check nil for restClientGetter and fix tests 9817a68 (Manuel Alonso)
• feat(create): add --chart-api-version flag (when HELM_EXPERIMENTAL_CHART_V3 env var is set) (#​31592) 5aac320 (Evans Mungai)
• chore(pkg): fix modernize linter 0d75d86 (Matthieu MOREL)
• chore(internal): fix modernize linter 859292e (Matthieu MOREL)
• chore(pkg): fix modernize linter 5cc2e55 (Matthieu MOREL)
• chore(pkg): fix modernize linter ba38159 (Matthieu MOREL)
• chore(internal): fix modernize linter e2d184c (Matthieu MOREL)
• chore(pkg): fix modernize linter 111d4e6 (Matthieu MOREL)
• add image index test e8f386b (Pedro Tôrres)
• fix pulling charts from OCI indices d983696 (Pedro Tôrres)
• chore(deps): bump github.com/lib/pq from 1.10.9 to 1.11.1 9c9c3a6 (dependabot[bot])
• Revert "Consider GroupVersionKind when matching resources" 787b61c (Matheus Pimenta)
• chore(deps): bump sigs.k8s.io/controller-runtime from 0.23.0 to 0.23.1 becf9bf (dependabot[bot])
• fix(template): deprecate unused --hide-notes and --render-subchart-notes flags 6d5f56f (Scott Rigby)
• chore(deps): bump github.com/fluxcd/cli-utils b53198e (dependabot[bot])
• chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 b59e533 (dependabot[bot])
• whitespace ec07265 (Austin Abro)
• fix(copystructure): handle nil elements in slice copying e3829eb (Philipp Born)
• use logger with waiter 63b40a7 (Austin Abro)
• feat(kstatus): fine-grained context options for waiting b0b35f1 (Matheus Pimenta)
• Apply suggestions from code review 26e28e8 (George Jenkins)
• Remove legacy sync-repo.sh script 97fd007 (Jeevan Yewale)
• chore(deps): bump sigs.k8s.io/controller-runtime from 0.22.4 to 0.23.0 5262007 (dependabot[bot])
• docs: document uninstall using cascade foreground flag e70d59d (Evans Mungai)
• bugfix(kstatus): do not wait forever on failed resources bbec77c (Matheus Pimenta)
• Modernize Helm v3 CONTRIBUTING.md 443a2a6 (George Jenkins)
• chore(defaults): server-side apply SDK defaults should always match the CLI defaults c1cc625 (Matheus Pimenta)
• chore: clarify --wait flag help text 828038a (Evans Mungai)
• chore(deps): bump actions/setup-go from 6.1.0 to 6.2.0 e223771 (dependabot[bot])
• chore(refactor): better testing and functionality for installing crd 6501ef4 (Manuel Alonso)
• bugfix(storage): fix storage not getting logger from driver a8eb527 (Matheus Pimenta)
• chore(deps): bump golang.org/x/crypto from 0.46.0 to 0.47.0 da1d68a (dependabot[bot])
• fix(test): fix tests and check nil for restclient 0f949a9 (Manuel Alonso)
• fix(test): merge fix correctly 561410a (Manuel Alonso Gonzalez)
• Remove refactorring changes from coalesce_test.go 0298b2f (Evans Mungai)
• Fix import b8937ad (Evans Mungai)
• Update pkg/chart/common/util/coalesce_test.go a333bba (Evans Mungai)
• Fix rollback for missing resources 374aeb4 (Feruzjon Muyassarov)
• fix(install): add more tests and check nil file data 00f0a48 (Manuel Alonso)
• fix(test): no check empty resources 0357e8d (Manuel Alonso)
• fix(install): check lenght and file nil, add tests 52235cc (Manuel Alonso)
• fix(action): crd resources can be empty 268593b (Manuel Alonso)
• fix: casing issue fixed 1709114 (Mujib Ahasan)
• fix: error handled correctly 9486062 (Mujib Ahasan)
• fix: doc string added 12e8b71 (Mujib Ahasan)
• Fix lint warning 3416dd5 (Evans Mungai)
• Preserve nil values in chart already 679f051 (Evans Mungai)
• fix(values): preserve nil values when chart default is empty map 292fe70 (Evans Mungai)
• update: test coverage added for helper function validateNameAndGenerateName 1154099 (Mujib Ahasan)
• update: helper function added for the business logic 522d2fe (Mujib Ahasan)
• generateName is also considered in logic 6769fb6 (Mujib Ahasan)
• fxi: test concurrency download index 64bae71 (Terry Howe)
• update: business logic respected for skipping object missing name b357bca (Mujib Ahasan)
• fixed: --dry-run=server now respect generateName 2820ebe (Mujib Ahasan)
• Make error message instructional for the case of lock file being out of date 1836c59 (Andreas Sommer)

New Contributors

• @​JeevanYewale made their first contribution in #​31742
• @​tamcore made their first contribution in #​31751
• @​orgads made their first contribution in #​31128
• @​manute made their first contribution in #​31578
• @​Mujib-Ahasan made their first contribution in #​31563
• @​rohansood10 made their first contribution in #​31852
• @​tleed5 made their first contribution in #​31901
• @​tsinglua made their first contribution in #​31921
• @​abhay1999 made their first contribution in #​31931
• @​Mentigen made their first contribution in #​31957
• @​Debasish-87 made their first contribution in #​31973
• @​AnmolVirdi made their first contribution in #​32014
• @​Y0-L0 made their first contribution in #​31979
• @​MohitSalvi16 made their first contribution in #​32057
• @​rhysmcneill made their first contribution in #​32008
• @​cairon-ab made their first contribution in #​32034
• @​gaganhr94 made their first contribution in #​31923
• @​isumitsolanki made their first contribution in #​31970

Full Changelog: helm/helm@v4.1.0...v4.2.0

v4.1.4: Helm v4.1.4

Compare Source

Helm v4.1.4 is a security fix patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:
  • for questions and just to hang out
  • for discussing PRs, code, and bugs
• Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
• Test, debug, and contribute charts: ArtifactHub/packages

Security fixes

• GHSA-hr2v-4r36-88hr Helm Chart extraction output directory collapse via Chart.yaml name dot-segment
• GHSA-q5jf-9vfq-h4h7 Plugin verification fails open when .prov is missing, allowing unsigned plugin install
• GHSA-vmx8-mqv2-9gmg Path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory

A big thank you to the reporters of these issues (@​maru1009, [@​1seal](https://redirect.gi

---

Configuration

📅 Schedule: Branch creation - "on the first day of the month" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

[cluster-stack-bot]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: undefined

Command failed: BUILD_IMAGE_TOKEN=**redacted** BUILD_IMAGE_USER=kranurag7 CI=true ./hack/upgrade-builder-image.sh
+ set -o errexit
+ set -o nounset
+ set -o pipefail
+++ dirname ./hack/upgrade-builder-image.sh
++ realpath ./hack/..
+ REPO_ROOT=/tmp/renovate/repos/github/SovereignCloudStack/cluster-stack-operator
+ cd /tmp/renovate/repos/github/SovereignCloudStack/cluster-stack-operator
+ source /tmp/renovate/repos/github/SovereignCloudStack/cluster-stack-operator/hack/semver-upgrade.sh
++ set -o errexit
++ set -o nounset
++ set -o pipefail
++ set -x
+ '[' true = true ']'
+ echo **redacted**
+ docker login ghcr.io -u kranurag7 --password-stdin
++ git fetch --quiet origin main
++ git show origin/main:.builder-image-version.txt
+ export VERSION=1.1.34
+ VERSION=1.1.34
++ semver_upgrade patch 1.1.34
++ IFS=.
++ read -r version minor patch
++ case "$1" in
++ tag=1.1.35
++ echo 1.1.35
+ export NEW_VERSION=1.1.35
+ NEW_VERSION=1.1.35
+ echo 1.1.35
+ echo 'Wrote new version 1.1.35 to .builder-image-version.txt'
+ docker manifest inspect ghcr.io/sovereigncloudstack/cso-builder:1.1.34
+ echo 0
+ sed -i -e '/^BUILDER_IMAGE_VERSION /s/:=.*$/:= 1.1.35/' Makefile
+ for FILE in ${REPO_ROOT}/.github/workflows/*
+ grep 'image: ghcr.io/sovereigncloudstack/cso-builder' /tmp/renovate/repos/github/SovereignCloudStack/cluster-stack-operator/.github/workflows/build.yml
+ for FILE in ${REPO_ROOT}/.github/workflows/*
+ grep 'image: ghcr.io/sovereigncloudstack/cso-builder' /tmp/renovate/repos/github/SovereignCloudStack/cluster-stack-operator/.github/workflows/kubebuilder-markers-checker.yml
+ for FILE in ${REPO_ROOT}/.github/workflows/*
+ grep 'image: ghcr.io/sovereigncloudstack/cso-builder' /tmp/renovate/repos/github/SovereignCloudStack/cluster-stack-operator/.github/workflows/pr-lint.yml
+ sed -i -e '/image: ghcr\.io\/sovereigncloudstack\/cso-builder:/s/:.*$/: ghcr\.io\/sovereigncloudstack\/cso-builder:1.1.35/' /tmp/renovate/repos/github/SovereignCloudStack/cluster-stack-operator/.github/workflows/pr-lint.yml
+ for FILE in ${REPO_ROOT}/.github/workflows/*
+ grep 'image: ghcr.io/sovereigncloudstack/cso-builder' /tmp/renovate/repos/github/SovereignCloudStack/cluster-stack-operator/.github/workflows/pr-verify.yml
+ for FILE in ${REPO_ROOT}/.github/workflows/*
+ grep 'image: ghcr.io/sovereigncloudstack/cso-builder' /tmp/renovate/repos/github/SovereignCloudStack/cluster-stack-operator/.github/workflows/release.yml
+ for FILE in ${REPO_ROOT}/.github/workflows/*
+ grep 'image: ghcr.io/sovereigncloudstack/cso-builder' /tmp/renovate/repos/github/SovereignCloudStack/cluster-stack-operator/.github/workflows/schedule-cache-cleaner-cso-image.yml
+ for FILE in ${REPO_ROOT}/.github/workflows/*
+ grep 'image: ghcr.io/sovereigncloudstack/cso-builder' /tmp/renovate/repos/github/SovereignCloudStack/cluster-stack-operator/.github/workflows/schedule-scan-image.yml
+ sed -i -e '/image: ghcr\.io\/sovereigncloudstack\/cso-builder:/s/:.*$/: ghcr\.io\/sovereigncloudstack\/cso-builder:1.1.35/' /tmp/renovate/repos/github/SovereignCloudStack/cluster-stack-operator/.github/workflows/schedule-scan-image.yml
+ for FILE in ${REPO_ROOT}/.github/workflows/*
+ grep 'image: ghcr.io/sovereigncloudstack/cso-builder' /tmp/renovate/repos/github/SovereignCloudStack/cluster-stack-operator/.github/workflows/schedule-update-bot.yaml
+ for FILE in ${REPO_ROOT}/.github/workflows/*
+ grep 'image: ghcr.io/sovereigncloudstack/cso-builder' /tmp/renovate/repos/github/SovereignCloudStack/cluster-stack-operator/.github/workflows/test.yml
+ docker build -t ghcr.io/sovereigncloudstack/cso-builder:1.1.35 ./images/builder
DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
            Install the buildx component to build images with BuildKit:
            https://docs.docker.com/go/buildx/

The command '/bin/sh -c apk add --no-cache curl &&     curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s ${GOLANGCI_VERSION}' returned a non-zero code: 1