Pull request overview
This PR updates Helm (v3 and v4) dependencies to address CVE-2026-35206, and propagates the resulting Kubernetes + related transitive dependency bumps across the Go workspace modules.
Changes:
- Bump `helm.sh/helm/v3` (e.g., in `tooling/olm-bundle-repkg`) to v3.20.2.
- Bump `helm.sh/helm/v4` (e.g., in `test` and `tooling/helmtest`) to v4.1.4.
- Align a broad set of transitive dependencies (notably `k8s.io/*` from v0.34.3 → v0.35.1 and related ecosystem libs) across modules.
Reviewed changes
Copilot reviewed 18 out of 36 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tooling/tenant-quota/go.mod | Bumps k8s.io/apimachinery / k8s.io/component-base to v0.35.1 (indirect cleanup). |
| tooling/tenant-quota/go.sum | Updates sums for the Kubernetes bumps. |
| tooling/templatize/go.mod | Updates transitive deps including helm.sh/helm/v4 and multiple k8s libs; retains a Helm v4 replace. |
| tooling/secret-sync/go.mod | Bumps k8s.io/apimachinery to v0.35.1. |
| tooling/secret-sync/go.sum | Updates sums for the Kubernetes bump. |
| tooling/prometheus-rules/go.mod | Bumps k8s.io/apimachinery/k8s.io/api and related transitive deps. |
| tooling/prometheus-rules/go.sum | Updates sums to match the new dependency graph. |
| tooling/pipeline-documentation/go.mod | Bumps k8s.io/apimachinery to v0.35.1 (indirect). |
| tooling/pipeline-documentation/go.sum | Updates sums for the Kubernetes bump. |
| tooling/olm-bundle-repkg/go.mod | Bumps helm.sh/helm/v3 to v3.20.2 and updates k8s/controller-runtime/tooling transitive deps. |
| tooling/olm-bundle-repkg/go.sum | Updates sums for Helm v3 + Kubernetes dependency upgrades. |
| tooling/image-updater/go.mod | Bumps k8s.io/apimachinery to v0.35.1 and prunes indirect deps. |
| tooling/image-updater/go.sum | Updates sums for the Kubernetes bump. |
| tooling/helmtest/go.mod | Bumps helm.sh/helm/v4 to v4.1.4 and refreshes transitive deps. |
| tooling/hcpctl/go.mod | Bumps multiple k8s.io/* deps to v0.35.1 and refreshes transitive deps. |
| tooling/hcpctl/go.sum | Updates sums for the new Kubernetes dependency set. |
| tooling/grafanactl/go.mod | Bumps k8s.io/apimachinery to v0.35.1 (indirect). |
| tooling/grafanactl/go.sum | Updates sums for the Kubernetes bump. |
| tooling/cleanup-sweeper/go.mod | Bumps k8s.io/apimachinery to v0.35.1. |
| tooling/cleanup-sweeper/go.sum | Updates sums for the Kubernetes bump. |
| test/go.mod | Bumps helm.sh/helm/v4 to v4.1.4 and several k8s.io/* deps to v0.35.1. |
| test-integration/go.mod | Bumps k8s.io/apimachinery/k8s.io/client-go to v0.35.1 and related transitive deps. |
| test-integration/go.sum | Updates sums for Kubernetes and other transitive upgrades. |
| sessiongate/go.mod | Bumps k8s.io/* deps to v0.35.1 and updates structured-merge-diff/controller-runtime. |
| sessiongate/go.sum | Updates sums for the Kubernetes ecosystem upgrades. |
| internal/go.mod | Bumps k8s.io/apimachinery/k8s.io/component-base to v0.35.1 and updates transitive deps. |
| internal/go.sum | Updates sums for the updated dependency graph. |
| frontend/go.mod | Bumps otelhttp and k8s.io/* deps; updates grpc-gateway/genproto/etc. |
| frontend/go.sum | Updates sums for the new dependency set. |
| backend/go.mod | Bumps otelhttp and k8s.io/* deps; updates grpc-gateway/genproto/etc. |
| backend/go.sum | Updates sums for the updated dependency graph. |
| admin/server/go.mod | Bumps k8s.io/apimachinery/k8s.io/client-go to v0.35.1 and related transitive deps. |
| admin/server/go.sum | Updates sums for the new Kubernetes dependency set. |
Pull request overview
Copilot reviewed 18 out of 36 changed files in this pull request and generated 1 comment.
| golang.org/x/text v0.35.0 | ||
| helm.sh/helm/v3 v3.18.5 | ||
| k8s.io/api v0.34.3 | ||
| k8s.io/apiextensions-apiserver v0.34.3 | ||
| k8s.io/apimachinery v0.34.3 | ||
| helm.sh/helm/v3 v3.20.2 | ||
| k8s.io/api v0.35.1 |
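Review bot: of the k8s.io lines visible here only k8s.io/api shows its new v0.35.1 version, while k8s.io/apiextensions-apiserver and k8s.io/apimachinery appear only at v0.34.3. Those staging modules are released in lockstep with k8s.io/api, so confirm both move to v0.35.1 in this same go.mod; the commit message states the Helm bump requires apimachinery v0.35.1 (changed validate.* APIs), so a module left on v0.34.3 would not build against it.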
This module was bumped to helm.sh/helm/v3 v3.20.2, but the repo’s bingo-managed Helm CLI still appears pinned to helm-v3.16.3 (via .bingo/Variables.mk / .bingo/helm.mod). If CI/dev workflows use that helm binary for chart extraction, the CVE this PR is addressing may still be present in the toolchain. Consider bumping the bingo Helm version in the repo as well (or documenting/ensuring the old binary isn’t used for untrusted chart extraction).
@copilot The bingo-managed Helm CLI binary is a separate concern from the helm.sh/helm/v3 Go library dependency. They serve different purposes — the CLI is used for chart rendering at deploy time, while the Go module is used as a library in our tooling code. Version alignment between them is not required.
Bumps helm.sh/helm/v3 to v3.20.2 and helm.sh/helm/v4 to v4.1.4. This requires k8s.io/apimachinery v0.35.1 which changed the validate.ImmutableByReflect/ImmutableByCompare, validate.Enum, and validate.NewDiscriminatedUnionMembership APIs.
/test lint
Pull request overview
Copilot reviewed 25 out of 43 changed files in this pull request and generated no new comments.
@raelga: The following tests failed, say
Nit: the GHSA link in the PR body points to
@hbhushan3 Fixed the GHSA link to GHSA-hr2v-4r36-88hr. |
/lgtm

[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: hbhushan3, raelga
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
https://redhat.atlassian.net/browse/AROSLSRE-667
What
Bump `helm.sh/helm/v3` from v3.18.5 to v3.20.2 and `helm.sh/helm/v4` from v4.0.0-beta.2 to latest in tooling/olm-bundle-repkg, test, tooling/helmtest.
Why
Fixes CVE-2026-35206 (Moderate) — "Helm Chart extraction output directory collapse via Chart.yaml name dot-segment".
Resolves Dependabot alerts: #211, #212, #213
Testing
- `go build` passes
- `go mod tidy` clean
- `go work sync` clean
Special notes for your reviewer
Helm bump pulls k8s dependency updates across the workspace via `go work sync`.
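A check for the propagation the Testing section describes, added here as an example and not part of the PR or the repo's tooling: it reads every go.mod in the workspace (plus go.mod-style tool pins under .bingo/, which the review thread above notes can lag the library bump) and fails when any still requires helm.sh/helm/v3 below v3.20.2. The function names and the embedded go.mod fragments are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the PR: check that a security-driven bump (here
# helm.sh/helm/v3 >= v3.20.2) landed in every go.mod of a Go workspace, including
# go.mod-style tool pins such as .bingo/helm.mod.

# version_ge A B: succeed when module version A >= B. Compares the numeric
# major.minor.patch core; a pre-release (v4.0.0-beta.2) sorts below its release.
version_ge() {
  local a="${1#v}" b="${2#v}" i ai bi
  for i in 1 2 3; do
    ai=$(printf '%s' "${a%%-*}" | cut -d. -f"$i"); bi=$(printf '%s' "${b%%-*}" | cut -d. -f"$i")
    [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
    [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
  done
  case "$a" in *-*) case "$b" in *-*) ;; *) return 1 ;; esac ;; esac  # equal cores
  return 0
}

# required_version GOMOD_TEXT MODULE: print the version MODULE is required at, if any.
# Accepts "require m vX" and "m vX // indirect" inside a block; replace lines are skipped.
required_version() {
  printf '%s\n' "$1" | awk -v m="$2" '
    $1 == m && $2 ~ /^v/       { print $2; exit }
    $1 == "require" && $2 == m { print $3; exit }'
}

# check_text GOMOD_TEXT MODULE MIN: succeed if MODULE is absent or at least MIN.
check_text() {
  local have; have=$(required_version "$1" "$2")
  [ -z "$have" ] || version_ge "$have" "$3"
}

# check_workspace MODULE MIN: apply check_text to every go.mod and .bingo/*.mod below
# the current directory (paths are assumed to contain no spaces); fail if any lags.
check_workspace() {
  local rc=0 f
  for f in $(find . \( -name go.mod -o -path '*/.bingo/*.mod' \) 2>/dev/null); do
    if check_text "$(cat "$f")" "$1" "$2"; then echo "ok       $f"
    else echo "LAGGING  $f ($1 $(required_version "$(cat "$f")" "$1") < $2)"; rc=1; fi
  done
  return "$rc"
}

# Constructed go.mod fragments mirroring the before/after state shown in this PR.
GOMOD_BEFORE=$'require (\n\thelm.sh/helm/v3 v3.18.5\n\tk8s.io/api v0.34.3\n\tk8s.io/apimachinery v0.34.3\n)'
GOMOD_AFTER=$'require (\n\thelm.sh/helm/v3 v3.20.2\n\tk8s.io/api v0.35.1 // indirect\n)'

if [ $# -ge 2 ]; then check_workspace "$1" "$2"; fi   # e.g. ./check.sh helm.sh/helm/v3 v3.20.2
```

Run it from the workspace root once per module you bumped (helm.sh/helm/v4 v4.1.4, k8s.io/apimachinery v0.35.1, ...); a non-zero exit means some go.mod or tool pin was missed by `go work sync`.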