fix(deps): update module helm.sh/helm/v3 to v3.17.4 [security]#175
Merged
botty-mcbottington[bot] merged 1 commit intomainfrom Jul 23, 2025
Merged
Conversation
35c8d6e to
cab9c7a
Compare
172bb51 to
2d5e381
Compare
2d5e381 to
a91c75c
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v3.17.3->v3.17.4Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2025-53547
A Helm contributor discovered that a specially crafted
Chart.yamlfile along with a specially linkedChart.lockfile can lead to local code execution when dependencies are updated.Impact
Fields in a
Chart.yamlfile, that are carried over to aChart.lockfile when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., abash.rcfile or shell script). If theChart.lockfile is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking.This affects when dependencies are updated. When using the
helmcommand this happens whenhelm dependency updateis run.helm dependency buildcan write a lock file when one does not exist but this vector requires one to already exist. This affects the Helm SDK when the downloaderManagerperforms an update.Patches
This issue has been resolved in Helm v3.18.4
Workarounds
Ensure the
Chart.lockfile in a chart is not a symlink prior to updating dependencies.For more information
Helm's security policy is spelled out in detail in our SECURITY document.
Credits
Disclosed by Jakub Ciolek at AlphaSense.
Release Notes
helm/helm (helm.sh/helm/v3)
v3.17.4: Helm v3.17.4Compare Source
Helm v3.17.4 is a patch release, this bring is the security release noted below. This is intended for Helm SDK users. CLI users are recommended to use the latest version of Helm.
Security Advisories
GHSA-557j-xg8c-q2mm: Chart Dependency Updating With Malicious Chart.yaml Content And Symlink
The community keeps growing, and we'd love to see you there!
Installation and Upgrading
Download Helm v3.17.4. The common platform binaries are here:
The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with
bash.What's Next
Changelog
0e59b9e(Luis Rascao)3663598(Robert Sirchia)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.