
Security: Upgrade Helm to v3.20.2 to fix CVE vulnerability#726

Merged
michaeljguarino merged 1 commit into main from agent/helm-security-fix-1775931167136
Apr 11, 2026

Conversation

@plural-copilot
Contributor

Summary

  • Upgraded helm.sh/helm/v3 from v3.20.0 to v3.20.2 to fix a security vulnerability
  • Addressed CVE related to Chart.yaml extraction directory collapse
  • Updated go.mod and go.sum with new dependency versions

Details

The vulnerability in Helm versions <=3.20.1 allowed specially crafted Charts to write contents to the immediate output directory rather than the expected subdirectory during helm pull --untar operations. This could potentially be exploited for directory traversal attacks.

Fix version 3.20.2 addresses this security issue.

Verification

  • ✅ Build completed successfully with new Helm version
  • ✅ Docker image builds without errors
  • ✅ No breaking changes expected (patch version upgrade)

Test plan

  • Updated go.mod with Helm v3.20.2
  • Ran go mod tidy to update dependencies
  • Verified Docker build succeeds
  • No compilation errors

🤖 Generated with Claude Code

This commit upgrades helm.sh/helm/v3 from v3.20.0 to v3.20.2 to address
a security vulnerability related to Chart.yaml extraction directory collapse.

The vulnerability allowed specially crafted Charts to write contents to
the immediate output directory rather than the expected subdirectory during
'helm pull --untar' operations.

Changes:
- Updated go.mod: helm.sh/helm/v3 v3.20.0 -> v3.20.2
- Updated go.sum with new dependency checksums

Build verification completed successfully.

Co-Authored-By: Claude Opus 4.6 <[email protected]>
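The directory-collapse failure mode described above, as an added defensive example that is not part of this PR or of Helm's own code: a Go validator that accepts a chart archive member only when it resolves beneath `<outDir>/<chartdir>/`, rejecting members that would land in the output directory itself or escape it. The function names, the output directory and the sample member names are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// ErrUnsafeEntry marks archive members that would not land inside a chart subdirectory of outDir.
var ErrUnsafeEntry = errors.New("unsafe chart archive entry")

// ChartEntryDest validates one tar member name (slash-separated, as stored in the archive) and
// returns its destination under outDir. A chart archive is expected to hold "<chartdir>/Chart.yaml",
// "<chartdir>/templates/...", so a member with no top-level directory, an absolute path, or ".."
// components that collapse into outDir is rejected. (Hypothetical helper, not Helm's code.)
func ChartEntryDest(outDir, member string) (string, error) {
	isDir := strings.HasSuffix(member, "/") // directory entries like "mychart/" are legitimate
	clean := path.Clean(member)
	if clean == "." || strings.HasPrefix(clean, "/") || clean == ".." || strings.HasPrefix(clean, "../") {
		return "", fmt.Errorf("%w: %q", ErrUnsafeEntry, member)
	}
	parts := strings.Split(clean, "/")
	if len(parts) < 2 && !isDir { // a bare "Chart.yaml" would be written into outDir itself
		return "", fmt.Errorf("%w: no chart subdirectory in %q", ErrUnsafeEntry, member)
	}
	chartDir := filepath.Join(outDir, parts[0])
	dest := filepath.Join(outDir, filepath.FromSlash(clean))
	rel, err := filepath.Rel(chartDir, dest) // final containment check on the OS path
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes %q", ErrUnsafeEntry, member, chartDir)
	}
	return dest, nil
}

// CheckChartMembers validates every member and additionally requires that all of them share a
// single top-level chart directory, so "templates/../../other/x" style names are caught too.
func CheckChartMembers(outDir string, members []string) error {
	top := ""
	for _, m := range members {
		if _, err := ChartEntryDest(outDir, m); err != nil {
			return err
		}
		if first := strings.Split(path.Clean(m), "/")[0]; top == "" {
			top = first
		} else if first != top {
			return fmt.Errorf("%w: mixed top-level directories %q and %q", ErrUnsafeEntry, top, first)
		}
	}
	return nil
}
```

Run `CheckChartMembers` over the header names of an archive before writing any file; only if it returns nil should extraction proceed, using the paths `ChartEntryDest` returns.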
Contributor Author

@plural-copilot plural-copilot Bot left a comment


This PR was generated by the claude (engine: claude) agent runtime. Here's some useful information you might want to know to evaluate the AI's performance:

  • Prompt: Security scanners have found the following vulnerability in our cluster:...
  • Run history: View run history

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                              Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  helm.sh/helm/v3@v3.20.0 ⏵ v3.20.2    73 (+1)                100 (+2)       100      100          80


@michaeljguarino michaeljguarino merged commit 7594f35 into main Apr 11, 2026
14 of 15 checks passed
@michaeljguarino michaeljguarino deleted the agent/helm-security-fix-1775931167136 branch April 11, 2026 18:27

Labels

enhancement New feature or request
