Skip to content

Bump the go_modules group across 1 directory with 4 updates#37

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go_modules-d05243a9d7
Open

Bump the go_modules group across 1 directory with 4 updates#37
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go_modules-d05243a9d7

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Apr 24, 2026

Bumps the go_modules group with 3 updates in the / directory: helm.sh/helm/v4, github.com/docker/cli and github.com/moby/spdystream.

Updates helm.sh/helm/v4 from 4.0.5 to 4.1.4

Release notes

Sourced from helm.sh/helm/v4's releases.

Helm v4.1.4 is a security fix patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Security fixes

  • GHSA-hr2v-4r36-88hr Helm Chart extraction output directory collapse via Chart.yaml name dot-segment
  • GHSA-q5jf-9vfq-h4h7 Plugin verification fails open when .prov is missing, allowing unsigned plugin install
  • GHSA-vmx8-mqv2-9gmg Path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory

A big thank you to the reporters of these issues (@​maru1009, @​1seal).

Installation and Upgrading

Download Helm v4.1.4. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 4.1.5 and 3.20.3 are the next patch (bug fix) releases and will be on April 8, 2026
  • 4.2.0 and 3.21.0 are the next minor (feature) releases and will be on May 13, 2026

Changelog

  • fix: Plugin missing provenance bypass 05fa37973dc9e42b76e1d2883494c87174b6074f (George Jenkins)
  • fix: Chart dot-name path bug 4e7994d4467182f535b6797c94b5b0e994a91436 (George Jenkins)
  • ignore error plugin loads (cli, getter) 25819432bf87ac0b54f0d3fa54982add2cac609e (George Jenkins)
  • fix: Plugin version path traversal 36c8539e99bc42d7aef9b87d136254662d04f027 (George Jenkins)
  • fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow c61e0860ec797330a4c26a78dde7020cdc6743b1 (Terry Howe)

Helm v4.1.3 is a patch release. Users are encouraged to upgrade for the best experience.

... (truncated)

Commits
  • 05fa379 fix: Plugin missing provenance bypass
  • 4e7994d fix: Chart dot-name path bug
  • 2581943 ignore error plugin loads (cli, getter)
  • 36c8539 fix: Plugin version path traversal
  • c61e086 fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow
  • c94d381 chore(defaults): server-side apply SDK defaults should always match the CLI d...
  • b36d660 whitespace
  • 04a91af use logger with waiter
  • c3c57db Remove refactorring changes from coalesce_test.go
  • d47cb2b Fix import
  • Additional commits viewable in compare view

Updates github.com/cloudflare/circl from 1.6.1 to 1.6.3

Release notes

Sourced from github.com/cloudflare/circl's releases.

CIRCL v1.6.3

Fix a bug on ecc/p384 scalar multiplication.

What's Changed

Full Changelog: cloudflare/circl@v1.6.2...v1.6.3

CIRCL v1.6.2

  • New SLH-DSA, improvements in ML-DSA for arm64.
  • Tested compilation on WASM.

What's Changed

New Contributors

Full Changelog: cloudflare/circl@v1.6.1...v1.6.2

Commits
  • 24ae53c Release CIRCL v1.6.3
  • 581020b Rename method to oddMultiplesProjective.
  • 12209a4 Removing unused cmov for jacobian points.
  • fcba359 ecc/p384: use of complete projective formulas for scalar multiplication.
  • 5e1bae8 ecc/p384: handle point doubling in point addition with Jacobian coordinates.
  • 3416046 Check opts for nil value.
  • a763d47 Release CIRCL v1.6.2
  • 3c70bf9 Bump x/crypto x/sys dependencies.
  • 3f0f15b Revert to using package-declared HPKE errors for shortkem instead of standard...
  • 23491bd Adding generic Power2Round method.
  • Additional commits viewable in compare view

Updates github.com/docker/cli from 29.1.3+incompatible to 29.2.0+incompatible

Commits
  • 0b9d198 Merge pull request #6764 from vvoland/update-docker
  • 9c9ec73 vendor: github.com/moby/moby/client v0.2.2
  • bab3e81 vendor: github.com/moby/moby/api v1.53.0
  • 2e64fc1 Merge pull request #6367 from thaJeztah/template_slicejoin
  • 1f2ba2a Merge pull request #6760 from thaJeztah/container_create_fix_error
  • e34a342 templates: make "join" work with non-string slices and map values
  • a86356d Merge pull request #6763 from thaJeztah/bump_mapstructure
  • 771660a vendor: github.com/go-viper/mapstructure/v2 v2.5.0
  • 9cff36b Merge pull request #6762 from thaJeztah/bump_x_deps
  • 08ed2bc cli/command/container: make injecting config.json failures a warning
  • Additional commits viewable in compare view

Updates github.com/moby/spdystream from 0.5.0 to 0.5.1

Release notes

Sourced from github.com/moby/spdystream's releases.

v0.5.1

What's Changed

Security

Fix memory amplification in SPDY frame parsing leads to denial of service (CVE-2026-35469 / GHSA-pc3f-x583-g7j2)

Changes

Full Changelog: moby/spdystream@v0.5.0...v0.5.1

Commits
  • c59e5d7 Merge pull request #109 from thaJeztah/use_ioutil
  • 2fd0155 use ioutil.Discard for go1.13 compatibility
  • ef6121f Merge commit from fork
  • 241cec9 compare with signed Int for 32-bit Arm
  • 21c3864 Add options to customize limits
  • acf9b45 spdy: update godoc for MaxDataLength
  • eb63605 spdy: limit header-size and header-count
  • 2f21da4 spdy: fix header block byte accounting
  • 5976b66 spdy: enforce 24-bit frame length limits
  • cf0ec5d Guard against oversized SPDY frames
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the go_modules group across 1 directory with 4 updates
e5a34ee 
Bumps the go_modules group with 3 updates in the / directory: [helm.sh/helm/v4](https://github.com/helm/helm), [github.com/docker/cli](https://github.com/docker/cli) and [github.com/moby/spdystream](https://github.com/moby/spdystream).


Updates `helm.sh/helm/v4` from 4.0.5 to 4.1.4
- [Release notes](https://github.com/helm/helm/releases)
- [Commits](helm/helm@v4.0.5...v4.1.4)

Updates `github.com/cloudflare/circl` from 1.6.1 to 1.6.3
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](cloudflare/circl@v1.6.1...v1.6.3)

Updates `github.com/docker/cli` from 29.1.3+incompatible to 29.2.0+incompatible
- [Commits](docker/cli@v29.1.3...v29.2.0)

Updates `github.com/moby/spdystream` from 0.5.0 to 0.5.1
- [Release notes](https://github.com/moby/spdystream/releases)
- [Commits](moby/spdystream@v0.5.0...v0.5.1)

---
updated-dependencies:
- dependency-name: helm.sh/helm/v4
  dependency-version: 4.1.4
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/cloudflare/circl
  dependency-version: 1.6.3
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/docker/cli
  dependency-version: 29.2.0+incompatible
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/moby/spdystream
  dependency-version: 0.5.1
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Apr 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants