Conversation

inishchith
Contributor

@inishchith inishchith commented Sep 29, 2025

Description

  • upgrade helm.sh/helm/v3 to v3.17.4 to address security vulnerabilities

This commit upgrades the Helm dependency from v3.17.1 to v3.17.4 to fix multiple security vulnerabilities identified by Trivy security scanning:

The Helm upgrade requires bumping Kubernetes client packages from v0.32.1 to v0.32.2 (patch version) as transitive dependencies. These are backward compatible updates with no breaking changes.

Note: CVE-2025-55198 and CVE-2025-55199 remain present as they require Helm v3.18.5, which would necessitate a K8s minor version upgrade.

Issue reference

We strive to have all PRs opened based on an issue, where the problem or feature has been discussed prior to implementation.

Please reference the issue this PR will close: Fixes: dapr/dapr#9086

Checklist

Please make sure you've completed the relevant tasks for this PR, out of the following list:

  • Code compiles correctly
  • Created/updated tests
  • Extended the documentation

@inishchith inishchith requested review from a team as code owners September 29, 2025 21:57
@inishchith inishchith changed the title from "fix: upgrade helm.sh/helm/v3 to v3.17.4 to address security vulnerabi…" to "fix: upgrade helm.sh/helm/v3 to v3.17.4 to address security vulnerabilities" Sep 29, 2025
@inishchith
Contributor Author

@yaron2 @JoshVanL - could you take a look whenever?

@yaron2
Member

yaron2 commented Oct 2, 2025

Can you please base this PR against the 1.16 branch?

…lities

This commit upgrades the Helm dependency from v3.17.1 to v3.17.4 to fix
multiple security vulnerabilities identified by Trivy security scanning:

- CVE-2025-53547 (HIGH): Helm Chart Code Execution
- CVE-2025-32386 (MEDIUM): Helm Allows A Specially Crafted Chart Archive
- CVE-2025-32387 (MEDIUM): Helm Allows A Specially Crafted JSON Schema

The Helm upgrade requires bumping Kubernetes client packages from v0.32.1
to v0.32.2 (patch version) as transitive dependencies. These are backward
compatible updates with no breaking changes.

Note: CVE-2025-55198 and CVE-2025-55199 remain present as they require
Helm v3.18.5, which would necessitate a K8s minor version upgrade.

Fixes: dapr/dapr#9086

Co-authored-by: @cursoragent
Signed-off-by: inishchith <inishchith@gmail.com>
@inishchith inishchith changed the base branch from master to release-1.16 October 2, 2025 06:44
@inishchith inishchith force-pushed the fix/upgrade-helm-v3.17.4-security-fixes branch from cd74253 to 4384607 October 2, 2025 06:44
@inishchith
Contributor Author

@yaron2 - done!

@yaron2 yaron2 merged commit b741268 into dapr:release-1.16 Oct 6, 2025
32 of 33 checks passed
Development

Successfully merging this pull request may close these issues.

Security Vulnerabilities in DAPR Binary(Slim Mode) - Helm Dependencies

2 participants