Update module helm.sh/helm/v3 to v3.20.2 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
helm.sh/helm/v3	v3.18.3 → v3.20.2

---

Helm vulnerable to Code Injection through malicious chart.yaml content

CVE-2025-53547 / GHSA-557j-xg8c-q2mm

More information

Details

A Helm contributor discovered that a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated.

Impact

Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking.

This affects when dependencies are updated. When using the helm command this happens when helm dependency update is run. helm dependency build can write a lock file when one does not exist but this vector requires one to already exist. This affects the Helm SDK when the downloader Manager performs an update.

Patches

This issue has been resolved in Helm v3.18.4

Workarounds

Ensure the Chart.lock file in a chart is not a symlink prior to updating dependencies.

For more information

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Jakub Ciolek at AlphaSense.

Severity

• CVSS Score: 8.5 / 10 (High)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:H

References

• https://github.com/helm/helm/security/advisories/GHSA-557j-xg8c-q2mm
• https://github.com/helm/helm/commit/4b8e61093d8f579f1165cdc6bd4b43fa5455f571
• https://nvd.nist.gov/vuln/detail/CVE-2025-53547
• https://news.ycombinator.com/item?id=44506696
• https://github.com/advisories/GHSA-557j-xg8c-q2mm

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion

CVE-2025-55199 / GHSA-9h84-qmv7-982p

More information

Details

A Helm contributor discovered that it was possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination.

Impact

A malicious chart can point $ref in values.schema.json to a device (e.g. /dev/*) or other problem file which could cause Helm to use all available memory and have an out of memory (OOM) termination.

Patches

This issue has been resolved in Helm v3.18.5.

Workarounds

Make sure that all Helm charts that are being loaded into Helm doesn't have any reference of $ref pointing to /dev/zero.

References

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Jakub Ciolek at AlphaSense.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

• https://github.com/helm/helm/security/advisories/GHSA-9h84-qmv7-982p
• https://github.com/helm/helm/commit/b78692c18f0fb38fe5ba4571a674de067a4c53a5
• https://nvd.nist.gov/vuln/detail/CVE-2025-55199
• https://github.com/advisories/GHSA-9h84-qmv7-982p

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Helm May Panic Due To Incorrect YAML Content

CVE-2025-55198 / GHSA-f9f8-9pmf-xv68

More information

Details

A Helm contributor discovered an improper validation of type error when parsing Chart.yaml and index.yaml files that can lead to a panic.

Impact

There are two areas of YAML validation that were impacted. First, when a Chart.yaml file had a null maintainer or the child or parent of a dependencies import-values could be parsed as something other than a string, helm lint would panic. Second, when an index.yaml had an empty entry in the list of chart versions Helm would panic on interactions with that repository.

Patches

This issue has been resolved in Helm v3.18.5.

Workarounds

Ensure YAML files are formatted as Helm expects prior to processing them with Helm.

References

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Jakub Ciolek at AlphaSense.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

• https://github.com/helm/helm/security/advisories/GHSA-f9f8-9pmf-xv68
• https://github.com/helm/helm/commit/ec5f59e2db56533d042a124f5bae54dd87b558e6
• https://nvd.nist.gov/vuln/detail/CVE-2025-55198
• https://github.com/advisories/GHSA-f9f8-9pmf-xv68

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Helm Chart extraction output directory collapse via Chart.yaml name dot-segment

CVE-2026-35206 / GHSA-hr2v-4r36-88hr

More information

Details

Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart's name.

Impact

The bug enables writing the Chart's contents (unpackaged/untar'ed) to the output directory <output dir>/, instead of the expected <output dir>/<chart name>/, potentially overwriting the contents of the targeted directory.

Note: a chart name containing POSIX dot-dot, or dot-dot and slashes (as if to refer to parent directories) do not resolve beyond the output directory as designed.

Patches

This issue has been resolved in Helm v3.20.2 and v4.1.3

A Chart with an unexpected name (those specified to be "." or ".."), or a Chart name which results in a non-unique directory will be rejected.

Workarounds

Ensure the the name of the Chart does not comprise/contain POSIX pathname special directory references ie. dot-dot ("..") or dot ("."). In addition, ensuring that the pull --untar flag (or equivalent SDK option) refers to a unique/empty output directory prevents chart extraction from inadvertently overwriting existing files within the specified directory.

Credits

Oleh Konko
@​1seal

Severity

• CVSS Score: 4.8 / 10 (Medium)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

References

• https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr
• https://nvd.nist.gov/vuln/detail/CVE-2026-35206
• https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436
• https://github.com/helm/helm/releases/tag/v4.1.4
• https://github.com/advisories/GHSA-hr2v-4r36-88hr

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

helm/helm (helm.sh/helm/v3)

v3.20.2: Helm v3.20.2

Compare Source

v3.20.2

Helm v3.20.2 is a security patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:
  • for questions and just to hang out
  • for discussing PRs, code, and bugs
• Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
• Test, debug, and contribute charts: ArtifactHub/packages

Security fixes

• GHSA-hr2v-4r36-88hr Helm Chart extraction output directory collapse via Chart.yaml name dot-segment

Installation and Upgrading

Download Helm v3.20.2. The common platform binaries are here:

• MacOS amd64 (checksum / 7de04301f28b902a74f6286ed941cadc86ee5e6a9086a18f2ccf1f548e99d618)
• MacOS arm64 (checksum / 139c794c22f16b579d08ddd3008c8038b9bb2814f35b5bcca91f50a1f458978d)
• Linux amd64 (checksum / 258e830a9e613c8a7a302d6059b4bb3b9758f2f3e1bb8ea0d707ce10a9a72fea)
• Linux arm (checksum / a8a614c740399ff1ef32bcea6be6e4523f17e3376f9cf55c192cc48c8f2d1f19)
• Linux arm64 (checksum / 5ea2d6bc2cda3f8edf985e028809f5a9278f404fb8ab24044de9b7cb9b79a691)
• Linux i386 (checksum / 88e4c1834307cdbc9f3b80920e1a383e4ba50bb488fb0be1b1fbd4918bb6ae73)
• Linux ppc64le (checksum / 98bb26a2f3c0b0c1a50db3181dff192554e0c204a07427d98d6b01e259f23cbe)
• Linux s390x (checksum / 584dd77ef8096d6ef939a1822f72840e749fc8311b2b13ae94df5f786862a56b)
• Linux riscv64 (checksum / 957391d0710d72678acd09959b5dc77888cd007a78a4b99944d3b2fc7e1895ca)
• Windows amd64 (checksum / 24e8e5b71bab4ee17e6f989931ecf4fb144f9916cbe9990c0b6b2ec7b925c454)
• Windows arm64 (checksum / 7c940a73a6882f50b69aec3282549da4a49917669db18fc503db930fb74b9789)

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

• 4.1.5 and 3.20.3 are the next patch (bug fix) releases and will be on April 8, 2026
• 4.2.0 and 3.21.0 are the next minor (feature) releases and will be on May 13, 2026

Changelog

• fix: Chart dot-name path bug 8fb76d6 (George Jenkins)
• fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow 3a8927e (Terry Howe)

v3.20.1: Helm v3.20.1

Compare Source

Helm v3.20.1 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:
  • for questions and just to hang out
  • for discussing PRs, code, and bugs
• Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
• Test, debug, and contribute charts: ArtifactHub/packages

Notable Changes

• Backport of #​31644: Fixed a bug where user-provided nil value was not preserved when chart has an empty map or no default for a key
• Backport of #​31601: Fixed a bug where OCI references with tag+digest failed with "invalid byte" error

Installation and Upgrading

Download Helm v3.20.1. The common platform binaries are here:

• MacOS amd64 (checksum / 580515b544d5c966edc6f782c9ae88e21a9e10c786a7d6c5fd4b52613f321076)
• MacOS arm64 (checksum / 75cc96ac3fe8b8b9928eb051e55698e98d1e026967b6bffe4f0f3c538a551b65)
• Linux amd64 (checksum / 0165ee4a2db012cc657381001e593e981f42aa5707acdd50658326790c9d0dc3)
• Linux arm (checksum / 758375df78fb8f91f4056244bda539710a73be79284b24b4bdad68384348ca33)
• Linux arm64 (checksum / 56b9d1b0e0efbb739be6e68a37860ace8ec9c7d3e6424e3b55d4c459bc3a0401)
• Linux i386 (checksum / 22b350307d5e5897b3a14f096cb6b2212cc03c22ba29ab7b4ee3e64ab9f3f190)
• Linux ppc64le (checksum / 77b7d9bc62b209c044b873bc773055c5c0d17ef055e54c683f33209ebbe8883c)
• Linux s390x (checksum / 3c43d45149a425c7bf15ba3653ddee13e7b1a4dd6d4534397b6f317f83c51b58)
• Linux riscv64 (checksum / 0eeae246112b4780e61651f9fbe6d778eebf8c8eccca590139b97d167d1b8aeb)
• Windows amd64 (checksum / 16d5256f4c2cde0745acb922ba88b7759dfced4bf547b99381084211f81c8629)
• Windows arm64 (checksum / 2aac2b87e92c32d44aa81c6412286d9db7e43b22b4c8ac112b68cf69185429bd)

This release was signed with 208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155 and can be found at @​scottrigby keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

• 4.2.0 and 3.21.0 are the next minor releases and will be on May 13, 2026
• 4.1.4 and 3.20.2 are the next patch releases and will be on April 8, 2026

Changelog

• chore(deps): bump the k8s-io group with 7 updates a2369ca (dependabot[bot])
• add image index test 90e1056 (Pedro Tôrres)
• fix pulling charts from OCI indices 911f2e9 (Pedro Tôrres)
• Remove refactorring changes from coalesce_test.go 76dad33 (Evans Mungai)
• Fix import 45c12f7 (Evans Mungai)
• Update pkg/chart/common/util/coalesce_test.go 26c6f19 (Evans Mungai)
• Fix lint warning 09f5129 (Evans Mungai)
• Preserve nil values in chart already 417deb2 (Evans Mungai)
• fix(values): preserve nil values when chart default is empty map 5417bfa (Evans Mungai)

v3.20.0: Helm v3.20.0

Compare Source

Helm v3.20.0 is a feature release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:
  • for questions and just to hang out
  • for discussing PRs, code, and bugs
• Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
• Test, debug, and contribute charts: ArtifactHub/packages

Notable Changes

• SDK: bump k8s API versions to v0.35.0
• v3 backport: Fixed a bug where helm uninstall with --keep-history did not suspend previous deployed releases #​12564
• v3 backport: Bump Go version to v1.25

Installation and Upgrading

Download Helm v3.20.0. The common platform binaries are here:

• MacOS amd64 (checksum / 724aef60f737ca73cfcc77924219dbfb229dde8492b2722cb372da617fd77367)
• MacOS arm64 (checksum / 1cb8022ef9c88026adf236cbdf02a80bf7678632d1c39d3d8045e815959ab20e)
• Linux amd64 (checksum / dbb4c8fc8e19d159d1a63dda8db655f9ffa4aac1b9a6b188b34a40957119b286)
• Linux arm (checksum / e66b9bcb51130f372b4750b2da83679e59d04633bfa825a1936c0b1039035bf0)
• Linux arm64 (checksum / bfb14953295d5324d47ab55f3dfba6da28d46c848978c8fbf412d4271bdc29f1)
• Linux i386 (checksum / e8e39f6df8b1c6d9d0f98f658d619c22c5a249a72975510d367def5e19adc7eb)
• Linux ppc64le (checksum / 3a44cf2df45274f907743997b9cef069e94589238324cf5116f9a3c092c743bf)
• Linux s390x (checksum / f38b6bb56db05fb7da82668d0cc82470a07fe17a5f881378d536cee68384c974)
• Linux riscv64 (checksum / b4336a2bf9b9a914897cb36b4343d4fd583cb4703dc2478d696a667391f30f2c)
• Windows amd64 (checksum / f9c7f686788d7b78775d3a3592fd98596aa825010cb9d157c9fbe3baabee1084)
• Windows arm64 (checksum / 4095cb1c46e29e9a7487fdbbee384d14656d3fa43dd8ef789061db6e29f0457b)

This release was signed with 208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155 and can be found at @​scottrigby keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

• 4.1.1 and 3.20.1 are the next patch releases, scheduled for March 11, 2026
• 4.2.0 and 3.21.0 are the next minor releases, scheduled for May 13, 2026

Changelog

• bump version to v3.20 f6e17f6 (Scott Rigby)
• chore(deps): bump golang.org/x/text from 0.32.0 to 0.33.0 4f5a655 (dependabot[bot])
• chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0 65c504a (dependabot[bot])
• chore(deps): bump github.com/foxcpp/go-mockdns from 1.1.0 to 1.2.0 f3b8af4 (dependabot[bot])
• chore(deps): bump the k8s-io group with 7 updates 89c2c61 (dependabot[bot])
• [dev-v3] Replace deprecated NewSimpleClientset 526076e (George Jenkins)
• [dev-v3] Bump Go v1.25, golangci-lint v2 0ae8e4f (George Jenkins)
• chore(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0 e0d2595 (dependabot[bot])
• chore(deps): bump github.com/containerd/containerd from 1.7.29 to 1.7.30 858acb1 (dependabot[bot])
• fix(rollback): errors.Is instead of string comp 0cd9a60 (Hidde Beydals)
• fix(uninstall): supersede deployed releases 8bb0b37 (Hidde Beydals)
• Use latest patch release of Go in releases 930ba6f (Matt Farina)
• chore(deps): bump the k8s-io group with 7 updates 582211c (dependabot[bot])
• chore(deps): bump golang.org/x/crypto from 0.45.0 to 0.46.0 585c25c (dependabot[bot])
• chore(deps): bump golang.org/x/text from 0.31.0 to 0.32.0 6f17d46 (dependabot[bot])
• chore(deps): bump golang.org/x/term from 0.37.0 to 0.38.0 46ff427 (dependabot[bot])
• chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2 28b813a (dependabot[bot])
• chore(deps): bump github.com/rubenv/sql-migrate from 1.8.0 to 1.8.1 5dde5d6 (dependabot[bot])
• chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 362900b (dependabot[bot])
• chore(deps): bump github.com/cyphar/filepath-securejoin ec61de5 (dependabot[bot])
• chore(deps): bump the k8s-io group with 7 updates a490607 (dependabot[bot])
• chore(deps): bump golang.org/x/text from 0.30.0 to 0.31.0 8509bcc (dependabot[bot])
• chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0 d495a94 (dependabot[bot])
• Remove dev-v3 helm-latest-version publish 01dc6cc (George Jenkins)
• chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 6647f84 (dependabot[bot])
• chore(deps): bump github.com/containerd/containerd from 1.7.28 to 1.7.29 b548118 (dependabot[bot])
• Revert "pkg/registry: Login option for passing TLS config in memory" 6a67b55 (Scott Rigby)
• chore(deps): bump github.com/cyphar/filepath-securejoin 6d4f8c0 (dependabot[bot])
• jsonschema: warn and ignore unresolved URN $ref to match v3.18.4 3f0da15 (Benoit Tigeot)
• Fix helm pull untar dir check with repo urls e5e101c (Luna Stadler)
• chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0 6aae923 (dependabot[bot])
• chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0 1900c6a (dependabot[bot])
• chore(deps): bump golang.org/x/text from 0.29.0 to 0.30.0 43e9297 (dependabot[bot])
• chore(deps): bump github.com/cyphar/filepath-securejoin d347e2b (dependabot[bot])
• [backport] fix: get-helm-3 script use helm3-latest-version bd337b4 (George Jenkins)
• pkg/registry: Login option for passing TLS config in memory b80959f (Matheus Pimenta)
• chore(deps): bump the k8s-io group with 7 updates 1ac9d34 (dependabot[bot])
• Fix deprecation warning 9a366b4 (Benoit Tigeot)
• chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0 0c5a17e (dependabot[bot])
• chore(deps): bump golang.org/x/term from 0.34.0 to 0.35.0 b999021 (dependabot[bot])
• Avoid "panic: interface conversion: interface {} is nil" 2fe49f9 (Benoit Tigeot)
• bump version to v3.19.0 c3610ab (Scott Rigby)
• chore(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10 73b449f (dependabot[bot])
• fix: set repo authorizer in registry.Client.Resolve() ffbc537 (Eric Stroczynski)
• fix null merge f0b699e (Ben Foster)
• Add timeout flag to repo add and update flags 79a9cc5 (Reinhard Nägele)

v3.19.5: Helm v3.19.5

Compare Source

Helm v3.19.5 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:
  • for questions and just to hang out
  • for discussing PRs, code, and bugs
• Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
• Test, debug, and contribute charts: ArtifactHub/packages

Notable Changes

• Fixed bug where removing subchart value via override resulted in warning #​31118
• Fixed bug where helm uninstall with --keep-history did not suspend previous deployed releases #​12556

Installation and Upgrading

Download Helm v3.19.5. The common platform binaries are here:

• MacOS amd64 (checksum / 57f4a847c349382b7cc742a6434ef25f88f0928a113d8cf49084b464878ef0b9)
• MacOS arm64 (checksum / 195e24e587f423f15a78feebab04583ceee68323598575a0e8b3b11b43fd26fe)
• Linux amd64 (checksum / a0a5e8c592ed3f376ac110715eff214730c7422f9a44d96cf98117d2b8b0e6c0)
• Linux arm (checksum / 1367926ea842729b4312fbf800234d15bcaa419c92201727b776da4550078a09)
• Linux arm64 (checksum / ce02147ffee6d993bf8ae97a44a22e9e1daf0b69d2d5b69a0c8cf6706445ccf5)
• Linux i386 (checksum / 54ec170590a6bfb26990c645426f92089d9eb574190c00620ca793d92b5891d5)
• Linux ppc64le (checksum / a51ba349875e2a219c909ae802435db403ea6924ca4725acb73f520da36e5f45)
• Linux s390x (checksum / 071f19deabaf2326a7ca54c3143934e2001c61bd106fa2949bf53d1e7452ecd0)
• Linux riscv64 (checksum / a33b2df76300d33008a2b47107f289a0de31d461e6bfb2354bf1fd747ccecc9b)
• Windows amd64 (checksum / f258b0d17a4c914ad453f9d8cc21643dddd354f4fbad4c7c595cf3480221379e)
• Windows arm64 (checksum / 232bccce9fe4212a22acc210a555edc75e101b26fb9a9eb1442c32bda8d102bf)

This release was signed with 208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155 and can be found at @​scottrigby keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

• 4.1.0 and 3.20.0 is the next minor releases and will be on January 21, 2026
• 4.1.1 and 3.20.1 are the next patch releases and will be on March 11, 2026

Changelog

• fix(rollback): errors.Is instead of string comp 4a19a5b (Hidde Beydals)
• fix(uninstall): supersede deployed releases 7a00235 (Hidde Beydals)
• fix null merge 578564e (Ben Foster)

v3.19.4: Helm v3.19.4

Compare Source

Helm v3.19.4 is a security fix for a Go CVE in the previous tag. This patch release rebuilds the Helm v3.19.3 release with the latest Go toolchain, to fix the Go CVE. Users are encouraged to upgrade.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:
  • for questions and just to hang out
  • for discussing PRs, code, and bugs
• Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
• Test, debug, and contribute charts: ArtifactHub/packages

Installation and Upgrading

Download Helm v3.19.4. The common platform binaries are here:

• MacOS amd64 (checksum / d9c9b1fc499c54282c4127c60cdd506da2c6202506b708a2b45fb6dfdb318f43)
• MacOS arm64 (checksum / 7e82ca63fe80a298cecefad61d0c10bc47963ff3551e94ab6470be6393a6a74b)
• Linux amd64 (checksum / 759c656fbd9c11e6a47784ecbeac6ad1eb16a9e76d202e51163ab78504848862)
• Linux arm (checksum / fcbb21b657c46ad646542964c262c4efb595bc60621e34273c1a2bb92eaff1dc)
• Linux arm64 (checksum / 9e1064f5de43745bdedbff2722a1674d0397bc4b4d8d8196d52a2b730909fe62)
• Linux i386 (checksum / 5bbf5541cb021c021a7f5b3e59e3808cc09678aa2650ece24c78f8a277466c0b)
• Linux ppc64le (checksum / a38d8f75406f9bc3e12d1ebf8819fd563a5156ada6fe665402732932eec9c743)
• Linux s390x (checksum / d153b3a316ce3f2936e601d94db5909aae4fbd5d1a4b28760fad2dd18c2bb749)
• Linux riscv64 (checksum / 9d90a7532b426e5d99edfa9fa93e1dba4729f96a3b493974e847651a9aa34020)
• Windows amd64 (checksum / 18e7d1b970dfb6f4f8ddbbd1659d75d90ca818a47519411c4cc305b918508d36)
• Windows arm64 (checksum / da870dbb870e5cad243f5c7dca54f27be289237a97d84077c885769a06394223)

This release was signed with 208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155 and can be found at @​scottrigby keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

• 3.19.5 and 4.0.4 are the next patch releases and will be on January 14, 2026
• 3.20.0 and 4.1.0 is the next minor releases and will be on January 21, 2026

Changelog

• Use latest patch release of Go in releases 7cfb6e4 (Matt Farina)
• chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0 59c951f (dependabot[bot])
• chore(deps): bump github.com/cyphar/filepath-securejoin d45f3f1 (dependabot[bot])
• chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 d459544 (dependabot[bot])
• chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 becd387 (dependabot[bot])
• chore(deps): bump the k8s-io group with 7 updates edb1579 (dependabot[bot])

v3.19.3

Compare Source

v3.19.2: Helm v3.19.2

Compare Source

Helm v3.19.2 is a patch release. It is a rebuild of the v3.19.1 release with no code changes.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:
  • for questions and just to hang out
  • for discussing PRs, code, and bugs
• Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
• Test, debug, and contribute charts: ArtifactHub/packages

Installation and Upgrading

Download Helm v3.19.2. The common platform binaries are here:

• MacOS amd64 (checksum / 7ef4416cdef4c2d78a09e1c8f07a51e945dc0343c883a46b1f628deab52690b7)
• MacOS arm64 (checksum / f0847f899479b66a6dd8d9fcd452e8db2562e4cf3f7de28103f9fcf2b824f1d5)
• Linux amd64 (checksum / 2114c9dea2844dce6d0ee2d792a9aae846be8cf53d5b19dc2988b5a0e8fec26e)
• Linux arm (checksum / 20bcb0aad82172335914e30ae3efd020d28abc1b470b4b565e67aff152c0e4ee)
• Linux arm64 (checksum / 566e9f3a5a83a81e4b03503ae37e368edd52d699619e8a9bb1fdf21561ae0e88)
• Linux i386 (checksum / 54932ecf2c46c6d3cd9926d28d56e18e70b42467d8ad682844c64cbe8f3dfc11)
• Linux ppc64le (checksum / 70d782fb208ebe67b5c508f6e5910a0b75f9b2c99ee3c569a9265aba147d6a37)
• Linux s390x (checksum / 69d2a38afba43c9cd49b0bc6031d77230208506ad2b3c2772b3ad13436639e93)
• Linux riscv64 (checksum / b60da5690e66acf89df796d11be91cc2052d6194a655b4d6ea5ee5c01112192b)
• Windows amd64 (checksum / 8b3ea37bcd7c5eda68eadd278690498fb886a17ec541b449216ab3b45748600e)
• Windows arm64 (checksum / ed37c24ac0f18721fe61182d24f55d8fd0d072052d3e7393338abaf10452b523)

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

• 3.19.3 and 4.0.1 are the next patch releases and will be on December 10, 2025
• 3.20.0 and 4.1.0 is the next minor releases and will be on January 21, 2026

Changelog

• [backport] fix: get-helm-3 script use helm3-latest-version 8766e71 (George Jenkins)

v3.19.1: Helm v3.19.1

Compare Source

Helm v3.19.1 is a patch release. Users are encouraged to upgrade for the best experience. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:
  • for questions and just to hang out
  • for discussing PRs, code, and bugs
• Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
• Test, debug, and contribute charts: ArtifactHub/packages

Installation and Upgrading

Download Helm v3.19.1. The common platform binaries are here:

• MacOS amd64 (checksum / 567f50c5855c45e85ecfa50846bf30adad5d68e1d35ff216866b4897e91bcb80)
• MacOS arm64 (checksum / 080f320cfc4ee3816fd6c8f73820f4b3d941b10f709e69bf9afd78f8f8e7c92a)
• Linux amd64 (checksum / 966bed9b1e0dda11268f59bd7268c3cd3e308b37b070546e1d78a02526ff63f2)
• Linux arm (checksum / cd21c7ee767b4138e13ca856f102732cae7270c1bbe6d080a3d98153953550ac)
• Linux arm64 (checksum / ceed150305a1d1ef4a37923a7f66931a6807c34a38ea487fa8340e102dd2c7f7)
• Linux i386 (checksum / be3b70efa7b0ddaddd60d94ef0a37b69e22a5ee05efbec579729cdaacc2e7c5e)
• Linux ppc64le (checksum / acb8a92d873cc2ae2dd44593d88a0bc3a78eb7abd6b3784c3fced9e005401018)
• Linux s390x (checksum / 279dcdeaa9f3b42c8558e6e1815466852a80bd373f9a9e83ae7f724ff2cda17f)
• Linux riscv64 (checksum / ed0a8b03c2163157a948a67702d1884f4936575f9be953c673748b41bd2a9881)
• Windows amd64 (checksum / 3fd3ab4a47364c04c51e0e7387e0598aa2c8c43dd535128665aa43e695cec11e)
• Windows arm64 (checksum / 361b04b599ada09be194461cd0347db20276849c22f57adc697963d57a515c6a)

This release was signed with 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E and can be found at @​mattfarina keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

• 4.0.0 is the next major release and will be on November 12, 2025
• 3.19.2 and 4.0.01 are the next patch releases and will be on December 10, 2025
• 3.20.0 and 4.1.0 is the next minor releases and will be on January 21, 2026

Changelog

• chore(deps): bump github.com/containerd/containerd from 1.7.28 to 1.7.29 4f953c2 (dependabot[bot])
• jsonschema: warn and ignore unresolved URN $ref to match v3.18.4 6801f4d (Benoit Tigeot)
• Avoid "panic: interface conversion: interface {} is nil" 2f619be (Benoit Tigeot)
• Fix helm pull untar dir check with repo urls 8112d47 (Luna Stadler)
• Fix deprecation warning 5dff7ce (Benoit Tigeot)
• chore(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10 2dad4d2 (dependabot[bot])
• Add timeout flag to repo add and update flags a833710 (Reinhard Nägele)
• chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.43.0 2e12c81 (Dirk Müller)

v3.19.0: Helm v3.19.0

Compare Source

Helm v3.19.0 is a feature release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:
  • for questions and just to hang out
  • for discussing PRs, code, and bugs
• Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
• Test, debug, and contribute charts: ArtifactHub/packages

Notable Changes

• Fixed a helm pull regression from 3.18 - error pulling OCI charts with --password #​31230
• Fixed a helm lint regression from Helm 3.18 - rejected JSON Schema $ref URLs that worked in 3.17.x #​31166
• Fixed go mod tidy #​31154
• Fixed k8s version parsing not matching original #​31091
• Fixed charts failing when using a redirect registry #​31087
• Fixed missing debug logging for OCI transport
• Fixed broken legacy docker support for login #​30941
• Fixed bugs from the move to ORAS v2
• Fixed processing all hook deletions on failure #​30673
• Feature for helm create added httproute from gateway-api to create chart template #​30658

Installation and Upgrading

Download Helm v3.19.0. The common platform binaries are here:

• MacOS amd64 (checksum / 09a108c0abda42e45af172be65c49125354bf7cd178dbe10435e94540e49c7b9)
• MacOS arm64 (checksum / 31513e1193da4eb4ae042eb5f98ef9aca7890cfa136f4707c8d4f70e2115bef6)
• Linux amd64 (checksum / a7f81ce08007091b86d8bd696eb4d86b8d0f2e1b9f6c714be62f82f96a594496)
• Linux arm (checksum / 8708367b8e8bed9bdf8429bb57536e4223cdca96245dffc205cb0cb670b151f4)
• Linux arm64 (checksum / 440cf7add0aee27ebc93fada965523c1dc2e0ab340d4348da2215737fc0d76ad)
• Linux i386 (checksum / ca0329cd1b09267e7c63c563e32462265949c31512b537dd6615d0b5190040fc)
• Linux ppc64le (checksum / f57ea04d7fa62cc3e90a831eb67edb1400c810df6083875bee3a7c195a795ce4)
• Linux s390x (checksum / 0dff2f249f71690e3b420ebb5efc573eb26a51b4a614c4391c8c7fa3e47863f2)
• Linux riscv64 (checksum / 978af545a3d72a253ce1d4c03c9febb509a239a48b2581107e548883ab61a227)
• Windows amd64 (checksum / 6488630c2e5d5945ed990fa02fd9e99f9c6792cdbcd79eb264b6cfb90179d2d1)
• Windows arm64 (checksum / 488f7530a1776da1b46b14e988bf305c9d7419c78e7e73aeb92f198a41c9ef6b)

This release was signed with 208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155 and can be found at @​scottrigby keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

• 3.19.1 will contain only bug fixes.
• 3.20.0 is the next feature release.

Changelog

• bump version to v3.19.0 [3d8990f](https://redirect.github.com/hel

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 14 additional dependencies were updated

Details:

Package	Change
github.com/spf13/pflag	v1.0.6 -> v1.0.7
golang.org/x/sync	v0.15.0 -> v0.16.0
golang.org/x/sys	v0.33.0 -> v0.34.0
golang.org/x/term	v0.32.0 -> v0.33.0
golang.org/x/text	v0.26.0 -> v0.27.0
k8s.io/api	v0.33.1 -> v0.33.3
k8s.io/apiextensions-apiserver	v0.33.1 -> v0.33.3
k8s.io/apimachinery	v0.33.1 -> v0.33.3
k8s.io/apiserver	v0.33.1 -> v0.33.3
k8s.io/cli-runtime	v0.33.1 -> v0.33.3
k8s.io/client-go	v0.33.1 -> v0.33.3
k8s.io/component-base	v0.33.1 -> v0.33.3
k8s.io/kubectl	v0.33.1 -> v0.33.3
sigs.k8s.io/yaml	v1.4.0 -> v1.5.0

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 37 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.24.4 -> 1.25.0
github.com/BurntSushi/toml	v1.5.0 -> v1.6.0
github.com/Masterminds/semver/v3	v3.3.0 -> v3.4.0
github.com/containerd/containerd	v1.7.27 -> v1.7.30
github.com/cyphar/filepath-securejoin	v0.4.1 -> v0.6.1
github.com/emicklei/go-restful/v3	v3.11.0 -> v3.12.2
github.com/fxamacker/cbor/v2	v2.7.0 -> v2.9.0
github.com/google/gnostic-models	v0.6.9 -> v0.7.0
github.com/modern-go/reflect2	v1.0.2 -> v1.0.3-0.20250322232337-35a7c28c31ee
github.com/rubenv/sql-migrate	v1.8.0 -> v1.8.1
github.com/spf13/cobra	v1.9.1 -> v1.10.2
github.com/spf13/pflag	v1.0.6 -> v1.0.10
go.opentelemetry.io/otel	v1.33.0 -> v1.36.0
go.opentelemetry.io/otel/trace	v1.33.0 -> v1.36.0
golang.org/x/crypto	v0.39.0 -> v0.46.0
golang.org/x/net	v0.40.0 -> v0.48.0
golang.org/x/oauth2	v0.28.0 -> v0.30.0
golang.org/x/sync	v0.15.0 -> v0.19.0
golang.org/x/sys	v0.33.0 -> v0.40.0
golang.org/x/term	v0.32.0 -> v0.39.0
golang.org/x/text	v0.26.0 -> v0.33.0
golang.org/x/time	v0.9.0 -> v0.12.0
google.golang.org/genproto/googleapis/rpc	v0.0.0-20241209162323-e6fa225c2576 -> v0.0.0-20250528174236-200df99c418a
google.golang.org/grpc	v1.68.1 -> v1.72.2
k8s.io/api	v0.33.1 -> v0.35.1
k8s.io/apiextensions-apiserver	v0.33.1 -> v0.35.1
k8s.io/apimachinery	v0.33.1 -> v0.35.1
k8s.io/apiserver	v0.33.1 -> v0.35.1
k8s.io/cli-runtime	v0.33.1 -> v0.35.1
k8s.io/client-go	v0.33.1 -> v0.35.1
k8s.io/component-base	v0.33.1 -> v0.35.1
k8s.io/kube-openapi	v0.0.0-20250318190949-c8a335a9a2ff -> v0.0.0-20250910181357-589584f1c912
k8s.io/kubectl	v0.33.1 -> v0.35.1
k8s.io/utils	v0.0.0-20241104100929-3ea5e8cea738 -> v0.0.0-20251002143259-bc988d571ff4
sigs.k8s.io/json	v0.0.0-20241010143419-9aa6b5e7a4b3 -> v0.0.0-20250730193827-2d320260d730
sigs.k8s.io/kustomize/api	v0.19.0 -> v0.20.1
sigs.k8s.io/kustomize/kyaml	v0.19.0 -> v0.20.1
sigs.k8s.io/yaml	v1.4.0 -> v1.6.0