[VULN-62334] Update helm.sh/helm/v3 dependency to v3.20.2 #2969

Merged
tbavelier merged 3 commits into main from tbavelier/vuln-62334
May 4, 2026

@tbavelier tbavelier commented May 4, 2026

What does this PR do?

  • Updates a helm dependency

Motivation

Additional Notes

Anything else we should know when reviewing?

Minimum Agent Versions

Are there minimum versions of the Datadog Agent and/or Cluster Agent required?

  • Agent: vX.Y.Z
  • Cluster Agent: vX.Y.Z

Describe your test plan

Verified locally trivy image does not return the CVE from this branch (main tag) compared to main (main2 tag)

╰─❯ trivy image tbdatadog/operator:main2
2026-05-04T15:43:05+02:00       INFO    [vuln] Vulnerability scanning is enabled
2026-05-04T15:43:05+02:00       INFO    [secret] Secret scanning is enabled
2026-05-04T15:43:05+02:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-05-04T15:43:05+02:00       INFO    [secret] Please see https://trivy.dev/docs/v0.69/guide/scanner/secret#recommendation for faster secret detection
2026-05-04T15:43:06+02:00       INFO    Detected OS     family="redhat" version="10.1"
2026-05-04T15:43:06+02:00       INFO    [redhat] Detecting RHEL/CentOS vulnerabilities...       os_version="10" pkg_num=23
2026-05-04T15:43:06+02:00       INFO    Number of language-specific files       num=3
2026-05-04T15:43:06+02:00       INFO    [gobinary] Detecting vulnerabilities...

Report Summary

┌────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                 Target                 │   Type   │ Vulnerabilities │ Secrets │
├────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ tbdatadog/operator:main2 (redhat 10.1) │  redhat  │        0        │    -    │
├────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ helpers                                │ gobinary │        0        │    -    │
├────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ manager                                │ gobinary │        0        │    -    │
├────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ yaml-mapper                            │ gobinary │        1        │    -    │
└────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


yaml-mapper (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌─────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│     Library     │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                          │
├─────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ helm.sh/helm/v3 │ CVE-2026-35206 │ MEDIUM   │ fixed  │ v3.18.5           │ 3.20.2        │ github.com/helm/helm: Helm: Files written to unexpected │
│                 │                │          │        │                   │               │ directory via specially crafted Chart                   │
│                 │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-35206              │
└─────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘

📣 Notices:
  - Version 0.70.0 of Trivy is now available, current version is 0.69.3

To suppress version checks, run Trivy scans with the --skip-version-check flag

╭─ ~/dd/datadog-operator main !1 ?1                                                                                                                        3.12  15:43:06
╰─❯ trivy image tbdatadog/operator:main
2026-05-04T15:43:11+02:00       INFO    [vuln] Vulnerability scanning is enabled
2026-05-04T15:43:11+02:00       INFO    [secret] Secret scanning is enabled
2026-05-04T15:43:11+02:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-05-04T15:43:11+02:00       INFO    [secret] Please see https://trivy.dev/docs/v0.69/guide/scanner/secret#recommendation for faster secret detection
2026-05-04T15:43:11+02:00       INFO    Detected OS     family="redhat" version="10.1"
2026-05-04T15:43:11+02:00       INFO    [redhat] Detecting RHEL/CentOS vulnerabilities...       os_version="10" pkg_num=23
2026-05-04T15:43:11+02:00       INFO    Number of language-specific files       num=3
2026-05-04T15:43:11+02:00       INFO    [gobinary] Detecting vulnerabilities...

Report Summary

┌───────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                Target                 │   Type   │ Vulnerabilities │ Secrets │
├───────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ tbdatadog/operator:main (redhat 10.1) │  redhat  │        0        │    -    │
├───────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ helpers                               │ gobinary │        0        │    -    │
├───────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ manager                               │ gobinary │        0        │    -    │
├───────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ yaml-mapper                           │ gobinary │        0        │    -    │
└───────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


📣 Notices:
  - Version 0.70.0 of Trivy is now available, current version is 0.69.3

To suppress version checks, run Trivy scans with the --skip-version-check flag

Checklist

  • PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
  • PR has a milestone or the qa/skip-qa label
  • All commits are signed (see: signing commits)

@tbavelier tbavelier added this to the v1.27.0 milestone May 4, 2026
@tbavelier tbavelier requested a review from a team May 4, 2026 13:41
@tbavelier tbavelier added the dependencies (Pull requests that update a dependency file) and qa/skip-qa labels May 4, 2026
@tbavelier tbavelier changed the title from "Update helm.sh/helm/v3 dependency to v3.20.2" to "[VULN-62334] Update helm.sh/helm/v3 dependency to v3.20.2" May 4, 2026
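
The before/after comparison in the test plan can be automated by diffing the JSON form of the two scans (`trivy image --format json`). The following is an added example, not code from this PR or from the operator; the function names are hypothetical and the two sample reports are constructed from the values in the tables above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample reports mirroring the two scans above (main2, then main).
const baseReport = `{"Results":[{"Target":"manager"},{"Target":"yaml-mapper","Vulnerabilities":[
{"VulnerabilityID":"CVE-2026-35206","PkgName":"helm.sh/helm/v3","FixedVersion":"3.20.2"}]}]}`
const fixReport = `{"Results":[{"Target":"manager"},{"Target":"yaml-mapper"}]}`

// parse returns the "target|package|CVE" keys of a Trivy JSON report.
func parse(raw string) (keys []string, err error) {
	var r struct { // subset of the fields Trivy emits
		Results []struct {
			Target          string
			Vulnerabilities []struct{ VulnerabilityID, PkgName string }
		}
	}
	if err = json.Unmarshal([]byte(raw), &r); err != nil {
		return nil, fmt.Errorf("parse Trivy report: %w", err)
	}
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			keys = append(keys, res.Target+"|"+v.PkgName+"|"+v.VulnerabilityID)
		}
	}
	return keys, nil
}

// onlyIn returns the findings present in a but absent from b.
func onlyIn(a, b []string) (out []string) {
	inB := map[string]bool{}
	for _, k := range b {
		inB[k] = true
	}
	for _, k := range a {
		if !inB[k] {
			out = append(out, k)
		}
	}
	return out
}

func main() {
	base, errBase := parse(baseReport)
	fix, errFix := parse(fixReport)
	fmt.Println("resolved:", onlyIn(base, fix), "introduced:", onlyIn(fix, base), errBase, errFix)
}
```

Calling `onlyIn` in both directions separates findings the dependency bump resolves from any it introduces, which a comparison of summary counts alone would not show.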

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7d9beac252

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread go.mod
codecov-commenter commented May 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 41.41%. Comparing base (1ed0fbc) to head (0f49d6d).

@@           Coverage Diff           @@
##             main    #2969   +/-   ##
=======================================
  Coverage   41.41%   41.41%           
=======================================
  Files         327      327           
  Lines       28891    28891           
=======================================
  Hits        11964    11964           
  Misses      16072    16072           
  Partials      855      855           
Flag Coverage Δ
unittests 41.41% <ø> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
tbavelier (Member, Author) commented

@codex review

chatgpt-codex-connector commented

Codex Review: Didn't find any major issues. 🎉

@tbavelier tbavelier merged commit 4c40cf4 into main May 4, 2026
55 checks passed
@tbavelier tbavelier deleted the tbavelier/vuln-62334 branch May 4, 2026 15:34