fix(deps): update module helm.sh/helm/v3 to v3.18.5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
helm.sh/helm/v3	v3.18.4 -> v3.18.5

GitHub Vulnerability Alerts

CVE-2025-55199

A Helm contributor discovered that it was possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination.

Impact

A malicious chart can point $ref in values.schema.json to a device (e.g. /dev/*) or other problem file which could cause Helm to use all available memory and have an out of memory (OOM) termination.

Patches

This issue has been resolved in Helm v3.18.5.

Workarounds

Make sure that all Helm charts that are being loaded into Helm doesn't have any reference of $ref pointing to /dev/zero.

References

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Jakub Ciolek at AlphaSense.

CVE-2025-55198

A Helm contributor discovered an improper validation of type error when parsing Chart.yaml and index.yaml files that can lead to a panic.

Impact

There are two areas of YAML validation that were impacted. First, when a Chart.yaml file had a null maintainer or the child or parent of a dependencies import-values could be parsed as something other than a string, helm lint would panic. Second, when an index.yaml had an empty entry in the list of chart versions Helm would panic on interactions with that repository.

Patches

This issue has been resolved in Helm v3.18.5.

Workarounds

Ensure YAML files are formatted as Helm expects prior to processing them with Helm.

References

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Jakub Ciolek at AlphaSense.

---

Release Notes

helm/helm (helm.sh/helm/v3)

v3.18.5

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 8 additional dependencies were updated

Details:

Package	Change
k8s.io/api	v0.33.2 -> v0.33.3
k8s.io/apiextensions-apiserver	v0.33.2 -> v0.33.3
k8s.io/apimachinery	v0.33.2 -> v0.33.3
k8s.io/cli-runtime	v0.33.2 -> v0.33.3
k8s.io/client-go	v0.33.2 -> v0.33.3
k8s.io/kubectl	v0.33.2 -> v0.33.3
k8s.io/apiserver	v0.33.2 -> v0.33.3
k8s.io/component-base	v0.33.2 -> v0.33.3