Skip to content

chore(deps): bump the go_modules group across 2 directories with 3 updates#137

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/go_modules-1238264c1b
Open

chore(deps): bump the go_modules group across 2 directories with 3 updates#137
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/go_modules-1238264c1b

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 10, 2026

Bumps the go_modules group with 1 update in the / directory: helm.sh/helm/v3.
Bumps the go_modules group with 2 updates in the /e2e directory: github.com/go-git/go-git/v5 and github.com/moby/buildkit.

Updates helm.sh/helm/v3 from 3.20.1 to 3.20.2

Release notes

Sourced from helm.sh/helm/v3's releases.

Helm v3.20.2

v3.20.2

Helm v3.20.2 is a security patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Security fixes

  • GHSA-hr2v-4r36-88hr Helm Chart extraction output directory collapse via Chart.yaml name dot-segment

Installation and Upgrading

Download Helm v3.20.2. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 4.1.5 and 3.20.3 are the next patch (bug fix) releases and will be on April 8, 2026
  • 4.2.0 and 3.21.0 are the next minor (feature) releases and will be on May 13, 2026

Changelog

  • fix: Chart dot-name path bug 8fb76d6ab555577e98e23b7500009537a471feee (George Jenkins)
  • fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow 3a8927e275c50cecde273872dad2a5576bd46375 (Terry Howe)
Commits
  • 8fb76d6 fix: Chart dot-name path bug
  • 3a8927e fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow
  • See full diff in compare view

Updates github.com/go-git/go-git/v5 from 5.16.5 to 5.17.1

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.17.1

What's Changed

Full Changelog: go-git/go-git@v5.17.0...v5.17.1

v5.17.0

What's Changed

Full Changelog: go-git/go-git@v5.16.5...v5.17.0

Commits
  • 5e23dfd Merge pull request #1937 from pjbgf/idx-v5
  • 6b38a32 Merge pull request #1935 from pjbgf/index-v5
  • cd757fc plumbing: format/idxfile, Fix version and fanout checks
  • 3ec0d70 plumbing: format/index, Fix tree extension invalidated entry parsing
  • dbe10b6 plumbing: format/index, Align V2/V3 long name and V4 prefix encoding with Git
  • e9b65df plumbing: format/index, Improve v4 entry name validation
  • adad18d Merge pull request #1930 from go-git/renovate/releases/v5.x-go-github.com-clo...
  • 29470bd build: Update module github.com/cloudflare/circl to v1.6.3 [SECURITY]
  • bdf0688 Merge pull request #1864 from pjbgf/v5-issue-55
  • 5290e52 storage: filesystem, Avoid overwriting loose obj files. Fixes #55
  • Additional commits viewable in compare view

Updates github.com/moby/buildkit from 0.12.5 to 0.28.1

Release notes

Sourced from github.com/moby/buildkit's releases.

v0.28.1

Welcome to the v0.28.1 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

  • Tõnis Tiigi
  • CrazyMax
  • Sebastiaan van Stijn

Notable Changes

  • Fix insufficient validation of Git URL #ref:subdir fragments that could allow access to restricted files outside the checked-out repository root. GHSA-4vrq-3vrq-g6gg
  • Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. GHSA-4c29-8rgm-jvjj
  • Fix a panic when processing invalid .dockerignore patterns during COPY. #6610 moby/patternmatcher#9

Dependency Changes

  • github.com/moby/patternmatcher v0.6.0 -> v0.6.1

Previous release can be found at v0.28.0

v0.28.0

buildkit 0.28.0

Welcome to the v0.28.0 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

  • Tõnis Tiigi
  • CrazyMax
  • Sebastiaan van Stijn
  • Jonathan A. Sternberg
  • Akihiro Suda
  • Amr Mahdi
  • Dan Duvall
  • David Karlsson
  • Jonas Geiler
  • Kevin L.
  • rsteube

... (truncated)

Commits
  • 45b038c git: normalize and validate subdir paths
  • f5462c2 git: harden ref arg handling
  • 71577a5 source: extract SafeFileName into shared pathutil package
  • df43783 source/http: use os.Root for saved file operations
  • 9ce6f62 source/http: sanitize downloaded filenames
  • 099cf80 executor: validate container IDs centrally
  • 2642113 Merge pull request #6610 from thaJeztah/0.28_backport_bump_patternmatcher
  • 802da78 vendor: github.com/moby/patternmatcher v0.6.1
  • 5245d86 Merge pull request #6551 from tonistiigi/v0.28-cherry-picks
  • 90ee5de vendor: update x/net to v0.51.0
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump the go_modules group across 2 directories with 3 up…
ec841f9 
…dates

Bumps the go_modules group with 1 update in the / directory: [helm.sh/helm/v3](https://github.com/helm/helm).
Bumps the go_modules group with 2 updates in the /e2e directory: [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) and [github.com/moby/buildkit](https://github.com/moby/buildkit).


Updates `helm.sh/helm/v3` from 3.20.1 to 3.20.2
- [Release notes](https://github.com/helm/helm/releases)
- [Commits](helm/helm@v3.20.1...v3.20.2)

Updates `github.com/go-git/go-git/v5` from 5.16.5 to 5.17.1
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.16.5...v5.17.1)

Updates `github.com/moby/buildkit` from 0.12.5 to 0.28.1
- [Release notes](https://github.com/moby/buildkit/releases)
- [Commits](moby/buildkit@v0.12.5...v0.28.1)

---
updated-dependencies:
- dependency-name: helm.sh/helm/v3
  dependency-version: 3.20.2
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.17.1
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/moby/buildkit
  dependency-version: 0.28.1
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Apr 10, 2026
@dependabot dependabot bot mentioned this pull request Apr 10, 2026
Closed
@konflux-ci-qe-bot
Copy link
Copy Markdown

konflux-ci-qe-bot commented Apr 10, 2026

@dependabot[bot]: The following matrix E2E test has Failed, say /retest to rerun failed tests.

Total child pipelines: 2
Failed child pipelines: 2

Failed child pipelines

PipelineRun Name Status Rerun command Build Log Test Log
tsf-e2e-4.20-z49j4 Failed /retest View Pipeline Log View Test Logs
tsf-e2e-4.21-fzw4b Failed /retest View Pipeline Log View Test Logs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@konflux-ci-qe-bot