Skip to content

build(deps): bump helm.sh/helm/v4 from 4.1.0 to 4.1.4#249

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/helm.sh/helm/v4-4.1.4
Open

build(deps): bump helm.sh/helm/v4 from 4.1.0 to 4.1.4#249
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/helm.sh/helm/v4-4.1.4

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 9, 2026

Bumps helm.sh/helm/v4 from 4.1.0 to 4.1.4.

Release notes

Sourced from helm.sh/helm/v4's releases.

Helm v4.1.4 is a security fix patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Security fixes

  • GHSA-hr2v-4r36-88hr Helm Chart extraction output directory collapse via Chart.yaml name dot-segment
  • GHSA-q5jf-9vfq-h4h7 Plugin verification fails open when .prov is missing, allowing unsigned plugin install
  • GHSA-vmx8-mqv2-9gmg Path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory

A big thank you to the reporters of these issues (@​maru1009, @​1seal).

Installation and Upgrading

Download Helm v4.1.4. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 4.1.5 and 3.20.3 are the next patch (bug fix) releases and will be on April 8, 2026
  • 4.2.0 and 3.21.0 are the next minor (feature) releases and will be on May 13, 2026

Changelog

  • fix: Plugin missing provenance bypass 05fa37973dc9e42b76e1d2883494c87174b6074f (George Jenkins)
  • fix: Chart dot-name path bug 4e7994d4467182f535b6797c94b5b0e994a91436 (George Jenkins)
  • ignore error plugin loads (cli, getter) 25819432bf87ac0b54f0d3fa54982add2cac609e (George Jenkins)
  • fix: Plugin version path traversal 36c8539e99bc42d7aef9b87d136254662d04f027 (George Jenkins)
  • fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow c61e0860ec797330a4c26a78dde7020cdc6743b1 (Terry Howe)

Helm v4.1.3 is a patch release. Users are encouraged to upgrade for the best experience.

... (truncated)

Commits
  • 05fa379 fix: Plugin missing provenance bypass
  • 4e7994d fix: Chart dot-name path bug
  • 2581943 ignore error plugin loads (cli, getter)
  • 36c8539 fix: Plugin version path traversal
  • c61e086 fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow
  • c94d381 chore(defaults): server-side apply SDK defaults should always match the CLI d...
  • b36d660 whitespace
  • 04a91af use logger with waiter
  • c3c57db Remove refactorring changes from coalesce_test.go
  • d47cb2b Fix import
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
build(deps): bump helm.sh/helm/v4 from 4.1.0 to 4.1.4
7b2cfc8 
Bumps [helm.sh/helm/v4](https://github.com/helm/helm) from 4.1.0 to 4.1.4.
- [Release notes](https://github.com/helm/helm/releases)
- [Commits](helm/helm@v4.1.0...v4.1.4)

---
updated-dependencies:
- dependency-name: helm.sh/helm/v4
  dependency-version: 4.1.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Apr 9, 2026
@dependabot dependabot bot mentioned this pull request Apr 9, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants