fix(deps): update go major updates (major)#38

Open
renovate[bot] wants to merge 1 commit into main from renovate/major-go-major-updates

@renovate renovate Bot commented Feb 1, 2026


ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change
github.com/labstack/echo/v4 v4.15.1 -> v5.2.1
helm.sh/helm/v3 v3.20.2 -> v4.2.2

Release Notes

labstack/echo (github.com/labstack/echo/v4)

v5.2.1

Security

Make static file serving related methods and middleware not unescape the path by default, so that the way the Router interprets paths and the way the Static methods/middleware interpret them is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt

// 1. share `public/` folder contents from the server root. This folder actually contains subfolder `admin` which
// contents we want to forbid from downloading
e.Static("/", "public")

// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
    return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to the GET /admin/* route (routing does not look at the unescaped path), and static file serving will use the unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.


  • revert PR #​3009 changes to just disabling path escaping by default in static methods/middleware by @​aldas in #​3016

Closes GHSA-vfp3-v2gw-7wfq more completely: the previous fix (#​3009) rejected explicitly encoded
separators at the handler level; this patch makes the no-unescape behavior the default so new configurations are safe without extra opt-out steps.

What changed: DisablePathUnescaping (on StaticConfig and StaticDirectoryHandlerConfig) is deprecated and replaced by EnablePathUnescaping (default false). Path unescaping is now opt-in.

What this protects: With EnablePathUnescaping: false (new default), encoded separators (%2F, %5C) are never decoded before routing or file lookup, so they cannot
bypass route-level authentication or other middleware guards.

What this does NOT protect: Serving a directory with Static, StaticFS, or StaticDirectoryHandler exposes its entire subtree. Sibling routes are not a reliable
ACL boundary — attach authorization middleware directly to the static mount, or serve sensitive sub-trees under separate guarded routes.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txt -> hello world.txt), you must now opt in:

// Static middleware
e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
    EnablePathUnescaping: true, // only safe when NOT relying on route-based ACL guards
    ...
}))

// StaticDirectoryHandler
middleware.StaticDirectoryHandler(fs, &middleware.StaticDirectoryHandlerConfig{
    EnablePathUnescaping: true,
})

Full Changelog: labstack/echo@v5.2.0...v5.2.1

v5.2.0

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler/StaticFS and the Static middleware are affected. Thanks to @​a-tt-om and @​oran-gugu for reporting.

Enhancements

New Contributors

Full Changelog: labstack/echo@v5.1.1...v5.2.0

v5.1.1

Security

Thanks to @​shblue21 for reporting this issue.

Enhancements

v5.1.0

Security

This change does not break the API contract, but it does introduce breaking changes in logic/behavior.
If your application is using c.RealIP() beware and read https://echo.labstack.com/docs/ip-address

v4 behavior can be restored with:

e := echo.New()
e.IPExtractor = echo.LegacyIPExtractor()

  • Remove legacy IP extraction logic from context.RealIP method by @​aldas in #​2933

Enhancements

v5.0.4

Enhancements

v5.0.3

Security

  • Fix directory traversal vulnerability under Windows in Static middleware when default Echo filesystem is used. Reported by @​shblue21.

This applies to cases when:

  • Windows is used as OS
  • middleware.StaticConfig.Filesystem is nil (default)
  • echo.Filesystem has not been set explicitly (default)

Exposure is restricted to the active process working directory and its subfolders.

v5.0.2

Security

  • Fix Static middleware with config.Browse=true lists all files/subfolders from config.Filesystem root and not starting from config.Root in #​2887

v5.0.1

v5.0.0

Echo v5 is a maintenance release with major breaking changes

  • Context is now a struct instead of an interface, and we can add methods to it in the future in minor versions.
  • Adds new Router interface for possible new routing implementations.
  • Drops old logging interface and uses modern log/slog instead.
  • Rearranges a lot of methods/function signatures to make them more consistent.

Upgrade notes and v4 support:

  • Echo v4 is supported with security* updates and bug fixes until 2026-12-31
  • If you are using Echo in a production environment, it is recommended to wait until after 2026-03-31 before upgrading.
  • Until 2026-03-31, any critical issues requiring breaking v5 API changes will be addressed, even if this violates semantic versioning.

See API_CHANGES_V5.md for public API changes between v4 and v5, notes on upgrading.

Upgrading TLDR:

If you are using Linux, you can migrate the easier parts like this:

find . -type f -name "*.go" -exec sed -i 's/ echo.Context/ *echo.Context/g' {} +
find . -type f -name "*.go" -exec sed -i 's/echo\/v4/echo\/v5/g' {} +

macOS

find . -type f -name "*.go" -exec sed -i '' 's/ echo.Context/ *echo.Context/g' {} +
find . -type f -name "*.go" -exec sed -i '' 's/echo\/v4/echo\/v5/g' {} +

or in your favorite IDE

Replace all:

  1. echo.Context -> *echo.Context
  2. echo/v4 -> echo/v5

This should solve most of the issues. Probably the hardest part is updating all the tests.

v4.15.4

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#​3016, released in v5.2.1). Thanks to @​a-tt-om and @​oran-gugu for reporting.


Make static file serving related methods and middleware not unescape the path by default, so that the way the Router interprets paths and the way the Static methods/middleware interpret them is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt

// 1. share `public/` folder contents from the server root. This folder actually contains subfolder `admin` which
// contents we want to forbid from downloading
e.Static("/", "public")

// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
    return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to the GET /admin/* route (routing does not look at the unescaped path), and static file serving will use the unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txt -> hello world.txt), you must now opt in:

	e := echo.New()
	e.EnablePathUnescapingStaticFiles = true  // <-- enable old behavior
	e.Static("/", "public")

for static middleware

	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
		EnablePathUnescaping: true, // <-- enable old behavior
	}))

Full Changelog: labstack/echo@v4.15.3...v4.15.4

v4.15.3: - Static encoded-separator route bypass fix (GHSA-vfp3-v2gw-7wfq)

Security

  • fix(static): reject encoded path separators that bypass route-level middleware by @​vishr in #​3011

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#​3009, released in v5.2.0). Thanks to @​a-tt-om and @​oran-gugu for reporting.

Full Changelog: labstack/echo@v4.15.2...v4.15.3

v4.15.2: - Context.Scheme() header validation

Security

Thanks to @​shblue21 for reporting this issue.

Full Changelog: labstack/echo@v4.15.1...v4.15.2

helm/helm (helm.sh/helm/v3)

v4.2.2: Helm v4.2.2

Helm v4.2.2 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Notable Changes

  • Revert: Fixed a race condition in WaitForDelete where the status observer canceled the watch too early, causing intermittent failures when running a full test suite #​32214

Installation and Upgrading

Download Helm v4.2.2. The common platform binaries are here:

This release was signed by @​gjenkins8 with key BF88 8333 D96A 1C18 E268 2AAE D79D 67C9 EC01 6739, which can be found at https://keys.openpgp.org/vks/v1/by-fingerprint/BF888333D96A1C18E2682AAED79D67C9EC016739. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 4.2.3 and 3.21.2 are the next patch releases scheduled for July 8, 2026
  • 4.3.0 and 3.22.0 are the next minor releases scheduled for September 9, 2026

Changelog

  • Revert "fix(kube): prevent spurious early exit in WaitForDelete during informer sync" b05881c (George Jenkins)

Full Changelog: helm/helm@v4.2.1...v4.2.2

v4.2.1: Helm v4.2.1

Helm v4.2.1 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Notable Changes

  • Fixed data race detected by -race flag when concurrent goroutines (upgrade + rollback, install + uninstall) both call GetWaiterWithOptions on the same FailingKubeClient instance #​31925
  • Fixed helm command success messages writing to stderr instead of stdout. Now correctly outputting to stdout #​32056
  • Fixed Helm 4 emitting "unable to find exact version" when using version range constraints #​31757
  • Fixed a race condition in WaitForDelete where the status observer canceled the watch too early, causing intermittent failures when running a full test suite #​32081
  • Bumped golang.org/x/net to v0.55.0 to address GO-2026-5026 #​32153
  • Fixed SDK errors by upgrading dependencies: cli-utils 1.2.1, controller-runtime 0.24.1 and k8s 1.36.1 #​32128
  • Dependency updates

Installation and Upgrading

Download Helm v4.2.1. The common platform binaries are here:

This release was signed with 208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155 and can be found at @​scottrigby keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 4.2.2 and 3.21.2 are the next patch releases scheduled for July 8, 2026
  • 4.3.0 and 3.22.0 are the next minor releases scheduled for September 9, 2026

Changelog

  • fix: protect FailingKubeClient.RecordedWaitOptions from data race (#​31925) d591a19 (Terry Howe)
  • fix: route registry client output to stdout instead of stderr (#​32056) 2a9fcae (Terry Howe)
  • chore(deps): bump oras.land/oras-go/v2 from 2.6.0 to 2.6.1 ffa5bd6 (dependabot[bot])
  • chore(deps): bump golang.org/x/crypto from 0.52.0 to 0.53.0 9f9dbaf (dependabot[bot])
  • chore(deps): bump golang.org/x/term from 0.43.0 to 0.44.0 64a2891 (dependabot[bot])
  • chore(deps): bump golang.org/x/text from 0.37.0 to 0.38.0 e54a4a2 (dependabot[bot])
  • chore(deps): bump github/codeql-action from 4.36.1 to 4.36.2 acb762b (dependabot[bot])
  • chore(deps): bump github/codeql-action from 4.36.0 to 4.36.1 768586d (dependabot[bot])
  • fix(version): avoid false range detection on prerelease x/X eabfae5 (Benoit Tigeot)
  • fix(version): version range || can has no space e3fd51f (Benoit Tigeot)
  • feat: report in debug the version we select with version range arg 1e47395 (Benoit Tigeot)
  • fix: prevent warning when using version range constraints a33e239 (Benoit Tigeot)
  • fix(kube): always propagate context.Canceled in WaitForDelete fa06d44 (Terry Howe)
  • fix(kube): prevent spurious early exit in WaitForDelete during informer sync 360d483 (Terry Howe)
  • chore(deps): bump github.com/tetratelabs/wazero from 1.11.0 to 1.12.0 7651edf (dependabot[bot])
  • chore(deps): bump golang.org/x/crypto from 0.51.0 to 0.52.0 b132e7e (dependabot[bot])
  • fix(deps): bump golang.org/x/net to v0.55.0 to address GO-2026-5026 eee491a (Terry Howe)
  • chore(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 3e3c575 (dependabot[bot])
  • chore(deps): bump github/codeql-action from 4.35.5 to 4.36.0 c4ce2bb (dependabot[bot])
  • chore(deps): bump actions/stale from 10.2.0 to 10.3.0 3892dc2 (dependabot[bot])
  • chore(deps): bump github/codeql-action from 4.35.4 to 4.35.5 c4bbb62 (dependabot[bot])
  • chore(deps): bump golang.org/x/crypto from 0.50.0 to 0.51.0 a0d7f16 (dependabot[bot])
  • chore(deps): bump github/codeql-action from 4.35.3 to 4.35.4 8a3de05 (dependabot[bot])
  • fix(upstream): upgrade to cli-utils 1.2.1, controller-runtime 0.24.1 and k8s 1.36.1 57a4803 (Matheus Pimenta)
  • chore(deps): bump github.com/fluxcd/cli-utils from 1.2.0 to 1.2.1 b33ae02 (dependabot[bot])

Full Changelog: helm/helm@v4.2.0...v4.2.1

v4.2.0: Helm v4.2.0

Helm v4.2.0 is a feature release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Notable Changes

  • Switch to goreleaser for release builds
  • Kubernetes client libraries to v1.36
  • Add mustToToml template function
  • deprecate unused --hide-notes and --render-subchart-notes flags
  • --dry-run=server now respects generateName:

Installation and Upgrading

Download Helm v4.2.0. The common platform binaries are here:

This release was signed by @​gjenkins8 with key BF88 8333 D96A 1C18 E268 2AAE D79D 67C9 EC01 6739, which can be found at https://keys.openpgp.org/vks/v1/by-fingerprint/BF888333D96A1C18E2682AAED79D67C9EC016739. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 4.2.1 will contain only bug fixes
  • 4.3.0 is the next feature release

Changelog

  • Bump to version v4.2 0646808 (George Jenkins)
  • build: Clean up Goreleaser change (#​32098) e23bf3a (Scott Rigby)
  • fix: add -extldflags -static to dist target to match build-cross f60ab7c (Terry Howe)
  • build: use goreleaser build with manual archive creation 64aa46f (Terry Howe)
  • chore: remove build-cross dependency from test-acceptance d199a1a (Terry Howe)
  • ci: add fetch-depth 0 to canary checkout for goreleaser 8289940 (Terry Howe)
  • fix: address goreleaser build issues flagged in review c075022 (Terry Howe)
  • fix: pass VERSION as GORELEASER_CURRENT_TAG to preserve v-prefix in archive names 04885dd (Terry Howe)
  • fix: disable goreleaser checksums.txt and restrict zip to windows only 93103ce (Terry Howe)
  • fix: use index for optional env var in version_template e49a1dc (Terry Howe)
  • fix: canary build file names eaa0910 (Terry Howe)
  • Fix archive name 5a75279 (Terry Howe)
  • fix goreleaser archive 37284a9 (Terry Howe)
  • add support for loong64 45336cc (Terry Howe)
  • fix artifact directory a9659b0 (Terry Howe)
  • update configuration to v2 e368f17 (Terry Howe)
  • remove GOTOOLCHAIN e7bea85 (Terry Howe)
  • chore: replace mitchellh/gox with goreleaser 075c096 (Terry Howe)
  • chore(deps): bump github.com/distribution/distribution/v3 12f2c41 (dependabot[bot])
  • chore(deps): bump github/codeql-action from 4.35.2 to 4.35.3 58e8ffd (dependabot[bot])
  • chore(deps): bump github.com/Masterminds/semver/v3 from 3.4.0 to 3.5.0 e61bbfb (dependabot[bot])
  • Upgrade kstatus to 1.2 and controller-runtime to 0.24 081c6df (Matheus Pimenta)
  • fix: adds topLevel permissions to improve openSSF scores 277d970 (Gagan H R)
  • Upgrade Go to 1.26, Kubernetes to 1.36, kstatus to 1.1 a4a9cc7 (Matheus Pimenta)
  • fix(templating): hooks conflicting with templates in post-renderers (#​32049) 8f56f24 (Matheus Pimenta)
  • docs: fix grammar and spacing in CONTRIBUTING.md db40adb (Mohit)
  • chore(deps): bump the k8s-io group with 7 updates 775e794 (dependabot[bot])
  • chore(deps): bump github/codeql-action from 4.35.1 to 4.35.2 934ace3 (dependabot[bot])
  • fix(templating): SplitManifests must preserve line endings for downstream YAML parsers (#​31952) 265c5eb (Matheus Pimenta)
  • chore(deps): bump github.com/mattn/go-shellwords from 1.0.12 to 1.0.13 48e2b7d (dependabot[bot])
  • Update pkg/chart/common/util/coalesce.go a8e2497 (Evans Mungai)
  • test(values): Add test for nil cleanup in partially overridden subchart maps 52fc971 (Johannes Lohmer)
  • fix(values): do not copy chart-default nils into coalesced values 0063877 (Johannes Lohmer)
  • test(values): add test for subchart nil producing %!s() 6eb4ebf (Johannes Lohmer)
  • test(values): add tests for subchart nil value regressions 5cb4e7d (Johannes Lohmer)
  • chore(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 b5c7c80 (dependabot[bot])
  • fix(templating): fix wrong YAML separator parsing for post-renderers (#​31941) a27f1ad (Matheus Pimenta)
  • fix: add debug logging to HTTP getter for helm pull c26be60 (Cairon)
  • chore(deps): bump golang.org/x/crypto from 0.49.0 to 0.50.0 953f5f0 (dependabot[bot])
  • chore(deps): bump golang.org/x/term from 0.41.0 to 0.42.0 10fc5f3 (dependabot[bot])
  • chore(deps): bump golang.org/x/text from 0.35.0 to 0.36.0 d89e7c6 (dependabot[bot])
  • chore: Update release notes script for Helm v4 8a95461 (George Jenkins)
  • refactor(cli): share RetryingRoundTripper via pkg/kubeenv 213c869 (Sumit Solanki)
  • chore(deps): bump github.com/lib/pq from 1.12.2 to 1.12.3 bd5027a (dependabot[bot])
  • fix: unnecessary-format lint issues from merge 087736b (George Jenkins)
  • fix: Plugin missing provenance bypass 586eb57 (George Jenkins)
  • chore(deps): bump github.com/fluxcd/cli-utils c8c5dfa (dependabot[bot])
  • chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp 998466c (dependabot[bot])
  • chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp b0cec58 (dependabot[bot])
  • chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp 6ebfb29 (dependabot[bot])
  • test(kube): fix flaky WaitForDelete test by avoiding informer sync race a7f8443 (Terry Howe)
  • test(kube): fix flaky WaitForDelete timing in status wait tests 4c0d21f (Terry Howe)
  • chore(deps): bump github.com/distribution/distribution/v3 08dea9c (dependabot[bot])
  • Minor nit: fix import instructions to comply with canonical import paths de58531 (Anmol Virdi)
  • chore(deps): bump github.com/distribution/distribution/v3 9b1ad4c (dependabot[bot])
  • fix(action): return correct error variable in prepareUpgrade 8ef2d45 (Rhys McNeill)
  • chore(deps): bump github.com/lib/pq from 1.12.1 to 1.12.2 cd7cf76 (dependabot[bot])
  • chore(deps): bump github/codeql-action from 4.30.7 to 4.35.1 45ee55b (dependabot[bot])
  • chore(deps): bump github.com/lib/pq from 1.12.0 to 1.12.1 9a06741 (dependabot[bot])
  • chore(deps): bump actions/setup-go from 6.2.0 to 6.4.0 d1e31ca (dependabot[bot])
  • fix(kube): clarify server-side apply patch errors f257c95 (abhay1999)
  • fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow 7025480 (Terry Howe)
  • refactor(cli): decouple EnvSettings from pkg/kube 64f1d0a (Sumit Solanki)
  • docs(registry): fix incorrect and improve clarity of comments in client.go 85bf56e (Debasish Mohanty)
  • refactor(cli): decouple EnvSettings from pkg/kube to avoid import cycles 1549937 (Sumit Solanki)
  • chore(deps): bump github.com/ProtonMail/go-crypto from 1.3.0 to 1.4.1 c7a75b1 (dependabot[bot])
  • chore(deps): bump github.com/lib/pq from 1.11.2 to 1.12.0 3a7573a (dependabot[bot])
  • chore(deps): bump github.com/fatih/color from 1.18.0 to 1.19.0 0229da1 (dependabot[bot])
  • docs(engine): fix misleading toTOML doc comment c1a5a6e (Ilya Kiselev)
  • feat(engine): add mustToToml template function b075f7a (Ilya Kiselev)
  • chore: fix unnecessary-format issues from revive 7edfff3 (Matthieu MOREL)
  • chore(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.3 37185d2 (dependabot[bot])
  • chore: fix bool-compare issues from testifylint 071558d (Matthieu MOREL)
  • chore: enable perfsprint linter 6249489 (Matthieu MOREL)
  • ignore error plugin loads (cli, getter) 47a0840 (George Jenkins)
  • chore(deps): bump golang.org/x/crypto from 0.48.0 to 0.49.0 3d06fd1 (dependabot[bot])
  • fix(kube): remove legacy import comments from test files e64d628 (Terry Howe)
  • pkg/kube: remove legacy import comments d7cdc9e (abhay1999)
  • fix: Plugin version path traversal 36dcc27 (George Jenkins)
  • chore(deps): bump golang.org/x/term from 0.40.0 to 0.41.0 c4be7af (dependabot[bot])
  • chore: fix some minor issues in the comments 259f181 (tsinglua)
  • fix: Chart dot-name path bug [6018499](https://

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "before 3am on sunday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
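
The Echo release notes quoted in the comment above describe a mismatch between route matching on the escaped path and static file lookup on the unescaped path. The following added example (not part of the PR, and not Echo's own code) models that mismatch with the Go standard library only; `underAdmin`, `resolve`, `serve`, the in-memory file tree and the unescape-then-clean order are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"io/fs"
	"net/url"
	"path"
	"strings"
	"testing/fstest"
)

// Constructed in-memory copy of the public/ folder from the release notes,
// plus one file whose name contains a space (the migration case).
var public = fstest.MapFS{
	"index.html":        {Data: []byte("index")},
	"text.txt":          {Data: []byte("text")},
	"admin/private.txt": {Data: []byte("secret")},
	"hello world.txt":   {Data: []byte("hello")},
}

// underAdmin reports whether a resolved name is the admin folder or below it.
func underAdmin(p string) bool {
	return p == "/admin" || strings.HasPrefix(p, "/admin/")
}

// resolve models the name a static handler looks up: optionally unescape the
// request path, then clean it (assumed order for this model).
func resolve(escapedPath string, unescape bool) (string, error) {
	p := escapedPath
	if unescape {
		var err error
		if p, err = url.PathUnescape(p); err != nil {
			return "", err
		}
	}
	return path.Clean("/" + p), nil
}

// serve returns the HTTP status this model produces for one request path.
// unescape:   static serving decodes %XX before file lookup (the opt-in).
// mountGuard: authorization runs on the static mount itself, against the
//             resolved name, instead of relying only on the sibling route.
func serve(escapedPath string, unescape, mountGuard bool) int {
	// Sibling route GET /admin/*: matched on the escaped path as received,
	// so "%2f" is not treated as a separator here.
	if strings.HasPrefix(escapedPath, "/admin/") {
		return 403
	}
	name, err := resolve(escapedPath, unescape)
	if err != nil {
		return 400
	}
	if mountGuard && underAdmin(name) {
		return 403
	}
	if _, err := fs.ReadFile(public, strings.TrimPrefix(name, "/")); err != nil {
		return 404
	}
	return 200
}

func main() {
	paths := []string{
		"/text.txt",
		"/admin/private.txt",
		"/admin%2fprivate.txt",
		"/assets/../admin%2fprivate.txt",
		"/hello%20world.txt",
	}
	for _, p := range paths {
		fmt.Printf("%-32s unescape=%d no-unescape=%d unescape+mountGuard=%d\n", p,
			serve(p, true, false), serve(p, false, false), serve(p, true, true))
	}
}
```

With unescaping off, the encoded-separator requests fall through to a 404; with unescaping on, only the guard attached to the mount returns 403 for them.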

@renovate renovate Bot force-pushed the renovate/major-go-major-updates branch 3 times, most recently from b57315c to ee66195 Compare February 9, 2026 18:51
@renovate renovate Bot force-pushed the renovate/major-go-major-updates branch 2 times, most recently from dc44a2a to b30ccb5 Compare February 15, 2026 18:08
@renovate renovate Bot force-pushed the renovate/major-go-major-updates branch from b30ccb5 to 90b8eee Compare March 1, 2026 07:34
@renovate renovate Bot force-pushed the renovate/major-go-major-updates branch 3 times, most recently from 10bd318 to 6d730e3 Compare March 15, 2026 05:07
@renovate renovate Bot force-pushed the renovate/major-go-major-updates branch from 6d730e3 to 7a81fb1 Compare March 30, 2026 14:01
@renovate renovate Bot changed the title fix(deps): update go major updates (major) fix(deps): update module helm.sh/helm/v3 to v4 Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/major-go-major-updates branch from 7a81fb1 to 4cb723f Compare March 30, 2026 17:14
@renovate renovate Bot changed the title fix(deps): update module helm.sh/helm/v3 to v4 fix(deps): update go major updates (major) Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/major-go-major-updates branch 2 times, most recently from 59f577f to f072eb9 Compare April 5, 2026 05:21
@renovate renovate Bot force-pushed the renovate/major-go-major-updates branch 2 times, most recently from 5c392e7 to d635612 Compare April 12, 2026 05:43
@renovate renovate Bot force-pushed the renovate/major-go-major-updates branch from d635612 to cbf4f46 Compare May 1, 2026 20:30
renovate Bot commented May 1, 2026


ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 38 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.25.1 -> 1.26.0
github.com/labstack/echo/v5 v5.2.1 -> v5.2.1
helm.sh/helm/v4 v4.2.2 -> v4.2.2
k8s.io/api v0.35.3 -> v0.36.2
k8s.io/apiextensions-apiserver v0.35.3 -> v0.36.2
k8s.io/apimachinery v0.35.3 -> v0.36.2
k8s.io/cli-runtime v0.35.3 -> v0.36.2
k8s.io/client-go v0.35.3 -> v0.36.2
sigs.k8s.io/controller-runtime v0.23.3 -> v0.24.1
github.com/Masterminds/semver/v3 v3.4.0 -> v3.5.0
github.com/containerd/containerd v1.7.30 -> v1.7.32
github.com/emicklei/go-restful/v3 v3.12.2 -> v3.13.0
github.com/fatih/color v1.18.0 -> v1.19.0
github.com/klauspost/compress v1.18.2 -> v1.18.4
github.com/lib/pq v1.10.9 -> v1.12.3
github.com/moby/spdystream v0.5.0 -> v0.5.1
github.com/sirupsen/logrus v1.9.3 -> v1.9.4
go.yaml.in/yaml/v2 v2.4.3 -> v2.4.4
golang.org/x/crypto v0.47.0 -> v0.53.0
golang.org/x/mod v0.32.0 -> v0.36.0
golang.org/x/net v0.49.0 -> v0.55.0
golang.org/x/oauth2 v0.34.0 -> v0.36.0
golang.org/x/sync v0.19.0 -> v0.21.0
golang.org/x/sys v0.40.0 -> v0.46.0
golang.org/x/term v0.39.0 -> v0.44.0
golang.org/x/text v0.33.0 -> v0.38.0
golang.org/x/time v0.14.0 -> v0.15.0
golang.org/x/tools v0.41.0 -> v0.45.0
google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 -> v0.0.0-20260406210006-6f92a3bedf2d
google.golang.org/grpc v1.78.0 -> v1.80.0
google.golang.org/protobuf v1.36.11 -> v1.36.12-0.20260120151049-f2248ac996af
k8s.io/apiserver v0.35.3 -> v0.36.2
k8s.io/component-base v0.35.3 -> v0.36.2
k8s.io/klog/v2 v2.130.1 -> v2.140.0
k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 -> v0.0.0-20260317180543-43fb72c5454a
k8s.io/kubectl v0.35.1 -> v0.36.2
k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 -> v0.0.0-20260210185600-b8788abfbbc2
oras.land/oras-go/v2 v2.6.0 -> v2.6.1
sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 -> v6.3.2

@renovate renovate Bot force-pushed the renovate/major-go-major-updates branch from cbf4f46 to ee5d8f2 Compare May 14, 2026 01:37
@renovate renovate Bot force-pushed the renovate/major-go-major-updates branch 4 times, most recently from fce7c66 to b31ffa1 Compare June 18, 2026 01:13
@renovate renovate Bot changed the title fix(deps): update go major updates (major) fix(deps): update module github.com/labstack/echo/v4 to v5 Jun 25, 2026
@renovate renovate Bot force-pushed the renovate/major-go-major-updates branch from b31ffa1 to 7695f9f Compare June 25, 2026 10:44
@renovate renovate Bot force-pushed the renovate/major-go-major-updates branch from 7695f9f to 3cf7e2b Compare June 25, 2026 13:58
@renovate renovate Bot changed the title fix(deps): update module github.com/labstack/echo/v4 to v5 fix(deps): update go major updates (major) Jun 25, 2026