chore(deps): update module helm.sh/helm/v3 to v4

[red-hat-konflux]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
helm.sh/helm/v3	v3.21.0 → v4.2.0

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

helm/helm (helm.sh/helm/v3)

v4.2.0: Helm v4.2.0

Compare Source

Helm v4.2.0 is a feature release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:
  • for questions and just to hang out
  • for discussing PRs, code, and bugs
• Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
• Test, debug, and contribute charts: ArtifactHub/packages

Notable Changes

• Switch to goreleaser for release builds
• Kubernetes client libraries to v1.36
• Add mustToToml template function
• deprecate unused --hide-notes and --render-subchart-notes flags
• --dry-run=server now respects generateName:

Installation and Upgrading

Download Helm v4.2.0. The common platform binaries are here:

• MacOS amd64 (checksum / 1376ea697140e4db316736e760d5a47d12afc1524dce704476ef06fd7fdeddc6)
• MacOS arm64 (checksum / f13f959015447b6bc309f9fd506509926543988a39035c088b52522ec95e2acb)
• Linux amd64 (checksum / 97dbeb971be4ac4b27e3839976d9564c0fb35c6f3b1da89dd1e292d236af4096)
• Linux arm (checksum / ae624870b2d50e655b6462daff117eb9d28c4bad45234ef24c1275113540fcb0)
• Linux arm64 (checksum / 1f8de130dfbd04de64978e7b852a7a547be1404956a366608276d2520b678670)
• Linux i386 (checksum / 9cf44acc59081aca98b4d9f09138348836b26761258e02ad2b99616f66eead5c)
• Linux loong64 (checksum / 5b04f0167b8b415a057c1f4f809ede86d5ead840e0aa560db097da5be19f86d0)
• Linux ppc64le (checksum / 48f0637b93247717b725e8d4a8d2cf8df0e2fdea91bdd0e36e2426c2d5c76e4e)
• Linux s390x (checksum / 328e9ed27904f9910026240c4311bb1b0bf91c6fde1634f212097694507a702f)
• Linux riscv64 (checksum / 5d292d57ab1f40e47e373a87187bafa66e8daac4ddc4a1333421c174e8184755)
• Windows amd64 (checksum / 614f68ddc567ac9bfb0c205f869b1f83ba4e0a9aacd26cbae47743ae6082a579)
• Windows arm64 (checksum / e740e4c19b6e2a0b428f7a52c38b7f0b092f0c43ac49870537d7e7fac9cedc07)

This release was signed by @​gjenkins8 with key BF88 8333 D96A 1C18 E268 2AAE D79D 67C9 EC01 6739, which can be found at https://keys.openpgp.org/vks/v1/by-fingerprint/BF888333D96A1C18E2682AAED79D67C9EC016739. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

• 4.2.1 will contain only bug fixes
• 4.3.0 is the next feature release

Changelog

• Bump to version v4.2 0646808 (George Jenkins)
• build: Clean up Goreleaser change (#​32098) e23bf3a (Scott Rigby)
• fix: add -extldflags -static to dist target to match build-cross f60ab7c (Terry Howe)
• build: use goreleaser build with manual archive creation 64aa46f (Terry Howe)
• chore: remove build-cross dependency from test-acceptance d199a1a (Terry Howe)
• ci: add fetch-depth 0 to canary checkout for goreleaser 8289940 (Terry Howe)
• fix: address goreleaser build issues flagged in review c075022 (Terry Howe)
• fix: pass VERSION as GORELEASER_CURRENT_TAG to preserve v-prefix in archive names 04885dd (Terry Howe)
• fix: disable goreleaser checksums.txt and restrict zip to windows only 93103ce (Terry Howe)
• fix: use index for optional env var in version_template e49a1dc (Terry Howe)
• fix: canary build file names eaa0910 (Terry Howe)
• Fix archive name 5a75279 (Terry Howe)
• fix goreleaser archive 37284a9 (Terry Howe)
• add support for loong64 45336cc (Terry Howe)
• fix artifact directory a9659b0 (Terry Howe)
• update configuration to v2 e368f17 (Terry Howe)
• remove GOTOOLCHAIN e7bea85 (Terry Howe)
• chore: replace mitchellh/gox with goreleaser 075c096 (Terry Howe)
• chore(deps): bump github.com/distribution/distribution/v3 12f2c41 (dependabot[bot])
• chore(deps): bump github/codeql-action from 4.35.2 to 4.35.3 58e8ffd (dependabot[bot])
• chore(deps): bump github.com/Masterminds/semver/v3 from 3.4.0 to 3.5.0 e61bbfb (dependabot[bot])
• Upgrade kstatus to 1.2 and controller-runtime to 0.24 081c6df (Matheus Pimenta)
• fix: adds topLevel permissions to improve openSSF scores 277d970 (Gagan H R)
• Upgrade Go to 1.26, Kubernetes to 1.36, kstatus to 1.1 a4a9cc7 (Matheus Pimenta)
• fix(templating): hooks conflicting with templates in post-renderers (#​32049) 8f56f24 (Matheus Pimenta)
• docs: fix grammar and spacing in CONTRIBUTING.md db40adb (Mohit)
• chore(deps): bump the k8s-io group with 7 updates 775e794 (dependabot[bot])
• chore(deps): bump github/codeql-action from 4.35.1 to 4.35.2 934ace3 (dependabot[bot])
• fix(templating): SplitManifests must preserve line endings for downstream YAML parsers (#​31952) 265c5eb (Matheus Pimenta)
• chore(deps): bump github.com/mattn/go-shellwords from 1.0.12 to 1.0.13 48e2b7d (dependabot[bot])
• Update pkg/chart/common/util/coalesce.go a8e2497 (Evans Mungai)
• test(values): Add test for nil cleanup in partially overridden subchart maps 52fc971 (Johannes Lohmer)
• fix(values): do not copy chart-default nils into coalesced values 0063877 (Johannes Lohmer)
• test(values): add test for subchart nil producing %!s() 6eb4ebf (Johannes Lohmer)
• test(values): add tests for subchart nil value regressions 5cb4e7d (Johannes Lohmer)
• chore(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 b5c7c80 (dependabot[bot])
• fix(templating): fix wrong YAML separator parsing for post-renderers (#​31941) a27f1ad (Matheus Pimenta)
• fix: add debug logging to HTTP getter for helm pull c26be60 (Cairon)
• chore(deps): bump golang.org/x/crypto from 0.49.0 to 0.50.0 953f5f0 (dependabot[bot])
• chore(deps): bump golang.org/x/term from 0.41.0 to 0.42.0 10fc5f3 (dependabot[bot])
• chore(deps): bump golang.org/x/text from 0.35.0 to 0.36.0 d89e7c6 (dependabot[bot])
• chore: Update release notes script for Helm v4 8a95461 (George Jenkins)
• refactor(cli): share RetryingRoundTripper via pkg/kubeenv 213c869 (Sumit Solanki)
• chore(deps): bump github.com/lib/pq from 1.12.2 to 1.12.3 bd5027a (dependabot[bot])
• fix: unnecessary-format lint issues from merge 087736b (George Jenkins)
• fix: Plugin missing provenance bypass 586eb57 (George Jenkins)
• chore(deps): bump github.com/fluxcd/cli-utils c8c5dfa (dependabot[bot])
• chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp 998466c (dependabot[bot])
• chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp b0cec58 (dependabot[bot])
• chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp 6ebfb29 (dependabot[bot])
• test(kube): fix flaky WaitForDelete test by avoiding informer sync race a7f8443 (Terry Howe)
• test(kube): fix flaky WaitForDelete timing in status wait tests 4c0d21f (Terry Howe)
• chore(deps): bump github.com/distribution/distribution/v3 08dea9c (dependabot[bot])
• Minor nit: fix import instructions to comply with canonical import paths de58531 (Anmol Virdi)
• chore(deps): bump github.com/distribution/distribution/v3 9b1ad4c (dependabot[bot])
• fix(action): return correct error variable in prepareUpgrade 8ef2d45 (Rhys McNeill)
• chore(deps): bump github.com/lib/pq from 1.12.1 to 1.12.2 cd7cf76 (dependabot[bot])
• chore(deps): bump github/codeql-action from 4.30.7 to 4.35.1 45ee55b (dependabot[bot])
• chore(deps): bump github.com/lib/pq from 1.12.0 to 1.12.1 9a06741 (dependabot[bot])
• chore(deps): bump actions/setup-go from 6.2.0 to 6.4.0 d1e31ca (dependabot[bot])
• fix(kube): clarify server-side apply patch errors f257c95 (abhay1999)
• fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow 7025480 (Terry Howe)
• refactor(cli): decouple EnvSettings from pkg/kube 64f1d0a (Sumit Solanki)
• docs(registry): fix incorrect and improve clarity of comments in client.go 85bf56e (Debasish Mohanty)
• refactor(cli): decouple EnvSettings from pkg/kube to avoid import cycles 1549937 (Sumit Solanki)
• chore(deps): bump github.com/ProtonMail/go-crypto from 1.3.0 to 1.4.1 c7a75b1 (dependabot[bot])
• chore(deps): bump github.com/lib/pq from 1.11.2 to 1.12.0 3a7573a (dependabot[bot])
• chore(deps): bump github.com/fatih/color from 1.18.0 to 1.19.0 0229da1 (dependabot[bot])
• docs(engine): fix misleading toTOML doc comment c1a5a6e (Ilya Kiselev)
• feat(engine): add mustToToml template function b075f7a (Ilya Kiselev)
• chore: fix unnecessary-format issues from revive 7edfff3 (Matthieu MOREL)
• chore(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.3 37185d2 (dependabot[bot])
• chore: fix bool-compare issues from testifylint 071558d (Matthieu MOREL)
• chore: enable perfsprint linter 6249489 (Matthieu MOREL)
• ignore error plugin loads (cli, getter) 47a0840 (George Jenkins)
• chore(deps): bump golang.org/x/crypto from 0.48.0 to 0.49.0 3d06fd1 (dependabot[bot])
• fix(kube): remove legacy import comments from test files e64d628 (Terry Howe)
• pkg/kube: remove legacy import comments d7cdc9e (abhay1999)
• fix: Plugin version path traversal 36dcc27 (George Jenkins)
• chore(deps): bump golang.org/x/term from 0.40.0 to 0.41.0 c4be7af (dependabot[bot])
• chore: fix some minor issues in the comments 259f181 (tsinglua)
• fix: Chart dot-name path bug 6018499 (George Jenkins)
• chore(deps): bump sigs.k8s.io/controller-runtime from 0.23.1 to 0.23.3 74e7cf8 (dependabot[bot])
• fix: insert newline after doc separators glued to content by template trimming af94abf (Matheus Pimenta)
• chore(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 16073b1 (dependabot[bot])
• chore: enable modernize linter (#​31860) e31a078 (Matthieu MOREL)
• Restored --atomic flag on install command 16573f8 (Travis Leeden)
• fix: bump go.opentelemetry.io/otel/sdk to v1.40.0 for GO-2026-4394 b550ce9 (Terry Howe)
• fix: bump fluxcd/cli-utils to v0.37.2-flux.1 1dfa77e (Terry Howe)
• Update pkg/cmd/status.go 5d40f17 (Matthieu MOREL)
• chore(internal): enable perfsprint linter (#​31871) d4f6193 (Matthieu MOREL)
• chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 82d9bed (dependabot[bot])
• chore(pkg): fix perfsprint linter issues part 6 dc0e3f1 (Matthieu MOREL)
• chore(pkg): enable perfsprint linter e3c74fd (Matthieu MOREL)
• chore(pkg): enable perfsprint linter 1d2d63c (Matthieu MOREL)
• chore(pkg): enable perfsprint linter 63f03c0 (Matthieu MOREL)
• chore(pkg): enable perfsprint linter c25c988 (Matthieu MOREL)
• chore(pkg): enable perfsprint linter 0fecfd0 (Matthieu MOREL)
• chore(internal): enable perfsprint linter 6524162 (Matthieu MOREL)
• chore(pkg): enable perfsprint linter 6c2cb2f (Matthieu MOREL)
• chore(internal): enable perfsprint linter 9409226 (Matthieu MOREL)
• Replace unneeded use of t.Fatalf with t.Fatal 36cb3a2 (Mads Jensen)
• fix: enable nolinlint linter 5b6c6bb (Matthieu MOREL)
• fixup strings.Cut variables b667317 (George Jenkins)
• chore: Improve AGENTS.md 956c724 (George Jenkins)
• chore: fixes 92b64e8 (George Jenkins)
• fix: correct import comment in statuswait.go from v3 to v4 c59c140 (rohansood10)
• fix: handle OCI digest algorithm prefix in chart downloader (#​31601) ee01860 (Evans Mungai)
• chore(deps): bump actions/stale from 10.1.1 to 10.2.0 304d25f (dependabot[bot])
• chore(deps): bump the k8s-io group with 7 updates 0b13436 (dependabot[bot])
• feat(release): add internal/release/v2 package for chart v3 support (#​31709) 4a91f3a (Evans Mungai)
• chore(deps): bump golang.org/x/crypto from 0.47.0 to 0.48.0 7823853 (dependabot[bot])
• chore(deps): bump golang.org/x/term from 0.39.0 to 0.40.0 aec7ace (dependabot[bot])
• chore(deps): bump github.com/lib/pq from 1.11.1 to 1.11.2 a23b638 (dependabot[bot])
• chore(deps): bump golang.org/x/text from 0.33.0 to 0.34.0 5cddc95 (dependabot[bot])
• chore(deps): bump sigs.k8s.io/kustomize/kyaml from 0.21.0 to 0.21.1 2e266c3 (dependabot[bot])
• fix(pkg): errorlint linter 259f76a (Matthieu MOREL)
• fix(internal): errorlint linter 0254182 (Matthieu MOREL)
• fix(pkg): errorlint linter 6d1490e (Matthieu MOREL)
• fix(pkg): errorlint linter 4d0ae7f (Matthieu MOREL)
• fix(internal): errorlint linter abecafa (Matthieu MOREL)
• fix(pkg): errorlint linter 4330bde (Matthieu MOREL)
• fix(pkg): errorlint linter c8989d9 (Matthieu MOREL)
• fix(cmd): errorlint linter edbd705 (Matthieu MOREL)
• chore: new KEYS entry for George Jenkins 5638c35 (George Jenkins)
• fix(downloader): safely handle concurrent file writes on Windows 76eb37c (Orgad Shaneh)
• fix(install): check nil for restClientGetter and fix tests 9817a68 (Manuel Alonso)
• feat(create): add --chart-api-version flag (when HELM_EXPERIMENTAL_CHART_V3 env var is set) (#​31592) 5aac320 (Evans Mungai)
• chore(pkg): fix modernize linter 0d75d86 (Matthieu MOREL)
• chore(internal): fix modernize linter 859292e (Matthieu MOREL)
• chore(pkg): fix modernize linter 5cc2e55 (Matthieu MOREL)
• chore(pkg): fix modernize linter ba38159 (Matthieu MOREL)
• chore(internal): fix modernize linter e2d184c (Matthieu MOREL)
• chore(pkg): fix modernize linter 111d4e6 (Matthieu MOREL)
• add image index test e8f386b (Pedro Tôrres)
• fix pulling charts from OCI indices d983696 (Pedro Tôrres)
• chore(deps): bump github.com/lib/pq from 1.10.9 to 1.11.1 9c9c3a6 (dependabot[bot])
• Revert "Consider GroupVersionKind when matching resources" 787b61c (Matheus Pimenta)
• chore(deps): bump sigs.k8s.io/controller-runtime from 0.23.0 to 0.23.1 becf9bf (dependabot[bot])
• fix(template): deprecate unused --hide-notes and --render-subchart-notes flags 6d5f56f (Scott Rigby)
• chore(deps): bump github.com/fluxcd/cli-utils b53198e (dependabot[bot])
• chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 b59e533 (dependabot[bot])
• whitespace ec07265 (Austin Abro)
• fix(copystructure): handle nil elements in slice copying e3829eb (Philipp Born)
• use logger with waiter 63b40a7 (Austin Abro)
• feat(kstatus): fine-grained context options for waiting b0b35f1 (Matheus Pimenta)
• Apply suggestions from code review 26e28e8 (George Jenkins)
• Remove legacy sync-repo.sh script 97fd007 (Jeevan Yewale)
• chore(deps): bump sigs.k8s.io/controller-runtime from 0.22.4 to 0.23.0 5262007 (dependabot[bot])
• docs: document uninstall using cascade foreground flag e70d59d (Evans Mungai)
• bugfix(kstatus): do not wait forever on failed resources bbec77c (Matheus Pimenta)
• Modernize Helm v3 CONTRIBUTING.md 443a2a6 (George Jenkins)
• chore(defaults): server-side apply SDK defaults should always match the CLI defaults c1cc625 (Matheus Pimenta)
• chore: clarify --wait flag help text 828038a (Evans Mungai)
• chore(deps): bump actions/setup-go from 6.1.0 to 6.2.0 e223771 (dependabot[bot])
• chore(refactor): better testing and functionality for installing crd 6501ef4 (Manuel Alonso)
• bugfix(storage): fix storage not getting logger from driver a8eb527 (Matheus Pimenta)
• chore(deps): bump golang.org/x/crypto from 0.46.0 to 0.47.0 da1d68a (dependabot[bot])
• fix(test): fix tests and check nil for restclient 0f949a9 (Manuel Alonso)
• fix(test): merge fix correctly 561410a (Manuel Alonso Gonzalez)
• Remove refactorring changes from coalesce_test.go 0298b2f (Evans Mungai)
• Fix import b8937ad (Evans Mungai)
• Update pkg/chart/common/util/coalesce_test.go a333bba (Evans Mungai)
• Fix rollback for missing resources 374aeb4 (Feruzjon Muyassarov)
• fix(install): add more tests and check nil file data 00f0a48 (Manuel Alonso)
• fix(test): no check empty resources 0357e8d (Manuel Alonso)
• fix(install): check lenght and file nil, add tests 52235cc (Manuel Alonso)
• fix(action): crd resources can be empty 268593b (Manuel Alonso)
• fix: casing issue fixed 1709114 (Mujib Ahasan)
• fix: error handled correctly 9486062 (Mujib Ahasan)
• fix: doc string added 12e8b71 (Mujib Ahasan)
• Fix lint warning 3416dd5 (Evans Mungai)
• Preserve nil values in chart already 679f051 (Evans Mungai)
• fix(values): preserve nil values when chart default is empty map 292fe70 (Evans Mungai)
• update: test coverage added for helper function validateNameAndGenerateName 1154099 (Mujib Ahasan)
• update: helper function added for the business logic 522d2fe (Mujib Ahasan)
• generateName is also considered in logic 6769fb6 (Mujib Ahasan)
• fxi: test concurrency download index 64bae71 (Terry Howe)
• update: business logic respected for skipping object missing name b357bca (Mujib Ahasan)
• fixed: --dry-run=server now respect generateName 2820ebe (Mujib Ahasan)
• Make error message instructional for the case of lock file being out of date 1836c59 (Andreas Sommer)

New Contributors

• @​JeevanYewale made their first contribution in #​31742
• @​tamcore made their first contribution in #​31751
• @​orgads made their first contribution in #​31128
• @​manute made their first contribution in #​31578
• @​Mujib-Ahasan made their first contribution in #​31563
• @​rohansood10 made their first contribution in #​31852
• @​tleed5 made their first contribution in #​31901
• @​tsinglua made their first contribution in #​31921
• @​abhay1999 made their first contribution in #​31931
• @​Mentigen made their first contribution in #​31957
• @​Debasish-87 made their first contribution in #​31973
• @​AnmolVirdi made their first contribution in #​32014
• @​Y0-L0 made their first contribution in #​31979
• @​MohitSalvi16 made their first contribution in #​32057
• @​rhysmcneill made their first contribution in #​32008
• @​cairon-ab made their first contribution in #​32034
• @​gaganhr94 made their first contribution in #​31923
• @​isumitsolanki made their first contribution in #​31970

Full Changelog: helm/helm@v4.1.0...v4.2.0

v4.1.4: Helm v4.1.4

Compare Source

Helm v4.1.4 is a security fix patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:
  • for questions and just to hang out
  • for discussing PRs, code, and bugs
• Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
• Test, debug, and contribute charts: ArtifactHub/packages

Security fixes

• GHSA-hr2v-4r36-88hr Helm Chart extraction output directory collapse via Chart.yaml name dot-segment
• GHSA-q5jf-9vfq-h4h7 Plugin verification fails open when .prov is missing, allowing unsigned plugin install
• GHSA-vmx8-mqv2-9gmg Path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory

A big thank you to the reporters of these issues (@​maru1009, @​1seal).

Installation and Upgrading

Download Helm v4.1.4. The common platform binaries are here:

• MacOS amd64 (checksum / abf09c8503ad1d8ef76d3737a058c3456a998aae5f5966fce4bb3031aeb1654e)
• MacOS arm64 (checksum / 7c2eca678e8001fa863cdf8cbf6ac1b3799f9404a89eb55c08260ef5732e658d)
• Linux amd64 (checksum / 70b2c30a19da4db264dfd68c8a3664e05093a361cefd89572ffb36f8abfa3d09)
• Linux arm (checksum / c4a7d37032379cc7e82c9c76487d1041b193c9a0fbb4b8f3790230899b830a4f)
• Linux arm64 (checksum / 13d03672be289045d2ff00e4e345d61de1c6f21c1257a45955a30e8ae036d8f1)
• Linux i386 (checksum / 3e9bcefb85293854367bea931d669bb742974bbd978b3960df921ed129ff40f9)
• Linux ppc64le (checksum / 35a48f5db5c655b4471b37be75e76bfb2b23fc8a95d0fa2f0f344f0694336358)
• Linux s390x (checksum / c5653d0b3687f008dc48f80219906b574af3b623ddc114f92383327299ad935e)
• Linux riscv64 (checksum / 9d747ed5761a6a5c15aa7ad108b65aee917d8e33448690e83a6451b6a48748e6)
• Windows amd64 (checksum / bd60f567f667631a2c9b698dfabe5e3cd52eaaf4264163c0a9cae566db8560e8)
• Windows arm64 (checksum / d0a651026da4a26b28bdfc3d455ce3dfacbc267182dc2225c2172b1dcc549643)

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

• 4.1.5 and 3.20.3 are the next patch (bug fix) releases and will be on April 8, 2026
• 4.2.0 and 3.21.0 are the next minor (feature) releases and will be on May 13, 2026

Changelog

• fix: Plugin missing provenance bypass 05fa379 (George Jenkins)
• fix: Chart dot-name path bug 4e7994d (George Jenkins)
• ignore error plugin loads (cli, getter) 2581943 (George Jenkins)
• fix: Plugin version path traversal 36c8539 (George Jenkins)
• fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow c61e086 (Terry Howe)

v4.1.3: Helm v4.1.3

Compare Source

Helm v4.1.3 is a patch release. Users are encouraged to upgrade for the best experience.

Note there was no 4.1.2 release due to a release automation issue.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:
  • for questions and just to hang out
  • for discussing PRs, code, and bugs
• Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
• Test, debug, and contribute charts: ArtifactHub/packages

Notable Changes

• Fixed a bug where --dry-run=server was not respecting generateName #​31563
• Fixed a bug where empty CRD resources caused a crash. Now it prints an error #​31578
• Fixed a bug where OCI references with tag+digest failed with "invalid byte" error #​31601
• Fixed a bug where user-provided nil value was not preserved when chart has an empty map or no default for a key #​31644
• Fixed a regression since Helm 3.18.0 where Pulling charts from OCI repositories that use an index to store both Container Images and Helm Charts under the same tag failed #​31776
• Fixed a Helm 4 regression where gotemplate white space trimming directly after YAML doc separators, when present after postrendering, caused YAML file corruption #​31868
• Fixed a bug where FailedStatus is treated as a terminal state, causing upgrades to fail prematurely when cluster autoscalers needed time to provision nodes, or when pods were being deleted during rolling updates #​31897
• Fixed broken backwards compatibility for deprecated --atomic flag on install command #​31901
• SDK: Fixed a Windows 'Access Deined' error if multiple processes try to download the same chart version concurrently #​31128
• SDK: Fixed a bug where users did not receive any logs from the waiter, causing confusion as several minutes could pass with no user feedback #​31717
• SDK: Fixed a bug where server-side apply defaults did not always match the CLI defaults #​31732
• SDK: Fixed a Go import issue when downstream tooling attempted to vendor helm.sh/helm/v4/pkg/kube #​31852

Installation and Upgrading

Download Helm v4.1.3. The common platform binaries are here:

• MacOS amd64 (checksum / 742132e11cc08a81c97f70180cd714ae8376f8c896247a7b14ae1f51838b5a0b)
• MacOS arm64 (checksum / 21c02fe2f7e27d08e24a6bf93103f9d2b25aab6f13f91814b2cfabc99b108a5e)
• Linux amd64 (checksum / 02ce9722d541238f81459938b84cf47df2fdf1187493b4bfb2346754d82a4700)
• Linux arm (checksum / 5ea614cd1562e682e213e07f3632b76f9d7b4b0917918e820c515a9030a59951)
• Linux arm64 (checksum / 5db45e027cc8de4677ec869e5d803fc7631b0bab1c1eb62ac603a62d22359a43)
• Linux i386 (checksum / 6cbf1f7cca1f4917a0d4a593a22b7c6ec88207e159196eac94f8eaaad8730431)
• Linux loong64 (checksum / BlobNotFoundThe specified blob does not exist.
  RequestId:a97d6fdb-301e-0045-72a5-b120d7000000
  Time:2026-03-11T22:20:16.6057319Z)
• Linux ppc64le (checksum / 413c21ea07f85beb952807b45cafbcd3bb0ff50aa3ed66e8e87b47bebf2312ce)
• Linux s390x (checksum / c1a5c613429ca50e70ebed3e7535d272805ed4a7aa61c1af20d85121a07e7bcd)
• Linux riscv64 (checksum / 0a0beb5b30c24947d71586a7c6bcd774e207ce42b072b046513cf0cff46106a8)
• Windows amd64 (checksum / a69356c872fca122650e8c392341c5c49c19da004353514611118087ea2ee7cf)
• Windows arm64 (checksum / 6b05bec8659014df56ede28068a216451b6401d0fbbfd2dadffbef908cd03ff5)

This release was signed with 208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155 and can be found at @​scottrigby keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

• 4.2.0 and 3.21.0 are the next minor releases and will be on May 13, 2026
• 4.1.4 and 3.20.2 are the next patch releases and will be on April 8, 2026

Changelog

• chore(defaults): server-side apply SDK defaults should always match the CLI defaults c94d381 (Matheus Pimenta)
• whitespace b36d660 (Austin Abro)
• use logger with waiter 04a91af (Austin Abro)
• Remove refactorring changes from coalesce_test.go c3c57db (Evans Mungai)
• Fix import d47cb2b (Evans Mungai)
• Update pkg/chart/common/util/coalesce_test.go 790bf92 (Evans Mungai)
• Fix lint warning f7cec12 (Evans Mungai)
• Preserve nil values in chart already d94a5c9 (Evans Mungai)
• fix(values): preserve nil values when chart default is empty map 8c5fe4e (Evans Mungai)
• chore(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 217db28 (dependabot[bot])
• Restored --atomic flag on install command 7cb43e0 (Travis Leeden)
• fix: bump go.opentelemetry.io/otel/sdk to v1.40.0 for GO-2026-4394 5b26d4f (Terry Howe)
• fix: bump fluxcd/cli-utils to v0.37.2-flux.1 360c131 (Terry Howe)
• chore(deps): bump sigs.k8s.io/kustomize/kyaml from 0.21.0 to 0.21.1 69a0a92 (dependabot[bot])
• fix: insert newline after doc separators glued to content by template trimming b868e6a (Matheus Pimenta)
• fix: correct import comment in statuswait.go from v3 to v4 dbfbea9 (rohansood10)
• chore(deps): bump the k8s-io group with 7 updates 099192c (dependabot[bot])
• add image index test 4967ead (Pedro Tôrres)
• fix pulling charts from OCI indices 2fe6b10 (Pedro Tôrres)
• fix: handle OCI digest algorithm prefix in chart downloader (#​31601) e3e2d01 (Evans Mungai)
• fix(install): check nil for restClientGetter and fix tests c15e711 (Manuel Alonso)
• chore(refactor): better testing and functionality for installing crd df82e68 (Manuel Alonso)
• fix(test): fix tests and check nil for restclient 4b896ca (Manuel Alonso)
• fix(test): merge fix correctly 3fc7939 (Manuel Alonso Gonzalez)
• fix(install): add more tests and check nil file data 6017d2b (Manuel Alonso)
• fix(test): no check empty resources f451967 (Manuel Alonso)
• fix(install): check lenght and file nil, add tests fdadff5 (Manuel Alonso)
• fix(action): crd resources can be empty 10d6067 (Manuel Alonso)
• fix: casing issue fixed 0fec40f (Mujib Ahasan)
• fix: error handled correctly 2637498 (Mujib Ahasan)
• fix: doc string added 961d7d7 (Mujib Ahasan)
• update: test coverage added for helper function validateNameAndGenerateName 29e4506 (Mujib Ahasan)
• update: helper function added for the business logic d55b0b9 (Mujib Ahasan)
• generateName is also considered in logic c1c090e (Mujib Ahasan)
• update: business logic respected for skipping object missing name 5e09313 (Mujib Ahasan)
• fixed: --dry-run=server now respect generateName f289d16 (Mujib Ahasan)
• fix(downloader): safely handle concurrent file writes on Windows [bfac739](https://redirect.github.com/helm/helm/commit/bfac73

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[red-hat-konflux]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 9 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.0 -> 1.26.0
k8s.io/api	v0.35.1 -> v0.36.0
k8s.io/apiextensions-apiserver	v0.35.1 -> v0.36.0
k8s.io/apimachinery	v0.35.1 -> v0.36.0
k8s.io/client-go	v0.35.1 -> v0.36.0
sigs.k8s.io/controller-runtime	v0.23.3 -> v0.24.0
k8s.io/apiserver	v0.35.1 -> v0.36.0
k8s.io/cli-runtime	v0.35.1 -> v0.36.0
k8s.io/component-base	v0.35.1 -> v0.36.0
k8s.io/kubectl	v0.35.1 -> v0.36.0

[sourcery-ai]

Reviewer's Guide

Updates the project to Go 1.26 and aligns Kubernetes, Helm, and related ecosystem dependencies with versions compatible with Helm v4, pulling in the newer Docker/distribution, OpenTelemetry, and JSON schema tooling stacks while cleaning up some older indirect dependencies.

File-Level Changes

Change	Details	Files
Bump Go toolchain and Kubernetes controller stack to versions compatible with Helm v4.	Update Go version requirement from 1.25.0 to 1.26.0. Upgrade core Kubernetes modules (api, apiextensions-apiserver, apimachinery, client-go) from v0.35.1 to v0.36.0. Upgrade sigs.k8s.io/controller-runtime from v0.23.3 to v0.24.0. Align k8s.io/apiserver, cli-runtime, component-base, kubectl indirect dependencies to v0.36.0.	go.mod go.sum
Adjust Helm dependency and registry/client ecosystem for Helm v4 compatibility.	Change indirect helm.sh/helm/v3 requirement from v3.21.0 to v3.16.4 as pulled in by upstream Helm operator plugins targeting Helm v4 APIs. Replace/augment registry and Docker-related deps with the modern stack: add distribution/distribution v3, distribution/reference, docker/cli, docker/distribution, docker/docker, docker/go-connections, docker/go-metrics, moby/locker, and bump docker-credential-helpers to v0.9.5. Switch from oras.land/oras-go/v2 v2.6.0 to oras.land/oras-go v1.2.5 to match Helm v4’s OCI tooling expectations.	go.mod go.sum
Refresh observability, HTTP, and logging support used by upstream libraries.	Add OpenTelemetry auto SDK and HTTP instrumentation (go.opentelemetry.io/auto/sdk, contrib/instrumentation/net/http/otelhttp, otel core/metric/trace) to satisfy new transitive requirements. Add github.com/felixge/httpsnoop, github.com/foxcpp/go-mockdns, github.com/go-logr/stdr, and github.com/gorilla/mux as new indirects required by upgraded dependencies.	go.mod go.sum
Update JSON schema and related tooling dependencies.	Replace github.com/santhosh-tekuri/jsonschema/v6 with github.com/xeipuuv/gojsonschema and its companion gojsonpointer/gojsonreference packages, following upstream changes in Helm/Kubernetes tooling. Prune older jsonschema and httpcache/google-cmp indirects that are no longer required by the updated stack.	go.mod go.sum

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• The PR title and description suggest upgrading to helm.sh/helm/v4, but go.mod still references helm.sh/helm/v3 and even downgrades it from v3.21.0 to v3.16.4; double‑check whether you actually intend to move to the v4 module path and version, and align the dependency and imports accordingly.
• You are bumping the Kubernetes client stack to v0.36.0 while changing Helm and ORAS-related dependencies (e.g., helm.sh/helm/v3 to v3.16.4, oras.land/oras-go/v2 to oras.land/oras-go v1.2.5); verify that these specific versions are known-compatible with each other and with controller-runtime v0.24.0 to avoid subtle runtime issues.
• The addition of several Docker and distribution-related dependencies (docker/docker, docker/cli, distribution/distribution, gojsonschema stack, OpenTelemetry, etc.) appears to be driven by the new library versions; it’s worth confirming you don’t have any now-redundant or conflicting indirect dependencies (like the removed santhosh-tekuri/jsonschema/v6) and that your code paths don’t rely on the old implementations.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The PR title and description suggest upgrading to `helm.sh/helm/v4`, but `go.mod` still references `helm.sh/helm/v3` and even downgrades it from `v3.21.0` to `v3.16.4`; double‑check whether you actually intend to move to the v4 module path and version, and align the dependency and imports accordingly.
- You are bumping the Kubernetes client stack to v0.36.0 while changing Helm and ORAS-related dependencies (e.g., `helm.sh/helm/v3` to `v3.16.4`, `oras.land/oras-go/v2` to `oras.land/oras-go v1.2.5`); verify that these specific versions are known-compatible with each other and with `controller-runtime v0.24.0` to avoid subtle runtime issues.
- The addition of several Docker and distribution-related dependencies (`docker/docker`, `docker/cli`, `distribution/distribution`, `gojsonschema` stack, OpenTelemetry, etc.) appears to be driven by the new library versions; it’s worth confirming you don’t have any now-redundant or conflicting indirect dependencies (like the removed `santhosh-tekuri/jsonschema/v6`) and that your code paths don’t rely on the old implementations.

## Individual Comments

### Comment 1
<location path="go.mod" line_range="150" />
<code_context>
-	k8s.io/apiserver v0.35.1 // indirect
-	k8s.io/cli-runtime v0.35.1 // indirect
-	k8s.io/component-base v0.35.1 // indirect
+	helm.sh/helm/v3 v3.16.4 // indirect
+	k8s.io/apiserver v0.36.0 // indirect
+	k8s.io/cli-runtime v0.36.0 // indirect
</code_context>
<issue_to_address>
**issue (bug_risk):** Downgrading Helm from v3.21.0 to v3.16.4 may introduce subtle incompatibilities with newer Kubernetes libraries.

You’re upgrading k8s-related deps (k8s.io/*, controller-runtime) to 0.36.0/0.24.0 while downgrading Helm to v3.16.4. This mix may introduce runtime behavior differences (client, discovery, resource handling). Please confirm v3.16.4 is explicitly required (e.g., by the operator framework) and that its supported Kubernetes versions are compatible with the newer k8s client stack.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}