diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 2af5c67cc..1c3ea0bf4 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -48,7 +48,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # pinv4.35.5
+      uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # pinv4.36.0
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -59,7 +59,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@9e0d7b8d25671d64c341c19c0152d693099fb5ba # pinv4.35.5
+      uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # pinv4.36.0
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -73,4 +73,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # pinv4.35.5
+      uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # pinv4.36.0
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index 8b64a3be2..734bc682a 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -22,6 +22,6 @@ jobs:
           go-version: '${{ env.GOLANG_VERSION }}'
           check-latest: true
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 #pin@9.2.0
+        uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee #pin@9.2.1
         with:
           version: ${{ env.GOLANGCI_LINT_VERSION }}
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 77f220426..c4a0cb196 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -64,6 +64,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index 9b0c29952..bbe339e79 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -12,7 +12,7 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-    - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
+    - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'This issue has been marked as stale because it has been open for 90 days with no activity. This thread will be automatically closed in 30 days if no further activity occurs.'
diff --git a/README.md b/README.md
index 37bc8abaa..d581ceac3 100644
--- a/README.md
+++ b/README.md
@@ -32,8 +32,8 @@ Think of it like apt/yum/homebrew for Kubernetes.
 
 ## Helm Development and Stable Versions
 
-Helm v4 is currently under development on the `main` branch. This is unstable and the APIs within the Go SDK and at the command line are changing.
-Helm v3 (current stable) is maintained on the `dev-v3` branch. APIs there follow semantic versioning.
+Helm v4 is the current stable release, developed on the `main` branch.
+Helm v3 is in support mode on the `dev-v3` branch: bug fixes until July 8th 2026, security fixes until November 11th 2026.
 
 ## Install
 
@@ -64,7 +64,7 @@ Get started with the [Quick Start guide](https://helm.sh/docs/intro/quickstart/)
 
 The [Helm roadmap uses GitHub milestones](https://github.com/helm/helm/milestones) to track the progress of the project.
 
-The development of Helm v4 is currently happening on the `main` branch while the development of Helm v3, the stable branch, is happening on the `dev-v3` branch. Changes should be made to the `main` branch prior to being added to the `dev-v3` branch so that all changes are carried along to Helm v4.
+Helm v4 development happens on the `main` branch. Helm v3 is in support mode on the `dev-v3` branch and receives only bug and security fixes.
 
 ## Community, discussion, contribution, and support
 
diff --git a/internal/chart/v3/lint/rules/deprecations.go b/internal/chart/v3/lint/rules/deprecations.go
index a607a5fb4..9c73268af 100644
--- a/internal/chart/v3/lint/rules/deprecations.go
+++ b/internal/chart/v3/lint/rules/deprecations.go
@@ -28,7 +28,7 @@ import (
 	kscheme "k8s.io/client-go/kubernetes/scheme"
 )
 
-// deprecatedAPIError indicates than an API is deprecated in Kubernetes
+// deprecatedAPIError indicates that an API is deprecated in Kubernetes
 type deprecatedAPIError struct {
 	Deprecated string
 	Message    string
diff --git a/internal/plugin/plugin.go b/internal/plugin/plugin.go
index 132b1739e..789e583ae 100644
--- a/internal/plugin/plugin.go
+++ b/internal/plugin/plugin.go
@@ -77,5 +77,5 @@ type Output struct {
 
 // validPluginName is a regular expression that validates plugin names.
 //
-// Plugin names can only contain the ASCII characters a-z, A-Z, 0-9, ​_​ and ​-.
+// Plugin names can only contain the ASCII characters a-z, A-Z, 0-9, _ and -.
 var validPluginName = regexp.MustCompile("^[A-Za-z0-9_-]+$")
diff --git a/pkg/chart/v2/lint/rules/deprecations.go b/pkg/chart/v2/lint/rules/deprecations.go
index 7d5245869..76626659b 100644
--- a/pkg/chart/v2/lint/rules/deprecations.go
+++ b/pkg/chart/v2/lint/rules/deprecations.go
@@ -28,7 +28,7 @@ import (
 	kscheme "k8s.io/client-go/kubernetes/scheme"
 )
 
-// deprecatedAPIError indicates than an API is deprecated in Kubernetes
+// deprecatedAPIError indicates that an API is deprecated in Kubernetes
 type deprecatedAPIError struct {
 	Deprecated string
 	Message    string
diff --git a/pkg/downloader/cache.go b/pkg/downloader/cache.go
index 1e23fbfcd..92d477e49 100644
--- a/pkg/downloader/cache.go
+++ b/pkg/downloader/cache.go
@@ -59,15 +59,17 @@ func (c *DiskCache) Get(key [sha256.Size]byte, cacheType string) (string, error)
 	if err != nil {
 		return "", err
 	}
-	// Empty files treated as not exist because there is no content.
-	if fi.Size() == 0 {
-		return p, os.ErrNotExist
-	}
 	// directories should never happen unless something outside helm is operating
 	// on this content.
 	if fi.IsDir() {
 		return p, errors.New("is a directory")
 	}
+	// Empty files are treated as non-existent because there is no content.
+	// IsDir must be checked first: some filesystems (e.g. overlayfs) report
+	// directory size as 0.
+	if fi.Size() == 0 {
+		return p, os.ErrNotExist
+	}
 	return p, nil
 }