From 9e5d2a3ac0d0f39057ff67e1cabece36f9eb87ed Mon Sep 17 00:00:00 2001
From: Benoit Tigeot
Date: Wed, 21 Jan 2026 09:47:28 +0100
Subject: [PATCH 1/2] refactor: remove per-file decompression size limit
Remove MaxDecompressedFileSize as it's no longer necessary after migrating to a maintained JSON schema library (santhosh-tekuri/jsonschema/v6). The original limit was added to protect against vulnerabilities in an unmaintained library. The total decompressed chart size limit (MaxDecompressedChartSize) remains to protect against other attack vectors.
Partially resolves #30738
Related:
- https://github.com/helm/helm/pull/30743
Signed-off-by: Benoit Tigeot
---
 internal/chart/v3/loader/directory.go | 4 ----
 pkg/chart/loader/archive/archive.go | 8 --------
 pkg/chart/v2/loader/directory.go | 4 ----
 3 files changed, 16 deletions(-)
diff --git a/internal/chart/v3/loader/directory.go b/internal/chart/v3/loader/directory.go
index dfe3af3b2..5937efda9 100644
--- a/internal/chart/v3/loader/directory.go
+++ b/internal/chart/v3/loader/directory.go
@@ -100,10 +100,6 @@ func LoadDir(dir string) (*chart.Chart, error) {
 return fmt.Errorf("cannot load irregular file %s as it has file mode type bits set", name)
 }
- if fi.Size() > archive.MaxDecompressedFileSize {
- return fmt.Errorf("chart file %q is larger than the maximum file size %d", fi.Name(), archive.MaxDecompressedFileSize)
- }
-
 data, err := os.ReadFile(name)
 if err != nil {
 return fmt.Errorf("error reading %s: %w", n, err)
diff --git a/pkg/chart/loader/archive/archive.go b/pkg/chart/loader/archive/archive.go
index c6875db3f..916037f96 100644
--- a/pkg/chart/loader/archive/archive.go
+++ b/pkg/chart/loader/archive/archive.go
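Review bot: After this deletion, `os.ReadFile(name)` reads every regular file in the chart directory fully into memory, and no size bound is visible in this hunk. The commit message relies on MaxDecompressedChartSize, but in this patch that limit is only visible in LoadArchiveFiles (via `io.LimitReader(tr, remainingSize)`), not in the directory loader; LoadDir's body starts and ends outside the hunk, so a cumulative check may exist elsewhere and should be confirmed. If it does not, keep a running int64 `total` next to the walk and check it before the read, for example `if total += fi.Size(); total > archive.MaxDecompressedChartSize { return fmt.Errorf("chart directory is larger than the maximum size %d", archive.MaxDecompressedChartSize) }`. The identical hunk in pkg/chart/v2/loader/directory.go has the same gap.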
@@ -37,10 +37,6 @@ import (
 // The default value is 100 MiB.
 var MaxDecompressedChartSize int64 = 100 * 1024 * 1024 // Default 100 MiB
-// MaxDecompressedFileSize is the size of the largest file that Helm will attempt to load.
-// The size of the file is the decompressed version of it when it is stored in an archive.
-var MaxDecompressedFileSize int64 = 5 * 1024 * 1024 // Default 5 MiB
-
 var drivePathPattern = regexp.MustCompile(`^[a-zA-Z]:/`)
 var utf8bom = []byte{0xEF, 0xBB, 0xBF}
@@ -128,10 +124,6 @@ func LoadArchiveFiles(in io.Reader) ([]*BufferedFile, error) {
 return nil, fmt.Errorf("decompressed chart is larger than the maximum size %d", MaxDecompressedChartSize)
 }
- if hd.Size > MaxDecompressedFileSize {
- return nil, fmt.Errorf("decompressed chart file %q is larger than the maximum file size %d", hd.Name, MaxDecompressedFileSize)
- }
-
 limitedReader := io.LimitReader(tr, remainingSize)
 bytesWritten, err := io.Copy(b, limitedReader)
diff --git a/pkg/chart/v2/loader/directory.go b/pkg/chart/v2/loader/directory.go
index 82578d924..e213a0da8 100644
--- a/pkg/chart/v2/loader/directory.go
+++ b/pkg/chart/v2/loader/directory.go
@@ -100,10 +100,6 @@ func LoadDir(dir string) (*chart.Chart, error) {
 return fmt.Errorf("cannot load irregular file %s as it has file mode type bits set", name)
 }
- if fi.Size() > archive.MaxDecompressedFileSize {
- return fmt.Errorf("chart file %q is larger than the maximum file size %d", fi.Name(), archive.MaxDecompressedFileSize)
- }
-
 data, err := os.ReadFile(name)
 if err != nil {
 return fmt.Errorf("error reading %s: %w", n, err)
From bd6fcf75e65fe2f5657958dce4861b046cb29f4d Mon Sep 17 00:00:00 2001
From: Benoit Tigeot
Date: Wed, 28 Jan 2026 22:18:08 +0100
Subject: [PATCH 2/2] fix: deprecate MaxDecompressedFileSize instead of removing
As Matt suggested we should keep the variable until v5 as it can be used because it is public.
Related:
- https://github.com/helm/helm/pull/31748#discussion_r2738518696
Signed-off-by: Benoit Tigeot
---
 pkg/chart/loader/archive/archive.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/pkg/chart/loader/archive/archive.go b/pkg/chart/loader/archive/archive.go
index 916037f96..659dd6511 100644
--- a/pkg/chart/loader/archive/archive.go
+++ b/pkg/chart/loader/archive/archive.go
@@ -37,6 +37,12 @@ import (
 // The default value is 100 MiB.
 var MaxDecompressedChartSize int64 = 100 * 1024 * 1024 // Default 100 MiB
+// MaxDecompressedFileSize is the size of the largest file that Helm will attempt to load.
+// The size of the file is the decompressed version of it when it is stored in an archive.
+//
+// Deprecated: This variable is no longer used internally and will be removed in Helm v5.
+var MaxDecompressedFileSize int64 = 5 * 1024 * 1024 // Default 5 MiB
+
 var drivePathPattern = regexp.MustCompile(`^[a-zA-Z]:/`)
 var utf8bom = []byte{0xEF, 0xBB, 0xBF}
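Review bot: The restored doc comment still opens with "is the size of the largest file that Helm will attempt to load", which is no longer true, and the `Deprecated:` paragraph does not say that assigning to the variable now has no effect. A caller that lowered `MaxDecompressedFileSize` as a hardening measure would keep compiling and silently lose the per-file limit. Suggest wording the paragraph as `// Deprecated: Setting this variable has no effect; per-file size is no longer checked. Use MaxDecompressedChartSize to bound the total decompressed size. It will be removed in Helm v5.` and adjusting the first sentence to the past tense.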