oras-go v2.6.1 hardens the auth client to drop the Authorization header
when a request's origin changes mid-flight (GHSA-vh4v-2xq2-g5cg). Helm's
fallbackTransport reaches plain-HTTP registries by downgrading the
connection from https to http inside a single round trip, which oras now
treats as a credential-leaking origin change and refuses to authenticate.
On login, detect when the transport has fallen back to plain HTTP and, in
that case, set PlainHTTP explicitly and re-ping so requests are built as
http from the start. The scheme no longer changes mid-request, credentials
flow as before, and the new cross-origin protection is preserved for real
https registries (forcedHTTP stays false, so the retry never triggers).
Signed-off-by: Terry Howe <terrylhowe@gmail.com>
(cherry picked from commit 2fb05f8a35)
golangci-lint v2.5.0 is built with go1.25 and refuses to lint a module targeting go 1.26.0. Bump to v2.11.3 (matching main) and apply the new staticcheck QF1012 fixes it surfaces in jsonschema.go.
Signed-off-by: Terry Howe <terrylhowe@gmail.com>
(cherry picked from commit 0ed92f0696)
Only delete nil user values when overriding a non-nil chart default.
When chart has empty map or no default for a key, preserve user's nil.

| Scenario | Result |
|----------|--------|
| User sets `baz: ~`, chart has `baz: "value"` | Key deleted |
| User sets `baz: ~`, chart has empty map `{}` | Nil preserved |
| User sets `baz: ~`, chart has `baz: ~` | Nil preserved |

Fixes #31643
Signed-off-by: Evans Mungai <mbuevans@gmail.com>
This ensures that when `helm uninstall` is run with `--keep-history`
any release in a `deployed` state other than the last release (e.g.
due to a failed upgrade) is being marked as `superseded`.
As a by-effect, running `helm upgrade` on a release which has been
uninstalled after an upgrade failure now no longer works. But instead
fails with a `"<name>" has no deployed releases` error. Which is the
(likely) intended behavior, and prevents other side-effects like
rolling back to a release version which happened before the uninstall
if `--atomic` (or `--rollback-on-failure`) was provided.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
(cherry picked from commit 2f1ecc7100)
- v3.18.5 switched jsonschema and began resolving external $ref
at compile-time, exposing missing urn handling
(“no URLLoader registered for urn:…”).
- Add urn scheme loader and pluggable URNResolver. If unresolved, log
a warning and return a permissive true schema (back-compat).
- Avoid having duplicated warn logs when we Load the schema twice.
Note: external URNs need AddResource/Resolver (the CLI uses --map for
this).
Close: #31170
Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>
The existing check worked for `helm pull downloaded-repo/chart-name`,
but often does not work when using `--repo-url`, depending on the urls
used by the charts.
Signed-off-by: Luna Stadler <luc@spreadshirt.net>