security(deps): bump helm and opentelemetry to fix HIGH vulnerabilities#1587
Merged
cicoyle merged 5 commits intodapr:masterfrom Feb 10, 2026
Merged
Conversation
Bump helm.sh/helm/v3 from v3.17.4 to v3.18.5 to fix 5 HIGH severity vulnerabilities: - SNYK-GOLANG-HELMSHHELMV3PKGREPO-11799541 - SNYK-GOLANG-HELMSHHELMV3PKGLINTRULES-11799538 - SNYK-GOLANG-HELMSHHELMV3PKGDOWNLOADER-10734107 - SNYK-GOLANG-HELMSHHELMV3PKGCHARTUTIL-11799535 - SNYK-GOLANG-HELMSHHELMV3PKGCHARTUTIL-11799536 Bump go.opentelemetry.io/otel/sdk from v1.39.0 to v1.40.0 to fix: - SNYK-GOLANG-GOOPENTELEMETRYIOOTELSDKRESOURCE-15182758 These updates address remaining HIGH severity vulnerabilities not covered by PR dapr#1586, reducing total HIGH vulnerabilities from 6 to 0. Signed-off-by: fyzanshaik <fyzan.shaik@gmail.com>
3 tasks
Contributor
Author
|
looking into this |
Signed-off-by: fyzanshaik <fyzan.shaik@gmail.com>
fyzanshaik
force-pushed
the
security/fix-helm-otel-vulnerabilities
branch
from
9daca3b to
039b5ac
Compare
Contributor
Author
|
@JoshVanL please approve CI |
JoshVanL
previously approved these changes
Feb 10, 2026
Signed-off-by: fyzanshaik <fyzan.shaik@gmail.com>
Contributor
Author
|
@JoshVanL One note: the Linux self-hosted E2E failure was a flaky port collision (GRPCPort 3510 not available), not caused by the Helm/Otel bumps. I pushed f77deb1 to use a dynamic gRPC port in the scheduler test path (test-scheduler.yaml + tests/apps/scheduler/app.go). Could you re-run checks? Just this one test failing.. |
This reverts commit f77deb1. Signed-off-by: fyzanshaik <fyzan.shaik@gmail.com>
Contributor
Author
|
I’m not sure why this specific test is still failing, but the rest of the suite is passing consistently on this PR. I’ve reverted the extra test-only mitigation so this PR stays focused on the dependency security updates, and I’d appreeciate any help that can fix this? I am fine with anyone taking over too @JoshVanL 🙏 |
Contributor
|
Thanks @fyzanshaik - the tests seem quite unhappy with the scheduler test changes |
Signed-off-by: joshvanl <me@joshvanl.dev>
cicoyle
approved these changes
Feb 10, 2026
JoshVanL
pushed a commit
to JoshVanL/dapr-cli
that referenced
this pull request
Feb 10, 2026
…ulnerabilities security(deps): bump helm and opentelemetry to fix HIGH vulnerabilities
JoshVanL
pushed a commit
to JoshVanL/dapr-cli
that referenced
this pull request
Feb 10, 2026
…ulnerabilities security(deps): bump helm and opentelemetry to fix HIGH vulnerabilities Signed-off-by: joshvanl <me@joshvanl.dev>
JoshVanL
added a commit
that referenced
this pull request
Feb 10, 2026
…rabilities (#1588) security(deps): bump helm and opentelemetry to fix HIGH vulnerabilities Signed-off-by: joshvanl <me@joshvanl.dev> Co-authored-by: Cassie Coyle <cassie@diagrid.io>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bump helm.sh/helm/v3 from v3.17.4 to v3.18.5 to fix 5 HIGH severity vulnerabilities:
Bump go.opentelemetry.io/otel/sdk from v1.39.0 to v1.40.0 to fix:
In addition to the dependency updates, this PR hardens two flaky E2E test paths observed in CI:
tests/e2e/standalone/scheduler_test.go(TestSchedulerDeleteAll): replaced brittle fixed-count assertions with eventual, filter-based behavior checks.tests/e2e/common/common.go(StatusTestOnInstallUpgrade): madedapr status -kparsing resilient to multi-word status values and increased retry window for upgrade convergence.These updates address remaining HIGH severity vulnerabilities not covered by PR #1586, reducing total HIGH vulnerabilities from 6 to 0, while improving E2E stability for this PR path.
Validation performed:
go test -c ./tests/e2e/commongo test -c -tags e2e ./tests/e2e/standalonePlease reference the issue this PR will close: #[issue number]
Checklist
Please make sure you've completed the relevant tasks for this PR, out of the following list: