🌱 Update Builder Image group

[cluster-stack-bot]

This PR contains the following updates:

Package	Type	Update	Change
docker.io/aquasec/trivy (source)	stage	minor	0.58.2 -> 0.59.1
docker.io/library/alpine	stage	patch	3.21.2 -> 3.21.3
golangci/golangci-lint		minor	v1.63.4 -> v1.64.6
helm/helm		patch	v3.17.0 -> v3.17.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

aquasecurity/trivy (docker.io/aquasec/trivy)

v0.59.1

Compare Source

Changelog

• 9aabfd2 release: v0.59.1 [release/v0.59] (#​8334)
• 412c690 fix(misconf): do not log scanners when misconfig scanning is disabled [backport: release/v0.59] (#​8349)
• 98f9ba2 chore(deps): bump Go to v1.23.5 [backport: release/v0.59] (#​8343)
• 1741fdd fix(python): add poetry v2 support [backport: release/v0.59] (#​8335)
• 3fd8e27 fix(sbom): preserve OS packages from multiple SBOMs [backport: release/v0.59] (#​8333)

v0.59.0

Compare Source

Features

• add --distro flag to manually specify OS distribution for vulnerability scanning (#​8070) (da17dc7)
• add a examples field to check metadata (#​8068) (6d84e0c)
• add support for registry mirrors (#​8244) (4316bcb)
• fs: use git commit hash as cache key for clean repositories (#​8278) (b5062f3)
• image: prevent scanning oversized container images (#​8178) (509e030)
• image: return error early if total size of layers exceeds limit (#​8294) (73bd20d)
• k8s: improve artifact selections for specific namespaces (#​8248) (db9e57a)
• misconf: generate placeholders for random provider resources (#​8051) (ffe24e1)
• misconf: support for ignoring by inline comments for Dockerfile (#​8115) (c002327)
• misconf: support for ignoring by inline comments for Helm (#​8138) (a0429f7)
• nodejs: respect peer dependencies for dependency tree (#​7989) (7389961)
• python: add support for poetry dev dependencies (#​8152) (774e04d)
• python: add support for uv (#​8080) (c4a4a5f)
• python: add support for uv dev and optional dependencies (#​8134) (49c54b4)

Bug Fixes

• CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass (#​8088) (d7ac286)
• CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field (#​8207) (670fbf2)
• de-duplicate same dpkg packages with different filePaths from different layers (#​8298) (846498d)
• enable err-error and errorf rules from perfsprint linter (#​7859) (156a2aa)
• flag: skip hidden flags for --generate-default-config command (#​8046) (5e68bdc)
• fs: fix cache key generation to use UUID (#​8275) (eafd810)
• handle BLOW_UNKNOWN error to download DBs (#​8060) (51f2123)
• improve conversion of image config to Dockerfile (#​8308) (2e8e38a)
• java: correctly overwrite version from depManagement if dependency uses project.* props (#​8050) (9d9f80d)
• license: always trim leading and trailing spaces for licenses (#​8095) (f5e4291)
• misconf: allow null values only for tf variables (#​8112) (23dc3a6)
• misconf: correctly handle all YAML tags in K8S templates (#​8259) (f12054e)
• misconf: disable git terminal prompt on tf module load (#​8026) (bbc5a85)
• misconf: handle heredocs in dockerfile instructions (#​8284) (0a3887c)
• misconf: use log instead of fmt for logging (#​8033) (07b2d7f)
• oracle: add architectures support for advisories (#​4809) (90f1d8d)
• python: skip dev group's deps for poetry (#​8106) (a034d26)
• redhat: check usr/share/buildinfo/ dir to detect content sets (#​8222) (f352f6b)
• redhat: correct rewriting of recommendations for the same vulnerability (#​8063) (4202c4b)
• respect GITHUB_TOKEN to download artifacts from GHCR (#​7580) (21b68e1)
• sbom: attach nested packages to Application (#​8144) (735335f)
• sbom: fix wrong overwriting of applications obtained from different sbom files but having same app type (#​8052) (fd07074)
• sbom: scan results of SBOMs generated from container images are missing layers (#​7635) (f9fceb5)
• sbom: use root package for unknown dependencies (if exists) (#​8104) (7558df7)
• spdx: use the hasExtractedLicensingInfos field for licenses that are not listed in the SPDX (#​8077) (aec8885)
• suse: SUSE - update OSType constants and references for compatility (#​8236) (ae28398)
• Updated twitter icon (#​7772) (2c41ac8)
• wasm module test (#​8099) (2200f38)

Performance Improvements

• avoid heap allocation in applier findPackage (#​7883) (9bd6ed7)

golangci/golangci-lint (golangci/golangci-lint)

v1.64.6

Compare Source

1. Linters bug fixes
   • asciicheck: from 0.4.0 to 0.4.1
   • contextcheck: from 1.1.5 to 1.1.6
   • errcheck: from 1.8.0 to 1.9.0
   • exptostd: from 0.4.1 to 0.4.2
   • ginkgolinter: from 0.19.0 to 0.19.1
   • go-exhaustruct: from 3.3.0 to 3.3.1
   • gocheckcompilerdirectives: from 1.2.1 to 1.3.0
   • godot: from 1.4.20 to 1.5.0
   • perfsprint: from 0.8.1 to 0.8.2
   • revive: from 1.6.1 to 1.7.0
   • tagalign: from 1.4.1 to 1.4.2

v1.64.5

Compare Source

1. Bug fixes
   • Add missing flag new-from-merge-base-flag
2. Linters bug fixes
   • asciicheck: from 0.3.0 to 0.4.0
   • forcetypeassert: from 0.1.0 to 0.2.0
   • gosec: from 2.22.0 to 2.22.1

v1.64.4

Compare Source

1. Linters bug fixes
   • gci: fix standard packages list for go1.24

v1.64.3

Compare Source

1. Linters bug fixes
   • ginkgolinter: from 0.18.4 to 0.19.0
   • go-critic: from 0.11.5 to 0.12.0
   • revive: from 1.6.0 to 1.6.1
   • gci: fix standard packages list for go1.24
2. Misc.
   • Build Docker images with go1.24

v1.64.2

Compare Source

This is the last minor release of golangci-lint v1.
The next release will be golangci-lint v2.

1. Enhancements
   • 🎉 go1.24 support
   • New issues.new-from-merge-base option
   • New run.relative-path-mode option
2. Linters new features
   • copyloopvar: from 1.1.0 to 1.2.1 (support suggested fixes)
   • exptostd: from 0.3.1 to 0.4.1 (handles golang.org/x/exp/constraints.Ordered)
   • fatcontext: from 0.5.3 to 0.7.1 (new option: check-struct-pointers)
   • perfsprint: from 0.7.1 to 0.8.1 (new options: integer-format, error-format, string-format, bool-format, and hex-format)
   • revive: from 1.5.1 to 1.6.0 (new rules: redundant-build-tag, use-errors-new. New option early-return.early-return)
3. Linters bug fixes
   • go-errorlint: from 1.7.0 to 1.7.1
   • gochecknoglobals: from 0.2.1 to 0.2.2
   • godox: from 006bad1 to 1.1.0
   • gosec: from 2.21.4 to 2.22.0
   • iface: from 1.3.0 to 1.3.1
   • nilnesserr: from 0.1.1 to 0.1.2
   • protogetter: from 0.3.8 to 0.3.9
   • sloglint: from 0.7.2 to 0.9.0
   • spancheck: fix default StartSpanMatchersSlice values
   • staticcheck: from 0.5.1 to 0.6.0
4. Deprecations
   • ⚠️ tenv is deprecated and replaced by usetesting.os-setenv: true.
   • ⚠️ exportloopref deprecation step 2
5. Misc.
   • Sanitize severities by output format
   • Avoid panic with plugin without description
6. Documentation
   • Clarify depguard configuration

v1.64.1

Compare Source

Cancelled due to CI failure.

v1.64.0

Compare Source

Cancelled due to CI failure.

helm/helm (helm/helm)

v3.17.1: Helm v3.17.1

Compare Source

Helm v3.17.1 is a patch release. Users are encouraged to upgrade for the best experience. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:
  • for questions and just to hang out
  • for discussing PRs, code, and bugs
• Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
• Test, debug, and contribute charts: ArtifactHub/packages

Installation and Upgrading

Download Helm v3.17.1. The common platform binaries are here:

• MacOS amd64 (checksum / aba59ba9511971a71943b5c76f15d52ace1681197bb3f71ed1f0b15caceacb2c)
• MacOS arm64 (checksum / b823a213d8d7937222becc63d9c7bb3d15a090e7ecd1f70f3a583ed39657e21b)
• Linux amd64 (checksum / 3b66f3cd28409f29832b1b35b43d9922959a32d795003149707fea84cbcd4469)
• Linux arm (checksum / 1dc5ed54350f4f7ae87441e878be4f4fd9b727a86b11b1d20b1001358c83bed3)
• Linux arm64 (checksum / c86c9b23602d4abbfae39d9634e25ab1d0ea6c4c16c5b154113efe316a402547)
• Linux i386 (checksum / b972562a1171673db2892f000248b2540ddcd6f76850ec152852a8e9ce7972cb)
• Linux ppc64le (checksum / 4223394f3fca82a7f8e8d083caf6faf0ee0639d8f235071334579237078a2c2e)
• Linux s390x (checksum / fe47e5ee8abd6baef01bb1c4fc995343121bf5fc7dead1f67e97484a441ba9e8)
• Linux riscv64 (checksum / cf174b1ff83032255f798278152c637d01dd1d1533fd77915ab751d8cf4191a7)
• Windows amd64 (checksum / 08281ee6d4d272835ff10c510b8b39736d112d9cb89dfbc853fe83913fbe48d0)
• Windows arm64 (checksum / 44c9c8246f643ea45bb45013a182fc25da2a8206a6f322a0c6fa47a1f4bcf1e4)

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

• 3.17.2 is the next patch release and will be on March 12, 2025
• 3.18.0 is the next minor release and will be on May 14, 2025

Changelog

• add test for nullifying nested global value 980d8ac (Ryan Hockstad)
• Add test case for removing an entire object c23e3b6 (Ryan Hockstad)
• Tests for bugfix: Override subcharts with null values #​12879 3110d5f (Scott Rigby)
• merge null child chart objects 9520c71 (Ryan Hockstad)
• build(deps): bump the k8s-io group with 7 updates ab7dedd (dependabot[bot])
• fix: check group for resource info match a2d3602 (Jiasheng Zhu)

---

Configuration

📅 Schedule: Branch creation - "on the first day of the month" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box