
build(deps): Bump the all-go-mod-patch-and-minor group across 1 directory with 4 updates #1033

Merged
github-actions[bot] merged 1 commit into main from dependabot/go_modules/all-go-mod-patch-and-minor-c64d7d6140
Apr 9, 2026

Contributor

@dependabot dependabot bot commented on behalf of github Apr 9, 2026

Bumps the all-go-mod-patch-and-minor group with 4 updates in the / directory: github.com/aws/aws-sdk-go-v2/service/ecr, helm.sh/helm/v4, k8s.io/apimachinery and sigs.k8s.io/controller-runtime.

Updates github.com/aws/aws-sdk-go-v2/service/ecr from 1.56.2 to 1.57.0

Commits

Updates helm.sh/helm/v4 from 4.1.3 to 4.1.4

Release notes

Sourced from helm.sh/helm/v4's releases.

Helm v4.1.4 is a security fix patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Security fixes

  • GHSA-hr2v-4r36-88hr Helm Chart extraction output directory collapse via Chart.yaml name dot-segment
  • GHSA-q5jf-9vfq-h4h7 Plugin verification fails open when .prov is missing, allowing unsigned plugin install
  • GHSA-vmx8-mqv2-9gmg Path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory

A big thank you to the reporters of these issues (@maru1009, @1seal).

Installation and Upgrading

Download Helm v4.1.4. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 4.1.5 and 3.20.3 are the next patch (bug fix) releases and will be on April 8, 2026
  • 4.2.0 and 3.21.0 are the next minor (feature) releases and will be on May 13, 2026

Changelog

  • fix: Plugin missing provenance bypass 05fa37973dc9e42b76e1d2883494c87174b6074f (George Jenkins)
  • fix: Chart dot-name path bug 4e7994d4467182f535b6797c94b5b0e994a91436 (George Jenkins)
  • ignore error plugin loads (cli, getter) 25819432bf87ac0b54f0d3fa54982add2cac609e (George Jenkins)
  • fix: Plugin version path traversal 36c8539e99bc42d7aef9b87d136254662d04f027 (George Jenkins)
  • fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow c61e0860ec797330a4c26a78dde7020cdc6743b1 (Terry Howe)

Commits
  • 05fa379 fix: Plugin missing provenance bypass
  • 4e7994d fix: Chart dot-name path bug
  • 2581943 ignore error plugin loads (cli, getter)
  • 36c8539 fix: Plugin version path traversal
  • c61e086 fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow
  • See full diff in compare view

Updates k8s.io/apimachinery from 0.35.1 to 0.35.3

Commits

Updates sigs.k8s.io/controller-runtime from 0.23.1 to 0.23.3

Release notes

Sourced from sigs.k8s.io/controller-runtime's releases.

v0.23.3

What's Changed

Full Changelog: kubernetes-sigs/controller-runtime@v0.23.2...v0.23.3

v0.23.2

What's Changed

Full Changelog: kubernetes-sigs/controller-runtime@v0.23.1...v0.23.2

Commits
  • f9589b9 Merge pull request #3469 from k8s-infra-cherrypick-robot/cherry-pick-3468-to-...
  • 25615ad Ensure DefaulterRemoveUnknownOrOmitableFields is still working even if object...
  • 8122a62 Merge pull request #3467 from k8s-infra-cherrypick-robot/cherry-pick-3463-to-...
  • 35093c6 Reduce memory usage of default webhooks
  • 4dbfa5c [release-0.23] 🐛 Fix fake client's SSA status patch resource version check (#...
  • See full diff in compare view


…tory with 4 updates

Bumps the all-go-mod-patch-and-minor group with 4 updates in the / directory: [github.com/aws/aws-sdk-go-v2/service/ecr](https://github.com/aws/aws-sdk-go-v2), [helm.sh/helm/v4](https://github.com/helm/helm), [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) and [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime).


Updates `github.com/aws/aws-sdk-go-v2/service/ecr` from 1.56.2 to 1.57.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@service/ssm/v1.56.2...service/s3/v1.57.0)

Updates `helm.sh/helm/v4` from 4.1.3 to 4.1.4
- [Release notes](https://github.com/helm/helm/releases)
- [Commits](helm/helm@v4.1.3...v4.1.4)

Updates `k8s.io/apimachinery` from 0.35.1 to 0.35.3
- [Commits](kubernetes/apimachinery@v0.35.1...v0.35.3)

Updates `sigs.k8s.io/controller-runtime` from 0.23.1 to 0.23.3
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
- [Commits](kubernetes-sigs/controller-runtime@v0.23.1...v0.23.3)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ecr
  dependency-version: 1.57.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go-mod-patch-and-minor
- dependency-name: helm.sh/helm/v4
  dependency-version: 4.1.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go-mod-patch-and-minor
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go-mod-patch-and-minor
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-version: 0.23.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go-mod-patch-and-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) labels Apr 9, 2026
@github-actions github-actions bot enabled auto-merge (squash) April 9, 2026 10:31
Contributor

github-actions bot commented Apr 9, 2026

Unit test results

129 tests  ±0   129 ✅ ±0   0s ⏱️ ±0s
 27 suites ±0     0 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit 987f5aa. ± Comparison against base commit 71ccf19.

Contributor

github-actions bot commented Apr 9, 2026

e2e test results

50 tests  ±0   50 ✅ ±0   3m 45s ⏱️ +34s
 2 suites ±0    0 💤 ±0 
 1 files   ±0    0 ❌ ±0 

Results for commit 987f5aa. ± Comparison against base commit 71ccf19.

@github-actions github-actions bot merged commit c9c1991 into main Apr 9, 2026
19 checks passed
@github-actions github-actions bot deleted the dependabot/go_modules/all-go-mod-patch-and-minor-c64d7d6140 branch April 9, 2026 10:55