🌱 Use helm.sh/helm/v3 v3.19.4

[tamalsaha]

Summary

Use helm 3.19 which also used k/k 1.34 client libs

Related issue(s)

Fixes #

Summary by CodeRabbit

• Chores
  • Updated multiple dependencies to latest compatible versions, including core runtime libraries and security-related packages, improving overall stability and platform compatibility.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Updates multiple module dependencies in go.mod, including spf13/cobra, spf13/pflag, helm.sh/helm/v3, Kubernetes API modules, controller-runtime, and indirect dependencies like golang.org/x modules. No changes to public exported entities.

Changes

Cohort / File(s)

Summary

Dependency Version Updates go.mod

Direct dependencies: spf13/cobra v1.9.1→v1.10.1, spf13/pflag v1.0.7→v1.0.10, helm.sh/helm/v3 v3.18.6→v3.19.4, k8s.io/\* (api, apiextensions-apiserver, apimachinery, apiserver, client-go, component-base) v0.34.1→v0.34.2, sigs.k8s.io/controller-runtime v0.22.3→v0.22.4. Indirect dependencies: Masterminds/semver/v3 v3.3.0→v3.4.0, filepath-securejoin v0.4.1→v0.6.1, golang.org/x/\* (crypto, net, sync, sys, term, text) minor/patch bumps, k8s.io/kms v0.34.1→v0.34.2.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Possibly related PRs

• addon-framework#323: Also bumps Helm (helm.sh/helm/v3) and Kubernetes-related module versions in go.mod
• addon-framework#335: Related go.mod dependency version updates for Helm and Kubernetes modules

Suggested labels

lgtm, approved

Suggested reviewers

• zhiweiyin318
• elgnay

Pre-merge checks

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly identifies the main change: upgrading helm.sh/helm/v3 to v3.19.4. It uses the emoji indicator from the template (🌱) for misc/other changes and specifically references the dependency version bump.
Description check	✅ Passed	The summary section provides helpful context explaining that helm 3.19 uses k/k 1.34 client libs, addressing the dependency compatibility rationale. However, the 'Related issue(s)' section is incomplete with only 'Fixes #' and no actual issue number.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b5846d7 and 097bbb7.

⛔ Files ignored due to path filters (89)

• go.sum is excluded by !**/*.sum
• vendor/github.com/Masterminds/semver/v3/CHANGELOG.md is excluded by !vendor/**
• vendor/github.com/Masterminds/semver/v3/README.md is excluded by !vendor/**
• vendor/github.com/Masterminds/semver/v3/constraints.go is excluded by !vendor/**
• vendor/github.com/Masterminds/semver/v3/version.go is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/.golangci.yml is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/COPYING.md is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/LICENSE.BSD is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/LICENSE.MPL-2.0 is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/README.md is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/VERSION is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/codecov.yml is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/doc.go is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_go120.go is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_unsupported.go is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_go121.go is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_unsupported.go is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/internal/consts/consts.go is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/join.go is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/lookup_linux.go is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/open_linux.go is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/openat_linux.go is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/procfs_linux.go is excluded by !vendor/**
• vendor/github.com/cyphar/filepath-securejoin/vfs.go is excluded by !vendor/**
• vendor/github.com/spf13/cobra/.golangci.yml is excluded by !vendor/**
• vendor/github.com/spf13/cobra/README.md is excluded by !vendor/**
• vendor/github.com/spf13/cobra/SECURITY.md is excluded by !vendor/**
• vendor/github.com/spf13/cobra/command.go is excluded by !vendor/**
• vendor/github.com/spf13/cobra/completions.go is excluded by !vendor/**
• vendor/github.com/spf13/pflag/flag.go is excluded by !vendor/**
• vendor/github.com/spf13/pflag/golangflag.go is excluded by !vendor/**
• vendor/github.com/spf13/pflag/string_to_string.go is excluded by !vendor/**
• vendor/github.com/spf13/pflag/time.go is excluded by !vendor/**
• vendor/golang.org/x/crypto/chacha20/chacha_arm64.s is excluded by !vendor/**
• vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.go is excluded by !vendor/**
• vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_generic.go is excluded by !vendor/**
• vendor/golang.org/x/net/context/context.go is excluded by !vendor/**
• vendor/golang.org/x/net/http2/frame.go is excluded by !vendor/**
• vendor/golang.org/x/net/http2/transport.go is excluded by !vendor/**
• vendor/golang.org/x/net/http2/writesched.go is excluded by !vendor/**
• vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !vendor/**
• vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go is excluded by !vendor/**
• vendor/golang.org/x/sync/errgroup/errgroup.go is excluded by !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_arm64.s is excluded by !vendor/**
• vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !vendor/**
• vendor/golang.org/x/sys/unix/syscall_linux.go is excluded by !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_linux.go is excluded by !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/types_windows.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !vendor/**
• vendor/golang.org/x/term/terminal.go is excluded by !vendor/**
• vendor/golang.org/x/text/encoding/japanese/eucjp.go is excluded by !vendor/**
• vendor/golang.org/x/text/encoding/japanese/iso2022jp.go is excluded by !vendor/**
• vendor/golang.org/x/text/encoding/japanese/shiftjis.go is excluded by !vendor/**
• vendor/golang.org/x/text/encoding/korean/euckr.go is excluded by !vendor/**
• vendor/golang.org/x/text/encoding/simplifiedchinese/gbk.go is excluded by !vendor/**
• vendor/golang.org/x/text/encoding/simplifiedchinese/hzgb2312.go is excluded by !vendor/**
• vendor/golang.org/x/text/encoding/traditionalchinese/big5.go is excluded by !vendor/**
• vendor/golang.org/x/text/encoding/unicode/unicode.go is excluded by !vendor/**
• vendor/helm.sh/helm/v3/internal/version/version.go is excluded by !vendor/**
• vendor/helm.sh/helm/v3/pkg/chartutil/capabilities.go is excluded by !vendor/**
• vendor/helm.sh/helm/v3/pkg/chartutil/create.go is excluded by !vendor/**
• vendor/helm.sh/helm/v3/pkg/chartutil/jsonschema.go is excluded by !vendor/**
• vendor/k8s.io/client-go/tools/leaderelection/resourcelock/leaselock.go is excluded by !vendor/**
• vendor/k8s.io/client-go/util/cert/cert.go is excluded by !vendor/**
• vendor/modules.txt is excluded by !vendor/**
• vendor/sigs.k8s.io/controller-runtime/pkg/client/namespaced_client.go is excluded by !vendor/**
• vendor/sigs.k8s.io/controller-runtime/pkg/envtest/server.go is excluded by !vendor/**

📒 Files selected for processing (1)

• go.mod

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)

• GitHub Check: e2e-hosted
• GitHub Check: unit
• GitHub Check: integration
• GitHub Check: build
• GitHub Check: e2e-cloudevents
• GitHub Check: e2e
• GitHub Check: verify

🔇 Additional comments (3)

go.mod (3)

12-27: Verify Kubernetes module consistency across the ecosystem.

The Kubernetes version has been bumped uniformly across all core modules (v0.34.1 → v0.34.2). Confirm that:

• v0.34.2 is a stable release from the Kubernetes project (not a pre-release)
• All transitive dependencies of the Kubernetes modules are compatible with v0.34.2
• The addon-framework's code does not rely on APIs or behaviors that may have changed between v0.34.1 and v0.34.2

Since v0.34.x appears to be very recent (outside the knowledge cutoff), pay special attention to any deprecations or breaking changes in this version line.

---

12-13: Verify version compatibility and release status for primary dependency updates.

Multiple direct dependencies have been updated:

• spf13/cobra: v1.9.1 → v1.10.1
• spf13/pflag: v1.0.7 → v1.0.10
• helm.sh/helm/v3: v3.18.6 → v3.19.4 (primary PR objective)
• Kubernetes modules (k8s.io/api, k8s.io/apiextensions-apiserver, k8s.io/apimachinery, k8s.io/apiserver, k8s.io/client-go, k8s.io/component-base): v0.34.1 → v0.34.2
• sigs.k8s.io/controller-runtime: v0.22.3 → v0.22.4

All versions exist in their respective repositories and are stable releases. Version bumps are conservative (patch and minor versions), which minimizes breaking change risk.

---

41-41: Updated indirect dependencies contain no known security vulnerabilities.

Verification of the updated versions confirms:

• golang.org/x/crypto v0.46.0, golang.org/x/net v0.47.0, golang.org/x/sys v0.39.0, golang.org/x/sync v0.19.0, golang.org/x/term v0.38.0, and golang.org/x/text v0.32.0 are at safe release levels (earlier CVEs have been patched in earlier versions).
• filepath-securejoin v0.6.1, Masterminds/semver/v3 v3.4.0, and k8s.io/kms v0.34.2 have no published security advisories.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qiujian16]

/approve
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: qiujian16, tamalsaha

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [qiujian16]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment