chore(deps): bump the go_modules group across 1 directory with 3 updates

[dependabot]

Bumps the go_modules group with 3 updates in the / directory: helm.sh/helm/v3, github.com/containerd/containerd and google.golang.org/grpc.

Updates helm.sh/helm/v3 from 3.19.4 to 3.20.2

Release notes

Sourced from helm.sh/helm/v3's releases.

Helm v3.20.2

v3.20.2

Helm v3.20.2 is a security patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:
  • for questions and just to hang out
  • for discussing PRs, code, and bugs
• Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
• Test, debug, and contribute charts: ArtifactHub/packages

Security fixes

• GHSA-hr2v-4r36-88hr Helm Chart extraction output directory collapse via Chart.yaml name dot-segment

Installation and Upgrading

Download Helm v3.20.2. The common platform binaries are here:

• MacOS amd64 (checksum / 7de04301f28b902a74f6286ed941cadc86ee5e6a9086a18f2ccf1f548e99d618)
• MacOS arm64 (checksum / 139c794c22f16b579d08ddd3008c8038b9bb2814f35b5bcca91f50a1f458978d)
• Linux amd64 (checksum / 258e830a9e613c8a7a302d6059b4bb3b9758f2f3e1bb8ea0d707ce10a9a72fea)
• Linux arm (checksum / a8a614c740399ff1ef32bcea6be6e4523f17e3376f9cf55c192cc48c8f2d1f19)
• Linux arm64 (checksum / 5ea2d6bc2cda3f8edf985e028809f5a9278f404fb8ab24044de9b7cb9b79a691)
• Linux i386 (checksum / 88e4c1834307cdbc9f3b80920e1a383e4ba50bb488fb0be1b1fbd4918bb6ae73)
• Linux ppc64le (checksum / 98bb26a2f3c0b0c1a50db3181dff192554e0c204a07427d98d6b01e259f23cbe)
• Linux s390x (checksum / 584dd77ef8096d6ef939a1822f72840e749fc8311b2b13ae94df5f786862a56b)
• Linux riscv64 (checksum / 957391d0710d72678acd09959b5dc77888cd007a78a4b99944d3b2fc7e1895ca)
• Windows amd64 (checksum / 24e8e5b71bab4ee17e6f989931ecf4fb144f9916cbe9990c0b6b2ec7b925c454)
• Windows arm64 (checksum / 7c940a73a6882f50b69aec3282549da4a49917669db18fc503db930fb74b9789)

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

• 4.1.5 and 3.20.3 are the next patch (bug fix) releases and will be on April 8, 2026
• 4.2.0 and 3.21.0 are the next minor (feature) releases and will be on May 13, 2026

Changelog

• fix: Chart dot-name path bug 8fb76d6ab555577e98e23b7500009537a471feee (George Jenkins)
• fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow 3a8927e275c50cecde273872dad2a5576bd46375 (Terry Howe)

Helm v3.20.1 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:

... (truncated)

Commits

• 8fb76d6 fix: Chart dot-name path bug
• 3a8927e fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow
• a2369ca chore(deps): bump the k8s-io group with 7 updates
• 90e1056 add image index test
• 911f2e9 fix pulling charts from OCI indices
• 76dad33 Remove refactorring changes from coalesce_test.go
• 45c12f7 Fix import
• 26c6f19 Update pkg/chart/common/util/coalesce_test.go
• 09f5129 Fix lint warning
• 417deb2 Preserve nil values in chart already
• Additional commits viewable in compare view

Updates github.com/containerd/containerd from 1.7.30 to 1.7.32

Release notes

Sourced from github.com/containerd/containerd's releases.

containerd 1.7.32

Welcome to the v1.7.32 release of containerd!

The thirty-second patch release for containerd 1.7 contains various fixes and updates including a security patch.

• containerd

  • CVE-2026-46680

• Allow hosts.toml to contain only root-level fields without an explicit [host] section (#10028)

• Fix handling of out-of-range USER values in OCI spec to avoid unexpected username/group lookups (#13450)

• Apply hardening to block AF_ALG in default socket policy (#13406)

• Support both "volatile" and "fsync=volatile" mount options for volatile snapshotter (#13299)

• Set AppArmor abi conditionally to support versions < 3.0 (#13273)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

• Maksym Pavlenko
• Chris Henzie
• Derek McGowan
• Paweł Gronowski
• Samuel Karp
• Wei Fu
• Brad Davidson
• Brian Goff
• LEI WANG
• Phil Estes

• bc87d865c Prepare release notes for v1.7.32
• oci: return explicit error for out-of-range USER values (#13450)
  • 503f47946 oci: return explicit error for out-of-range USER values
• seccomp: Block AF_ALG in default socket policy (#13406)
  • e55b747d3 seccomp: Block AF_ALG in default socket policy
  • 4627a65f8 seccomp: Document socket rule scope and socketcall limitation
• Fix issue with empty host tree in hosts.toml (#10028)
  • 24007441d Fix error parsing hosts.toml without any host tree
• Support both styles of volatile mount option (#13299)
  • 940733149 Support both styles of volatile mount option
• apparmor: Set abi conditionally (#13273)
  • 2b732c892 apparmor: Set abi conditionally
• Add GitHub Action for k8s node e2e tests (#13258)
  • 0db1e143a Add GitHub Action for k8s node e2e tests
• Update release process after 1.7 (#13236)
  • 3223a75c2 Update for latest updates to release tool

... (truncated)

Commits

• 180a7b7 Merge pull request #13452 from samuelkarp/prepare-1.7.32
• bc87d86 Prepare release notes for v1.7.32
• 6a05ddd Merge pull request #13450 from samuelkarp/oci-withuser-errrange-1.7
• 9c3d01b Merge pull request #13406 from k8s-infra-cherrypick-robot/cherry-pick-13327-t...
• e55b747 seccomp: Block AF_ALG in default socket policy
• 4627a65 seccomp: Document socket rule scope and socketcall limitation
• 33d9e24 Merge pull request #10028 from brandond/fix-hosts-toml
• 503f479 oci: return explicit error for out-of-range USER values
• 4393e22 Merge pull request #13299 from chrishenzie/release/1.7-volatile
• 9407331 Support both styles of volatile mount option
• Additional commits viewable in compare view

Updates google.golang.org/grpc from 1.78.0 to 1.79.3

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.79.3

Security

• server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error. (#8981)

Release 1.79.2

Bug Fixes

• stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. (grpc/grpc-go#8874)

Release 1.79.1

Bug Fixes

• grpc: Remove the -dev suffix from the User-Agent header. (grpc/grpc-go#8902)

Release 1.79.0

API Changes

• mem: Add experimental API SetDefaultBufferPool to change the default buffer pool. (#8806)
  • Special Thanks: @​vanja-p
• experimental/stats: Update MetricsRecorder to require embedding the new UnimplementedMetricsRecorder (a no-op struct) in all implementations for forward compatibility. (#8780)

Behavior Changes

• balancer/weightedtarget: Remove handling of Addresses and only handle Endpoints in resolver updates. (#8841)

New Features

• experimental/stats: Add support for asynchronous gauge metrics through the new AsyncMetricReporter and RegisterAsyncReporter APIs. (#8780)
• pickfirst: Add support for weighted random shuffling of endpoints, as described in gRFC A113.
  • This is enabled by default, and can be turned off using the environment variable GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING. (#8864)
• xds: Implement :authority rewriting, as specified in gRFC A81. (#8779)
• balancer/randomsubsetting: Implement the random_subsetting LB policy, as specified in gRFC A68. (#8650)
  • Special Thanks: @​marek-szews

Bug Fixes

• credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. (#8726)
  • Special Thanks: @​Atul1710
• xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in CONNECTING state. (#8813)
• health: Fix a bug where health checks failed for clients using legacy compression options (WithDecompressor or RPCDecompressor). (#8765)
  • Special Thanks: @​sanki92
• transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. (#8769)
  • Special Thanks: @​joybestourous
• server: Propagate status detail headers, if available, when terminating a stream during request header processing. (#8754)
  • Special Thanks: @​joybestourous

Performance Improvements

• credentials/alts: Optimize read buffer alignment to reduce copies. (#8791)
• mem: Optimize pooling and creation of buffer objects. (#8784)
• transport: Reduce slice re-allocations by reserving slice capacity. (#8797)

Commits

• dda86db Change version to 1.79.3 (#8983)
• 72186f1 grpc: enforce strict path checking for incoming requests on the server (#8981)
• 97ca352 Changing version to 1.79.3-dev (#8954)
• 8902ab6 Change the version to release 1.79.2 (#8947)
• a928670 Cherry-pick #8874 to v1.79.x (#8904)
• 06df363 Change version to 1.79.2-dev (#8903)
• 782f2de Change version to 1.79.1 (#8902)
• 850eccb Change version to 1.79.1-dev (#8851)
• 765ff05 Change version to 1.79.0 (#8850)
• 68804be Cherry pick #8864 to v1.79.x (#8896)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.