Defensive bump of the local Helm CLI plugin's pinned version from v3.17.1 to v3.20.2 to address CVE-2026-35206 (Helm chart extraction directory collapse via dot-segment chart name in Chart.yaml).
The vulnerable code path is helm pull --untar, which is exercised by test-runner/entrypoint.sh:218 against trusted ComposioHQ chart references. Practical impact is LOW (we control the charts and the OCI registry), but the defense-in-depth bump aligns with our standard upgrade posture.
| Field | Value |
| --- | --- |
| Affected versions | <= 3.20.1 |
| Fixed versions | 3.20.2 |
| Severity | Moderate |
| Advisory | GHSA-hr2v-4r36-88hr |
Note: CVE-2026-35204 / CVE-2026-35205 in the same April 2026 batch only affect Helm 4.0.0–4.1.3 and do NOT impact this repo.
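As an added example (not Helm's code and not part of this PR), a pre-extraction check of the kind a caller of helm pull --untar could apply on its own side: it reads the chart name from Chart.yaml and refuses anything that is not a single safe path segment, so the untar target can never collapse onto the destination directory. The name character set, the minimal YAML field extraction and the sample Chart.yaml inputs are constructed assumptions, not the validation Helm 3.20.2 itself performs.

```typescript
// Added defensive example; not Helm's code and not part of this repo's PR.
// It demonstrates the class of check relevant to the advisory above: the
// chart name taken from Chart.yaml must be exactly one safe path segment.
import * as path from "node:path";

// Minimal extraction of the `name:` field from a Chart.yaml document.
// Deliberate simplification (assumption): not a full YAML parser.
export function chartNameFromChartYaml(chartYaml: string): string | null {
  const m = chartYaml.match(/^name:\s*["']?([^"'\r\n#]*?)["']?\s*(?:#.*)?$/m);
  return m ? m[1].trim() : null;
}

// A chart name is safe only if it is non-empty, is not "." or "..",
// contains no path separators or NUL bytes, and uses the conservative
// character set [A-Za-z0-9._-] starting with an alphanumeric (assumption;
// stricter than any particular Helm rule). Dot-only names fail the start rule.
export function isSafeChartName(name: string): boolean {
  if (name.length === 0 || name === "." || name === "..") return false;
  if (/[\\/\0]/.test(name)) return false;
  return /^[A-Za-z0-9][A-Za-z0-9._-]*$/.test(name);
}

// Resolve the directory an untar step would write into and confirm it is a
// strict child of destDir. Returns the resolved path, or null when unsafe.
export function safeUntarTarget(destDir: string, chartYaml: string): string | null {
  const name = chartNameFromChartYaml(chartYaml);
  if (name === null || !isSafeChartName(name)) return null;
  const base = path.resolve(destDir);
  const target = path.resolve(base, name);
  // Defense in depth: even after the name check, require the base + separator prefix,
  // which rejects any name that resolves to the destination itself or above it.
  if (!target.startsWith(base + path.sep)) return null;
  return target;
}

// Constructed sample inputs (not real charts).
export const GOOD_CHART_YAML = "apiVersion: v2\nname: my-service\nversion: 1.0.0\n";
export const DOT_CHART_YAML = "apiVersion: v2\nname: .\nversion: 1.0.0\n";
export const DOTDOT_CHART_YAML = "apiVersion: v2\nname: ..\nversion: 1.0.0\n";
```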
Verification:
- pnpm typecheck -> PASS (no errors)
- src/cli/plugins/helm.ts is a single-line constant change
- https://get.helm.sh/helm-v3.20.2-linux-amd64.tar.gz resolves and matches the official release

Origin: cron-48e51eab745f / zen-cron-2d038a3c3e9d | Triggered by: dhawal@composio.dev | Source: cron | Session: https://zen-api-production-4c98.up.railway.app/dashboard/#/chat/zen-cron-2d038a3c3e9d