Found security vulnerability in chartmuseum v0.15.0 #631

Closed
Kiran-38 opened this issue Oct 12, 2022 · 4 comments
Comments

Kiran-38 commented Oct 12, 2022

Hi,
The chartMuseum binary contains the helm.sh/helm/v3 v3.9.3 library, which is flagged as a security risk and needs to be updated to the latest version (3.9.4 or above) to resolve the issue.

The mentioned library is coming as a derived dependency, as is verified by searching for it in the go.mod file. It is because of this vulnerable library that all the images having even the latest chartMuseum binary baked into them are failing the security scans.

I believe a branch has already been created for it: https://github.com/helm/chartmuseum/blob/dependabot/go_modules/helm.sh/helm/v3-3.10.0/go.mod. If possible, can you please say when we can expect the fix? Thanks
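As an added example (not code from this issue or from the ChartMuseum project): a small POSIX shell check of the kind a scanner performs, reading the output of `go version -m <binary>`, picking out the version of a named module embedded in the build, and comparing it against the version the report considers fixed. The build-info text below is a constructed sample with a placeholder module path and placeholder hashes; on a real binary the same functions are fed by `go version -m`.

```shell
#!/bin/sh
# Added example, not from the issue or the ChartMuseum project.
# Checks whether a Go binary embeds a module below a given fixed version.

# Constructed sample of `go version -m <binary>` output. The module path
# example.invalid/app and the h1: hashes are placeholders, not real values.
sample_buildinfo() {
  printf 'app: go1.18.6\n'
  printf '\tpath\texample.invalid/app/cmd/app\n'
  printf '\tmod\texample.invalid/app\t(devel)\n'
  printf '\tdep\thelm.sh/helm/v3\tv3.9.3\th1:PLACEHOLDER=\n'
  printf '\tdep\tgithub.com/example/other\tv1.2.0\th1:PLACEHOLDER=\n'
}

# Print the version of module $1 from build info on stdin ("dep" lines only).
module_version() {
  awk -v mod="$1" '$1 == "dep" && $2 == mod { print $3; exit }'
}

# Return 0 if version $1 is lower than version $2 (forms "vX.Y.Z" or "X.Y.Z").
# A leading "v" and any pre-release/build suffix ("-rc1", "+meta") are ignored.
version_lt() {
  a=$(printf '%s' "$1" | sed 's/^v//; s/[-+].*$//')
  b=$(printf '%s' "$2" | sed 's/^v//; s/[-+].*$//')
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x:-0}
    y=${y:-0}
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# Read build info on stdin and check module $1 against fixed version $2.
# Exit 0: present at or above the fix; 1: present below the fix (flag);
# 2: module not present in the binary at all.
check_module() {
  mod=$1
  fixed=$2
  found=$(module_version "$mod")
  if [ -z "$found" ]; then
    echo "$mod: not found in build info"
    return 2
  fi
  if version_lt "$found" "$fixed"; then
    echo "$mod: $found is below fixed version $fixed (FLAG)"
    return 1
  fi
  echo "$mod: $found is at or above fixed version $fixed (ok)"
  return 0
}

# Demonstration on the constructed sample: v3.9.3 is below the 3.9.4 fix.
# On a real binary: go version -m ./chartmuseum | check_module helm.sh/helm/v3 v3.9.4
sample_buildinfo | check_module helm.sh/helm/v3 v3.9.4 || true
```

Running the check against the built binary rather than against go.mod answers the question the scanner is actually asking: which version was linked into the artifact that ships. On a source tree, `go mod why -m helm.sh/helm/v3` shows which direct dependency pulls the module in, which is the quickest way to confirm that it is transitive (as the issue states) and to see what has to be bumped.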

scbizu (Contributor) commented Oct 12, 2022

Could you put this kind of security issue in our pinned issue, #568? I will review and merge the dependabot PR ASAP. Thank you again ~

cbuto (Contributor) commented Jan 6, 2023

It looks like this should be resolved now and the next release of ChartMuseum will include the updated dependency. Can we close this @scbizu @Kiran-38?

Kiran-38 (Author) commented Jan 6, 2023

Yes, I believe we can close. May I know when we can expect the next release version of chartmuseum with these changes?

Kiran-38 (Author) commented

Hi @cbuto, is any newer version going to be available as a tar bundle, since the latest release (v0.15.0) is from July? Can you please give a tentative time for when it can be released? It would be appreciated if there is a release by the end of this month or so. Waiting for the update. Thanks

@scbizu scbizu closed this as completed Mar 6, 2023