🔒 Kargo v1.10.5 is a security-focused patch release that dramatically reduces the CVE footprint of the published image, alongside a path-traversal hardening fix and an RBAC correction.
🔐 CVE Remediation
The published kargo image carried a large number of Critical/High CVEs, the bulk of which stemmed from a stale, Wolfi-sourced Helm binary that is no longer being patched, and from the Go toolchain used to build it. This release addresses them:
- Helm binary sourced from official releases (#6378): The bundled `helm` binary (used by the `kustomize-build` step's Helm plugin) is now downloaded directly from `get.helm.sh` (checksum-verified) and pinned to v3.21.0, rather than the unmaintained Wolfi `helm~3` package.
- Go builder bumped to 1.26.3 (#6380): The image is now built with `golang:1.26.3-trixie`, picking up Go standard-library CVE fixes.
- Go module dependency upgrades (#6328): A sweep of `go.mod` dependency bumps to clear additional advisories.
Together these reduce the image from 15 Critical / 68 High CVEs (as shipped in v1.10.4) to 0 Critical / 2 High — the residual Highs being a vendored containerd advisory with no fixed release available yet.
🐛 Fixes
- Reject path traversal in rendered resource filenames (#6346): Rendered resource filenames are now validated to prevent path-traversal escapes.
- Missing PromotionTask permissions in project admin role (#6335): The project admin `ClusterRole` was missing permissions for `PromotionTask` resources; they have now been added.
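The path-traversal fix above (#6346) comes down to one invariant: a rendered resource filename, once joined to the output directory, must still resolve inside that directory. The Go below is an added illustration written for these notes, not Kargo's own code from the fix; the function name `SafeRenderedPath` and the `/tmp/out` directory are assumptions. It goes slightly beyond the one case the notes mention by also rejecting absolute paths, NUL bytes, and a name that resolves to the output directory itself, while still allowing a legitimate filename that merely starts with `..`.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned when a rendered filename would escape outDir.
var ErrPathTraversal = errors.New("rendered filename escapes output directory")

// SafeRenderedPath joins outDir and name and returns the cleaned path, or an
// error if the result would not be a file strictly inside outDir.
// Hypothetical helper for illustration; not Kargo's implementation.
func SafeRenderedPath(outDir, name string) (string, error) {
	if name == "" {
		return "", errors.New("empty filename")
	}
	// NUL bytes can truncate the path at the OS boundary; never pass them on.
	if strings.ContainsRune(name, 0) {
		return "", errors.New("filename contains NUL byte")
	}
	// An absolute name ignores outDir entirely.
	if filepath.IsAbs(name) {
		return "", ErrPathTraversal
	}
	base := filepath.Clean(outDir)
	full := filepath.Clean(filepath.Join(base, name))

	// Rel resolves ".." components; the result tells us where full ended up.
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	switch {
	case rel == ".":
		// "." or "a/.." collapsed to the directory itself: no filename left.
		return "", errors.New("filename resolves to output directory itself")
	case rel == "..", strings.HasPrefix(rel, ".."+string(filepath.Separator)):
		// Only a leading ".." *component* is traversal; "..foo.yaml" is a
		// plain filename and passes this check.
		return "", ErrPathTraversal
	}
	return full, nil
}

func main() {
	// Constructed sample names covering the accepted and rejected cases.
	names := []string{
		"deploy.yaml",
		"sub/dir/svc.yaml",
		"..foo.yaml",
		"../escape.yaml",
		"a/../../escape.yaml",
		"/etc/passwd",
		".",
	}
	for _, n := range names {
		p, err := SafeRenderedPath("/tmp/out", n)
		if err != nil {
			fmt.Printf("%-22q rejected: %v\n", n, err)
			continue
		}
		fmt.Printf("%-22q ok: %s\n", n, p)
	}
}
```

The prefix check compares against `"../"` (with the separator) rather than `".."` alone; comparing against the bare `".."` would wrongly reject ordinary filenames such as `..foo.yaml`, which is the kind of false positive that tempts people to loosen the check later.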
Full Changelog: v1.10.4...v1.10.5