Report charts with the following bad dependency specifications as bad charts:
dependencies:
- name: foo
alias: baz # ← baz used twice
version: 1.0.0
- name: bar
alias: baz # ← baz used twice
version: 1.0.0
dependencies:
- name: foo
alias: bar # ← shadows chart below
version: 1.0.0
- name: bar
version: 1.0.0
dependencies:
- name: foo
version: 1.0.0
- name: foo # ← chart with same name as above (although version or repo will be different, this will not work currently)
version: 1.2.3
Closes#9169
Signed-off-by: Daniel Strobusch <1847260+dastrobu@users.noreply.github.com>
At this time both Go 1.19 and 1.20 are supported. The version
specified in the go.mod file is the minimum version we expect Helm
to be compiled against. This is the oldest supported version to
support environments where others compile Helm. The Helm project
is using Go 1.20 to build Helm itself.
Updating to Go 1.19 also includes dealing with io/ioutil
deprecation and some additional linting issues around staticcheck.
All the staticcheck issues were in test files so linting was
skipped for those.
Signed-off-by: Matt Farina <matt.farina@suse.com>
The directory created by `T.TempDir` is automatically removed when the
test and all its subtests complete.
Reference: https://pkg.go.dev/testing#T.TempDir
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
ref: https://github.com/helm/helm/security/advisories/GHSA-c38g-469g-cmgx
* Skip invalid chart versions when reading the repository index file or
when programmatically adding a chart version.
* Adds semver validation and strips non-printable characters and
normalizes spaces for string fields in Metadata.Validate()
* Fixes a unit test that was pulling a remote repo. Now uses a local
repo.
* Fixes ignored error in repo update command
Signed-off-by: Adam Reese <adam@reese.io>
LoadFiles needs to load the Chart.yaml file first. When later files
are loaded there are checks for metadata. If that is not loaded
the checks could be handled incorrectly.
Signed-off-by: Matt Farina <matt@mattfarina.com>
* Fixing issue with PAX headers in plugin archive
PAX Headers can be added by some systems that create archives. Helm
should ignore them when extracting.
There are two PAX headers. One is global and the other is not. Both
are ignored. The test adds only the PAX global header because the
Go tar package is unable to write the header that is not global.
Closes#8084
Signed-off-by: Matt Farina <matt@mattfarina.com>
* Removing the PAX header test as it is not working
The PAX header test was making a WriteHeader call and ignoring the
error. When writing the type TypeXHeader it was causing an error
that was being silently ignored. The Go tar package cannot write
this type and produces an error when one tries to. The error reads
"cannot manually encode TypeXHeader, TypeGNULongName, or TypeGNULongLink
headers"
Signed-off-by: Matt Farina <matt@mattfarina.com>
* Adding check of returned error in test
Adding a check for the returned error to make sure a non-nil value
is not returned.
Signed-off-by: Matt Farina <matt@mattfarina.com>
Removes the BOM prefix if present, in read files before
processing the data.
Affects the following pkg:
- pkg/chart/loader: directory and archive loader
- internal/ignore: when loading .helmignore file
Signed-off-by: Thomas FREYSS <thomas.freyss@gmail.com>
* Include requirements.* as Files in APIVersionV1
Fixes#6974.
This ensures that when reading a Chart marked with APIVersion v1, we
maintain the behaviour of Helm v2 and include the requirements.yaml and
requirements.lock in the Files collection, and hence produce charts that
work correctly with Helm v2.
Signed-off-by: Paul "Hampy" Hampson <p_hampson@wargaming.net>
* Write out requirements.lock for APIVersion1 Charts
This keeps the on-disk format consistent after `helm dependency update`
of an APIVersion1 Chart.
Signed-off-by: Paul "Hampy" Hampson <p_hampson@wargaming.net>
* Exclude 'dependencies' from APVersion1 Chart.yaml
This fixes `helm lint` against an APIVersion1 chart packaged with Helm
v3.
Signed-off-by: Paul "Hampy" Hampson <p_hampson@wargaming.net>
* Generate APIVersion v2 charts for dependency tests
As the generated chart contains no requirements.yaml in its files list,
but has dependencies in its metadata, it is not a valid APIVersion v1
chart.
Signed-off-by: Paul "Hampy" Hampson <p_hampson@wargaming.net>
* Generate APIVersion v2 charts for manager tests
Specifically for the charts that have dependencies, the generated chart
contains no requirements.yaml in its files but has dependencies in its
metadata. Hence it is not a valid APIVersion v1 chart.
Signed-off-by: Paul "Hampy" Hampson <p_hampson@wargaming.net>
Adding unit tests for an issue that has come up multiple times
where the archive processing code doesn't take into account the
`tar.TypeXHeader` / `tar.TypeXGlobalHeader` entries that GitHub
adds when creating a release archive for a chart, for example
`https://github.com/org/repo/master.tar.gz`.
Signed-off-by: Geoff Baskwill <me@geoffbaskwill.ca>
