Update module github.com/argoproj/argo-cd/v2 to v2.14.20 [SECURITY] #166
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
Author
ℹ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
renovate
bot
changed the title
renovate
bot
deleted the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
39fcd97 to
b1c5fc9
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
e053e89 to
b1c5fc9
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
baee4d7 to
b1c5fc9
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
d217627 to
b1c5fc9
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
7766848 to
b1c5fc9
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
4dc406b to
b1c5fc9
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
ff763b8 to
b1c5fc9
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
d8dc0af to
b1c5fc9
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
20e8f2c to
b1c5fc9
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
093e089 to
b1c5fc9
Compare
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
b1c5fc9 to
8cd09d6
Compare
renovate
bot
changed the title
Contributor
Author
|
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
8cd09d6 to
9845af6
Compare
renovate
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v2.12.0→v2.14.20GitHub Vulnerability Alerts
CVE-2025-23216
Impact
A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository.
The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.
Patches
A patch for this vulnerability is available in the following Argo CD versions:
Workarounds
There is no workaround other than upgrading.
References
Fixed with commit argoproj/argo-cd@6f5537b & argoproj/gitops-engine@7e21b91
CVE-2025-47933
Impact
This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository.
In
ui/src/app/shared/components/urls.ts, the following code exists to parse the repository URL.https://github.com/argoproj/argo-cd/blob/0ae5882d5ae9fe88efc51f65ca8543fb8c3a0aa1/ui/src/app/shared/components/urls.ts#L14-L26
Since this code doesn't validate the protocol of repository URLs, it's possible to inject
javascript:URLs here.https://github.com/argoproj/argo-cd/blob/0ae5882d5ae9fe88efc51f65ca8543fb8c3a0aa1/ui/src/app/shared/components/repo.tsx#L5-L7
As the return value of this function is used in the
hrefattribute of theatag, it's possible to achieve cross-site scripting by usingjavascript:URLs.Browsers may return the proper hostname for
javascript:URLs, allowing exploitation of this vulnerability.Patches
A patch for this vulnerability has been released in the following Argo CD versions:
The patch incorporates a way to validate the URL being passed in. Returning
nullif the validation fails.Workarounds
There are no workarounds other than depending on the browser to filter the URL.
Credits
Disclosed by @Ry0taK RyotaK.
For more information
Open an issue in the Argo CD issue tracker or discussions
Join us on Slack in channel #argo-cd
CVE-2025-55191
Summary
A race condition in the repository credentials handler can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL.
Details
The vulnerability is located in numerous repository related handlers in the
util/db/repository_secrets.gofile. For example, in thesecretToRepoCredfunction. The issue manifests as a concurrent map access panic:The race condition occurs due to:
A valid API token with
repositoriesresource permissions (create,update, ordeleteactions) is required to trigger the race condition.Impact
This vulnerability causes the entire Argo CD server to crash and become unavailable. Attackers can repeatedly and continuously trigger the race condition to maintain a denial-of-service state, disrupting all GitOps operations. Default ArgoCD configuration is vulnerable.
The affected code was originally introduced in PR #6103 and released in v2.1.0.
This data race was addressed by deep-copying the
Secretobjects before reading/writing.Credits
This vulnerability was found, reported and fixed by:
@thevilledev
The Argo team would like to thank him for his responsible disclosure and constructive communications during the resolve of this issue.
CVE-2025-59531
Summary
Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients.
With the default configuration, no
webhook.bitbucketserver.secretset, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Bitbucket-Server push event whose JSON fieldrepository.links.cloneis anything other than an array.A single unauthenticated curl request can push the control-plane into CrashLoopBackOff; repeating the request on each replica causes a complete outage of the API.
Details
If links.clone is a string, number, object, or null, the first type assertion panics:
interface conversion: interface {} is string, not []interface {}
The worker goroutine created by startWorkerPool lacks a recover, so the panic terminates the whole binary.
PoC
Save as payload-panic.json - note the non-array links.clone.
{ "eventKey": "repo:refs_changed", "repository": { "name": "guestbook", "fullName": "APP/guestbook", "links": { "clone": "boom" } }, "changes": [ { "ref": { "id": "refs/heads/master" } } ] }curl -k -X POST https://argocd.example.com/api/webhook \ -H 'X-Event-Key: repo:refs_changed' \ -H 'Content-Type: application/json' \ --data-binary @​payload-panic.jsonObserved crash (argocd-server restart):
Mitigation
If you use Bitbucket Server and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.
If you do not use Bitbucket Server, you can set the webhook secret to a long, random value to effectively disable webhook handling for Bitbucket Server payloads.
apiVersion: v1 kind: Secret metadata: name: argocd-secret type: Opaque data: + webhook.bitbucketserver.secret: <your base64-encoded secret here>For more information
Credits
Discovered by Jakub Ciolek at AlphaSense.
CVE-2025-59537
Summary
Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients.
With the default configuration, no
webhook.gogs.secretset, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON fieldcommits[].repois not set or is null.Details
Users can access
/api/webhookwithout authentication, and when accessing this endpoint, theHandlerfunction parses webhook type messages according to theheader (e.g. X-Gogs-Event)andbodyparameters provided by the user. TheParsefunction simply unmarshals JSON-type messages. In other words, it returns a data structure even if the data structure is not exactly matched.The
affectedRevisionInfofunction parses data according to webhook event types(e.g.gogsclient.PushPayload). However, due to the lack of data structure validation corresponding to these events, an attacker can cause a Denial of Service (DoS) attack by sending maliciously crafted data. because of Repository is Pointer Type.PoC
payload-gogs.json
{ "ref": "refs/heads/master", "before": "0000000000000000000000000000000000000000", "after": "0a05129851238652bf806a400af89fa974ade739", "commits": [{}] }An attacker can cause a DoS and make the argo-cd service unavailable by continuously sending unauthenticated requests to
/api/webhook.Mitigation
If you use Gogs and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.
If you do not use Gogs, you can set the webhook secret to a long, random value to effectively disable webhook handling for Gogs payloads.
apiVersion: v1 kind: Secret metadata: name: argocd-secret type: Opaque data: + webhook.gogs.secret: <your base64-encoded secret here>For more information
Credit
Sangjun Song (s0ngsari) at Theori (theori.io)
CVE-2025-59538
Summary
In the default configuration,
webhook.azuredevops.usernameandwebhook.azuredevops.passwordnot set, Argo CD’s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty.The slice index [0] is accessed without a length check, causing an index-out-of-range panic.
A single unauthenticated HTTP POST is enough to kill the process.
Details
If the attacker supplies "refUpdates": [], the slice has length 0.
The webhook code has no recover(), so the panic terminates the entire binary.
PoC
payload-azure-empty.json:
{ "eventType": "git.push", "resource": { "refUpdates": [], "repository": { "remoteUrl": "https://example.com/dummy", "defaultBranch": "refs/heads/master" } } }curl call:
curl -k -X POST https://argocd.example.com/api/webhook \ -H 'X-Vss-ActivityId: 11111111-1111-1111-1111-111111111111' \ -H 'Content-Type: application/json' \ --data-binary @​payload-azure-empty.jsonObserved crash:
Mitigation
If you use Azure DevOps and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.
If you do not use Azure DevOps, you can set the webhook secrets to long, random values to effectively disable webhook handling for Azure DevOps payloads.
For more information
Credits
Discovered by Jakub Ciolek at AlphaSense.
Release Notes
argoproj/argo-cd (github.com/argoproj/argo-cd/v2)
v2.14.20Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Bug fixes
4ab9cd4: fix: allow for backwards compatibility of durations defined in days (cherry-pick #24769 for 2.14) (#24772) (@argo-cd-cherry-pick-bot[bot])Other work
7b219ee: Merge commit from fork (@crenshaw-dev)e889f0a: Merge commit from fork (@crenshaw-dev)741f00e: Merge commit from fork (@crenshaw-dev)1f98e3f: Merge commit from fork (@thevilledev)Full Changelog: argoproj/argo-cd@v2.14.19...v2.14.20
v2.14.19Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Bug fixes
4a133ce: fix: limit number of resources in appset status (#24690) (#24694) (@alexmt)Other work
376525e: ci(release): only set latest release in github when latest (#24525) (#24688) (@agaudreault)Full Changelog: argoproj/argo-cd@v2.14.18...v2.14.19
v2.14.18Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Bug fixes
caa4dc1: fix(util): Fix default key exchange algorthims used for SSH connection to be FIPS compliant (#24499) (@anandf)4f6686f: fix: correct post-delete finalizer removal when cluster not found (cherry-pick #24415 for 2.14) (#24591) (@argo-cd-cherry-pick-bot[bot])4359b3c: fix: use informer in webhook handler to reduce memory usage (#24622) (#24628) (@alexmt)Documentation
3d76aa5: docs: Update URL for HA manifests to stable. (#24456) (@Kelketek)Other work
981e7f7: fix(2.14): change the appset namespace to server namespace when generating appset (#24481) (@nitishfy)Full Changelog: argoproj/argo-cd@v2.14.17...v2.14.18
v2.14.17Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Full Changelog: argoproj/argo-cd@v2.14.16...v2.14.17
v2.14.16Compare Source
Quick Start
Use v2.14.17
There was an issue with immutable releases for v2.14.16 which caused some release steps to fail (uploading provenance and SBOMs). There should be nothing wrong with v2.14.16, but v2.14.17 is equivalent with a fully-successful release.
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Bug fixes
5d0a4f0: fix(appset): When Appset is deleted, the controller should reconcile applicationset #23723 (cherry-pick ##23823) (#23832) (@rumstead)d95b710: fix(controller): get commit server url from env (cherry-pick #23536) (#23543) (@gcp-cherry-pick-bot[bot])72e2387: fix(security): repository.GetDetailedProject exposes repo secrets (#24389) (@crenshaw-dev)8a3b2fd: fix(server): infer resource status health for apps-in-any-ns (#22944) (#23707) (@crenshaw-dev)ddb6073: fix: improves the ui message when an operation is terminated due to controller sync timeout (cherry-pick #23657) (#23673) (@gcp-cherry-pick-bot[bot])Other work
510b775: chore(cherry-pick-2.14): replace bitnami images (#24289) (@nitishfy)d77ecdf: chore: adds all components in goreman run script (cherry-pick #23777) (#23790) (@gcp-cherry-pick-bot[bot])f9bb3b6: chore: update Go to 1.24.6 (release-2.14) (#24091) (@thevilledev)f8eba3e: fix(cherry-pick-2.14): custom resource health for flux helm repository of type oci (#24339) (@adberger)Full Changelog: argoproj/argo-cd@v2.14.15...v2.14.16
v2.14.15Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Bug fixes
ec51989: fix(applicationset): requeue applicationste when application status changes (#23413) (@rumstead)da2ef7d: fix(sync): auto-sync loop when FailOnSharedResource (#23357) (@agaudreault)Full Changelog: argoproj/argo-cd@v2.14.14...v2.14.15
v2.14.14Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Bug fixes
a2361bf: fix: add cooldown to prevent resetting autoheal exp backoff preemptively (cherry-pick #23057) (#23188) (@gdsoumya)14fa0e0: fix: parse project with applicationset resource (cherry-pick #23252) (#23268) (@gcp-cherry-pick-bot[bot])2aceb1d: fix: update broken yarn.lock (#23212) (@svghadi)Other work
3c68b26: chore: upgrade Go from 1.23.4 to 1.24.4 (release-2.14) (#23294) (@thevilledev)e24ee58: chore: upgrade golangci-lint to v2 (release-2.14) (#23305) (@thevilledev)5f89062: chore: upgrade mockery to v2.53.4 (release-2.14) (#23316) (@thevilledev)Full Changelog: argoproj/argo-cd@v2.14.13...v2.14.14
v2.14.13Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
This release fixes a critical security issue: GHSA-2hj5-g64g-fp6p
Other work
24d5722: Merge commit from fork (@crenshaw-dev)d213c30: chore: bump gitops-engine ssd fix (#23072) (@pjiang-dev)Full Changelog: argoproj/argo-cd@v2.14.12...v2.14.13
v2.14.12Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Bug fixes
f7ad2ad: fix(ApplicationSet): Check strategy type to verify it's a progressive sync (cherry-pick #22563) (#22833) (@gcp-cherry-pick-bot[bot])ced6a78: fix(health): handle nil lastTransitionTime (#22897) (cherry-pick #22900) (#22909) (@gcp-cherry-pick-bot[bot])25235fb: fix(test): broken e2e test (cherry-pick #22975) (#23052) (@gcp-cherry-pick-bot[bot])78e61ba: fix: Only port-forward to ready pods (#10610) (cherry-pick #22794) (#22826) (@mikebryant)fe93963: fix: do not normalize resource tracking on live crds (#22722) - cherrypick 2.14 (#22746) (@blakepettersson)5bc6f47: fix: infinite reconciliation loop when app is in error (#23047) (@agaudreault)b163de0: fix: remove project from cache key for project scoped credentials (#22816) (@pjiang-dev)Dependency updates
efe5d29: chore(deps): resolve CVE GO-2025-3540, GO-2025-3503, GO-2025-3487 within 2.14.10 (#22709) (@nathanlaceyraft)Other work
3a9ab77: fix(commit-server): apply image override (cherry-pick #22916) (#22918) (@gcp-cherry-pick-bot[bot])Full Changelog: argoproj/argo-cd@v2.14.11...v2.14.12
v2.14.11Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Features
91f5445: feat(hydrator): handle sourceHydrator fields from webhook (#19397) (cherry-pick #22485) (#22754) (@gcp-cherry-pick-bot[bot])Bug fixes
0451723: fix(appset): generated app errors should use the default requeue (#21887) (cherry-pick #21936) (#22672) (@gcp-cherry-pick-bot[bot])f6f7d29: fix(ui): avoid spurious error on hydration (#22506) (cherry-pick #22711) (#22714) (@gcp-cherry-pick-bot[bot])Full Changelog: argoproj/argo-cd@v2.14.10...v2.14.11
v2.14.10Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Bug fixes
b31d700: fix(cli): wrong variable to store --no-proxy value (cherry-pick #21226) (#22590) (@gcp-cherry-pick-bot[bot])6b15a04: fix: [cherry-pick] selfhealattemptscount needs to be reset at times (#22095, #20978) (#22583) (@Aaron-9900)be81419: fix: login return_url doesn't work with custom server paths (cherry-pick #21588) (#22594) (@gcp-cherry-pick-bot[bot])3b308d6: fix: respect delete confirmation for argocd app deletion (cherry-pick #22657) (#22664) (@gcp-cherry-pick-bot[bot])Dependency updates
4826fb0: chore(deps): Update github.com/expr-lang/expr to v1.17.0 fixing CVE-2025-29786 (#22651) (@heshamelsherif97)Full Changelog: argoproj/argo-cd@v2.14.9...v2.14.10
v2.14.9Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Bug fixes
31a5545: fix: Check for semver constraint matching in application webhook handler (cherry-pick #21648) (#22508) (@gcp-cherry-pick-bot[bot])Other work
c868711: chore(dep): bump gitops-engine 2.14 (#22520) (@pjiang-dev)Full Changelog: argoproj/argo-cd@v2.14.8...v2.14.9
v2.14.8Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Bug fixes
9a9e62d: fix(server): fully populate app destination before project checks (#22408) (#22426) (@crenshaw-dev)7acdaa9: fix: CVE-2025-26791 upgrading redoc dep to 2.4.0 to avoid DOMPurify b… (#21997) (@nmirasch)872319e: fix: handle annotated git tags correctly in repo server cache (#21771) (#22424) (@aali309)Dependency updates
9f832cd: chore(deps): bump github.com/golang-jwt/jwt to 4.5.2/5.2.2 (#22465) (@crenshaw-dev)Other work
ec45e33: fix(ui, rbac): project-roles (#21829) (2.14 backport) (#22461) (@blakepettersson)Full Changelog: argoproj/argo-cd@v2.14.7...v2.14.8
v2.14.7Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Dependency updates
3940782: chore(deps): bump gitops engine (#22405) (@crenshaw-dev)Full Changelog: argoproj/argo-cd@v2.14.6...v2.14.7
v2.14.6Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Features
38c0376: feat(server): make deep copies of objects returned by informers (#22173) (#22179) (#22340) (@rumstead)Dependency updates
defd4be: chore(deps): Update go-git from 5.12.0 to 5.13.2 to include several CVE fixes (#22313) (@anandf)Full Changelog: argoproj/argo-cd@v2.14.5...v2.14.6
v2.14.5Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI bina
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.