[Wolfi Package Update]: `argo-cd-3.3-repo-server`

[nfsouzaj]

Package name

argo-cd-3.3-repo-server

Current version in Wolfi

Depends on helm~3, which resolves to helm-3 3.19.2-r2 (EOL)

Requested version

Use rancher-helm-3 (Helm 3.20.x) or a rebuilt helm-3 based on Helm 3.20.x

Upstream project URL

https://github.com/argoproj/argo-cd

Problem

argo-cd-3.3-repo-server depends on helm~3, which resolves to the removed and frozen helm-3 package (3.19.2-r2).

This version carries unfixed Go runtime CVEs:

• CVE-2025-68121 (CRITICAL) – crypto/tls session resumption
• CVE-2025-61732 (HIGH) – cmd/cgo code smuggling

Helm 3.20.0+ (available via rancher-helm-3) contains the fixes.

Steps to reproduce

NA

Root cause (if known)

• helm-3.yaml was removed in PR Remove non-latest version streams #75622 (December 2025)
• argo-cd-3.3.yaml still declares helm~3 at line ~83

Proposed solution

• Update dependency to rancher-helm-3, OR
• Reintroduce helm-3 based on upstream Helm 3.20.x

Testing performed

NA

Acceptance criteria

• The dependency resolves to a Helm version that includes CVE fixes
• The update aligns with Wolfi’s packaging and security model
• The updated package is maintainable over time
• No known outstanding security or supply-chain concerns

[jackwhelpton]

Is there a corresponding wolfi package for the CLI, or would that need a separate request?

[nfsouzaj]

@jackwhelpton Right now it’s running on helm3 which is build by wolfi. That would be okay, but the package has been deprecated (apparently a little too early) and is no longer getting updates. We can either move to Rancher’s Helm or resume rebuilding and maintaining Helm 3 until argo fully moves to helm4?