fix(deps): update all ungrouped dependencies

[elastic-renovate-prod]

This PR contains the following updates:

Package	Type	Update	Change
cloud.google.com/go/storage	require	patch	v1.62.0 -> v1.62.1
docker	final	minor	29.3.1-cli -> 29.4.0-cli
github.com/aws/aws-sdk-go-v2/service/s3	require	minor	v1.98.0 -> v1.99.0
github.com/google/go-containerregistry	require	patch	v0.21.4 -> v0.21.5
golang.org/x/crypto	require	minor	v0.49.0 -> v0.50.0
golang.org/x/net	require	minor	v0.52.0 -> v0.53.0
google.golang.org/api	require	minor	v0.274.0 -> v0.275.0
helm.sh/helm/v4	require	patch	v4.1.3 -> v4.1.4
registry.access.redhat.com/ubi9/ubi-minimal	final	patch	9.7-1773939694 -> 9.7-1776104705

---

Release Notes

google/go-containerregistry (github.com/google/go-containerregistry)

v0.21.5

Compare Source

What's Changed

• Bump docker/cli v29.4.0, moby/api v1.54.1, moby/client v0.4.0 by @​thaJeztah in https://github.com/google/go-containerregistry/pull/2254
• update to Go 1.26.2 by @​thaJeztah in https://github.com/google/go-containerregistry/pull/2255
• Bump aws-actions/configure-aws-credentials from 6.0.0 to 6.1.0 in the actions group across 1 directory by @​dependabot[bot] inhttps://github.com/google/go-containerregistry/pull/22577
• build(deps): bump golang.org/x/tools from 0.43.0 to 0.44.0 in the go-deps group across 1 directory by @​dependabot[bot] inhttps://github.com/google/go-containerregistry/pull/22600

Full Changelog: google/go-containerregistry@v0.21.4...v0.21.5

googleapis/google-api-go-client (google.golang.org/api)

v0.275.0

Compare Source

Features

• all: Auto-regenerate discovery clients (#​3557) (2b2ef99)
• all: Auto-regenerate discovery clients (#​3560) (9437d4d)

helm/helm (helm.sh/helm/v4)

v4.1.4: Helm v4.1.4

Compare Source

Helm v4.1.4 is a security fix patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:
  • for questions and just to hang out
  • for discussing PRs, code, and bugs
• Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
• Test, debug, and contribute charts: ArtifactHub/packages

Security fixes

• GHSA-hr2v-4r36-88hr Helm Chart extraction output directory collapse via Chart.yaml name dot-segment
• GHSA-q5jf-9vfq-h4h7 Plugin verification fails open when .prov is missing, allowing unsigned plugin install
• GHSA-vmx8-mqv2-9gmg Path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory

A big thank you to the reporters of these issues (@​maru1009, @​1seal).

Installation and Upgrading

Download Helm v4.1.4. The common platform binaries are here:

• MacOS amd64 (checksum / abf09c8503ad1d8ef76d3737a058c3456a998aae5f5966fce4bb3031aeb1654e)
• MacOS arm64 (checksum / 7c2eca678e8001fa863cdf8cbf6ac1b3799f9404a89eb55c08260ef5732e658d)
• Linux amd64 (checksum / 70b2c30a19da4db264dfd68c8a3664e05093a361cefd89572ffb36f8abfa3d09)
• Linux arm (checksum / c4a7d37032379cc7e82c9c76487d1041b193c9a0fbb4b8f3790230899b830a4f)
• Linux arm64 (checksum / 13d03672be289045d2ff00e4e345d61de1c6f21c1257a45955a30e8ae036d8f1)
• Linux i386 (checksum / 3e9bcefb85293854367bea931d669bb742974bbd978b3960df921ed129ff40f9)
• Linux ppc64le (checksum / 35a48f5db5c655b4471b37be75e76bfb2b23fc8a95d0fa2f0f344f0694336358)
• Linux s390x (checksum / c5653d0b3687f008dc48f80219906b574af3b623ddc114f92383327299ad935e)
• Linux riscv64 (checksum / 9d747ed5761a6a5c15aa7ad108b65aee917d8e33448690e83a6451b6a48748e6)
• Windows amd64 (checksum / bd60f567f667631a2c9b698dfabe5e3cd52eaaf4264163c0a9cae566db8560e8)
• Windows arm64 (checksum / d0a651026da4a26b28bdfc3d455ce3dfacbc267182dc2225c2172b1dcc549643)

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

• 4.1.5 and 3.20.3 are the next patch (bug fix) releases and will be on April 8, 2026
• 4.2.0 and 3.21.0 are the next minor (feature) releases and will be on May 13, 2026

Changelog

• fix: Plugin missing provenance bypass 05fa379 (George Jenkins)
• fix: Chart dot-name path bug 4e7994d (George Jenkins)
• ignore error plugin loads (cli, getter) 2581943 (George Jenkins)
• fix: Plugin version path traversal 36c8539 (George Jenkins)
• fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow c61e086 (Terry Howe)

---

Configuration

📅 Schedule: Branch creation - "after 1am on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[elastic-renovate-prod]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 9 additional dependencies were updated

Details:

Package	Change
cloud.google.com/go/iam	v1.6.0 -> v1.7.0
github.com/docker/cli	v29.3.1+incompatible -> v29.4.0+incompatible
golang.org/x/mod	v0.34.0 -> v0.35.0
golang.org/x/net	v0.52.0 -> v0.53.0
golang.org/x/sys	v0.42.0 -> v0.43.0
golang.org/x/term	v0.41.0 -> v0.42.0
golang.org/x/text	v0.35.0 -> v0.36.0
golang.org/x/tools	v0.43.0 -> v0.44.0
google.golang.org/genproto/googleapis/api	v0.0.0-20260401001100-f93e5f3e9f0f -> v0.0.0-20260401024825-9d38bb4040a9

File name: hack/helm/release/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 7 additional dependencies were updated

Details:

Package	Change
cloud.google.com/go/iam	v1.6.0 -> v1.7.0
golang.org/x/crypto	v0.49.0 -> v0.50.0
golang.org/x/net	v0.52.0 -> v0.53.0
golang.org/x/sys	v0.42.0 -> v0.43.0
golang.org/x/term	v0.41.0 -> v0.42.0
golang.org/x/text	v0.35.0 -> v0.36.0
google.golang.org/genproto/googleapis/api	v0.0.0-20260401001100-f93e5f3e9f0f -> v0.0.0-20260401024825-9d38bb4040a9

File name: hack/operatorhub/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 2 additional dependencies were updated

Details:

Package	Change
github.com/docker/cli	v29.3.1+incompatible -> v29.4.0+incompatible
golang.org/x/sys	v0.42.0 -> v0.43.0

[prodsecmachine]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[github-actions]

🔍 Preview links for changed docs

• docs/reference/third-party-dependencies/main.md

[github-actions]

Vale Linting Results

Summary: 1 warning found

⚠️ Warnings (1)

File	Line	Rule	Message
docs/reference/third-party-dependencies/main.md	17	Elastic.BritishSpellings	Use American English spelling 'license' instead of British English 'Licence'.

---

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.