chore(deps): bump SonarSource/sonarqube-scan-action from 7.0.0 to 7.1.0 (#27116)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/bump-major-version.yaml

@@ -37,7 +37,7 @@ jobs:
         working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
 
       - name: Setup Golang
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Add ~/go/bin to PATH

.github/workflows/cherry-pick-single.yml

@@ -32,7 +32,7 @@ jobs:
     steps:
       - name: Generate a token
         id: generate-token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2
         with:
           app-id: ${{ secrets.CHERRYPICK_APP_ID }}
           private-key: ${{ secrets.CHERRYPICK_APP_PRIVATE_KEY }}

.github/workflows/ci-build.yaml

@@ -57,7 +57,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup Golang
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Download all Go modules
@@ -77,7 +77,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup Golang
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Restore go build and module cache
@@ -108,7 +108,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup Golang
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Run golangci-lint
@@ -136,7 +136,7 @@ jobs:
       - name: Create symlink in GOPATH
         run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
       - name: Setup Golang
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
@@ -204,7 +204,7 @@ jobs:
       - name: Create symlink in GOPATH
         run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
       - name: Setup Golang
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
@@ -264,7 +264,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup Golang
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Create symlink in GOPATH
@@ -404,7 +404,7 @@ jobs:
       - name: Upload code coverage information to codecov.io
         # Only run when the workflow is for upstream (PR target or push is in argoproj/argo-cd).
         if: github.repository == 'argoproj/argo-cd'
-        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5.5.3
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
         with:
           files: test-results/full-coverage.out
           fail_ci_if_error: true
@@ -413,7 +413,7 @@ jobs:
       - name: Upload test results to Codecov
         # Codecov uploads test results to Codecov.io on upstream master branch.
         if: github.repository == 'argoproj/argo-cd' && github.ref == 'refs/heads/master' && github.event_name == 'push'
-        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5.5.3
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
         with:
           files: test-results/junit.xml
           fail_ci_if_error: true
@@ -423,7 +423,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 # v7.0.0
+        uses: SonarSource/sonarqube-scan-action@299e4b793aaa83bf2aba7c9c14bedbb485688ec4 # v7.1.0
         if: env.sonar_secret != ''
   test-e2e:
     name: Run end-to-end tests
@@ -466,7 +466,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup Golang
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Set GOPATH
@@ -510,7 +510,7 @@ jobs:
           go mod download
       - name: Install goreman
         run: |
-          go install github.com/mattn/goreman@latest
+          go install github.com/mattn/goreman@v0.3.17
       - name: Install all tools required for building & testing
         run: |
           make install-test-tools-local

.github/workflows/codeql.yml

@@ -44,7 +44,7 @@ jobs:
 
     # Use correct go version. https://github.com/github/codeql-action/issues/1842#issuecomment-1704398087
     - name: Setup Golang
-      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
         go-version-file: go.mod
       

.github/workflows/image-reuse.yaml

@@ -67,16 +67,26 @@ jobs:
         if: ${{ github.ref_type != 'tag'}}
 
       - name: Setup Golang
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: ${{ inputs.go-version }}
           cache: false
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
 
-      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
-      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        with:
+          image: tonistiigi/binfmt@sha256:d3b963f787999e6c0219a48dba02978769286ff61a5f4d26245cb6a6e5567ea3 #qemu-v10.0.4
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        with:
+          # buildkit v0.28.1
+          driver-opts: |
+            image=moby/buildkit@sha256:a82d1ab899cda51aade6fe818d71e4b58c4079e047a0cf29dbb93b2b0465ea69
+            
 
       - name: Setup tags for container image as a CSV type
         run: |

.github/workflows/release.yaml

@@ -133,7 +133,7 @@ jobs:
         run: git fetch --force --tags
 
       - name: Setup Golang
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
           cache: false
@@ -162,7 +162,7 @@ jobs:
         uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
         id: run-goreleaser
         with:
-          version: latest
+          version: v2.14.3
           args: release --clean --timeout 55m
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -219,7 +219,7 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Setup Golang
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
           cache: false

.github/workflows/renovate.yaml

@@ -22,11 +22,17 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
 
+      # Renovate do not pin their docker image versions to SHA, so
+      # when bumping renovate action version please check if renovate image
+      # has been updated (see it's numeric version in action.yaml)
+      # and update `renovate-version` parameter accordingly
       - name: Self-hosted Renovate
-        uses: renovatebot/github-action@68a3ea99af6ad249940b5a9fdf44fc6d7f14378b #46.1.6
+        uses: renovatebot/github-action@3633cede7d4d4598438e654eac4a695e46004420 #46.1.7
         with:
           configurationFile: .github/configs/renovate-config.js
           token: '${{ steps.get_token.outputs.token }}'
+          renovate-image: "ghcr.io/renovatebot/renovate@sha256"
+          renovate-version: "5dfeab680f40edd2713b8fcae574824e60d2c831b8d89cc965e51621894c7084" #43
         env:
           LOG_LEVEL: 'debug'
           RENOVATE_REPOSITORIES: '${{ github.repository }}'

Makefile

@@ -487,7 +487,7 @@ test-e2e:
 test-e2e-local: cli-local
 	# NO_PROXY ensures all tests don't go out through a proxy if one is configured on the test system
 	export GO111MODULE=off
-	DIST_DIR=${DIST_DIR} RERUN_FAILS=$(ARGOCD_E2E_RERUN_FAILS) PACKAGES="./test/e2e" ARGOCD_E2E_RECORD=${ARGOCD_E2E_RECORD} ARGOCD_CONFIG_DIR=$(HOME)/.config/argocd-e2e ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout $(ARGOCD_E2E_TEST_TIMEOUT) -v -args -test.gocoverdir="$(PWD)/test-results"
+	ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS=$${ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS:-true}  DIST_DIR=${DIST_DIR} RERUN_FAILS=$(ARGOCD_E2E_RERUN_FAILS) PACKAGES="./test/e2e" ARGOCD_E2E_RECORD=${ARGOCD_E2E_RECORD} ARGOCD_CONFIG_DIR=$(HOME)/.config/argocd-e2e ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout $(ARGOCD_E2E_TEST_TIMEOUT) -v -args -test.gocoverdir="$(PWD)/test-results"
 
 # Spawns a shell in the test server container for debugging purposes
 debug-test-server: test-tools-image

Procfile

@@ -10,5 +10,5 @@ git-server: test/fixture/testrepos/start-git.sh
 helm-registry: test/fixture/testrepos/start-helm-registry.sh
 oci-registry: test/fixture/testrepos/start-authenticated-helm-registry.sh
 dev-mounter: [ "$ARGOCD_E2E_TEST" != "true" ] && go run hack/dev-mounter/main.go --configmap argocd-ssh-known-hosts-cm=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} --configmap argocd-tls-certs-cm=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} --configmap argocd-gpg-keys-cm=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source}
-applicationset-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/applicationset-controller} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-applicationset-controller $COMMAND --loglevel debug --metrics-addr localhost:12345 --probe-addr localhost:12346 --argocd-repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
+applicationset-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/applicationset-controller} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-applicationset-controller ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS=${ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS:-true} $COMMAND --loglevel debug --metrics-addr localhost:12345 --probe-addr localhost:12346 --argocd-repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
 notification: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/notification} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_BINARY_NAME=argocd-notifications $COMMAND --loglevel debug --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --self-service-notification-enabled=${ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED:-'false'}"

README.md

@@ -19,7 +19,7 @@
 
 ## What is Argo CD?
 
-Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
+Argo CD is a declarative GitOps continuous delivery tool for Kubernetes.
 
 ![Argo CD UI](docs/assets/argocd-ui.gif)
 
@@ -45,7 +45,7 @@ Check live demo at https://cd.apps.argoproj.io/.
 
  You can reach the Argo CD community and developers via the following channels:
 
-* Q & A : [Github Discussions](https://github.com/argoproj/argo-cd/discussions)
+* Q & A : [GitHub Discussions](https://github.com/argoproj/argo-cd/discussions)
 * Chat : [The #argo-cd Slack channel](https://argoproj.github.io/community/join-slack)
 * Contributors Office Hours: [Every Thursday](https://calendar.google.com/calendar/u/0/embed?src=argoproj@gmail.com) | [Agenda](https://docs.google.com/document/d/1xkoFkVviB70YBzSEa4bDnu-rUZ1sIFtwKKG1Uw8XsY8)
 * User Community meeting: [First Wednesday of the month](https://calendar.google.com/calendar/u/0/embed?src=argoproj@gmail.com) | [Agenda](https://docs.google.com/document/d/1ttgw98MO45Dq7ZUHpIiOIEfbyeitKHNfMjbY5dLLMKQ)

applicationset/utils/createOrUpdate_test.go

@@ -5,7 +5,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"gopkg.in/yaml.v3"
+	"go.yaml.in/yaml/v3"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"

cmd/argocd/commands/app_resources.go

@@ -8,7 +8,7 @@ import (
 	"strings"
 	"text/tabwriter"
 
-	"gopkg.in/yaml.v3"
+	"go.yaml.in/yaml/v3"
 
 	"github.com/argoproj/argo-cd/v3/util/templates"
 

cmd/argocd/commands/applicationset.go

@@ -40,6 +40,10 @@ var appSetExample = templates.Examples(`
 
 	# Delete an ApplicationSet
 	argocd appset delete APPSETNAME (APPSETNAME...)
+
+	# Namespace precedence for --appset-namespace (-N):
+	# - get/delete: if the argument is namespace/name, that namespace wins; -N is ignored.
+	# - create/generate: metadata.namespace in the YAML wins when set; -N applies only when the manifest omits namespace.
 	`)
 
 // NewAppSetCommand returns a new instance of an `argocd appset` command
@@ -64,8 +68,9 @@ func NewAppSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 // NewApplicationSetGetCommand returns a new instance of an `argocd appset get` command
 func NewApplicationSetGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		output     string
-		showParams bool
+		output          string
+		showParams      bool
+		appSetNamespace string
 	)
 	command := &cobra.Command{
 		Use:   "get APPSETNAME",
@@ -73,6 +78,13 @@ func NewApplicationSetGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 		Example: templates.Examples(`
 	# Get ApplicationSets
 	argocd appset get APPSETNAME
+
+	# Get ApplicationSet in a specific namespace using qualified name (namespace/name)
+	argocd appset get APPSET_NAMESPACE/APPSETNAME
+
+	# Get ApplicationSet in a specific namespace using --appset-namespace flag
+	argocd appset get --appset-namespace=APPSET_NAMESPACE APPSETNAME
+
 		`),
 		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()
@@ -85,7 +97,7 @@ func NewApplicationSetGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 			conn, appIf := acdClient.NewApplicationSetClientOrDie()
 			defer utilio.Close(conn)
 
-			appSetName, appSetNs := argo.ParseFromQualifiedName(args[0], "")
+			appSetName, appSetNs := argo.ParseFromQualifiedName(args[0], appSetNamespace)
 
 			appSet, err := appIf.Get(ctx, &applicationset.ApplicationSetGetQuery{Name: appSetName, AppsetNamespace: appSetNs})
 			errors.CheckError(err)
@@ -113,6 +125,7 @@ func NewApplicationSetGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 	}
 	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide")
 	command.Flags().BoolVar(&showParams, "show-params", false, "Show ApplicationSet parameters and overrides")
+	command.Flags().StringVarP(&appSetNamespace, "appset-namespace", "N", "", "Only get ApplicationSet from a namespace (ignored when qualified name is provided)")
 	return command
 }
 
@@ -121,6 +134,7 @@ func NewApplicationSetCreateCommand(clientOpts *argocdclient.ClientOptions) *cob
 	var (
 		output               string
 		upsert, dryRun, wait bool
+		appSetNamespace      string
 	)
 	command := &cobra.Command{
 		Use:   "create",
@@ -129,6 +143,9 @@ func NewApplicationSetCreateCommand(clientOpts *argocdclient.ClientOptions) *cob
 	# Create ApplicationSets
 	argocd appset create <filename or URL> (<filename or URL>...)
 
+	# Create ApplicationSet in a specific namespace using
+	argocd appset create --appset-namespace=APPSET_NAMESPACE <filename or URL> (<filename or URL>...)
+
 	# Dry-run AppSet creation to see what applications would be managed
 	argocd appset create --dry-run <filename or URL> -o json | jq -r '.status.resources[].name' 
 		`),
@@ -157,6 +174,11 @@ func NewApplicationSetCreateCommand(clientOpts *argocdclient.ClientOptions) *cob
 				conn, appIf := argocdClient.NewApplicationSetClientOrDie()
 				defer utilio.Close(conn)
 
+				if appset.Namespace == "" && appSetNamespace != "" {
+					fmt.Printf("ApplicationSet YAML file does not have namespace; using --appset-namespace=%q.\n", appSetNamespace)
+					appset.Namespace = appSetNamespace
+				}
+
 				// Get app before creating to see if it is being updated or no change
 				existing, err := appIf.Get(ctx, &applicationset.ApplicationSetGetQuery{Name: appset.Name, AppsetNamespace: appset.Namespace})
 				if grpc.UnwrapGRPCStatus(err).Code() != codes.NotFound {
@@ -218,18 +240,23 @@ func NewApplicationSetCreateCommand(clientOpts *argocdclient.ClientOptions) *cob
 	command.Flags().BoolVar(&dryRun, "dry-run", false, "Allows to evaluate the ApplicationSet template on the server to get a preview of the applications that would be created")
 	command.Flags().BoolVar(&wait, "wait", false, "Wait until the ApplicationSet's resources are up to date. Will block indefinitely if the ApplicationSet has errors")
 	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide")
+	command.Flags().StringVarP(&appSetNamespace, "appset-namespace", "N", "", "Namespace where the ApplicationSet will be created in (ignored when provided YAML file has namespace set in metadata)")
 	return command
 }
 
 // NewApplicationSetGenerateCommand returns a new instance of an `argocd appset generate` command
 func NewApplicationSetGenerateCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var output string
+	var appSetNamespace string
 	command := &cobra.Command{
 		Use:   "generate",
 		Short: "Generate apps of ApplicationSet rendered templates",
 		Example: templates.Examples(`
 	# Generate apps of ApplicationSet rendered templates
 	argocd appset generate <filename or URL> (<filename or URL>...)
+
+	# Generate apps of ApplicationSet rendered templates in a specific namespace
+	argocd appset generate --appset-namespace=APPSET_NAMESPACE <filename or URL> (<filename or URL>...)
 `),
 		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()
@@ -252,6 +279,11 @@ func NewApplicationSetGenerateCommand(clientOpts *argocdclient.ClientOptions) *c
 				errors.Fatal(errors.ErrorGeneric, fmt.Sprintf("Error generating apps for ApplicationSet %s. ApplicationSet does not have Name field set", appset))
 			}
 
+			if appset.Namespace == "" && appSetNamespace != "" {
+				fmt.Printf("ApplicationSet YAML file does not have namespace; using --appset-namespace=%q.\n", appSetNamespace)
+				appset.Namespace = appSetNamespace
+			}
+
 			conn, appIf := argocdClient.NewApplicationSetClientOrDie()
 			defer utilio.Close(conn)
 
@@ -286,6 +318,7 @@ func NewApplicationSetGenerateCommand(clientOpts *argocdclient.ClientOptions) *c
 		},
 	}
 	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide")
+	command.Flags().StringVarP(&appSetNamespace, "appset-namespace", "N", "", "Namespace used for generating Applications (ignored when provided YAML file has namespace set in metadata)")
 	return command
 }
 
@@ -338,8 +371,9 @@ func NewApplicationSetListCommand(clientOpts *argocdclient.ClientOptions) *cobra
 // NewApplicationSetDeleteCommand returns a new instance of an `argocd appset delete` command
 func NewApplicationSetDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		noPrompt bool
-		wait     bool
+		noPrompt        bool
+		wait            bool
+		appSetNamespace string
 	)
 	command := &cobra.Command{
 		Use:   "delete",
@@ -347,6 +381,12 @@ func NewApplicationSetDeleteCommand(clientOpts *argocdclient.ClientOptions) *cob
 		Example: templates.Examples(`
 	# Delete an applicationset
 	argocd appset delete APPSETNAME (APPSETNAME...)
+
+	# Delete ApplicationSet in a specific namespace using qualified name (namespace/name)
+	argocd appset delete APPSET_NAMESPACE/APPSETNAME
+
+	# Delete ApplicationSet in a specific namespace using --appset-namespace flag
+	argocd appset delete --appset-namespace=APPSET_NAMESPACE APPSETNAME
 		`),
 		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()
@@ -375,7 +415,7 @@ func NewApplicationSetDeleteCommand(clientOpts *argocdclient.ClientOptions) *cob
 			promptUtil := utils.NewPrompt(isTerminal && !noPrompt)
 
 			for _, appSetQualifiedName := range args {
-				appSetName, appSetNs := argo.ParseFromQualifiedName(appSetQualifiedName, "")
+				appSetName, appSetNs := argo.ParseFromQualifiedName(appSetQualifiedName, appSetNamespace)
 
 				appsetDeleteReq := applicationset.ApplicationSetDeleteRequest{
 					Name:            appSetName,
@@ -412,6 +452,7 @@ func NewApplicationSetDeleteCommand(clientOpts *argocdclient.ClientOptions) *cob
 	}
 	command.Flags().BoolVarP(&noPrompt, "yes", "y", false, "Turn off prompting to confirm cascaded deletion of Application resources")
 	command.Flags().BoolVar(&wait, "wait", false, "Wait until deletion of the applicationset(s) completes")
+	command.Flags().StringVarP(&appSetNamespace, "appset-namespace", "N", "", "Namespace where the ApplicationSet will be deleted from (ignored when qualified name is provided)")
 	return command
 }
 

commitserver/commit/hydratorhelper.go

@@ -10,7 +10,7 @@ import (
 
 	"github.com/Masterminds/sprig/v3"
 	log "github.com/sirupsen/logrus"
-	"gopkg.in/yaml.v3"
+	"go.yaml.in/yaml/v3"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
 	"github.com/argoproj/argo-cd/v3/commitserver/apiclient"
@@ -102,9 +102,6 @@ func WriteForPaths(root *os.Root, repoUrl, drySha string, dryCommitMetadata *app
 		}
 	}
 	// if no manifest changes then skip commit
-	if !atleastOneManifestChanged {
-		return false, nil
-	}
 	return atleastOneManifestChanged, nil
 }
 
@@ -140,11 +137,13 @@ func writeReadme(root *os.Root, dirPath string, metadata hydrator.HydratorCommit
 	if err != nil && !os.IsExist(err) {
 		return fmt.Errorf("failed to create README file: %w", err)
 	}
+	defer func() {
+		err := readmeFile.Close()
+		if err != nil {
+			log.WithError(err).Error("failed to close README file")
+		}
+	}()
 	err = readmeTemplate.Execute(readmeFile, metadata)
-	closeErr := readmeFile.Close()
-	if closeErr != nil {
-		log.WithError(closeErr).Error("failed to close README file")
-	}
 	if err != nil {
 		return fmt.Errorf("failed to execute readme template: %w", err)
 	}

controller/appcontroller.go

@@ -1851,7 +1851,7 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 		logCtx = logCtx.WithField(k, v.Milliseconds())
 	}
 
-	ctrl.normalizeApplication(origApp, app)
+	ctrl.normalizeApplication(app)
 	ts.AddCheckpoint("normalize_application_ms")
 
 	tree, err := ctrl.setAppManagedResources(destCluster, app, compareResult)
@@ -2090,7 +2090,8 @@ func (ctrl *ApplicationController) refreshAppConditions(app *appv1.Application)
 }
 
 // normalizeApplication normalizes an application.spec and additionally persists updates if it changed
-func (ctrl *ApplicationController) normalizeApplication(orig, app *appv1.Application) {
+func (ctrl *ApplicationController) normalizeApplication(app *appv1.Application) {
+	orig := app.DeepCopy()
 	app.Spec = *argo.NormalizeApplicationSpec(&app.Spec)
 	logCtx := log.WithFields(applog.GetAppLogFields(app))
 
@@ -2689,7 +2690,7 @@ func (ctrl *ApplicationController) applyImpersonationConfig(config *rest.Config,
 	if !impersonationEnabled {
 		return nil
 	}
-	user, err := deriveServiceAccountToImpersonate(proj, app, destCluster)
+	user, err := settings_util.DeriveServiceAccountToImpersonate(proj, app, destCluster)
 	if err != nil {
 		return fmt.Errorf("error deriving service account to impersonate: %w", err)
 	}

controller/clusterinfoupdater.go

@@ -132,11 +132,11 @@ func (c *clusterInfoUpdater) getUpdatedClusterInfo(ctx context.Context, apps []*
 				continue
 			}
 		}
-		destCluster, err := argo.GetDestinationCluster(ctx, a.Spec.Destination, c.db)
+		destServer, err := argo.GetDestinationServer(ctx, a.Spec.Destination, c.db)
 		if err != nil {
 			continue
 		}
-		if destCluster.Server == cluster.Server {
+		if destServer == cluster.Server {
 			appCount++
 		}
 	}

controller/clusterinfoupdater_test.go

@@ -101,6 +101,121 @@ func TestClusterSecretUpdater(t *testing.T) {
 	}
 }
 
+func TestGetUpdatedClusterInfo_AppCount(t *testing.T) {
+	const fakeNamespace = "fake-ns"
+	const clusterServer = "https://prod.example.com"
+	const clusterName = "prod"
+
+	emptyArgoCDConfigMap := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      common.ArgoCDConfigMapName,
+			Namespace: fakeNamespace,
+			Labels:    map[string]string{"app.kubernetes.io/part-of": "argocd"},
+		},
+		Data: map[string]string{},
+	}
+	argoCDSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      common.ArgoCDSecretName,
+			Namespace: fakeNamespace,
+			Labels:    map[string]string{"app.kubernetes.io/part-of": "argocd"},
+		},
+		Data: map[string][]byte{"admin.password": nil, "server.secretkey": nil},
+	}
+	clusterSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "prod-cluster",
+			Namespace: fakeNamespace,
+			Labels:    map[string]string{common.LabelKeySecretType: common.LabelValueSecretTypeCluster},
+			Annotations: map[string]string{
+				common.AnnotationKeyManagedBy: common.AnnotationValueManagedByArgoCD,
+			},
+		},
+		Data: map[string][]byte{
+			"name":   []byte(clusterName),
+			"server": []byte(clusterServer),
+			"config": []byte("{}"),
+		},
+	}
+
+	kubeclientset := fake.NewClientset(emptyArgoCDConfigMap, argoCDSecret, clusterSecret)
+	settingsManager := settings.NewSettingsManager(t.Context(), kubeclientset, fakeNamespace)
+	argoDB := db.NewDB(fakeNamespace, settingsManager, kubeclientset)
+
+	apps := []*v1alpha1.Application{
+		{Spec: v1alpha1.ApplicationSpec{Destination: v1alpha1.ApplicationDestination{Name: clusterName}}},
+		{Spec: v1alpha1.ApplicationSpec{Destination: v1alpha1.ApplicationDestination{Server: clusterServer}}},
+		{Spec: v1alpha1.ApplicationSpec{Destination: v1alpha1.ApplicationDestination{Server: "https://other.example.com"}}},
+	}
+
+	updater := &clusterInfoUpdater{db: argoDB, namespace: fakeNamespace}
+	cluster := v1alpha1.Cluster{Server: clusterServer}
+
+	info := updater.getUpdatedClusterInfo(t.Context(), apps, cluster, nil, metav1.Now())
+
+	assert.Equal(t, int64(2), info.ApplicationsCount)
+}
+
+func TestGetUpdatedClusterInfo_AmbiguousName(t *testing.T) {
+	const fakeNamespace = "fake-ns"
+	const clusterServer = "https://prod.example.com"
+	const clusterName = "prod"
+
+	emptyArgoCDConfigMap := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      common.ArgoCDConfigMapName,
+			Namespace: fakeNamespace,
+			Labels:    map[string]string{"app.kubernetes.io/part-of": "argocd"},
+		},
+		Data: map[string]string{},
+	}
+	argoCDSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      common.ArgoCDSecretName,
+			Namespace: fakeNamespace,
+			Labels:    map[string]string{"app.kubernetes.io/part-of": "argocd"},
+		},
+		Data: map[string][]byte{"admin.password": nil, "server.secretkey": nil},
+	}
+	makeClusterSecret := func(secretName, server string) *corev1.Secret {
+		return &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      secretName,
+				Namespace: fakeNamespace,
+				Labels:    map[string]string{common.LabelKeySecretType: common.LabelValueSecretTypeCluster},
+				Annotations: map[string]string{
+					common.AnnotationKeyManagedBy: common.AnnotationValueManagedByArgoCD,
+				},
+			},
+			Data: map[string][]byte{
+				"name":   []byte(clusterName),
+				"server": []byte(server),
+				"config": []byte("{}"),
+			},
+		}
+	}
+
+	// Two secrets share the same cluster name
+	kubeclientset := fake.NewClientset(
+		emptyArgoCDConfigMap, argoCDSecret,
+		makeClusterSecret("prod-cluster-1", clusterServer),
+		makeClusterSecret("prod-cluster-2", "https://prod2.example.com"),
+	)
+	settingsManager := settings.NewSettingsManager(t.Context(), kubeclientset, fakeNamespace)
+	argoDB := db.NewDB(fakeNamespace, settingsManager, kubeclientset)
+
+	apps := []*v1alpha1.Application{
+		{Spec: v1alpha1.ApplicationSpec{Destination: v1alpha1.ApplicationDestination{Name: clusterName}}},
+	}
+
+	updater := &clusterInfoUpdater{db: argoDB, namespace: fakeNamespace}
+	cluster := v1alpha1.Cluster{Server: clusterServer}
+
+	info := updater.getUpdatedClusterInfo(t.Context(), apps, cluster, nil, metav1.Now())
+
+	assert.Equal(t, int64(0), info.ApplicationsCount, "ambiguous name should not count app")
+}
+
 func TestUpdateClusterLabels(t *testing.T) {
 	shouldNotBeInvoked := func(_ context.Context, _ *v1alpha1.Cluster) (*v1alpha1.Cluster, error) {
 		shouldNotHappen := errors.New("if an error happens here, something's wrong")

controller/hook.go

@@ -76,6 +76,21 @@ func isPostDeleteHook(obj *unstructured.Unstructured) bool {
 	return isHookOfType(obj, PostDeleteHookType)
 }
 
+// hasGitOpsEngineSyncPhaseHook is true when gitops-engine would run the resource during a sync
+// phase (PreSync, Sync, PostSync, SyncFail). PreDelete/PostDelete are not sync phases;
+// without this check, state reconciliation drops such resources
+// entirely because isPreDeleteHook/isPostDeleteHook match any comma-separated value.
+// HookTypeSkip is omitted as it is not a sync phase.
+func hasGitOpsEngineSyncPhaseHook(obj *unstructured.Unstructured) bool {
+	for _, t := range hook.Types(obj) {
+		switch t {
+		case common.HookTypePreSync, common.HookTypeSync, common.HookTypePostSync, common.HookTypeSyncFail:
+			return true
+		}
+	}
+	return false
+}
+
 // executeHooks is a generic function to execute hooks of a specified type
 func (ctrl *ApplicationController) executeHooks(hookType HookType, app *appv1.Application, proj *appv1.AppProject, liveObjs map[kube.ResourceKey]*unstructured.Unstructured, config *rest.Config, logCtx *log.Entry) (bool, error) {
 	appLabelKey, err := ctrl.settingsMgr.GetAppInstanceLabelKey()

controller/hook_test.go

@@ -192,6 +192,92 @@ func TestIsPostDeleteHook(t *testing.T) {
 	}
 }
 
+// TestPartitionTargetObjsForSync covers partitionTargetObjsForSync in state.go.
+func TestPartitionTargetObjsForSync(t *testing.T) {
+	newObj := func(name string, annot map[string]string) *unstructured.Unstructured {
+		u := &unstructured.Unstructured{}
+		u.SetName(name)
+		u.SetAnnotations(annot)
+		return u
+	}
+
+	tests := []struct {
+		name           string
+		in             []*unstructured.Unstructured
+		wantNames      []string
+		wantPreDelete  bool
+		wantPostDelete bool
+	}{
+		{
+			name: "PostSync with PreDelete and PostDelete in same annotation stays in sync set",
+			in: []*unstructured.Unstructured{
+				newObj("combined", map[string]string{"argocd.argoproj.io/hook": "PostSync,PreDelete,PostDelete"}),
+			},
+			wantNames:      []string{"combined"},
+			wantPreDelete:  true,
+			wantPostDelete: true,
+		},
+		{
+			name: "PreDelete-only manifest excluded from sync",
+			in: []*unstructured.Unstructured{
+				newObj("pre-del", map[string]string{"argocd.argoproj.io/hook": "PreDelete"}),
+			},
+			wantNames:      nil,
+			wantPreDelete:  true,
+			wantPostDelete: false,
+		},
+		{
+			name: "PostDelete-only manifest excluded from sync",
+			in: []*unstructured.Unstructured{
+				newObj("post-del", map[string]string{"argocd.argoproj.io/hook": "PostDelete"}),
+			},
+			wantNames:      nil,
+			wantPreDelete:  false,
+			wantPostDelete: true,
+		},
+		{
+			name: "Helm pre-delete only excluded from sync",
+			in: []*unstructured.Unstructured{
+				newObj("helm-pre-del", map[string]string{"helm.sh/hook": "pre-delete"}),
+			},
+			wantNames:      nil,
+			wantPreDelete:  true,
+			wantPostDelete: false,
+		},
+		{
+			name: "Helm pre-install with pre-delete stays in sync (sync-phase hook wins)",
+			in: []*unstructured.Unstructured{
+				newObj("helm-mixed", map[string]string{"helm.sh/hook": "pre-install,pre-delete"}),
+			},
+			wantNames:      []string{"helm-mixed"},
+			wantPreDelete:  true,
+			wantPostDelete: false,
+		},
+		{
+			name: "Non-hook resource unchanged",
+			in: []*unstructured.Unstructured{
+				newObj("pod", map[string]string{"app": "x"}),
+			},
+			wantNames:      []string{"pod"},
+			wantPreDelete:  false,
+			wantPostDelete: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, hasPre, hasPost := partitionTargetObjsForSync(tt.in)
+			var names []string
+			for _, o := range got {
+				names = append(names, o.GetName())
+			}
+			assert.Equal(t, tt.wantNames, names)
+			assert.Equal(t, tt.wantPreDelete, hasPre, "hasPreDeleteHooks")
+			assert.Equal(t, tt.wantPostDelete, hasPost, "hasPostDeleteHooks")
+		})
+	}
+}
+
 func TestMultiHookOfType(t *testing.T) {
 	tests := []struct {
 		name     string

controller/state.go

@@ -543,6 +543,28 @@ func isManagedNamespace(ns *unstructured.Unstructured, app *v1alpha1.Application
 	return ns != nil && ns.GetKind() == kubeutil.NamespaceKind && ns.GetName() == app.Spec.Destination.Namespace && app.Spec.SyncPolicy != nil && app.Spec.SyncPolicy.ManagedNamespaceMetadata != nil
 }
 
+// partitionTargetObjsForSync returns the manifest subset passed to gitops-engine sync, and whether
+// the full manifest set declared PreDelete and/or PostDelete hooks (for finalizer handling).
+// Uses isPreDeleteHook / isPostDeleteHook / hasGitOpsEngineSyncPhaseHook from hook.go.
+func partitionTargetObjsForSync(targetObjs []*unstructured.Unstructured) (syncObjs []*unstructured.Unstructured, hasPreDeleteHooks, hasPostDeleteHooks bool) {
+	for _, obj := range targetObjs {
+		if isPreDeleteHook(obj) {
+			hasPreDeleteHooks = true
+			if !hasGitOpsEngineSyncPhaseHook(obj) {
+				continue
+			}
+		}
+		if isPostDeleteHook(obj) {
+			hasPostDeleteHooks = true
+			if !hasGitOpsEngineSyncPhaseHook(obj) {
+				continue
+			}
+		}
+		syncObjs = append(syncObjs, obj)
+	}
+	return syncObjs, hasPreDeleteHooks, hasPostDeleteHooks
+}
+
 // CompareAppState compares application git state to the live app state, using the specified
 // revision and supplied source. If revision or overrides are empty, then compares against
 // revision and overrides in the app spec.
@@ -770,24 +792,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1
 			}
 		}
 	}
-	hasPreDeleteHooks := false
-	hasPostDeleteHooks := false
-	// Filter out PreDelete and PostDelete hooks from targetObjs since they should not be synced
-	// as regular resources. They are only executed during deletion.
-	var targetObjsForSync []*unstructured.Unstructured
-	for _, obj := range targetObjs {
-		if isPreDeleteHook(obj) {
-			hasPreDeleteHooks = true
-			// Skip PreDelete hooks - they are not synced, only executed during deletion
-			continue
-		}
-		if isPostDeleteHook(obj) {
-			hasPostDeleteHooks = true
-			// Skip PostDelete hooks - they are not synced, only executed after deletion
-			continue
-		}
-		targetObjsForSync = append(targetObjsForSync, obj)
-	}
+	targetObjsForSync, hasPreDeleteHooks, hasPostDeleteHooks := partitionTargetObjsForSync(targetObjs)
 
 	reconciliation := sync.Reconcile(targetObjsForSync, liveObjByKey, app.Spec.Destination.Namespace, infoProvider)
 	ts.AddCheckpoint("live_ms")
@@ -842,9 +847,10 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1
 		if err != nil {
 			log.Errorf("CompareAppState error getting server side diff dry run applier: %s", err)
 			conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionUnknownError, Message: err.Error(), LastTransitionTime: &now})
+		} else {
+			defer cleanup()
+			diffConfigBuilder.WithServerSideDryRunner(diff.NewK8sServerSideDryRunner(applier))
 		}
-		defer cleanup()
-		diffConfigBuilder.WithServerSideDryRunner(diff.NewK8sServerSideDryRunner(applier))
 	}
 
 	// enable structured merge diff if application syncs with server-side apply

controller/sync.go

@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"os"
 	"strconv"
-	"strings"
 	"time"
 
 	"k8s.io/apimachinery/pkg/util/strategicpatch"
@@ -33,20 +32,16 @@ import (
 	applog "github.com/argoproj/argo-cd/v3/util/app/log"
 	"github.com/argoproj/argo-cd/v3/util/argo"
 	"github.com/argoproj/argo-cd/v3/util/argo/diff"
-	"github.com/argoproj/argo-cd/v3/util/glob"
 	kubeutil "github.com/argoproj/argo-cd/v3/util/kube"
 	logutils "github.com/argoproj/argo-cd/v3/util/log"
 	"github.com/argoproj/argo-cd/v3/util/lua"
+	"github.com/argoproj/argo-cd/v3/util/settings"
 )
 
 const (
 	// EnvVarSyncWaveDelay is an environment variable which controls the delay in seconds between
 	// each sync-wave
 	EnvVarSyncWaveDelay = "ARGOCD_SYNC_WAVE_DELAY"
-
-	// serviceAccountDisallowedCharSet contains the characters that are not allowed to be present
-	// in a DefaultServiceAccount configured for a DestinationServiceAccount
-	serviceAccountDisallowedCharSet = "!*[]{}\\/"
 )
 
 func (m *appStateManager) getOpenAPISchema(server *v1alpha1.Cluster) (openapi.Resources, error) {
@@ -288,7 +283,7 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, project *v1alp
 		return
 	}
 	if impersonationEnabled {
-		serviceAccountToImpersonate, err := deriveServiceAccountToImpersonate(project, app, destCluster)
+		serviceAccountToImpersonate, err := settings.DeriveServiceAccountToImpersonate(project, app, destCluster)
 		if err != nil {
 			state.Phase = common.OperationError
 			state.Message = fmt.Sprintf("failed to find a matching service account to impersonate: %v", err)
@@ -558,41 +553,6 @@ func syncWindowPreventsSync(app *v1alpha1.Application, proj *v1alpha1.AppProject
 	return !canSync, nil
 }
 
-// deriveServiceAccountToImpersonate determines the service account to be used for impersonation for the sync operation.
-// The returned service account will be fully qualified including namespace and the service account name in the format system:serviceaccount:<namespace>:<service_account>
-func deriveServiceAccountToImpersonate(project *v1alpha1.AppProject, application *v1alpha1.Application, destCluster *v1alpha1.Cluster) (string, error) {
-	// spec.Destination.Namespace is optional. If not specified, use the Application's
-	// namespace
-	serviceAccountNamespace := application.Spec.Destination.Namespace
-	if serviceAccountNamespace == "" {
-		serviceAccountNamespace = application.Namespace
-	}
-	// Loop through the destinationServiceAccounts and see if there is any destination that is a candidate.
-	// if so, return the service account specified for that destination.
-	for _, item := range project.Spec.DestinationServiceAccounts {
-		dstServerMatched, err := glob.MatchWithError(item.Server, destCluster.Server)
-		if err != nil {
-			return "", fmt.Errorf("invalid glob pattern for destination server: %w", err)
-		}
-		dstNamespaceMatched, err := glob.MatchWithError(item.Namespace, application.Spec.Destination.Namespace)
-		if err != nil {
-			return "", fmt.Errorf("invalid glob pattern for destination namespace: %w", err)
-		}
-		if dstServerMatched && dstNamespaceMatched {
-			if strings.Trim(item.DefaultServiceAccount, " ") == "" || strings.ContainsAny(item.DefaultServiceAccount, serviceAccountDisallowedCharSet) {
-				return "", fmt.Errorf("default service account contains invalid chars '%s'", item.DefaultServiceAccount)
-			} else if strings.Contains(item.DefaultServiceAccount, ":") {
-				// service account is specified along with its namespace.
-				return "system:serviceaccount:" + item.DefaultServiceAccount, nil
-			}
-			// service account needs to be prefixed with a namespace
-			return fmt.Sprintf("system:serviceaccount:%s:%s", serviceAccountNamespace, item.DefaultServiceAccount), nil
-		}
-	}
-	// if there is no match found in the AppProject.Spec.DestinationServiceAccounts, use the default service account of the destination namespace.
-	return "", fmt.Errorf("no matching service account found for destination server %s and namespace %s", application.Spec.Destination.Server, serviceAccountNamespace)
-}
-
 // validateSyncPermissions checks whether the given resource is permitted by the project's
 // allow/deny lists and destination rules. It returns an error if the API resource info is nil
 // (preventing a nil-pointer panic), if the resource's group/kind is not permitted, or if

controller/sync_test.go

@@ -22,6 +22,7 @@ import (
 	"github.com/argoproj/argo-cd/v3/test"
 	"github.com/argoproj/argo-cd/v3/util/argo/diff"
 	"github.com/argoproj/argo-cd/v3/util/argo/normalizers"
+	"github.com/argoproj/argo-cd/v3/util/settings"
 )
 
 func TestPersistRevisionHistory(t *testing.T) {
@@ -726,7 +727,7 @@ func TestDeriveServiceAccountMatchingNamespaces(t *testing.T) {
 
 		f := setup(destinationServiceAccounts, destinationNamespace, destinationServerURL, applicationNamespace)
 		// when
-		sa, err := deriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
+		sa, err := settings.DeriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
 		assert.Equal(t, expectedSA, sa)
 
 		// then, there should be an error saying no valid match was found
@@ -750,7 +751,7 @@ func TestDeriveServiceAccountMatchingNamespaces(t *testing.T) {
 
 		f := setup(destinationServiceAccounts, destinationNamespace, destinationServerURL, applicationNamespace)
 		// when
-		sa, err := deriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
+		sa, err := settings.DeriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
 
 		// then, there should be no error and should use the right service account for impersonation
 		require.NoError(t, err)
@@ -789,7 +790,7 @@ func TestDeriveServiceAccountMatchingNamespaces(t *testing.T) {
 
 		f := setup(destinationServiceAccounts, destinationNamespace, destinationServerURL, applicationNamespace)
 		// when
-		sa, err := deriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
+		sa, err := settings.DeriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
 
 		// then, there should be no error and should use the right service account for impersonation
 		require.NoError(t, err)
@@ -828,7 +829,7 @@ func TestDeriveServiceAccountMatchingNamespaces(t *testing.T) {
 
 		f := setup(destinationServiceAccounts, destinationNamespace, destinationServerURL, applicationNamespace)
 		// when
-		sa, err := deriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
+		sa, err := settings.DeriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
 
 		// then, there should be no error and it should use the first matching service account for impersonation
 		require.NoError(t, err)
@@ -862,7 +863,7 @@ func TestDeriveServiceAccountMatchingNamespaces(t *testing.T) {
 
 		f := setup(destinationServiceAccounts, destinationNamespace, destinationServerURL, applicationNamespace)
 		// when
-		sa, err := deriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
+		sa, err := settings.DeriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
 
 		// then, there should not be any error and should use the first matching glob pattern service account for impersonation
 		require.NoError(t, err)
@@ -897,7 +898,7 @@ func TestDeriveServiceAccountMatchingNamespaces(t *testing.T) {
 
 		f := setup(destinationServiceAccounts, destinationNamespace, destinationServerURL, applicationNamespace)
 		// when
-		sa, err := deriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
+		sa, err := settings.DeriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
 
 		// then, there should be an error saying no match was found
 		require.EqualError(t, err, expectedErrMsg)
@@ -925,7 +926,7 @@ func TestDeriveServiceAccountMatchingNamespaces(t *testing.T) {
 
 		f := setup(destinationServiceAccounts, destinationNamespace, destinationServerURL, applicationNamespace)
 		// when
-		sa, err := deriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
+		sa, err := settings.DeriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
 
 		// then, there should not be any error and the service account configured for with empty namespace should be used.
 		require.NoError(t, err)
@@ -959,7 +960,7 @@ func TestDeriveServiceAccountMatchingNamespaces(t *testing.T) {
 
 		f := setup(destinationServiceAccounts, destinationNamespace, destinationServerURL, applicationNamespace)
 		// when
-		sa, err := deriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
+		sa, err := settings.DeriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
 
 		// then, there should not be any error and the catch all service account should be returned
 		require.NoError(t, err)
@@ -983,7 +984,7 @@ func TestDeriveServiceAccountMatchingNamespaces(t *testing.T) {
 
 		f := setup(destinationServiceAccounts, destinationNamespace, destinationServerURL, applicationNamespace)
 		// when
-		sa, err := deriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
+		sa, err := settings.DeriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
 
 		// then, there must be an error as the glob pattern is invalid.
 		require.ErrorContains(t, err, "invalid glob pattern for destination namespace")
@@ -1017,7 +1018,7 @@ func TestDeriveServiceAccountMatchingNamespaces(t *testing.T) {
 
 		f := setup(destinationServiceAccounts, destinationNamespace, destinationServerURL, applicationNamespace)
 		// when
-		sa, err := deriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
+		sa, err := settings.DeriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
 		assert.Equal(t, expectedSA, sa)
 
 		// then, there should not be any error and the service account with its namespace should be returned.
@@ -1045,7 +1046,7 @@ func TestDeriveServiceAccountMatchingNamespaces(t *testing.T) {
 		f.application.Spec.Destination.Name = f.cluster.Name
 
 		// when
-		sa, err := deriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
+		sa, err := settings.DeriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
 		assert.Equal(t, expectedSA, sa)
 
 		// then, there should not be any error and the service account with its namespace should be returned.
@@ -1128,7 +1129,7 @@ func TestDeriveServiceAccountMatchingServers(t *testing.T) {
 
 		f := setup(destinationServiceAccounts, destinationNamespace, destinationServerURL, applicationNamespace)
 		// when
-		sa, err := deriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
+		sa, err := settings.DeriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
 
 		// then, there should not be any error and the right service account must be returned.
 		require.NoError(t, err)
@@ -1167,7 +1168,7 @@ func TestDeriveServiceAccountMatchingServers(t *testing.T) {
 
 		f := setup(destinationServiceAccounts, destinationNamespace, destinationServerURL, applicationNamespace)
 		// when
-		sa, err := deriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
+		sa, err := settings.DeriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
 
 		// then, there should not be any error and first matching service account should be used
 		require.NoError(t, err)
@@ -1201,7 +1202,7 @@ func TestDeriveServiceAccountMatchingServers(t *testing.T) {
 
 		f := setup(destinationServiceAccounts, destinationNamespace, destinationServerURL, applicationNamespace)
 		// when
-		sa, err := deriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
+		sa, err := settings.DeriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
 		assert.Equal(t, expectedSA, sa)
 
 		// then, there should not be any error and the service account of the glob pattern, being the first match should be returned.
@@ -1236,7 +1237,7 @@ func TestDeriveServiceAccountMatchingServers(t *testing.T) {
 
 		f := setup(destinationServiceAccounts, destinationNamespace, destinationServerURL, applicationNamespace)
 		// when
-		sa, err := deriveServiceAccountToImpersonate(f.project, f.application, &v1alpha1.Cluster{Server: destinationServerURL})
+		sa, err := settings.DeriveServiceAccountToImpersonate(f.project, f.application, &v1alpha1.Cluster{Server: destinationServerURL})
 
 		// then, there an error with appropriate message must be returned
 		require.EqualError(t, err, expectedErr)
@@ -1270,7 +1271,7 @@ func TestDeriveServiceAccountMatchingServers(t *testing.T) {
 
 		f := setup(destinationServiceAccounts, destinationNamespace, destinationServerURL, applicationNamespace)
 		// when
-		sa, err := deriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
+		sa, err := settings.DeriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
 
 		// then, there should not be any error and the service account of the glob pattern match must be returned.
 		require.NoError(t, err)
@@ -1294,7 +1295,7 @@ func TestDeriveServiceAccountMatchingServers(t *testing.T) {
 
 		f := setup(destinationServiceAccounts, destinationNamespace, destinationServerURL, applicationNamespace)
 		// when
-		sa, err := deriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
+		sa, err := settings.DeriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
 
 		// then, there must be an error as the glob pattern is invalid.
 		require.ErrorContains(t, err, "invalid glob pattern for destination server")
@@ -1328,7 +1329,7 @@ func TestDeriveServiceAccountMatchingServers(t *testing.T) {
 
 		f := setup(destinationServiceAccounts, destinationNamespace, destinationServerURL, applicationNamespace)
 		// when
-		sa, err := deriveServiceAccountToImpersonate(f.project, f.application, &v1alpha1.Cluster{Server: destinationServerURL})
+		sa, err := settings.DeriveServiceAccountToImpersonate(f.project, f.application, &v1alpha1.Cluster{Server: destinationServerURL})
 
 		// then, there should not be any error and the service account with the given namespace prefix must be returned.
 		require.NoError(t, err)
@@ -1356,7 +1357,7 @@ func TestDeriveServiceAccountMatchingServers(t *testing.T) {
 		f.application.Spec.Destination.Name = f.cluster.Name
 
 		// when
-		sa, err := deriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
+		sa, err := settings.DeriveServiceAccountToImpersonate(f.project, f.application, f.cluster)
 		assert.Equal(t, expectedSA, sa)
 
 		// then, there should not be any error and the service account with its namespace should be returned.

docs/operator-manual/app-sync-using-impersonation.md

@@ -30,7 +30,7 @@ Impersonation requests first authenticate as the requesting user, then switch to
 
 ### Feature scope 
 
-Impersonation is currently only supported for the lifecycle of objects managed by an Application directly, which includes sync operations (creation, update and pruning of resources) and deletion as part of Application finalizer logic. This *does not* includes operations triggered via ArgoCD's UI, which will still be executed with Argo CD's control-plane service account.
+Impersonation is supported for the lifecycle of objects managed by an Application directly, which includes sync operations (creation, update and pruning of resources) and deletion as part of Application finalizer logic. It is also supported for UI operations triggered by the user.
 
 ## Prerequisites
 

docs/operator-manual/applicationset/Progressive-Syncs.md

@@ -14,7 +14,7 @@ The Progressive Syncs feature set is intended to be light and flexible. The feat
 
 - Progressive Syncs watch for the managed Application resources to become "Healthy" before proceeding to the next stage.
 - Deployments, DaemonSets, StatefulSets, and [Argo Rollouts](https://argoproj.github.io/argo-rollouts/) are all supported, because the Application enters a "Progressing" state while pods are being rolled out. In fact, any resource with a health check that can report a "Progressing" status is supported.
-- [Argo CD Resource Hooks](../../user-guide/resource_hooks.md) are supported. We recommend this approach for users that need advanced functionality when an Argo Rollout cannot be used, such as smoke testing after a DaemonSet change.
+- [Argo CD Resource Hooks](../../user-guide/sync-waves.md) are supported. We recommend this approach for users that need advanced functionality when an Argo Rollout cannot be used, such as smoke testing after a DaemonSet change.
 
 ## Enabling Progressive Syncs
 

docs/operator-manual/signed-release-assets.md

@@ -1,7 +1,7 @@
 # Verification of Argo CD Artifacts
 
 ## Prerequisites
-- cosign `v2.0.0` or higher [installation instructions](https://docs.sigstore.dev/cosign/installation)
+- cosign `v2.0.0` or higher [installation instructions](https://docs.sigstore.dev/cosign/system_config/installation/)
 - slsa-verifier [installation instructions](https://github.com/slsa-framework/slsa-verifier#installation)
 - crane [installation instructions](https://github.com/google/go-containerregistry/blob/main/cmd/crane/README.md) (for container verification only)
 
@@ -154,4 +154,4 @@ slsa-verifier verify-artifact sbom.tar.gz \
 > [!NOTE]
 > We encourage all users to verify signatures and provenances with your admission/policy controller of choice. Doing so will verify that an image was built by us before it's deployed on your Kubernetes cluster.
 
-Cosign signatures and SLSA provenances are compatible with several types of admission controllers. Please see the [cosign documentation](https://docs.sigstore.dev/cosign/overview/#kubernetes-integrations) and [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#verification) for supported controllers.
+Cosign signatures and SLSA provenances are compatible with several types of admission controllers. Please see the [cosign documentation](https://docs.sigstore.dev/policy-controller/overview/) and [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#verification) for supported controllers.

docs/operator-manual/upgrading/3.4-3.5.md

@@ -0,0 +1,40 @@
+# v3.4 to 3.5
+
+## Breaking Changes
+
+## Behavioral Improvements / Fixes
+
+### Impersonation extended to server operations
+
+When [impersonation](../app-sync-using-impersonation.md) is enabled, it now applies to all API server operations, not just sync operations. This means that actions triggered through the UI or API (viewing logs, listing events, deleting resources, running resource actions, etc.) will use the impersonated service account derived from the AppProject's `destinationServiceAccounts` configuration.
+
+Previously, impersonation only applied to sync operations.
+
+**Affected operations and required permissions:**
+
+| Operation | Kubernetes API call | Required RBAC verbs |
+|---|---|---|
+| Get resource | `GET` on the target resource | `get` |
+| Patch resource | `PATCH` on the target resource | `get`, `patch` |
+| Delete resource | `DELETE` on the target resource | `delete` |
+| List resource events | `LIST` on `events` (core/v1) | `list` |
+| View pod logs | `GET` on `pods` and `pods/log` | `get` |
+| Run resource action | `GET`, `CREATE`, `PATCH` on the target resource | `get`, `create`, `patch` |
+
+This list covers built-in operations. Custom resource actions may require additional permissions depending on what Kubernetes API calls they make.
+
+Users with impersonation enabled must ensure the service accounts configured in `destinationServiceAccounts` have permissions for these operations.
+
+No action is required for users who do not have impersonation enabled.
+
+## API Changes
+
+## Security Changes
+
+## Deprecated Items
+
+## Kustomize Upgraded
+
+## Helm Upgraded
+
+## Custom Healthchecks Added

docs/operator-manual/upgrading/overview.md

@@ -39,6 +39,7 @@ kubectl apply -n argocd --server-side --force-conflicts -f https://raw.githubuse
 
 <hr/>
 
+- [v3.4 to v3.5](./3.4-3.5.md)
 - [v3.3 to v3.4](./3.3-3.4.md)
 - [v3.2 to v3.3](./3.2-3.3.md)
 - [v3.1 to v3.2](./3.1-3.2.md)

docs/operator-manual/user-management/keycloak.md

@@ -1,21 +1,21 @@
 # Keycloak
-Keycloak and ArgoCD integration can be configured in two ways with Client authentication and with PKCE.
+Keycloak and Argo CD integration can be configured in two ways with Client authentication and with PKCE.
 
 If you need to authenticate with __argo-cd command line__, you must choose PKCE way.
 
-* [Keycloak and ArgoCD with Client authentication](#keycloak-and-argocd-with-client-authentication)
-* [Keycloak and ArgoCD with PKCE](#keycloak-and-argocd-with-pkce)
+* [Keycloak and Argo CD with Client authentication](#keycloak-and-argocd-with-client-authentication)
+* [Keycloak and Argo CD with PKCE](#keycloak-and-argocd-with-pkce)
 
-## Keycloak and ArgoCD with Client authentication
+## Keycloak and Argo CD with Client authentication
 
-These instructions will take you through the entire process of getting your ArgoCD application authenticating with Keycloak.
+These instructions will take you through the entire process of getting your Argo CD application to authenticate with Keycloak.
 
-You will create a client within Keycloak and configure ArgoCD to use Keycloak for authentication, using groups set in Keycloak
+Start by creating a client within Keycloak and configure Argo CD to use Keycloak for authentication, using groups set in Keycloak
 to determine privileges in Argo.
 
 ### Creating a new client in Keycloak
 
-First we need to setup a new client.
+First, setup a new client.
 
 Start by logging into your keycloak server, select the realm you want to use (`master` by default)
 and then go to __Clients__ and click the __Create client__ button at the top.
@@ -37,11 +37,11 @@ but it's not recommended in production).
 
 Make sure to click __Save__.
 
-There should be a tab called __Credentials__. You can copy the Client Secret that we'll use in our ArgoCD configuration.
+There should be a tab called __Credentials__. You can copy the Client Secret that we'll use in our Argo CD configuration.
 
 ![Keycloak client secret](../../assets/keycloak-client-secret.png "Keycloak client secret")
 
-### Configuring ArgoCD OIDC
+### Configuring Argo CD OIDC
 
 Let's start by storing the client secret you generated earlier in the argocd secret _argocd-secret_.
 
@@ -68,7 +68,7 @@ data:
     clientID: argocd
     clientSecret: $oidc.keycloak.clientSecret
     refreshTokenThreshold: 2m
-    requestedScopes: ["openid", "profile", "email", "groups"]
+    requestedScopes: ["openid", "profile", "email", "groups", "offline_access"]
 ```
 
 Make sure that:
@@ -80,18 +80,18 @@ Make sure that:
 - __requestedScopes__ contains the _groups_ claim if you didn't add it to the Default scopes
 - __refreshTokenThreshold__ is less than the client token lifetime.  If this setting is not less than the token lifetime, a new token will be obtained for every request.  Keycloak sets the client token lifetime to 5 minutes by default.
 
-## Keycloak and ArgoCD with PKCE
+## Keycloak and Argo CD with PKCE
 
-These instructions will take you through the entire process of getting your ArgoCD application authenticating with Keycloak.
+These instructions will take you through the entire process of getting your Argo CD application authenticating with Keycloak.
 
-You will create a client within Keycloak and configure ArgoCD to use Keycloak for authentication, using groups set in Keycloak
+You will create a client within Keycloak and configure Argo CD to use Keycloak for authentication, using groups set in Keycloak
 to determine privileges in Argo.
 
 You will also be able to authenticate using argo-cd command line.
 
 ### Creating a new client in Keycloak
 
-First we need to setup a new client.
+First, setup a new client.
 
 Start by logging into your keycloak server, select the realm you want to use (`master` by default)
 and then go to __Clients__ and click the __Create client__ button at the top.
@@ -119,7 +119,7 @@ Now go to a tab called __Advanced__, look for parameter named __Proof Key for Co
 ![Keycloak configure client Step 2](../../assets/keycloak-configure-client-pkce_2.png "Keycloak configure client Step 2")
 Make sure to click __Save__.
 
-### Configuring ArgoCD OIDC
+### Configuring Argo CD OIDC
 Now we can configure the config map and add the oidc configuration to enable our keycloak authentication.
 You can use `$ kubectl edit configmap argocd-cm`.
 
@@ -138,7 +138,7 @@ data:
     clientID: argocd
     enablePKCEAuthentication: true
     refreshTokenThreshold: 2m
-    requestedScopes: ["openid", "profile", "email", "groups"]
+    requestedScopes: ["openid", "profile", "email", "groups", "offline_access"]
 ```
 
 Make sure that:
@@ -146,13 +146,13 @@ Make sure that:
 - __issuer__ ends with the correct realm (in this example _master_)
 - __issuer__ on Keycloak releases older than version 17 the URL must include /auth (in this example /auth/realms/master)
 - __clientID__ is set to the Client ID you configured in Keycloak
-- __enablePKCEAuthentication__ must be set to true to enable correct ArgoCD behaviour with PKCE
+- __enablePKCEAuthentication__ must be set to true to enable correct Argo CD behaviour with PKCE
 - __requestedScopes__ contains the _groups_ claim if you didn't add it to the Default scopes
 - __refreshTokenThreshold__ is less than the client token lifetime.  If this setting is not less than the token lifetime, a new token will be obtained for every request.  Keycloak sets the client token lifetime to 5 minutes by default.
 
 ## Configuring the groups claim
 
-In order for ArgoCD to provide the groups the user is in we need to configure a groups claim that can be included in the authentication token.
+In order for Argo CD to provide the groups the user is in we need to configure a groups claim that can be included in the authentication token.
 
 To do this we'll start by creating a new __Client Scope__ called _groups_.
 
@@ -174,7 +174,7 @@ Go back to the client we've created earlier and go to the Tab "Client Scopes".
 Click on "Add client scope", choose the _groups_ scope and add it either to the __Default__ or to the __Optional__ Client Scope.
 
 If you put it in the Optional
-category you will need to make sure that ArgoCD requests the scope in its OIDC configuration.
+category you will need to make sure that Argo CD requests the scope in its OIDC configuration.
 Since we will always want group information, I recommend
 using the Default category.
 
@@ -184,7 +184,7 @@ Create a group called _ArgoCDAdmins_ and have your current user join the group.
 
 ![Keycloak user group](../../assets/keycloak-user-group.png "Keycloak user group")
 
-## Configuring ArgoCD Policy
+## Configuring Argo CD Policy
 
 Now that we have an authentication that provides groups we want to apply a policy to these groups.
 We can modify the _argocd-rbac-cm_ ConfigMap using `$ kubectl edit configmap argocd-rbac-cm`.
@@ -205,7 +205,7 @@ In this example we give the role _role:admin_ to all users in the group _ArgoCDA
 
 You can now login using our new Keycloak OIDC authentication:
 
-![Keycloak ArgoCD login](../../assets/keycloak-login.png "Keycloak ArgoCD login")
+![Keycloak Argo CD login](../../assets/keycloak-login.png "Keycloak Argo CD login")
 
 If you have used PKCE method, you can also authenticate using command line:
 ```bash
@@ -219,7 +219,7 @@ Once done, you should see
 ![Authentication successful!](../../assets/keycloak-authentication-successful.png "Authentication successful!")
 
 ## Troubleshoot
-If ArgoCD auth returns 401 or when the login attempt leads to the loop, then restart the argocd-server pod.
+If Argo CD auth returns 401 or when the login attempt leads to the loop, then restart the argocd-server pod.
 ```
 kubectl rollout restart deployment argocd-server -n argocd
 ```

docs/snyk/index.md

@@ -15,64 +15,64 @@ recent minor releases.
 |---:|:--------:|:----:|:------:|:---:|
 | [gitops-engine/go.mod](master/argocd-test.html) | 0 | 0 | 2 | 0 |
 | [go.mod](master/argocd-test.html) | 0 | 0 | 9 | 0 |
-| [ui/yarn.lock](master/argocd-test.html) | 0 | 6 | 5 | 2 |
-| [dex:v2.45.0](master/ghcr.io_dexidp_dex_v2.45.0.html) | 0 | 1 | 1 | 0 |
+| [ui/yarn.lock](master/argocd-test.html) | 0 | 7 | 5 | 2 |
+| [dex:v2.45.0](master/ghcr.io_dexidp_dex_v2.45.0.html) | 0 | 0 | 1 | 0 |
 | [haproxy:3.0.8-alpine](master/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 1 | 0 | 14 |
 | [redis:8.2.3-alpine](master/public.ecr.aws_docker_library_redis_8.2.3-alpine.html) | 0 | 0 | 0 | 0 |
 | [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 6 | 4 |
 | [install.yaml](master/argocd-iac-install.html) | - | - | - | - |
 | [namespace-install.yaml](master/argocd-iac-namespace-install.html) | - | - | - | - |
 
-### v3.4.0-rc2
+### v3.4.0-rc4
 
 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [gitops-engine/go.mod](v3.4.0-rc2/argocd-test.html) | 0 | 0 | 2 | 0 |
-| [go.mod](v3.4.0-rc2/argocd-test.html) | 1 | 0 | 9 | 0 |
-| [ui/yarn.lock](v3.4.0-rc2/argocd-test.html) | 0 | 6 | 5 | 2 |
-| [dex:v2.45.0](v3.4.0-rc2/ghcr.io_dexidp_dex_v2.45.0.html) | 0 | 1 | 1 | 0 |
-| [haproxy:3.0.8-alpine](v3.4.0-rc2/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 1 | 0 | 14 |
-| [redis:8.2.3-alpine](v3.4.0-rc2/public.ecr.aws_docker_library_redis_8.2.3-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd:v3.4.0-rc2](v3.4.0-rc2/quay.io_argoproj_argocd_v3.4.0-rc2.html) | 0 | 0 | 6 | 4 |
-| [install.yaml](v3.4.0-rc2/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v3.4.0-rc2/argocd-iac-namespace-install.html) | - | - | - | - |
+| [gitops-engine/go.mod](v3.4.0-rc4/argocd-test.html) | 0 | 0 | 2 | 0 |
+| [go.mod](v3.4.0-rc4/argocd-test.html) | 0 | 0 | 9 | 0 |
+| [ui/yarn.lock](v3.4.0-rc4/argocd-test.html) | 0 | 7 | 6 | 2 |
+| [dex:v2.45.0](v3.4.0-rc4/ghcr.io_dexidp_dex_v2.45.0.html) | 0 | 0 | 1 | 0 |
+| [haproxy:3.0.8-alpine](v3.4.0-rc4/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 1 | 0 | 14 |
+| [redis:8.2.3-alpine](v3.4.0-rc4/public.ecr.aws_docker_library_redis_8.2.3-alpine.html) | 0 | 0 | 0 | 0 |
+| [argocd:v3.4.0-rc3](v3.4.0-rc4/quay.io_argoproj_argocd_v3.4.0-rc3.html) | 0 | 0 | 6 | 4 |
+| [install.yaml](v3.4.0-rc4/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v3.4.0-rc4/argocd-iac-namespace-install.html) | - | - | - | - |
 
-### v3.3.4
+### v3.3.6
 
 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [gitops-engine/go.mod](v3.3.4/argocd-test.html) | 0 | 0 | 2 | 0 |
-| [go.mod](v3.3.4/argocd-test.html) | 1 | 0 | 7 | 0 |
-| [ui/yarn.lock](v3.3.4/argocd-test.html) | 0 | 8 | 7 | 2 |
-| [dex:v2.43.0](v3.3.4/ghcr.io_dexidp_dex_v2.43.0.html) | 0 | 1 | 0 | 14 |
-| [haproxy:3.0.8-alpine](v3.3.4/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 1 | 0 | 14 |
-| [redis:8.2.3-alpine](v3.3.4/public.ecr.aws_docker_library_redis_8.2.3-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd:v3.3.4](v3.3.4/quay.io_argoproj_argocd_v3.3.4.html) | 0 | 0 | 6 | 6 |
-| [install.yaml](v3.3.4/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v3.3.4/argocd-iac-namespace-install.html) | - | - | - | - |
+| [gitops-engine/go.mod](v3.3.6/argocd-test.html) | 0 | 0 | 2 | 0 |
+| [go.mod](v3.3.6/argocd-test.html) | 0 | 0 | 7 | 0 |
+| [ui/yarn.lock](v3.3.6/argocd-test.html) | 0 | 9 | 8 | 2 |
+| [dex:v2.43.0](v3.3.6/ghcr.io_dexidp_dex_v2.43.0.html) | 0 | 1 | 0 | 14 |
+| [haproxy:3.0.8-alpine](v3.3.6/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 1 | 0 | 14 |
+| [redis:8.2.3-alpine](v3.3.6/public.ecr.aws_docker_library_redis_8.2.3-alpine.html) | 0 | 0 | 0 | 0 |
+| [argocd:v3.3.6](v3.3.6/quay.io_argoproj_argocd_v3.3.6.html) | 0 | 0 | 6 | 6 |
+| [install.yaml](v3.3.6/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v3.3.6/argocd-iac-namespace-install.html) | - | - | - | - |
 
-### v3.2.7
+### v3.2.8
 
 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v3.2.7/argocd-test.html) | 1 | 1 | 7 | 0 |
-| [ui/yarn.lock](v3.2.7/argocd-test.html) | 0 | 8 | 9 | 2 |
-| [dex:v2.43.0](v3.2.7/ghcr.io_dexidp_dex_v2.43.0.html) | 0 | 1 | 0 | 14 |
-| [haproxy:3.0.8-alpine](v3.2.7/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 1 | 0 | 14 |
-| [redis:8.2.2-alpine](v3.2.7/public.ecr.aws_docker_library_redis_8.2.2-alpine.html) | 0 | 1 | 0 | 13 |
-| [argocd:v3.2.7](v3.2.7/quay.io_argoproj_argocd_v3.2.7.html) | 0 | 0 | 0 | 1 |
-| [install.yaml](v3.2.7/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v3.2.7/argocd-iac-namespace-install.html) | - | - | - | - |
+| [go.mod](v3.2.8/argocd-test.html) | 1 | 1 | 7 | 0 |
+| [ui/yarn.lock](v3.2.8/argocd-test.html) | 0 | 9 | 10 | 2 |
+| [dex:v2.43.0](v3.2.8/ghcr.io_dexidp_dex_v2.43.0.html) | 0 | 1 | 0 | 14 |
+| [haproxy:3.0.8-alpine](v3.2.8/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 1 | 0 | 14 |
+| [redis:8.2.2-alpine](v3.2.8/public.ecr.aws_docker_library_redis_8.2.2-alpine.html) | 0 | 1 | 0 | 13 |
+| [argocd:v3.2.8](v3.2.8/quay.io_argoproj_argocd_v3.2.8.html) | 0 | 0 | 0 | 1 |
+| [install.yaml](v3.2.8/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v3.2.8/argocd-iac-namespace-install.html) | - | - | - | - |
 
-### v3.1.12
+### v3.1.13
 
 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v3.1.12/argocd-test.html) | 1 | 1 | 7 | 0 |
-| [ui/yarn.lock](v3.1.12/argocd-test.html) | 1 | 8 | 9 | 2 |
-| [dex:v2.43.0](v3.1.12/ghcr.io_dexidp_dex_v2.43.0.html) | 0 | 1 | 0 | 14 |
-| [haproxy:3.0.8-alpine](v3.1.12/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 1 | 0 | 14 |
-| [redis:7.2.11-alpine](v3.1.12/public.ecr.aws_docker_library_redis_7.2.11-alpine.html) | 0 | 1 | 0 | 11 |
-| [argocd:v3.1.12](v3.1.12/quay.io_argoproj_argocd_v3.1.12.html) | 0 | 0 | 22 | 28 |
-| [install.yaml](v3.1.12/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v3.1.12/argocd-iac-namespace-install.html) | - | - | - | - |
+| [go.mod](v3.1.13/argocd-test.html) | 1 | 1 | 7 | 0 |
+| [ui/yarn.lock](v3.1.13/argocd-test.html) | 1 | 9 | 8 | 2 |
+| [dex:v2.43.0](v3.1.13/ghcr.io_dexidp_dex_v2.43.0.html) | 0 | 1 | 0 | 14 |
+| [haproxy:3.0.8-alpine](v3.1.13/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 1 | 0 | 14 |
+| [redis:7.2.11-alpine](v3.1.13/public.ecr.aws_docker_library_redis_7.2.11-alpine.html) | 0 | 1 | 0 | 11 |
+| [argocd:v3.1.13](v3.1.13/quay.io_argoproj_argocd_v3.1.13.html) | 0 | 0 | 7 | 7 |
+| [install.yaml](v3.1.13/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v3.1.13/argocd-iac-namespace-install.html) | - | - | - | - |

docs/snyk/master/argocd-iac-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:32:24 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:35:51 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/master/argocd-iac-namespace-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:32:34 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:36:00 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/master/argocd-test.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="24 known vulnerabilities found in 60 vulnerable dependency paths.">
+  <meta name="description" content="25 known vulnerabilities found in 63 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -492,7 +492,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:30:06 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:33:19 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -505,8 +505,8 @@
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>24</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>60 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>25</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>63 vulnerable dependency paths</span></div>
                 <div class="meta-count"><span>2860</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
@@ -1154,6 +1154,114 @@
                 <p><a href="https://snyk.io/vuln/SNYK-JS-FASTXMLPARSER-15699647">More about this vulnerability</a></p>
             </div>
         
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
+            <h2 class="card__title">Infinite loop</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--high">
+                        <span class="label__text">high severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Not Defined</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: npm
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            brace-expansion
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+        
+                                    argo-cd-ui@1.0.0, argo-ui@1.0.0 and others
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        argo-cd-ui@1.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        argo-ui@1.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        minimatch@5.1.6
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        brace-expansion@2.0.1
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        argo-cd-ui@1.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        redoc@2.4.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        @redocly/openapi-core@1.30.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        minimatch@5.1.6
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        brace-expansion@2.0.1
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        argo-cd-ui@1.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        minimatch@3.1.3
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        brace-expansion@1.1.11
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://github.com/juliangruber/brace-expansion">brace-expansion</a> is a Brace expansion as known from sh/bash</p>
+        <p>Affected versions of this package are vulnerable to Infinite loop through the <code>expand</code> function when processing a brace pattern with a zero step value. An attacker can cause the process to hang and exhaust system memory by supplying specially crafted input, such as <code>{1..2..0}</code>. This can lead to significant resource consumption and denial of service. </p>
+        <h2 id="workaround">Workaround</h2>
+        <p>This vulnerability can be mitigated by sanitizing strings passed to <code>expand</code> to ensure a step value of <code>0</code> is not used.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>brace-expansion</code> to version 5.0.5 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v">GitHub Advisory</a></li>
+        <li><a href="https://github.com/juliangruber/brace-expansion/commit/9a02af5c5c80731fae470cc3218c16876bb25051">GitHub Commit</a></li>
+        <li><a href="https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113">Vulnerable Code</a></li>
+        <li><a href="https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184">Vulnerable Code</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-15789759">More about this vulnerability</a></p>
+            </div>
+        
         </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
             <h2 class="card__title">Inefficient Algorithmic Complexity</h2>

docs/snyk/master/ghcr.io_dexidp_dex_v2.45.0.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="29 known vulnerabilities found in 49 vulnerable dependency paths.">
+  <meta name="description" content="28 known vulnerabilities found in 46 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -492,7 +492,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:30:17 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:33:29 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -505,9 +505,9 @@
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>29</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>49 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>1189</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>28</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>46 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>1192</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->
@@ -597,105 +597,6 @@
                 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-15691172">More about this vulnerability</a></p>
             </div>
         
-        </div><!-- .card -->
-        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
-            <h2 class="card__title">Out-of-bounds Write</h2>
-            <div class="card__section">
-        
-                <div class="card__labels">
-                    <div class="label label--high">
-                        <span class="label__text">high severity</span>
-                    </div>
-                    <div class="label label--exploit">
-                        <span class="label__text">Exploit: Not Defined</span>
-                    </div>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Package Manager: alpine:3.23
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            zlib/zlib
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-                                docker-image|ghcr.io/dexidp/dex@v2.45.0 and zlib/zlib@1.3.1-r2
-        
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|ghcr.io/dexidp/dex@v2.45.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        zlib/zlib@1.3.1-r2
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|ghcr.io/dexidp/dex@v2.45.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        apk-tools/apk-tools@3.0.3-r1
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        zlib/zlib@1.3.1-r2
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|ghcr.io/dexidp/dex@v2.45.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        apk-tools/apk-tools@3.0.3-r1
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        apk-tools/libapk@3.0.3-r1
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        zlib/zlib@1.3.1-r2
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>zlib</code> package and not the <code>zlib</code> package as distributed by <code>Alpine</code>.</em>
-        <em>See <code>How to fix?</code> for <code>Alpine:3.23</code> relevant fixed versions and status.</em></p>
-        <p>zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under contrib/untgz. The vulnerability is limited to the standalone demonstration utility and does not affect the core zlib compression library. The flaw occurs when a user executes the untgz command with an excessively long archive name supplied via the command line, leading to an out-of-bounds write in a fixed-size global buffer.</p>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>Alpine:3.23</code> <code>zlib</code> to version 1.3.2-r0 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/madler/zlib">https://github.com/madler/zlib</a></li>
-        <li><a href="https://seclists.org/fulldisclosure/2026/Jan/3">https://seclists.org/fulldisclosure/2026/Jan/3</a></li>
-        <li><a href="https://www.vulncheck.com/advisories/zlib-untgz-global-buffer-overflow-in-tgzfname">https://www.vulncheck.com/advisories/zlib-untgz-global-buffer-overflow-in-tgzfname</a></li>
-        <li><a href="https://zlib.net/">https://zlib.net/</a></li>
-        <li><a href="https://github.com/madler/zlib/issues/1142">https://github.com/madler/zlib/issues/1142</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-ALPINE323-ZLIB-15435528">More about this vulnerability</a></p>
-            </div>
-        
         </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
             <h2 class="card__title">Untrusted Search Path</h2>
@@ -1043,9 +944,9 @@
         <h2 id="references">References</h2>
         <ul>
         <li><a href="https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit/">https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit/</a></li>
-        <li><a href="https://github.com/madler/zlib/issues/904">https://github.com/madler/zlib/issues/904</a></li>
         <li><a href="https://github.com/madler/zlib/releases/tag/v1.3.2">https://github.com/madler/zlib/releases/tag/v1.3.2</a></li>
         <li><a href="https://ostif.org/zlib-audit-complete/">https://ostif.org/zlib-audit-complete/</a></li>
+        <li><a href="https://github.com/madler/zlib/issues/904">https://github.com/madler/zlib/issues/904</a></li>
         <li><a href="https://7asecurity.com/reports/pentest-report-zlib-RC1.1.pdf">https://7asecurity.com/reports/pentest-report-zlib-RC1.1.pdf</a></li>
         </ul>
         

docs/snyk/master/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html

@@ -492,7 +492,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:30:24 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:33:39 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>

docs/snyk/master/public.ecr.aws_docker_library_redis_8.2.3-alpine.html

@@ -492,7 +492,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:30:32 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:33:46 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>

docs/snyk/master/quay.io_argoproj_argocd_latest.html

@@ -492,7 +492,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:30:52 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:34:10 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -508,7 +508,7 @@
               <div class="meta-counts">
                 <div class="meta-count"><span>19</span> <span>known vulnerabilities</span></div>
                 <div class="meta-count"><span>76 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>2346</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>2350</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->

docs/snyk/v3.1.13/argocd-iac-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:42:49 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:46:52 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v3.1.13/argocd-iac-namespace-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:42:58 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:47:01 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v3.1.13/argocd-test.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="29 known vulnerabilities found in 136 vulnerable dependency paths.">
+  <meta name="description" content="29 known vulnerabilities found in 134 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -492,7 +492,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:40:53 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:44:50 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -505,7 +505,7 @@
     
               <div class="meta-counts">
                 <div class="meta-count"><span>29</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>136 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>134 vulnerable dependency paths</span></div>
                 <div class="meta-count"><span>2105</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
@@ -2973,6 +2973,240 @@
                 <p><a href="https://snyk.io/vuln/SNYK-JS-FASTXMLPARSER-15699647">More about this vulnerability</a></p>
             </div>
         
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
+            <h2 class="card__title">Infinite loop</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--high">
+                        <span class="label__text">high severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Not Defined</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: npm
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            brace-expansion
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+        
+                                    argo-cd-ui@1.0.0, minimatch@3.1.2 and others
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        argo-cd-ui@1.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        minimatch@3.1.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        brace-expansion@1.1.11
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        argo-cd-ui@1.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        redoc@2.4.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        @redocly/openapi-core@1.30.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        minimatch@5.1.6
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        brace-expansion@2.0.1
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://github.com/juliangruber/brace-expansion">brace-expansion</a> is a Brace expansion as known from sh/bash</p>
+        <p>Affected versions of this package are vulnerable to Infinite loop through the <code>expand</code> function when processing a brace pattern with a zero step value. An attacker can cause the process to hang and exhaust system memory by supplying specially crafted input, such as <code>{1..2..0}</code>. This can lead to significant resource consumption and denial of service. </p>
+        <h2 id="workaround">Workaround</h2>
+        <p>This vulnerability can be mitigated by sanitizing strings passed to <code>expand</code> to ensure a step value of <code>0</code> is not used.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>brace-expansion</code> to version 5.0.5 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v">GitHub Advisory</a></li>
+        <li><a href="https://github.com/juliangruber/brace-expansion/commit/9a02af5c5c80731fae470cc3218c16876bb25051">GitHub Commit</a></li>
+        <li><a href="https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113">Vulnerable Code</a></li>
+        <li><a href="https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184">Vulnerable Code</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-15789759">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Uncontrolled Recursion</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--medium">
+                        <span class="label__text">medium severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Proof of Concept</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: npm
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            yaml
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+        
+                                    argo-cd-ui@1.0.0, redoc@2.4.0 and others
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        argo-cd-ui@1.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        redoc@2.4.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        swagger2openapi@7.0.8
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        yaml@1.10.2
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        argo-cd-ui@1.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        redoc@2.4.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        swagger2openapi@7.0.8
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        oas-resolver@2.5.6
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        yaml@1.10.2
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        argo-cd-ui@1.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        redoc@2.4.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        swagger2openapi@7.0.8
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        oas-validator@5.0.8
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        yaml@1.10.2
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        argo-cd-ui@1.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        redoc@2.4.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        swagger2openapi@7.0.8
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        oas-validator@5.0.8
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        oas-linter@3.2.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        yaml@1.10.2
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Uncontrolled Recursion in the <code>compose/resolve</code> phase due to using recursive function calls without a depth bound. An attacker can cause the application to throw a <code>RangeError</code> and potentially terminate the Node.js process by supplying a deeply nested YAML payload that exhausts the call stack.</p>
+        <h2 id="poc">PoC</h2>
+        <pre><code class="language-js">const YAML = require(&#39;yaml&#39;);
+        
+        // ~10 KB payload: 5000 levels of nested flow sequences
+        const payload = &#39;[&#39;.repeat(5000) + &#39;1&#39; + &#39;]&#39;.repeat(5000);
+        
+        try {
+          YAML.parse(payload);
+        } catch (e) {
+          console.log(e.constructor.name); // RangeError (NOT YAMLParseError)
+          console.log(e.message);          // Maximum call stack size exceeded
+        }
+        </code></pre>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>yaml</code> to version 1.10.3, 2.8.3 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/eemeli/yaml/security/advisories/GHSA-48c2-rrv3-qjmp">GitHub Advisory</a></li>
+        <li><a href="https://github.com/eemeli/yaml/commit/1e84ebbea7ec35011a4c61bbb820a529ee4f359b">GitHub Commit</a></li>
+        <li><a href="https://github.com/eemeli/yaml/releases/tag/v1.10.3">GitHub Release</a></li>
+        <li><a href="https://github.com/eemeli/yaml/releases/tag/v2.8.3">GitHub Release</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-JS-YAML-15765520">More about this vulnerability</a></p>
+            </div>
+        
         </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
             <h2 class="card__title">Prototype Pollution</h2>
@@ -3137,399 +3371,6 @@
                 <p><a href="https://snyk.io/vuln/SNYK-JS-MINDOCUMENT-13045385">More about this vulnerability</a></p>
             </div>
         
-        </div><!-- .card -->
-        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
-            <h2 class="card__title">Prototype Pollution</h2>
-            <div class="card__section">
-        
-                <div class="card__labels">
-                    <div class="label label--medium">
-                        <span class="label__text">medium severity</span>
-                    </div>
-                    <div class="label label--exploit">
-                        <span class="label__text">Exploit: Not Defined</span>
-                    </div>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock
-                    </li>
-                    <li class="card__meta__item">
-                        Package Manager: npm
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            lodash-es
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-                                argo-cd-ui@1.0.0 and lodash-es@4.17.21
-        
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        argo-cd-ui@1.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        lodash-es@4.17.21
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        argo-cd-ui@1.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        react-form@2.16.3
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        redux@3.7.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        lodash-es@4.17.21
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        argo-cd-ui@1.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        argo-ui@1.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        react-form@2.16.3
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        redux@3.7.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        lodash-es@4.17.21
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="overview">Overview</h2>
-        <p>Affected versions of this package are vulnerable to Prototype Pollution via the <code>_.unset</code> and <code>_.omit</code> functions. An attacker can delete methods held in properties of global prototypes but cannot overwrite those properties.</p>
-        <h2 id="details">Details</h2>
-        <p>Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as <code>__proto__</code>, <code>constructor</code> and <code>prototype</code>. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values.  Properties on the <code>Object.prototype</code> are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.</p>
-        <p>There are two main ways in which the pollution of prototypes occurs:</p>
-        <ul>
-        <li><p>Unsafe <code>Object</code> recursive merge</p>
-        </li>
-        <li><p>Property definition by path</p>
-        </li>
-        </ul>
-        <h3 id="unsafe-object-recursive-merge">Unsafe Object recursive merge</h3>
-        <p>The logic of a vulnerable recursive merge function follows the following high-level model:</p>
-        <pre><code>merge (target, source)
-        
-          foreach property of source
-        
-            if property exists and is an object on both the target and the source
-        
-              merge(target[property], source[property])
-        
-            else
-        
-              target[property] = source[property]
-        </code></pre>
-        <br>  
-        
-        <p>When the source object contains a property named <code>__proto__</code> defined with <code>Object.defineProperty()</code> , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of <code>Object</code> and the source of <code>Object</code> as defined by the attacker. Properties are then copied on the <code>Object</code> prototype.</p>
-        <p>Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: <code>merge({},source)</code>.</p>
-        <p><code>lodash</code> and <code>Hoek</code> are examples of libraries susceptible to recursive merge attacks.</p>
-        <h3 id="property-definition-by-path">Property definition by path</h3>
-        <p>There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: <code>theFunction(object, path, value)</code></p>
-        <p>If the attacker can control the value of “path”, they can set this value to <code>__proto__.myValue</code>. <code>myValue</code> is then assigned to the prototype of the class of the object.</p>
-        <h2 id="types-of-attacks">Types of attacks</h2>
-        <p>There are a few methods by which Prototype Pollution can be manipulated:</p>
-        <table>
-        <thead>
-        <tr>
-        <th>Type</th>
-        <th>Origin</th>
-        <th>Short description</th>
-        </tr>
-        </thead>
-        <tbody><tr>
-        <td><strong>Denial of service (DoS)</strong></td>
-        <td>Client</td>
-        <td>This is the most likely attack. <br>DoS occurs when <code>Object</code> holds generic functions that are implicitly called for various operations (for example, <code>toString</code> and <code>valueOf</code>). <br> The attacker pollutes <code>Object.prototype.someattr</code> and alters its state to an unexpected value such as <code>Int</code> or <code>Object</code>. In this case, the code fails and is likely to cause a denial of service.  <br><strong>For example:</strong> if an attacker pollutes <code>Object.prototype.toString</code> by defining it as an integer, if the codebase at any point was reliant on <code>someobject.toString()</code> it would fail.</td>
-        </tr>
-        <tr>
-        <td><strong>Remote Code Execution</strong></td>
-        <td>Client</td>
-        <td>Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.<br><strong>For example:</strong> <code>eval(someobject.someattr)</code>. In this case, if the attacker pollutes <code>Object.prototype.someattr</code> they are likely to be able to leverage this in order to execute code.</td>
-        </tr>
-        <tr>
-        <td><strong>Property Injection</strong></td>
-        <td>Client</td>
-        <td>The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.<br>  <strong>For example:</strong> if a codebase checks privileges for <code>someuser.isAdmin</code>, then when the attacker pollutes <code>Object.prototype.isAdmin</code> and sets it to equal <code>true</code>, they can then achieve admin privileges.</td>
-        </tr>
-        </tbody></table>
-        <h2 id="affected-environments">Affected environments</h2>
-        <p>The following environments are susceptible to a Prototype Pollution attack:</p>
-        <ul>
-        <li><p>Application server</p>
-        </li>
-        <li><p>Web server</p>
-        </li>
-        <li><p>Web browser</p>
-        </li>
-        </ul>
-        <h2 id="how-to-prevent">How to prevent</h2>
-        <ol>
-        <li><p>Freeze the prototype— use <code>Object.freeze (Object.prototype)</code>.</p>
-        </li>
-        <li><p>Require schema validation of JSON input.</p>
-        </li>
-        <li><p>Avoid using unsafe recursive merge functions.</p>
-        </li>
-        <li><p>Consider using objects without prototypes (for example, <code>Object.create(null)</code>), breaking the prototype chain and preventing pollution.</p>
-        </li>
-        <li><p>As a best practice use <code>Map</code> instead of <code>Object</code>.</p>
-        </li>
-        </ol>
-        <h3 id="for-more-information-on-this-vulnerability-type">For more information on this vulnerability type:</h3>
-        <p><a href="https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf">Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018</a></p>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>lodash-es</code> to version 4.17.23 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81">GitHub Commit</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-JS-LODASHES-15053836">More about this vulnerability</a></p>
-            </div>
-        
-        </div><!-- .card -->
-        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
-            <h2 class="card__title">Prototype Pollution</h2>
-            <div class="card__section">
-        
-                <div class="card__labels">
-                    <div class="label label--medium">
-                        <span class="label__text">medium severity</span>
-                    </div>
-                    <div class="label label--exploit">
-                        <span class="label__text">Exploit: Not Defined</span>
-                    </div>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock
-                    </li>
-                    <li class="card__meta__item">
-                        Package Manager: npm
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            lodash
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-        
-                                    argo-cd-ui@1.0.0, dagre@0.8.5 and others
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        argo-cd-ui@1.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        dagre@0.8.5
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        lodash@4.17.21
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        argo-cd-ui@1.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        react-form@2.16.3
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        redux@3.7.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        lodash@4.17.21
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        argo-cd-ui@1.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        dagre@0.8.5
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        graphlib@2.1.8
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        lodash@4.17.21
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        argo-cd-ui@1.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        react-hot-loader@3.1.3
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        react-proxy@3.0.0-alpha.1
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        lodash@4.17.21
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        argo-cd-ui@1.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        argo-ui@1.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        react-form@2.16.3
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        redux@3.7.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        lodash@4.17.21
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="overview">Overview</h2>
-        <p><a href="https://www.npmjs.com/package/lodash">lodash</a> is a modern JavaScript utility library delivering modularity, performance, &amp; extras.</p>
-        <p>Affected versions of this package are vulnerable to Prototype Pollution via the <code>_.unset</code> and <code>_.omit</code> functions. An attacker can delete methods held in properties of global prototypes but cannot overwrite those properties.</p>
-        <h2 id="details">Details</h2>
-        <p>Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as <code>__proto__</code>, <code>constructor</code> and <code>prototype</code>. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values.  Properties on the <code>Object.prototype</code> are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.</p>
-        <p>There are two main ways in which the pollution of prototypes occurs:</p>
-        <ul>
-        <li><p>Unsafe <code>Object</code> recursive merge</p>
-        </li>
-        <li><p>Property definition by path</p>
-        </li>
-        </ul>
-        <h3 id="unsafe-object-recursive-merge">Unsafe Object recursive merge</h3>
-        <p>The logic of a vulnerable recursive merge function follows the following high-level model:</p>
-        <pre><code>merge (target, source)
-        
-          foreach property of source
-        
-            if property exists and is an object on both the target and the source
-        
-              merge(target[property], source[property])
-        
-            else
-        
-              target[property] = source[property]
-        </code></pre>
-        <br>  
-        
-        <p>When the source object contains a property named <code>__proto__</code> defined with <code>Object.defineProperty()</code> , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of <code>Object</code> and the source of <code>Object</code> as defined by the attacker. Properties are then copied on the <code>Object</code> prototype.</p>
-        <p>Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: <code>merge({},source)</code>.</p>
-        <p><code>lodash</code> and <code>Hoek</code> are examples of libraries susceptible to recursive merge attacks.</p>
-        <h3 id="property-definition-by-path">Property definition by path</h3>
-        <p>There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: <code>theFunction(object, path, value)</code></p>
-        <p>If the attacker can control the value of “path”, they can set this value to <code>__proto__.myValue</code>. <code>myValue</code> is then assigned to the prototype of the class of the object.</p>
-        <h2 id="types-of-attacks">Types of attacks</h2>
-        <p>There are a few methods by which Prototype Pollution can be manipulated:</p>
-        <table>
-        <thead>
-        <tr>
-        <th>Type</th>
-        <th>Origin</th>
-        <th>Short description</th>
-        </tr>
-        </thead>
-        <tbody><tr>
-        <td><strong>Denial of service (DoS)</strong></td>
-        <td>Client</td>
-        <td>This is the most likely attack. <br>DoS occurs when <code>Object</code> holds generic functions that are implicitly called for various operations (for example, <code>toString</code> and <code>valueOf</code>). <br> The attacker pollutes <code>Object.prototype.someattr</code> and alters its state to an unexpected value such as <code>Int</code> or <code>Object</code>. In this case, the code fails and is likely to cause a denial of service.  <br><strong>For example:</strong> if an attacker pollutes <code>Object.prototype.toString</code> by defining it as an integer, if the codebase at any point was reliant on <code>someobject.toString()</code> it would fail.</td>
-        </tr>
-        <tr>
-        <td><strong>Remote Code Execution</strong></td>
-        <td>Client</td>
-        <td>Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.<br><strong>For example:</strong> <code>eval(someobject.someattr)</code>. In this case, if the attacker pollutes <code>Object.prototype.someattr</code> they are likely to be able to leverage this in order to execute code.</td>
-        </tr>
-        <tr>
-        <td><strong>Property Injection</strong></td>
-        <td>Client</td>
-        <td>The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.<br>  <strong>For example:</strong> if a codebase checks privileges for <code>someuser.isAdmin</code>, then when the attacker pollutes <code>Object.prototype.isAdmin</code> and sets it to equal <code>true</code>, they can then achieve admin privileges.</td>
-        </tr>
-        </tbody></table>
-        <h2 id="affected-environments">Affected environments</h2>
-        <p>The following environments are susceptible to a Prototype Pollution attack:</p>
-        <ul>
-        <li><p>Application server</p>
-        </li>
-        <li><p>Web server</p>
-        </li>
-        <li><p>Web browser</p>
-        </li>
-        </ul>
-        <h2 id="how-to-prevent">How to prevent</h2>
-        <ol>
-        <li><p>Freeze the prototype— use <code>Object.freeze (Object.prototype)</code>.</p>
-        </li>
-        <li><p>Require schema validation of JSON input.</p>
-        </li>
-        <li><p>Avoid using unsafe recursive merge functions.</p>
-        </li>
-        <li><p>Consider using objects without prototypes (for example, <code>Object.create(null)</code>), breaking the prototype chain and preventing pollution.</p>
-        </li>
-        <li><p>As a best practice use <code>Map</code> instead of <code>Object</code>.</p>
-        </li>
-        </ol>
-        <h3 id="for-more-information-on-this-vulnerability-type">For more information on this vulnerability type:</h3>
-        <p><a href="https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf">Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018</a></p>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>lodash</code> to version 4.17.23 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81">GitHub Commit</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-JS-LODASH-15053838">More about this vulnerability</a></p>
-            </div>
-        
         </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
             <h2 class="card__title">Prototype Pollution</h2>

docs/snyk/v3.1.13/ghcr.io_dexidp_dex_v2.43.0.html

@@ -492,7 +492,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:35:42 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:44:58 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -507,7 +507,7 @@
               <div class="meta-counts">
                 <div class="meta-count"><span>48</span> <span>known vulnerabilities</span></div>
                 <div class="meta-count"><span>144 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>1131</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>1134</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->

docs/snyk/v3.1.13/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html

@@ -492,7 +492,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:38:31 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:45:03 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>

docs/snyk/v3.1.13/public.ecr.aws_docker_library_redis_7.2.11-alpine.html

@@ -492,7 +492,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:41:14 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:45:11 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -505,7 +505,7 @@
               <div class="meta-counts">
                 <div class="meta-count"><span>12</span> <span>known vulnerabilities</span></div>
                 <div class="meta-count"><span>100 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>19</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>20</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->

docs/snyk/v3.2.8/argocd-iac-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:40:14 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:44:19 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v3.2.8/argocd-iac-namespace-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:40:24 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:44:28 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v3.2.8/argocd-test.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="28 known vulnerabilities found in 135 vulnerable dependency paths.">
+  <meta name="description" content="30 known vulnerabilities found in 141 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -492,7 +492,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:38:18 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:42:18 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -504,8 +504,8 @@
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>28</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>135 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>30</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>141 vulnerable dependency paths</span></div>
                 <div class="meta-count"><span>2115</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
@@ -2895,6 +2895,240 @@
                 <p><a href="https://snyk.io/vuln/SNYK-JS-FASTXMLPARSER-15699647">More about this vulnerability</a></p>
             </div>
         
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
+            <h2 class="card__title">Infinite loop</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--high">
+                        <span class="label__text">high severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Not Defined</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: npm
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            brace-expansion
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+        
+                                    argo-cd-ui@1.0.0, minimatch@3.1.2 and others
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        argo-cd-ui@1.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        minimatch@3.1.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        brace-expansion@1.1.11
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        argo-cd-ui@1.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        redoc@2.4.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        @redocly/openapi-core@1.30.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        minimatch@5.1.6
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        brace-expansion@2.0.1
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://github.com/juliangruber/brace-expansion">brace-expansion</a> is a Brace expansion as known from sh/bash</p>
+        <p>Affected versions of this package are vulnerable to Infinite loop through the <code>expand</code> function when processing a brace pattern with a zero step value. An attacker can cause the process to hang and exhaust system memory by supplying specially crafted input, such as <code>{1..2..0}</code>. This can lead to significant resource consumption and denial of service. </p>
+        <h2 id="workaround">Workaround</h2>
+        <p>This vulnerability can be mitigated by sanitizing strings passed to <code>expand</code> to ensure a step value of <code>0</code> is not used.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>brace-expansion</code> to version 5.0.5 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v">GitHub Advisory</a></li>
+        <li><a href="https://github.com/juliangruber/brace-expansion/commit/9a02af5c5c80731fae470cc3218c16876bb25051">GitHub Commit</a></li>
+        <li><a href="https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113">Vulnerable Code</a></li>
+        <li><a href="https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184">Vulnerable Code</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-15789759">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Uncontrolled Recursion</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--medium">
+                        <span class="label__text">medium severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Proof of Concept</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: npm
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            yaml
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+        
+                                    argo-cd-ui@1.0.0, redoc@2.4.0 and others
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        argo-cd-ui@1.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        redoc@2.4.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        swagger2openapi@7.0.8
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        yaml@1.10.2
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        argo-cd-ui@1.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        redoc@2.4.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        swagger2openapi@7.0.8
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        oas-resolver@2.5.6
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        yaml@1.10.2
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        argo-cd-ui@1.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        redoc@2.4.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        swagger2openapi@7.0.8
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        oas-validator@5.0.8
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        yaml@1.10.2
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        argo-cd-ui@1.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        redoc@2.4.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        swagger2openapi@7.0.8
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        oas-validator@5.0.8
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        oas-linter@3.2.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        yaml@1.10.2
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Uncontrolled Recursion in the <code>compose/resolve</code> phase due to using recursive function calls without a depth bound. An attacker can cause the application to throw a <code>RangeError</code> and potentially terminate the Node.js process by supplying a deeply nested YAML payload that exhausts the call stack.</p>
+        <h2 id="poc">PoC</h2>
+        <pre><code class="language-js">const YAML = require(&#39;yaml&#39;);
+        
+        // ~10 KB payload: 5000 levels of nested flow sequences
+        const payload = &#39;[&#39;.repeat(5000) + &#39;1&#39; + &#39;]&#39;.repeat(5000);
+        
+        try {
+          YAML.parse(payload);
+        } catch (e) {
+          console.log(e.constructor.name); // RangeError (NOT YAMLParseError)
+          console.log(e.message);          // Maximum call stack size exceeded
+        }
+        </code></pre>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>yaml</code> to version 1.10.3, 2.8.3 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/eemeli/yaml/security/advisories/GHSA-48c2-rrv3-qjmp">GitHub Advisory</a></li>
+        <li><a href="https://github.com/eemeli/yaml/commit/1e84ebbea7ec35011a4c61bbb820a529ee4f359b">GitHub Commit</a></li>
+        <li><a href="https://github.com/eemeli/yaml/releases/tag/v1.10.3">GitHub Release</a></li>
+        <li><a href="https://github.com/eemeli/yaml/releases/tag/v2.8.3">GitHub Release</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-JS-YAML-15765520">More about this vulnerability</a></p>
+            </div>
+        
         </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
             <h2 class="card__title">Prototype Pollution</h2>

docs/snyk/v3.2.8/ghcr.io_dexidp_dex_v2.43.0.html

@@ -492,7 +492,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:38:26 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:42:26 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -507,7 +507,7 @@
               <div class="meta-counts">
                 <div class="meta-count"><span>48</span> <span>known vulnerabilities</span></div>
                 <div class="meta-count"><span>144 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>1131</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>1134</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->

docs/snyk/v3.2.8/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html

@@ -492,7 +492,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:41:06 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:42:31 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>

docs/snyk/v3.2.8/public.ecr.aws_docker_library_redis_8.2.2-alpine.html

@@ -492,7 +492,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:38:39 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:42:38 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>

docs/snyk/v3.2.8/quay.io_argoproj_argocd_v3.2.8.html

@@ -492,23 +492,23 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:39:01 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:42:59 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
                 <ul>
-                  <li class="paths">quay.io/argoproj/argocd:v3.2.7/argoproj/argocd/Dockerfile (deb)</li>
-                  <li class="paths">quay.io/argoproj/argocd:v3.2.7/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)</li>
-                  <li class="paths">quay.io/argoproj/argocd:v3.2.7//usr/local/bin/kustomize (gomodules)</li>
-                  <li class="paths">quay.io/argoproj/argocd:v3.2.7/helm/v3//usr/local/bin/helm (gomodules)</li>
-                  <li class="paths">quay.io/argoproj/argocd:v3.2.7/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)</li>
+                  <li class="paths">quay.io/argoproj/argocd:v3.2.8/argoproj/argocd/Dockerfile (deb)</li>
+                  <li class="paths">quay.io/argoproj/argocd:v3.2.8/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)</li>
+                  <li class="paths">quay.io/argoproj/argocd:v3.2.8//usr/local/bin/kustomize (gomodules)</li>
+                  <li class="paths">quay.io/argoproj/argocd:v3.2.8/helm/v3//usr/local/bin/helm (gomodules)</li>
+                  <li class="paths">quay.io/argoproj/argocd:v3.2.8/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)</li>
                 </ul>
               </div>
     
               <div class="meta-counts">
                 <div class="meta-count"><span>13</span> <span>known vulnerabilities</span></div>
                 <div class="meta-count"><span>14 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>2322</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>2326</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->
@@ -533,7 +533,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.2.7/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.2.8/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -607,7 +607,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.2.7/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.2.8/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -680,7 +680,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.2.7/helm/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/helm
+                        Manifest file: quay.io/argoproj/argocd:v3.2.8/helm/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/helm
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -756,7 +756,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.2.7/helm/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/helm
+                        Manifest file: quay.io/argoproj/argocd:v3.2.8/helm/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/helm
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -832,7 +832,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.2.7/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.2.8/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -902,7 +902,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.2.7/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.2.8/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -964,7 +964,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.2.7/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.2.8/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1026,7 +1026,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.2.7/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.2.8/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1088,7 +1088,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.2.7/helm/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/helm
+                        Manifest file: quay.io/argoproj/argocd:v3.2.8/helm/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/helm
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1150,7 +1150,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.2.7/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.2.8/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1212,7 +1212,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.2.7/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.2.8/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1277,7 +1277,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.2.7/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.2.8/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1352,7 +1352,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.2.7/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.2.8/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.04
@@ -1365,7 +1365,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@v3.2.7 and glibc/libc-bin@2.41-6ubuntu1.2
+                                docker-image|quay.io/argoproj/argocd@v3.2.8 and glibc/libc-bin@2.41-6ubuntu1.2
         
                     </li>
                 </ul>
@@ -1378,7 +1378,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.2.7
+                                        docker-image|quay.io/argoproj/argocd@v3.2.8
                                          <span class="list-paths__item__arrow">›</span> 
                                         glibc/libc-bin@2.41-6ubuntu1.2
                                         
@@ -1387,7 +1387,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.2.7
+                                        docker-image|quay.io/argoproj/argocd@v3.2.8
                                          <span class="list-paths__item__arrow">›</span> 
                                         glibc/libc6@2.41-6ubuntu1.2
                                         

docs/snyk/v3.3.6/argocd-iac-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:37:44 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:41:54 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v3.3.6/argocd-iac-namespace-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:38:02 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:42:04 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v3.3.6/ghcr.io_dexidp_dex_v2.43.0.html

@@ -492,7 +492,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:41:02 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:39:36 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -507,7 +507,7 @@
               <div class="meta-counts">
                 <div class="meta-count"><span>48</span> <span>known vulnerabilities</span></div>
                 <div class="meta-count"><span>144 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>1131</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>1134</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->

docs/snyk/v3.3.6/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html

@@ -492,7 +492,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:35:47 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:39:41 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>

docs/snyk/v3.3.6/public.ecr.aws_docker_library_redis_8.2.3-alpine.html

@@ -492,7 +492,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:35:52 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:39:48 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>

docs/snyk/v3.3.6/quay.io_argoproj_argocd_v3.3.6.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="21 known vulnerabilities found in 84 vulnerable dependency paths.">
+  <meta name="description" content="20 known vulnerabilities found in 83 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -492,23 +492,23 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:36:13 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:40:10 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
                 <ul>
-                  <li class="paths">quay.io/argoproj/argocd:v3.3.4/argoproj/argocd/Dockerfile (deb)</li>
-                  <li class="paths">quay.io/argoproj/argocd:v3.3.4/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)</li>
-                  <li class="paths">quay.io/argoproj/argocd:v3.3.4//usr/local/bin/kustomize (gomodules)</li>
-                  <li class="paths">quay.io/argoproj/argocd:v3.3.4/helm/v3//usr/local/bin/helm (gomodules)</li>
-                  <li class="paths">quay.io/argoproj/argocd:v3.3.4/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)</li>
+                  <li class="paths">quay.io/argoproj/argocd:v3.3.6/argoproj/argocd/Dockerfile (deb)</li>
+                  <li class="paths">quay.io/argoproj/argocd:v3.3.6/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)</li>
+                  <li class="paths">quay.io/argoproj/argocd:v3.3.6//usr/local/bin/kustomize (gomodules)</li>
+                  <li class="paths">quay.io/argoproj/argocd:v3.3.6/helm/v3//usr/local/bin/helm (gomodules)</li>
+                  <li class="paths">quay.io/argoproj/argocd:v3.3.6/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)</li>
                 </ul>
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>21</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>84 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>2325</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>20</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>83 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>2330</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->
@@ -516,80 +516,6 @@
 
     <div class="layout-container" style="padding-top: 35px;">
       <div class="cards--vuln filter--patch filter--ignore">
-        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
-            <h2 class="card__title">Incorrect Authorization</h2>
-            <div class="card__section">
-        
-                <div class="card__labels">
-                    <div class="label label--critical">
-                        <span class="label__text">critical severity</span>
-                    </div>
-                    <div class="label label--exploit">
-                        <span class="label__text">Exploit: Not Defined</span>
-                    </div>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.3.4/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
-                    </li>
-                    <li class="card__meta__item">
-                        Package Manager: golang
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            google.golang.org/grpc
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-                                github.com/argoproj/argo-cd/v3@* and google.golang.org/grpc@v1.77.0
-        
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v3@*
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        google.golang.org/grpc@v1.77.0
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="overview">Overview</h2>
-        <p>Affected versions of this package are vulnerable to Incorrect Authorization in the processing of HTTP/2 <code>:path</code> pseudo-headers in <code>handleStream()</code>. An attacker can gain unauthorized access to restricted resources by sending requests with malformed <code>:path</code> headers that omit the leading slash. This is only exploitable if the server uses path-based authorization interceptors, has deny rules that use canonical paths with leading slashes, and has a fallback allow rule in its policy.</p>
-        <h2 id="workaround">Workaround</h2>
-        <p>This vulnerability can be mitigated by adding a validating interceptor that rejects requests with malformed paths, configuring infrastructure (such as reverse proxies) to enforce strict HTTP/2 compliance, or switching to a default-deny authorization policy.</p>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>google.golang.org/grpc</code> to version 1.79.3 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/grpc/grpc-go/commit/72186f163e75a065c39e6f7df9b6dea07fbdeff5">GitHub Commit</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-15691172">More about this vulnerability</a></p>
-            </div>
-        
-        </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
             <h2 class="card__title">CVE-2026-3184</h2>
             <div class="card__section">
@@ -607,7 +533,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.3.4/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.3.6/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -620,7 +546,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@v3.3.4 and util-linux/libblkid1@2.41-4ubuntu4.2
+                                docker-image|quay.io/argoproj/argocd@v3.3.6 and util-linux/libblkid1@2.41-4ubuntu4.2
         
                     </li>
                 </ul>
@@ -633,7 +559,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/libblkid1@2.41-4ubuntu4.2
                                         
@@ -642,7 +568,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         e2fsprogs@1.47.2-3ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -653,7 +579,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/libmount1@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -664,7 +590,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -675,7 +601,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/mount@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -686,7 +612,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/libuuid1@2.41-4ubuntu4.2
                                         
@@ -695,7 +621,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         e2fsprogs@1.47.2-3ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -706,7 +632,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -717,7 +643,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/liblastlog2-2@2.41-4ubuntu4.2
                                         
@@ -726,7 +652,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -737,7 +663,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/libmount1@2.41-4ubuntu4.2
                                         
@@ -746,7 +672,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -757,7 +683,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/mount@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -768,7 +694,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/libsmartcols1@2.41-4ubuntu4.2
                                         
@@ -777,7 +703,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -788,7 +714,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/mount@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -799,7 +725,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux@2.41-4ubuntu4.2
                                         
@@ -808,7 +734,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/bsdutils@1:2.41-4ubuntu4.2
                                         
@@ -817,7 +743,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/login@1:4.16.0-2+really2.41-4ubuntu4.2
                                         
@@ -826,7 +752,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/mount@2.41-4ubuntu4.2
                                         
@@ -872,7 +798,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.3.4/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.3.6/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -885,7 +811,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@v3.3.4 and tar@1.35+dfsg-3.1build1
+                                docker-image|quay.io/argoproj/argocd@v3.3.6 and tar@1.35+dfsg-3.1build1
         
                     </li>
                 </ul>
@@ -898,7 +824,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         tar@1.35+dfsg-3.1build1
                                         
@@ -907,7 +833,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         dpkg@1.22.21ubuntu3.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -963,7 +889,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.3.4/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.3.6/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -976,7 +902,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@v3.3.4 and pam/libpam0g@1.7.0-5ubuntu2
+                                docker-image|quay.io/argoproj/argocd@v3.3.6 and pam/libpam0g@1.7.0-5ubuntu2
         
                     </li>
                 </ul>
@@ -989,7 +915,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         pam/libpam0g@1.7.0-5ubuntu2
                                         
@@ -998,7 +924,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1009,7 +935,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/login@1:4.16.0-2+really2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1020,7 +946,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         apt@3.1.6ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1035,7 +961,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         apt@3.1.6ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1052,7 +978,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         apt@3.1.6ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1071,7 +997,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         pam/libpam-modules-bin@1.7.0-5ubuntu2
                                         
@@ -1080,7 +1006,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         apt@3.1.6ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1097,7 +1023,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         pam/libpam-modules@1.7.0-5ubuntu2
                                         
@@ -1106,7 +1032,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         pam/libpam-runtime@1.7.0-5ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1117,7 +1043,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1128,7 +1054,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/login@1:4.16.0-2+really2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1139,7 +1065,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         apt@3.1.6ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1154,7 +1080,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         pam/libpam-runtime@1.7.0-5ubuntu2
                                         
@@ -1163,7 +1089,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1174,7 +1100,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/login@1:4.16.0-2+really2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1243,7 +1169,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.3.4/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.3.6/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -1256,7 +1182,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@v3.3.4 and gnupg2/gpgv@2.4.8-2ubuntu2.1
+                                docker-image|quay.io/argoproj/argocd@v3.3.6 and gnupg2/gpgv@2.4.8-2ubuntu2.1
         
                     </li>
                 </ul>
@@ -1269,7 +1195,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpgv@2.4.8-2ubuntu2.1
                                         
@@ -1278,7 +1204,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         apt@3.1.6ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1289,7 +1215,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/dirmngr@2.4.8-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1300,7 +1226,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg-agent@2.4.8-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1311,7 +1237,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg@2.4.8-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1322,7 +1248,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/dirmngr@2.4.8-2ubuntu2.1
                                         
@@ -1331,7 +1257,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg@2.4.8-2ubuntu2.1
                                         
@@ -1340,7 +1266,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg-agent@2.4.8-2ubuntu2.1
                                         
@@ -1391,7 +1317,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.3.4/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.3.6/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1461,7 +1387,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.3.4/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.3.6/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1523,7 +1449,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.3.4/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.3.6/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1585,7 +1511,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.3.4/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.3.6/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1647,7 +1573,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.3.4/helm/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/helm
+                        Manifest file: quay.io/argoproj/argocd:v3.3.6/helm/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/helm
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1709,7 +1635,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.3.4/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.3.6/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1771,7 +1697,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.3.4/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.3.6/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1836,7 +1762,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.3.4/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.3.6/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1911,7 +1837,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.3.4/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.3.6/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -1925,7 +1851,7 @@
                     <li class="card__meta__item">Introduced through:
         
         
-                                    docker-image|quay.io/argoproj/argocd@v3.3.4, git@1:2.51.0-1ubuntu1 and others
+                                    docker-image|quay.io/argoproj/argocd@v3.3.6, git@1:2.51.0-1ubuntu1 and others
                     </li>
                 </ul>
         
@@ -1937,7 +1863,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         git@1:2.51.0-1ubuntu1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1948,7 +1874,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         git@1:2.51.0-1ubuntu1
                                         
@@ -1957,7 +1883,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         git-lfs@3.6.1-1ubuntu0.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2009,7 +1935,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.3.4/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.3.6/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -2023,7 +1949,7 @@
                     <li class="card__meta__item">Introduced through:
         
         
-                                    docker-image|quay.io/argoproj/argocd@v3.3.4, git@1:2.51.0-1ubuntu1 and others
+                                    docker-image|quay.io/argoproj/argocd@v3.3.6, git@1:2.51.0-1ubuntu1 and others
                     </li>
                 </ul>
         
@@ -2035,7 +1961,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         git@1:2.51.0-1ubuntu1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2087,7 +2013,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.3.4/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.3.6/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -2100,7 +2026,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@v3.3.4 and shadow/login.defs@1:4.17.4-2ubuntu2
+                                docker-image|quay.io/argoproj/argocd@v3.3.6 and shadow/login.defs@1:4.17.4-2ubuntu2
         
                     </li>
                 </ul>
@@ -2113,7 +2039,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         shadow/login.defs@1:4.17.4-2ubuntu2
                                         
@@ -2122,7 +2048,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/login@1:4.16.0-2+really2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2133,7 +2059,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         apt@3.1.6ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2148,7 +2074,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         shadow/passwd@1:4.17.4-2ubuntu2
                                         
@@ -2157,7 +2083,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         openssh/openssh-client@1:10.0p1-5ubuntu5.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2168,7 +2094,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         apt@3.1.6ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2223,7 +2149,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.3.4/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.3.6/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -2236,7 +2162,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@v3.3.4 and patch@2.8-2
+                                docker-image|quay.io/argoproj/argocd@v3.3.6 and patch@2.8-2
         
                     </li>
                 </ul>
@@ -2249,7 +2175,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         patch@2.8-2
                                         
@@ -2298,7 +2224,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.3.4/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.3.6/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -2311,7 +2237,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@v3.3.4 and patch@2.8-2
+                                docker-image|quay.io/argoproj/argocd@v3.3.6 and patch@2.8-2
         
                     </li>
                 </ul>
@@ -2324,7 +2250,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         patch@2.8-2
                                         
@@ -2378,7 +2304,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.3.4/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.3.6/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -2391,7 +2317,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@v3.3.4 and libgcrypt20@1.11.0-7build1
+                                docker-image|quay.io/argoproj/argocd@v3.3.6 and libgcrypt20@1.11.0-7build1
         
                     </li>
                 </ul>
@@ -2404,7 +2330,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         libgcrypt20@1.11.0-7build1
                                         
@@ -2413,7 +2339,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/dirmngr@2.4.8-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2424,7 +2350,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg@2.4.8-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2435,7 +2361,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg-agent@2.4.8-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2446,7 +2372,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         apt@3.1.6ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2459,7 +2385,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg@2.4.8-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2517,7 +2443,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.3.4/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.3.6/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -2530,7 +2456,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@v3.3.4 and gnupg2/gpgv@2.4.8-2ubuntu2.1
+                                docker-image|quay.io/argoproj/argocd@v3.3.6 and gnupg2/gpgv@2.4.8-2ubuntu2.1
         
                     </li>
                 </ul>
@@ -2543,7 +2469,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpgv@2.4.8-2ubuntu2.1
                                         
@@ -2552,7 +2478,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         apt@3.1.6ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2563,7 +2489,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/dirmngr@2.4.8-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2574,7 +2500,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg-agent@2.4.8-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2585,7 +2511,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg@2.4.8-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2596,7 +2522,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/dirmngr@2.4.8-2ubuntu2.1
                                         
@@ -2605,7 +2531,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg@2.4.8-2ubuntu2.1
                                         
@@ -2614,7 +2540,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg-agent@2.4.8-2ubuntu2.1
                                         
@@ -2668,7 +2594,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.3.4/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.3.6/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -2681,7 +2607,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@v3.3.4 and coreutils/gnu-coreutils@9.5-1ubuntu4.1
+                                docker-image|quay.io/argoproj/argocd@v3.3.6 and coreutils/gnu-coreutils@9.5-1ubuntu4.1
         
                     </li>
                 </ul>
@@ -2694,7 +2620,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         coreutils/gnu-coreutils@9.5-1ubuntu4.1
                                         
@@ -2703,7 +2629,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         tzdata@2025b-3ubuntu1.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2714,7 +2640,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.3.4
+                                        docker-image|quay.io/argoproj/argocd@v3.3.6
                                          <span class="list-paths__item__arrow">›</span> 
                                         coreutils-from/coreutils@9.5-1ubuntu2+0.0.0~ubuntu24
                                          <span class="list-paths__item__arrow">›</span> 

docs/snyk/v3.4.0-rc4/argocd-iac-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:34:57 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:38:44 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v3.4.0-rc4/argocd-iac-namespace-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:35:07 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:39:01 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v3.4.0-rc4/ghcr.io_dexidp_dex_v2.45.0.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="29 known vulnerabilities found in 49 vulnerable dependency paths.">
+  <meta name="description" content="28 known vulnerabilities found in 46 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -492,7 +492,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:32:56 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:36:21 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -505,9 +505,9 @@
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>29</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>49 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>1189</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>28</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>46 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>1192</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->
@@ -597,105 +597,6 @@
                 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-15691172">More about this vulnerability</a></p>
             </div>
         
-        </div><!-- .card -->
-        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
-            <h2 class="card__title">Out-of-bounds Write</h2>
-            <div class="card__section">
-        
-                <div class="card__labels">
-                    <div class="label label--high">
-                        <span class="label__text">high severity</span>
-                    </div>
-                    <div class="label label--exploit">
-                        <span class="label__text">Exploit: Not Defined</span>
-                    </div>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Package Manager: alpine:3.23
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            zlib/zlib
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-                                docker-image|ghcr.io/dexidp/dex@v2.45.0 and zlib/zlib@1.3.1-r2
-        
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|ghcr.io/dexidp/dex@v2.45.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        zlib/zlib@1.3.1-r2
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|ghcr.io/dexidp/dex@v2.45.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        apk-tools/apk-tools@3.0.3-r1
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        zlib/zlib@1.3.1-r2
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|ghcr.io/dexidp/dex@v2.45.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        apk-tools/apk-tools@3.0.3-r1
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        apk-tools/libapk@3.0.3-r1
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        zlib/zlib@1.3.1-r2
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>zlib</code> package and not the <code>zlib</code> package as distributed by <code>Alpine</code>.</em>
-        <em>See <code>How to fix?</code> for <code>Alpine:3.23</code> relevant fixed versions and status.</em></p>
-        <p>zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under contrib/untgz. The vulnerability is limited to the standalone demonstration utility and does not affect the core zlib compression library. The flaw occurs when a user executes the untgz command with an excessively long archive name supplied via the command line, leading to an out-of-bounds write in a fixed-size global buffer.</p>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>Alpine:3.23</code> <code>zlib</code> to version 1.3.2-r0 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/madler/zlib">https://github.com/madler/zlib</a></li>
-        <li><a href="https://seclists.org/fulldisclosure/2026/Jan/3">https://seclists.org/fulldisclosure/2026/Jan/3</a></li>
-        <li><a href="https://www.vulncheck.com/advisories/zlib-untgz-global-buffer-overflow-in-tgzfname">https://www.vulncheck.com/advisories/zlib-untgz-global-buffer-overflow-in-tgzfname</a></li>
-        <li><a href="https://zlib.net/">https://zlib.net/</a></li>
-        <li><a href="https://github.com/madler/zlib/issues/1142">https://github.com/madler/zlib/issues/1142</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-ALPINE323-ZLIB-15435528">More about this vulnerability</a></p>
-            </div>
-        
         </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
             <h2 class="card__title">Untrusted Search Path</h2>
@@ -1043,9 +944,9 @@
         <h2 id="references">References</h2>
         <ul>
         <li><a href="https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit/">https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit/</a></li>
-        <li><a href="https://github.com/madler/zlib/issues/904">https://github.com/madler/zlib/issues/904</a></li>
         <li><a href="https://github.com/madler/zlib/releases/tag/v1.3.2">https://github.com/madler/zlib/releases/tag/v1.3.2</a></li>
         <li><a href="https://ostif.org/zlib-audit-complete/">https://ostif.org/zlib-audit-complete/</a></li>
+        <li><a href="https://github.com/madler/zlib/issues/904">https://github.com/madler/zlib/issues/904</a></li>
         <li><a href="https://7asecurity.com/reports/pentest-report-zlib-RC1.1.pdf">https://7asecurity.com/reports/pentest-report-zlib-RC1.1.pdf</a></li>
         </ul>
         

docs/snyk/v3.4.0-rc4/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html

@@ -492,7 +492,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:33:01 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:36:26 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>

docs/snyk/v3.4.0-rc4/public.ecr.aws_docker_library_redis_8.2.3-alpine.html

@@ -492,7 +492,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:33:06 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:36:33 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>

docs/snyk/v3.4.0-rc4/quay.io_argoproj_argocd_v3.4.0-rc3.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="20 known vulnerabilities found in 77 vulnerable dependency paths.">
+  <meta name="description" content="19 known vulnerabilities found in 76 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -492,23 +492,23 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">March 22nd 2026, 12:33:25 am (UTC+00:00)</p>
+                <p class="timestamp">March 29th 2026, 12:36:53 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
                 <ul>
-                  <li class="paths">quay.io/argoproj/argocd:v3.4.0-rc2/argoproj/argocd/Dockerfile (deb)</li>
-                  <li class="paths">quay.io/argoproj/argocd:v3.4.0-rc2/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)</li>
-                  <li class="paths">quay.io/argoproj/argocd:v3.4.0-rc2//usr/local/bin/git-lfs (gomodules)</li>
-                  <li class="paths">quay.io/argoproj/argocd:v3.4.0-rc2//usr/local/bin/kustomize (gomodules)</li>
-                  <li class="paths">quay.io/argoproj/argocd:v3.4.0-rc2/helm/v3//usr/local/bin/helm (gomodules)</li>
+                  <li class="paths">quay.io/argoproj/argocd:v3.4.0-rc3/argoproj/argocd/Dockerfile (deb)</li>
+                  <li class="paths">quay.io/argoproj/argocd:v3.4.0-rc3/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)</li>
+                  <li class="paths">quay.io/argoproj/argocd:v3.4.0-rc3//usr/local/bin/git-lfs (gomodules)</li>
+                  <li class="paths">quay.io/argoproj/argocd:v3.4.0-rc3//usr/local/bin/kustomize (gomodules)</li>
+                  <li class="paths">quay.io/argoproj/argocd:v3.4.0-rc3/helm/v3//usr/local/bin/helm (gomodules)</li>
                 </ul>
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>20</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>77 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>2359</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>19</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>76 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>2363</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->
@@ -516,80 +516,6 @@
 
     <div class="layout-container" style="padding-top: 35px;">
       <div class="cards--vuln filter--patch filter--ignore">
-        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
-            <h2 class="card__title">Incorrect Authorization</h2>
-            <div class="card__section">
-        
-                <div class="card__labels">
-                    <div class="label label--critical">
-                        <span class="label__text">critical severity</span>
-                    </div>
-                    <div class="label label--exploit">
-                        <span class="label__text">Exploit: Not Defined</span>
-                    </div>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc2/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
-                    </li>
-                    <li class="card__meta__item">
-                        Package Manager: golang
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            google.golang.org/grpc
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-                                github.com/argoproj/argo-cd/v3@* and google.golang.org/grpc@v1.79.2
-        
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v3@*
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        google.golang.org/grpc@v1.79.2
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="overview">Overview</h2>
-        <p>Affected versions of this package are vulnerable to Incorrect Authorization in the processing of HTTP/2 <code>:path</code> pseudo-headers in <code>handleStream()</code>. An attacker can gain unauthorized access to restricted resources by sending requests with malformed <code>:path</code> headers that omit the leading slash. This is only exploitable if the server uses path-based authorization interceptors, has deny rules that use canonical paths with leading slashes, and has a fallback allow rule in its policy.</p>
-        <h2 id="workaround">Workaround</h2>
-        <p>This vulnerability can be mitigated by adding a validating interceptor that rejects requests with malformed paths, configuring infrastructure (such as reverse proxies) to enforce strict HTTP/2 compliance, or switching to a default-deny authorization policy.</p>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>google.golang.org/grpc</code> to version 1.79.3 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/grpc/grpc-go/commit/72186f163e75a065c39e6f7df9b6dea07fbdeff5">GitHub Commit</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-15691172">More about this vulnerability</a></p>
-            </div>
-        
-        </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
             <h2 class="card__title">CVE-2026-3184</h2>
             <div class="card__section">
@@ -607,7 +533,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc2/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc3/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -620,7 +546,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@v3.4.0-rc2 and util-linux/libblkid1@2.41-4ubuntu4.2
+                                docker-image|quay.io/argoproj/argocd@v3.4.0-rc3 and util-linux/libblkid1@2.41-4ubuntu4.2
         
                     </li>
                 </ul>
@@ -633,7 +559,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/libblkid1@2.41-4ubuntu4.2
                                         
@@ -642,7 +568,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         e2fsprogs@1.47.2-3ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -653,7 +579,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/libmount1@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -664,7 +590,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -675,7 +601,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/mount@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -686,7 +612,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/libuuid1@2.41-4ubuntu4.2
                                         
@@ -695,7 +621,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         e2fsprogs@1.47.2-3ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -706,7 +632,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -717,7 +643,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/liblastlog2-2@2.41-4ubuntu4.2
                                         
@@ -726,7 +652,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -737,7 +663,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/libmount1@2.41-4ubuntu4.2
                                         
@@ -746,7 +672,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -757,7 +683,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/mount@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -768,7 +694,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/libsmartcols1@2.41-4ubuntu4.2
                                         
@@ -777,7 +703,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -788,7 +714,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/mount@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -799,7 +725,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux@2.41-4ubuntu4.2
                                         
@@ -808,7 +734,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/bsdutils@1:2.41-4ubuntu4.2
                                         
@@ -817,7 +743,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/login@1:4.16.0-2+really2.41-4ubuntu4.2
                                         
@@ -826,7 +752,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/mount@2.41-4ubuntu4.2
                                         
@@ -872,7 +798,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc2/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc3/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -885,7 +811,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@v3.4.0-rc2 and tar@1.35+dfsg-3.1build1
+                                docker-image|quay.io/argoproj/argocd@v3.4.0-rc3 and tar@1.35+dfsg-3.1build1
         
                     </li>
                 </ul>
@@ -898,7 +824,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         tar@1.35+dfsg-3.1build1
                                         
@@ -907,7 +833,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         dpkg@1.22.21ubuntu3.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -963,7 +889,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc2/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc3/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -976,7 +902,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@v3.4.0-rc2 and pam/libpam0g@1.7.0-5ubuntu2
+                                docker-image|quay.io/argoproj/argocd@v3.4.0-rc3 and pam/libpam0g@1.7.0-5ubuntu2
         
                     </li>
                 </ul>
@@ -989,7 +915,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         pam/libpam0g@1.7.0-5ubuntu2
                                         
@@ -998,7 +924,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1009,7 +935,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/login@1:4.16.0-2+really2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1020,7 +946,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         apt@3.1.6ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1035,7 +961,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         apt@3.1.6ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1052,7 +978,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         apt@3.1.6ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1071,7 +997,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         pam/libpam-modules-bin@1.7.0-5ubuntu2
                                         
@@ -1080,7 +1006,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         apt@3.1.6ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1097,7 +1023,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         pam/libpam-modules@1.7.0-5ubuntu2
                                         
@@ -1106,7 +1032,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         pam/libpam-runtime@1.7.0-5ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1117,7 +1043,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1128,7 +1054,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/login@1:4.16.0-2+really2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1139,7 +1065,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         apt@3.1.6ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1154,7 +1080,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         pam/libpam-runtime@1.7.0-5ubuntu2
                                         
@@ -1163,7 +1089,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux@2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1174,7 +1100,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/login@1:4.16.0-2+really2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1243,7 +1169,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc2/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc3/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -1256,7 +1182,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@v3.4.0-rc2 and gnupg2/gpgv@2.4.8-2ubuntu2.1
+                                docker-image|quay.io/argoproj/argocd@v3.4.0-rc3 and gnupg2/gpgv@2.4.8-2ubuntu2.1
         
                     </li>
                 </ul>
@@ -1269,7 +1195,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpgv@2.4.8-2ubuntu2.1
                                         
@@ -1278,7 +1204,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         apt@3.1.6ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1289,7 +1215,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg@2.4.8-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1300,7 +1226,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg-agent@2.4.8-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1311,7 +1237,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg@2.4.8-2ubuntu2.1
                                         
@@ -1320,7 +1246,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg-agent@2.4.8-2ubuntu2.1
                                         
@@ -1371,7 +1297,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc2/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc3/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1441,7 +1367,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc2/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc3/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1503,7 +1429,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc2/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc3/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1565,7 +1491,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc2 <span class="list-paths__item__arrow">›</span> /usr/local/bin/git-lfs
+                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/git-lfs
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1627,7 +1553,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc2/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc3/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1689,7 +1615,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc2/helm/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/helm
+                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc3/helm/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/helm
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1751,7 +1677,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc2/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc3/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1813,7 +1739,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc2/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc3/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1878,7 +1804,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc2/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc3/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
                     </li>
                     <li class="card__meta__item">
                         Package Manager: golang
@@ -1953,7 +1879,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc2/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc3/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -1967,7 +1893,7 @@
                     <li class="card__meta__item">Introduced through:
         
         
-                                    docker-image|quay.io/argoproj/argocd@v3.4.0-rc2, git@1:2.51.0-1ubuntu1 and others
+                                    docker-image|quay.io/argoproj/argocd@v3.4.0-rc3, git@1:2.51.0-1ubuntu1 and others
                     </li>
                 </ul>
         
@@ -1979,7 +1905,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         git@1:2.51.0-1ubuntu1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1990,7 +1916,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         git@1:2.51.0-1ubuntu1
                                         
@@ -2040,7 +1966,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc2/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc3/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -2054,7 +1980,7 @@
                     <li class="card__meta__item">Introduced through:
         
         
-                                    docker-image|quay.io/argoproj/argocd@v3.4.0-rc2, git@1:2.51.0-1ubuntu1 and others
+                                    docker-image|quay.io/argoproj/argocd@v3.4.0-rc3, git@1:2.51.0-1ubuntu1 and others
                     </li>
                 </ul>
         
@@ -2066,7 +1992,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         git@1:2.51.0-1ubuntu1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2118,7 +2044,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc2/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc3/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -2131,7 +2057,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@v3.4.0-rc2 and shadow/login.defs@1:4.17.4-2ubuntu2
+                                docker-image|quay.io/argoproj/argocd@v3.4.0-rc3 and shadow/login.defs@1:4.17.4-2ubuntu2
         
                     </li>
                 </ul>
@@ -2144,7 +2070,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         shadow/login.defs@1:4.17.4-2ubuntu2
                                         
@@ -2153,7 +2079,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         util-linux/login@1:4.16.0-2+really2.41-4ubuntu4.2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2164,7 +2090,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         apt@3.1.6ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2179,7 +2105,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         shadow/passwd@1:4.17.4-2ubuntu2
                                         
@@ -2188,7 +2114,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         openssh/openssh-client@1:10.0p1-5ubuntu5.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2199,7 +2125,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         apt@3.1.6ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2254,7 +2180,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc2/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc3/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -2267,7 +2193,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@v3.4.0-rc2 and libgcrypt20@1.11.0-7build1
+                                docker-image|quay.io/argoproj/argocd@v3.4.0-rc3 and libgcrypt20@1.11.0-7build1
         
                     </li>
                 </ul>
@@ -2280,7 +2206,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         libgcrypt20@1.11.0-7build1
                                         
@@ -2289,7 +2215,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg@2.4.8-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2300,7 +2226,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg-agent@2.4.8-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2311,7 +2237,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         apt@3.1.6ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2324,7 +2250,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg@2.4.8-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2382,7 +2308,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc2/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc3/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -2395,7 +2321,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@v3.4.0-rc2 and gnupg2/gpgv@2.4.8-2ubuntu2.1
+                                docker-image|quay.io/argoproj/argocd@v3.4.0-rc3 and gnupg2/gpgv@2.4.8-2ubuntu2.1
         
                     </li>
                 </ul>
@@ -2408,7 +2334,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpgv@2.4.8-2ubuntu2.1
                                         
@@ -2417,7 +2343,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         apt@3.1.6ubuntu2
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2428,7 +2354,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg@2.4.8-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2439,7 +2365,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg-agent@2.4.8-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2450,7 +2376,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg@2.4.8-2ubuntu2.1
                                         
@@ -2459,7 +2385,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         gnupg2/gpg-agent@2.4.8-2ubuntu2.1
                                         
@@ -2513,7 +2439,7 @@
         
                 <ul class="card__meta">
                     <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc2/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                        Manifest file: quay.io/argoproj/argocd:v3.4.0-rc3/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
                     </li>
                     <li class="card__meta__item">
                         Package Manager: ubuntu:25.10
@@ -2526,7 +2452,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@v3.4.0-rc2 and coreutils/gnu-coreutils@9.5-1ubuntu4.1
+                                docker-image|quay.io/argoproj/argocd@v3.4.0-rc3 and coreutils/gnu-coreutils@9.5-1ubuntu4.1
         
                     </li>
                 </ul>
@@ -2539,7 +2465,7 @@
                     <ul class="card__meta__paths">
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         coreutils/gnu-coreutils@9.5-1ubuntu4.1
                                         
@@ -2548,7 +2474,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         tzdata@2025b-3ubuntu1.1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -2559,7 +2485,7 @@
                             </li>
                                 <li>
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc2
+                                        docker-image|quay.io/argoproj/argocd@v3.4.0-rc3
                                          <span class="list-paths__item__arrow">›</span> 
                                         coreutils-from/coreutils@9.5-1ubuntu2+0.0.0~ubuntu24
                                          <span class="list-paths__item__arrow">›</span> 

docs/user-guide/annotations-and-labels.md

@@ -6,7 +6,7 @@
 |--------------------------------------------|---------------------|---------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | argocd.argoproj.io/application-set-refresh | ApplicationSet      | `"true"`                                                                                          | Added when an ApplicationSet is requested to be refreshed by a webhook. The ApplicationSet controller will remove this annotation at the end of reconciliation.                                              |
 | argocd.argoproj.io/compare-options         | any                 | [see compare options docs](compare-options.md)                                                    | Configures how an app's current state is compared to its desired state.                                                                                                                                      |
-| argocd.argoproj.io/hook                    | any                 | [see resource hooks docs](resource_hooks.md)                                                      | Used to configure [resource hooks](resource_hooks.md).                                                                                                                                                       |
+| argocd.argoproj.io/hook                    | any                 | [see hooks docs](sync-waves.md)                                                                   | Used to configure [resource hooks](sync-waves.md).                                                                                                                                                           |
 | argocd.argoproj.io/hook-delete-policy      | any                 | [see sync waves docs](sync-waves.md#hook-lifecycle-and-cleanup)                               | Used to set a [resource hook's deletion policy](sync-waves.md#hook-lifecycle-and-cleanup).                                                                                                                   |
 | argocd.argoproj.io/manifest-generate-paths | Application         | [see scaling docs](../operator-manual/high_availability.md#manifest-paths-annotation) | Used to avoid unnecessary Application refreshes, especially in mono-repos.                                                                                                                                   |
 | argocd.argoproj.io/managed-by-url          | Application         | A valid http(s) URL                                                                               | Specifies the URL of the Argo CD instance managing the application. Used to correctly link to applications managed by a different Argo CD instance. See [managed-by-url docs](../operator-manual/managed-by-url.md) for details. |

docs/user-guide/auto_sync.md

@@ -94,6 +94,26 @@ spec:
 > [!NOTE]
 > Disabling self-heal does not guarantee that live cluster changes in multi-source applications will persist. Although one of the resource's sources remains unchanged, changes in another can trigger `autosync`. To handle such cases, consider disabling `autosync`.
 
+## Automatic Retry with a limit
+
+Argo CD can automatically retry a failed sync operation using exponential backoff. To enable, configure the `retry` field in the sync policy:
+
+```yaml
+spec:
+  syncPolicy:
+    retry:
+      limit: 5 # number of retries (-1 for unlimited retries)
+      backoff:
+        duration: 5s # base duration between retries
+        factor: 2 # exponential backoff factor
+        maxDuration: 3m # maximum duration between retries
+```
+
+- `limit`: number of retry attempts. Set to `-1` for unlimited retries.
+- `backoff.duration`: base wait time before the first retry.
+- `backoff.factor`: multiplier applied after each failed attempt.
+- `backoff.maxDuration`: maximum wait time between retries, regardless of the number of attempts.
+
 ## Automatic Retry Refresh on new revisions
 
 This feature allows users to configure their applications to refresh on new revisions when the current sync is retrying. To enable automatic refresh during sync retries, run:

docs/user-guide/commands/argocd_appset.md

@@ -22,6 +22,10 @@ argocd appset [flags]
   
   # Delete an ApplicationSet
   argocd appset delete APPSETNAME (APPSETNAME...)
+  
+  # Namespace precedence for --appset-namespace (-N):
+  # - get/delete: if the argument is namespace/name, that namespace wins; -N is ignored.
+  # - create/generate: metadata.namespace in the YAML wins when set; -N applies only when the manifest omits namespace.
 ```
 
 ### Options

docs/user-guide/commands/argocd_appset_create.md

@@ -14,6 +14,9 @@ argocd appset create [flags]
   # Create ApplicationSets
   argocd appset create <filename or URL> (<filename or URL>...)
   
+  # Create ApplicationSet in a specific namespace using
+  argocd appset create --appset-namespace=APPSET_NAMESPACE <filename or URL> (<filename or URL>...)
+  
   # Dry-run AppSet creation to see what applications would be managed
   argocd appset create --dry-run <filename or URL> -o json | jq -r '.status.resources[].name'
 ```
@@ -21,11 +24,12 @@ argocd appset create [flags]
 ### Options
 
 ```
-      --dry-run         Allows to evaluate the ApplicationSet template on the server to get a preview of the applications that would be created
-  -h, --help            help for create
-  -o, --output string   Output format. One of: json|yaml|wide (default "wide")
-      --upsert          Allows to override ApplicationSet with the same name even if supplied ApplicationSet spec is different from existing spec
-      --wait            Wait until the ApplicationSet's resources are up to date. Will block indefinitely if the ApplicationSet has errors
+  -N, --appset-namespace string   Namespace where the ApplicationSet will be created in (ignored when provided YAML file has namespace set in metadata)
+      --dry-run                   Allows to evaluate the ApplicationSet template on the server to get a preview of the applications that would be created
+  -h, --help                      help for create
+  -o, --output string             Output format. One of: json|yaml|wide (default "wide")
+      --upsert                    Allows to override ApplicationSet with the same name even if supplied ApplicationSet spec is different from existing spec
+      --wait                      Wait until the ApplicationSet's resources are up to date. Will block indefinitely if the ApplicationSet has errors
 ```
 
 ### Options inherited from parent commands

docs/user-guide/commands/argocd_appset_delete.md

@@ -13,14 +13,21 @@ argocd appset delete [flags]
 ```
   # Delete an applicationset
   argocd appset delete APPSETNAME (APPSETNAME...)
+  
+  # Delete ApplicationSet in a specific namespace using qualified name (namespace/name)
+  argocd appset delete APPSET_NAMESPACE/APPSETNAME
+  
+  # Delete ApplicationSet in a specific namespace using --appset-namespace flag
+  argocd appset delete --appset-namespace=APPSET_NAMESPACE APPSETNAME
 ```
 
 ### Options
 
 ```
-  -h, --help   help for delete
-      --wait   Wait until deletion of the applicationset(s) completes
-  -y, --yes    Turn off prompting to confirm cascaded deletion of Application resources
+  -N, --appset-namespace string   Namespace where the ApplicationSet will be deleted from (ignored when qualified name is provided)
+  -h, --help                      help for delete
+      --wait                      Wait until deletion of the applicationset(s) completes
+  -y, --yes                       Turn off prompting to confirm cascaded deletion of Application resources
 ```
 
 ### Options inherited from parent commands

docs/user-guide/commands/argocd_appset_generate.md

@@ -13,13 +13,17 @@ argocd appset generate [flags]
 ```
   # Generate apps of ApplicationSet rendered templates
   argocd appset generate <filename or URL> (<filename or URL>...)
+  
+  # Generate apps of ApplicationSet rendered templates in a specific namespace
+  argocd appset generate --appset-namespace=APPSET_NAMESPACE <filename or URL> (<filename or URL>...)
 ```
 
 ### Options
 
 ```
-  -h, --help            help for generate
-  -o, --output string   Output format. One of: json|yaml|wide (default "wide")
+  -N, --appset-namespace string   Namespace used for generating Applications (ignored when provided YAML file has namespace set in metadata)
+  -h, --help                      help for generate
+  -o, --output string             Output format. One of: json|yaml|wide (default "wide")
 ```
 
 ### Options inherited from parent commands

docs/user-guide/commands/argocd_appset_get.md

@@ -13,14 +13,21 @@ argocd appset get APPSETNAME [flags]
 ```
   # Get ApplicationSets
   argocd appset get APPSETNAME
+  
+  # Get ApplicationSet in a specific namespace using qualified name (namespace/name)
+  argocd appset get APPSET_NAMESPACE/APPSETNAME
+  
+  # Get ApplicationSet in a specific namespace using --appset-namespace flag
+  argocd appset get --appset-namespace=APPSET_NAMESPACE APPSETNAME
 ```
 
 ### Options
 
 ```
-  -h, --help            help for get
-  -o, --output string   Output format. One of: json|yaml|wide (default "wide")
-      --show-params     Show ApplicationSet parameters and overrides
+  -N, --appset-namespace string   Only get ApplicationSet from a namespace (ignored when qualified name is provided)
+  -h, --help                      help for get
+  -o, --output string             Output format. One of: json|yaml|wide (default "wide")
+      --show-params               Show ApplicationSet parameters and overrides
 ```
 
 ### Options inherited from parent commands

docs/user-guide/helm.md

@@ -500,7 +500,7 @@ source:
 
 ## Helm Hooks
 
-Helm hooks are similar to [Argo CD hooks](resource_hooks.md). In Helm, a hook
+Helm hooks are similar to [Argo CD hooks](sync-waves.md). In Helm, a hook
 is any normal Kubernetes resource annotated with the `helm.sh/hook` annotation.
 
 Argo CD supports many (most?) Helm hooks by mapping the Helm annotations onto Argo CD's own hook annotations:
@@ -541,7 +541,7 @@ Unsupported hooks are ignored. In Argo CD, hooks are created by using `kubectl a
 * Annotate  `pre-install` and `post-install` with `hook-weight: "-1"`. This will make sure it runs to success before any upgrade hooks.
 * Annotate `pre-upgrade` and `post-upgrade` with `hook-delete-policy: before-hook-creation` to make sure it runs on every sync.
 
-Read more about [Argo hooks](resource_hooks.md) and [Helm hooks](https://helm.sh/docs/topics/charts_hooks/).
+Read more about [Argo hooks](sync-waves.md) and [Helm hooks](https://helm.sh/docs/topics/charts_hooks/).
 
 ## Random Data
 

docs/user-guide/selective_sync.md

@@ -7,7 +7,7 @@ A *selective sync* is one where only some resources are sync'd. You can choose w
 When doing so, bear in mind that:
 
 * Your sync is not recorded in the history, and so rollback is not possible.
-* [Hooks](resource_hooks.md) are not run.
+* [Hooks](sync-waves.md) are not run.
 
 ## Selective Sync Option
 

gitops-engine/pkg/cache/cluster.go

@@ -220,7 +220,7 @@ func NewClusterCache(config *rest.Config, opts ...UpdateSettingsFunc) *clusterCa
 		listRetryLimit:          1,
 		listRetryUseBackoff:     false,
 		listRetryFunc:           ListRetryFuncNever,
-		parentUIDToChildren:     make(map[types.UID][]kube.ResourceKey),
+		parentUIDToChildren:     make(map[types.UID]map[kube.ResourceKey]struct{}),
 	}
 	for i := range opts {
 		opts[i](cache)
@@ -280,10 +280,11 @@ type clusterCache struct {
 
 	respectRBAC int
 
-	// Parent-to-children index for O(1) hierarchy traversal
-	// Maps any resource's UID to its direct children's ResourceKeys
-	// Eliminates need for O(n) graph building during hierarchy traversal
-	parentUIDToChildren map[types.UID][]kube.ResourceKey
+	// Parent-to-children index for O(1) child lookup during hierarchy traversal
+	// Maps any resource's UID to a set of its direct children's ResourceKeys
+	// Using a set eliminates O(k) duplicate checking on insertions
+	// Used for cross-namespace hierarchy traversal; namespaced traversal still builds a graph
+	parentUIDToChildren map[types.UID]map[kube.ResourceKey]struct{}
 }
 
 type clusterCacheSync struct {
@@ -504,27 +505,35 @@ func (c *clusterCache) setNode(n *Resource) {
 		for k, v := range ns {
 			// update child resource owner references
 			if n.isInferredParentOf != nil && mightHaveInferredOwner(v) {
-				v.setOwnerRef(n.toOwnerRef(), n.isInferredParentOf(k))
+				shouldBeParent := n.isInferredParentOf(k)
+				v.setOwnerRef(n.toOwnerRef(), shouldBeParent)
+				// Update index inline for inferred ref changes.
+				// Note: The removal case (shouldBeParent=false) is currently unreachable for
+				// StatefulSet→PVC relationships because Kubernetes makes volumeClaimTemplates
+				// immutable. We include it for defensive correctness and future-proofing.
+				if n.Ref.UID != "" {
+					if shouldBeParent {
+						c.addToParentUIDToChildren(n.Ref.UID, k)
+					} else {
+						c.removeFromParentUIDToChildren(n.Ref.UID, k)
+					}
+				}
 			}
 			if mightHaveInferredOwner(n) && v.isInferredParentOf != nil {
-				n.setOwnerRef(v.toOwnerRef(), v.isInferredParentOf(n.ResourceKey()))
-			}
-		}
-	}
-}
-
-// rebuildParentToChildrenIndex rebuilds the parent-to-children index after a full sync
-// This is called after initial sync to ensure all parent-child relationships are tracked
-func (c *clusterCache) rebuildParentToChildrenIndex() {
-	// Clear existing index
-	c.parentUIDToChildren = make(map[types.UID][]kube.ResourceKey)
-
-	// Rebuild parent-to-children index from all resources with owner refs
-	for _, resource := range c.resources {
-		key := resource.ResourceKey()
-		for _, ownerRef := range resource.OwnerRefs {
-			if ownerRef.UID != "" {
-				c.addToParentUIDToChildren(ownerRef.UID, key)
+				childKey := n.ResourceKey()
+				shouldBeParent := v.isInferredParentOf(childKey)
+				n.setOwnerRef(v.toOwnerRef(), shouldBeParent)
+				// Update index inline for inferred ref changes.
+				// Note: The removal case (shouldBeParent=false) is currently unreachable for
+				// StatefulSet→PVC relationships because Kubernetes makes volumeClaimTemplates
+				// immutable. We include it for defensive correctness and future-proofing.
+				if v.Ref.UID != "" {
+					if shouldBeParent {
+						c.addToParentUIDToChildren(v.Ref.UID, childKey)
+					} else {
+						c.removeFromParentUIDToChildren(v.Ref.UID, childKey)
+					}
+				}
 			}
 		}
 	}
@@ -532,31 +541,29 @@ func (c *clusterCache) rebuildParentToChildrenIndex() {
 
 // addToParentUIDToChildren adds a child to the parent-to-children index
 func (c *clusterCache) addToParentUIDToChildren(parentUID types.UID, childKey kube.ResourceKey) {
-	// Check if child is already in the list to avoid duplicates
-	children := c.parentUIDToChildren[parentUID]
-	for _, existing := range children {
-		if existing == childKey {
-			return // Already exists, no need to add
-		}
+	// Get or create the set for this parent
+	childrenSet := c.parentUIDToChildren[parentUID]
+	if childrenSet == nil {
+		childrenSet = make(map[kube.ResourceKey]struct{})
+		c.parentUIDToChildren[parentUID] = childrenSet
 	}
-	c.parentUIDToChildren[parentUID] = append(children, childKey)
+	// Add child to set (O(1) operation, automatically handles duplicates)
+	childrenSet[childKey] = struct{}{}
 }
 
 // removeFromParentUIDToChildren removes a child from the parent-to-children index
 func (c *clusterCache) removeFromParentUIDToChildren(parentUID types.UID, childKey kube.ResourceKey) {
-	children := c.parentUIDToChildren[parentUID]
-	for i, existing := range children {
-		if existing == childKey {
-			// Remove by swapping with last element and truncating
-			children[i] = children[len(children)-1]
-			c.parentUIDToChildren[parentUID] = children[:len(children)-1]
+	childrenSet := c.parentUIDToChildren[parentUID]
+	if childrenSet == nil {
+		return
+	}
 
-			// Clean up empty entries
-			if len(c.parentUIDToChildren[parentUID]) == 0 {
-				delete(c.parentUIDToChildren, parentUID)
-			}
-			return
-		}
+	// Remove child from set (O(1) operation)
+	delete(childrenSet, childKey)
+
+	// Clean up empty sets to avoid memory leaks
+	if len(childrenSet) == 0 {
+		delete(c.parentUIDToChildren, parentUID)
 	}
 }
 
@@ -1013,7 +1020,7 @@ func (c *clusterCache) sync() error {
 	c.apisMeta = make(map[schema.GroupKind]*apiMeta)
 	c.resources = make(map[kube.ResourceKey]*Resource)
 	c.namespacedResources = make(map[schema.GroupKind]bool)
-	c.parentUIDToChildren = make(map[types.UID][]kube.ResourceKey)
+	c.parentUIDToChildren = make(map[types.UID]map[kube.ResourceKey]struct{})
 	config := c.config
 	version, err := c.kubectl.GetServerVersion(config)
 	if err != nil {
@@ -1112,9 +1119,6 @@ func (c *clusterCache) sync() error {
 		return fmt.Errorf("failed to sync cluster %s: %w", c.config.Host, err)
 	}
 
-	// Rebuild orphaned children index after all resources are loaded
-	c.rebuildParentToChildrenIndex()
-
 	c.log.Info("Cluster successfully synced")
 	return nil
 }
@@ -1255,8 +1259,8 @@ func (c *clusterCache) processCrossNamespaceChildren(
 		}
 
 		// Use parent-to-children index for O(1) lookup of direct children
-		childKeys := c.parentUIDToChildren[clusterResource.Ref.UID]
-		for _, childKey := range childKeys {
+		childrenSet := c.parentUIDToChildren[clusterResource.Ref.UID]
+		for childKey := range childrenSet {
 			child := c.resources[childKey]
 			if child == nil {
 				continue
@@ -1309,8 +1313,8 @@ func (c *clusterCache) iterateChildrenUsingIndex(
 	action func(resource *Resource, namespaceResources map[kube.ResourceKey]*Resource) bool,
 ) {
 	// Look up direct children of this parent using the index
-	childKeys := c.parentUIDToChildren[parent.Ref.UID]
-	for _, childKey := range childKeys {
+	childrenSet := c.parentUIDToChildren[parent.Ref.UID]
+	for childKey := range childrenSet {
 		if actionCallState[childKey] != notCalled {
 			continue // action() already called or in progress
 		}
@@ -1630,6 +1634,10 @@ func (c *clusterCache) onNodeRemoved(key kube.ResourceKey) {
 				for k, v := range ns {
 					if mightHaveInferredOwner(v) && existing.isInferredParentOf(k) {
 						v.setOwnerRef(existing.toOwnerRef(), false)
+						// Update index inline when removing inferred ref
+						if existing.Ref.UID != "" {
+							c.removeFromParentUIDToChildren(existing.Ref.UID, k)
+						}
 					}
 				}
 			}

gitops-engine/pkg/cache/cluster_test.go

@@ -416,6 +416,128 @@ func TestStatefulSetOwnershipInferred(t *testing.T) {
 	}
 }
 
+// TestStatefulSetPVC_ParentToChildrenIndex verifies that inferred StatefulSet → PVC
+// relationships are correctly captured in the parentUIDToChildren index during initial sync.
+//
+// The index is updated inline when inferred owner refs are added in setNode()
+// (see the inferred parent handling section in clusterCache.setNode).
+func TestStatefulSetPVC_ParentToChildrenIndex(t *testing.T) {
+	stsUID := types.UID("sts-uid-123")
+
+	// StatefulSet with volumeClaimTemplate named "data"
+	sts := &appsv1.StatefulSet{
+		TypeMeta:   metav1.TypeMeta{APIVersion: "apps/v1", Kind: kube.StatefulSetKind},
+		ObjectMeta: metav1.ObjectMeta{UID: stsUID, Name: "web", Namespace: "default"},
+		Spec: appsv1.StatefulSetSpec{
+			VolumeClaimTemplates: []corev1.PersistentVolumeClaim{{
+				ObjectMeta: metav1.ObjectMeta{Name: "data"},
+			}},
+		},
+	}
+
+	// PVCs that match the StatefulSet's volumeClaimTemplate pattern: <template>-<sts>-<ordinal>
+	// These have NO explicit owner references - the relationship is INFERRED
+	pvc0 := &corev1.PersistentVolumeClaim{
+		TypeMeta:   metav1.TypeMeta{APIVersion: "v1", Kind: kube.PersistentVolumeClaimKind},
+		ObjectMeta: metav1.ObjectMeta{UID: "pvc-0-uid", Name: "data-web-0", Namespace: "default"},
+	}
+	pvc1 := &corev1.PersistentVolumeClaim{
+		TypeMeta:   metav1.TypeMeta{APIVersion: "v1", Kind: kube.PersistentVolumeClaimKind},
+		ObjectMeta: metav1.ObjectMeta{UID: "pvc-1-uid", Name: "data-web-1", Namespace: "default"},
+	}
+
+	// Create cluster with all resources
+	// Must add PersistentVolumeClaim to API resources since it's not in the default set
+	cluster := newCluster(t, sts, pvc0, pvc1).WithAPIResources([]kube.APIResourceInfo{{
+		GroupKind:            schema.GroupKind{Group: "", Kind: kube.PersistentVolumeClaimKind},
+		GroupVersionResource: schema.GroupVersionResource{Group: "", Version: "v1", Resource: "persistentvolumeclaims"},
+		Meta:                 metav1.APIResource{Namespaced: true},
+	}})
+	err := cluster.EnsureSynced()
+	require.NoError(t, err)
+
+	// Verify the parentUIDToChildren index contains the inferred relationships
+	cluster.lock.RLock()
+	defer cluster.lock.RUnlock()
+
+	pvc0Key := kube.ResourceKey{Group: "", Kind: kube.PersistentVolumeClaimKind, Namespace: "default", Name: "data-web-0"}
+	pvc1Key := kube.ResourceKey{Group: "", Kind: kube.PersistentVolumeClaimKind, Namespace: "default", Name: "data-web-1"}
+
+	children, ok := cluster.parentUIDToChildren[stsUID]
+	require.True(t, ok, "StatefulSet should have entry in parentUIDToChildren index")
+	require.Contains(t, children, pvc0Key, "PVC data-web-0 should be in StatefulSet's children (inferred relationship)")
+	require.Contains(t, children, pvc1Key, "PVC data-web-1 should be in StatefulSet's children (inferred relationship)")
+
+	// Also verify the OwnerRefs were set correctly on the PVCs
+	pvc0Resource := cluster.resources[pvc0Key]
+	require.NotNil(t, pvc0Resource)
+	require.Len(t, pvc0Resource.OwnerRefs, 1, "PVC0 should have inferred owner ref")
+	require.Equal(t, stsUID, pvc0Resource.OwnerRefs[0].UID, "PVC0 owner should be the StatefulSet")
+
+	pvc1Resource := cluster.resources[pvc1Key]
+	require.NotNil(t, pvc1Resource)
+	require.Len(t, pvc1Resource.OwnerRefs, 1, "PVC1 should have inferred owner ref")
+	require.Equal(t, stsUID, pvc1Resource.OwnerRefs[0].UID, "PVC1 owner should be the StatefulSet")
+}
+
+// TestStatefulSetPVC_WatchEvent_IndexUpdated verifies that when a PVC is added
+// via watch event (after initial sync), both the inferred owner reference AND
+// the parentUIDToChildren index are updated correctly.
+//
+// This tests the inline index update logic in setNode() which updates the index
+// immediately when inferred owner refs are added.
+func TestStatefulSetPVC_WatchEvent_IndexUpdated(t *testing.T) {
+	stsUID := types.UID("sts-uid-456")
+
+	// StatefulSet with volumeClaimTemplate
+	sts := &appsv1.StatefulSet{
+		TypeMeta:   metav1.TypeMeta{APIVersion: "apps/v1", Kind: kube.StatefulSetKind},
+		ObjectMeta: metav1.ObjectMeta{UID: stsUID, Name: "db", Namespace: "default"},
+		Spec: appsv1.StatefulSetSpec{
+			VolumeClaimTemplates: []corev1.PersistentVolumeClaim{{
+				ObjectMeta: metav1.ObjectMeta{Name: "storage"},
+			}},
+		},
+	}
+
+	// Create cluster with ONLY the StatefulSet - PVC will be added via watch event
+	cluster := newCluster(t, sts).WithAPIResources([]kube.APIResourceInfo{{
+		GroupKind:            schema.GroupKind{Group: "", Kind: kube.PersistentVolumeClaimKind},
+		GroupVersionResource: schema.GroupVersionResource{Group: "", Version: "v1", Resource: "persistentvolumeclaims"},
+		Meta:                 metav1.APIResource{Namespaced: true},
+	}})
+	err := cluster.EnsureSynced()
+	require.NoError(t, err)
+
+	// PVC that matches the StatefulSet's volumeClaimTemplate pattern
+	// Added via watch event AFTER initial sync
+	pvc := &corev1.PersistentVolumeClaim{
+		TypeMeta:   metav1.TypeMeta{APIVersion: "v1", Kind: kube.PersistentVolumeClaimKind},
+		ObjectMeta: metav1.ObjectMeta{UID: "pvc-watch-uid", Name: "storage-db-0", Namespace: "default"},
+	}
+
+	// Simulate watch event adding the PVC
+	cluster.lock.Lock()
+	cluster.setNode(cluster.newResource(mustToUnstructured(pvc)))
+	cluster.lock.Unlock()
+
+	cluster.lock.RLock()
+	defer cluster.lock.RUnlock()
+
+	pvcKey := kube.ResourceKey{Group: "", Kind: kube.PersistentVolumeClaimKind, Namespace: "default", Name: "storage-db-0"}
+
+	// Verify the OwnerRef IS correctly set
+	pvcResource := cluster.resources[pvcKey]
+	require.NotNil(t, pvcResource, "PVC should exist in cache")
+	require.Len(t, pvcResource.OwnerRefs, 1, "PVC should have inferred owner ref from StatefulSet")
+	require.Equal(t, stsUID, pvcResource.OwnerRefs[0].UID, "Owner should be the StatefulSet")
+
+	// Verify the index IS updated for inferred refs via watch events
+	children, indexUpdated := cluster.parentUIDToChildren[stsUID]
+	require.True(t, indexUpdated, "Index should be updated when inferred refs are added via watch events")
+	require.Contains(t, children, pvcKey, "PVC should be in StatefulSet's children (inferred relationship)")
+}
+
 func TestEnsureSyncedSingleNamespace(t *testing.T) {
 	obj1 := &appsv1.Deployment{
 		TypeMeta: metav1.TypeMeta{
@@ -2298,3 +2420,226 @@ func TestIterateHierarchyV2_CircularOwnerChain_NoStackOverflow(t *testing.T) {
 	assert.Equal(t, 1, visitCount["resource-a"], "resource-a should be visited exactly once")
 	assert.Equal(t, 1, visitCount["resource-b"], "resource-b should be visited exactly once")
 }
+
+// BenchmarkSync_ParentToChildrenIndex measures the overhead of parent-to-children index
+// operations during sync. This benchmark was created to investigate performance regression
+// reported in https://github.com/argoproj/argo-cd/issues/26863
+//
+// The index is now maintained with O(1) operations (set-based) and updated inline
+// in setNode() for both explicit and inferred owner refs. No rebuild is needed.
+//
+// This benchmark measures sync performance with resources that have owner references
+// to quantify the index-building overhead at different scales.
+func BenchmarkSync_ParentToChildrenIndex(b *testing.B) {
+	testCases := []struct {
+		name             string
+		totalResources   int
+		pctWithOwnerRefs int // Percentage of resources with owner references
+	}{
+		// Baseline: no owner refs (index operations are no-ops)
+		{"1000res_0pctOwnerRefs", 1000, 0},
+		{"5000res_0pctOwnerRefs", 5000, 0},
+		{"10000res_0pctOwnerRefs", 10000, 0},
+
+		// Typical case: ~80% of resources have owner refs (pods owned by RS, RS owned by Deployment)
+		{"1000res_80pctOwnerRefs", 1000, 80},
+		{"5000res_80pctOwnerRefs", 5000, 80},
+		{"10000res_80pctOwnerRefs", 10000, 80},
+
+		// Heavy case: all resources have owner refs
+		{"1000res_100pctOwnerRefs", 1000, 100},
+		{"5000res_100pctOwnerRefs", 5000, 100},
+		{"10000res_100pctOwnerRefs", 10000, 100},
+
+		// Stress test: larger scale
+		{"20000res_80pctOwnerRefs", 20000, 80},
+	}
+
+	for _, tc := range testCases {
+		b.Run(tc.name, func(b *testing.B) {
+			resources := make([]runtime.Object, 0, tc.totalResources)
+
+			// Create parent resources (deployments) - these won't have owner refs
+			numParents := tc.totalResources / 10 // 10% are parents
+			if numParents < 1 {
+				numParents = 1
+			}
+			parentUIDs := make([]types.UID, numParents)
+			for i := 0; i < numParents; i++ {
+				uid := types.UID(fmt.Sprintf("deploy-uid-%d", i))
+				parentUIDs[i] = uid
+				resources = append(resources, &appsv1.Deployment{
+					TypeMeta: metav1.TypeMeta{APIVersion: "apps/v1", Kind: "Deployment"},
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      fmt.Sprintf("deploy-%d", i),
+						Namespace: "default",
+						UID:       uid,
+					},
+				})
+			}
+
+			// Create child resources (pods) - some with owner refs
+			numChildren := tc.totalResources - numParents
+			numWithOwnerRefs := (numChildren * tc.pctWithOwnerRefs) / 100
+
+			for i := 0; i < numChildren; i++ {
+				pod := &corev1.Pod{
+					TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "Pod"},
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      fmt.Sprintf("pod-%d", i),
+						Namespace: "default",
+						UID:       types.UID(fmt.Sprintf("pod-uid-%d", i)),
+					},
+				}
+
+				// Add owner refs to the first numWithOwnerRefs pods
+				if i < numWithOwnerRefs {
+					parentIdx := i % numParents
+					pod.OwnerReferences = []metav1.OwnerReference{{
+						APIVersion: "apps/v1",
+						Kind:       "Deployment",
+						Name:       fmt.Sprintf("deploy-%d", parentIdx),
+						UID:        parentUIDs[parentIdx],
+					}}
+				}
+
+				resources = append(resources, pod)
+			}
+
+			cluster := newCluster(b, resources...)
+
+			b.ResetTimer()
+			b.ReportAllocs()
+
+			for n := 0; n < b.N; n++ {
+				// sync() reinitializes resources, parentUIDToChildren, etc. at the start,
+				// so no manual reset is needed here.
+				err := cluster.sync()
+				if err != nil {
+					b.Fatal(err)
+				}
+			}
+		})
+	}
+}
+
+// BenchmarkUpdateParentUIDToChildren measures the cost of incremental index updates
+// during setNode. This is called for EVERY resource during sync. The index uses
+// set-based storage so add/remove operations are O(1) regardless of children count.
+func BenchmarkUpdateParentUIDToChildren(b *testing.B) {
+	testCases := []struct {
+		name            string
+		childrenPerParent int
+	}{
+		{"10children", 10},
+		{"50children", 50},
+		{"100children", 100},
+		{"500children", 500},
+		{"1000children", 1000},
+	}
+
+	for _, tc := range testCases {
+		b.Run(tc.name, func(b *testing.B) {
+			cluster := newCluster(b)
+			err := cluster.EnsureSynced()
+			if err != nil {
+				b.Fatal(err)
+			}
+
+			parentUID := types.UID("parent-uid")
+
+			// Pre-populate with existing children
+			childrenSet := make(map[kube.ResourceKey]struct{})
+			for i := 0; i < tc.childrenPerParent; i++ {
+				childKey := kube.ResourceKey{
+					Group:     "",
+					Kind:      "Pod",
+					Namespace: "default",
+					Name:      fmt.Sprintf("existing-child-%d", i),
+				}
+				childrenSet[childKey] = struct{}{}
+			}
+			cluster.parentUIDToChildren[parentUID] = childrenSet
+
+			// Create a new child key to add
+			newChildKey := kube.ResourceKey{
+				Group:     "",
+				Kind:      "Pod",
+				Namespace: "default",
+				Name:      "new-child",
+			}
+
+			b.ResetTimer()
+			b.ReportAllocs()
+
+			for n := 0; n < b.N; n++ {
+				// Simulate adding a new child - O(1) set insertion
+				cluster.addToParentUIDToChildren(parentUID, newChildKey)
+				// Remove it so we can add it again in the next iteration
+				cluster.removeFromParentUIDToChildren(parentUID, newChildKey)
+			}
+		})
+	}
+}
+
+// BenchmarkIncrementalIndexBuild measures the cost of incremental index updates
+// via addToParentUIDToChildren during sync. The index uses O(1) set-based operations.
+//
+// This benchmark was created to investigate issue #26863 and verify the fix.
+func BenchmarkIncrementalIndexBuild(b *testing.B) {
+	testCases := []struct {
+		name              string
+		numParents        int
+		childrenPerParent int
+	}{
+		{"100parents_10children", 100, 10},
+		{"100parents_50children", 100, 50},
+		{"100parents_100children", 100, 100},
+		{"1000parents_10children", 1000, 10},
+		{"1000parents_100children", 1000, 100},
+	}
+
+	for _, tc := range testCases {
+		// Benchmark incremental approach (what happens during setNode)
+		b.Run(tc.name+"_incremental", func(b *testing.B) {
+			cluster := newCluster(b)
+			err := cluster.EnsureSynced()
+			if err != nil {
+				b.Fatal(err)
+			}
+
+			// Prepare parent UIDs and child keys
+			type childInfo struct {
+				parentUID types.UID
+				childKey  kube.ResourceKey
+			}
+			children := make([]childInfo, 0, tc.numParents*tc.childrenPerParent)
+			for p := 0; p < tc.numParents; p++ {
+				parentUID := types.UID(fmt.Sprintf("parent-%d", p))
+				for c := 0; c < tc.childrenPerParent; c++ {
+					children = append(children, childInfo{
+						parentUID: parentUID,
+						childKey: kube.ResourceKey{
+							Kind:      "Pod",
+							Namespace: "default",
+							Name:      fmt.Sprintf("child-%d-%d", p, c),
+						},
+					})
+				}
+			}
+
+			b.ResetTimer()
+			b.ReportAllocs()
+
+			for n := 0; n < b.N; n++ {
+				// Clear the index
+				cluster.parentUIDToChildren = make(map[types.UID]map[kube.ResourceKey]struct{})
+
+				// Simulate incremental adds (O(1) set insertions)
+				for _, child := range children {
+					cluster.addToParentUIDToChildren(child.parentUID, child.childKey)
+				}
+			}
+		})
+	}
+}

go.mod

@@ -35,7 +35,7 @@ require (
 	github.com/gfleury/go-bitbucket-v1 v0.0.0-20240917142304-df385efaac68
 	// DO NOT BUMP UNTIL go-git/go-git#1551 is fixed
 	github.com/go-git/go-git/v5 v5.14.0
-	github.com/go-jose/go-jose/v4 v4.1.3
+	github.com/go-jose/go-jose/v4 v4.1.4
 	github.com/go-logr/logr v1.4.3
 	github.com/go-openapi/loads v0.23.3
 	github.com/go-openapi/runtime v0.29.3
@@ -88,7 +88,7 @@ require (
 	github.com/spf13/pflag v1.0.10
 	github.com/stretchr/testify v1.11.1
 	github.com/valyala/fasttemplate v1.2.2
-	github.com/yuin/gopher-lua v1.1.1
+	github.com/yuin/gopher-lua v1.1.2
 	gitlab.com/gitlab-org/api/client-go v1.46.0
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0
@@ -96,6 +96,7 @@ require (
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0
 	go.opentelemetry.io/otel/sdk v1.42.0
 	go.opentelemetry.io/otel/trace v1.42.0
+	go.yaml.in/yaml/v3 v3.0.4
 	golang.org/x/crypto v0.49.0
 	golang.org/x/net v0.52.0
 	golang.org/x/oauth2 v0.36.0
@@ -106,13 +107,12 @@ require (
 	google.golang.org/grpc v1.79.3
 	google.golang.org/protobuf v1.36.11
 	gopkg.in/yaml.v2 v2.4.0
-	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.34.0
 	k8s.io/apiextensions-apiserver v0.34.0
 	k8s.io/apimachinery v0.34.0
 	k8s.io/client-go v0.34.0
 	k8s.io/code-generator v0.34.0
-	k8s.io/klog/v2 v2.130.1
+	k8s.io/klog/v2 v2.140.0
 	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b
 	k8s.io/kubectl v0.34.0
 	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
@@ -147,20 +147,20 @@ require (
 	github.com/PagerDuty/go-pagerduty v1.8.0 // indirect
 	github.com/ProtonMail/go-crypto v1.1.6 // indirect
 	github.com/RocketChat/Rocket.Chat.Go.SDK v0.0.0-20240116134246-a8cbe886bab0 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.41.4
-	github.com/aws/aws-sdk-go-v2/config v1.32.11
-	github.com/aws/aws-sdk-go-v2/credentials v1.19.12
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.5 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.41.5
+	github.com/aws/aws-sdk-go-v2/config v1.32.13
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.13
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 // indirect
-	github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 // indirect
+	github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sqs v1.38.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.41.9
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.18 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.41.10
 	github.com/aws/smithy-go v1.24.2
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
@@ -280,7 +280,6 @@ require (
 	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
-	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/mod v0.33.0 // indirect
 	golang.org/x/sys v0.42.0 // indirect
 	golang.org/x/text v0.35.0 // indirect
@@ -314,12 +313,15 @@ require (
 )
 
 require (
-	github.com/aws/aws-sdk-go-v2/service/codecommit v1.33.11
+	github.com/aws/aws-sdk-go-v2/service/codecommit v1.33.12
 	github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.31.8
 	github.com/oklog/ulid/v2 v2.1.1 // indirect
 )
 
-require github.com/google/go-github/v84 v84.0.0 // indirect
+require (
+	github.com/google/go-github/v84 v84.0.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)
 
 replace (
 	github.com/golang/protobuf => github.com/golang/protobuf v1.5.4
@@ -329,9 +331,6 @@ replace (
 	// Avoid CVE-2022-3064
 	gopkg.in/yaml.v2 => gopkg.in/yaml.v2 v2.4.0
 
-	// Avoid CVE-2022-28948
-	gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1
-
 	k8s.io/api => k8s.io/api v0.34.0
 	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.34.0
 	k8s.io/apimachinery => k8s.io/apimachinery v0.34.0

go.sum

@@ -124,38 +124,38 @@ github.com/argoproj/pkg/v2 v2.0.1/go.mod h1:sdifF6sUTx9ifs38ZaiNMRJuMpSCBB9GulHf
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/aws/aws-sdk-go v1.44.39/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
-github.com/aws/aws-sdk-go-v2 v1.41.4 h1:10f50G7WyU02T56ox1wWXq+zTX9I1zxG46HYuG1hH/k=
-github.com/aws/aws-sdk-go-v2 v1.41.4/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o=
-github.com/aws/aws-sdk-go-v2/config v1.32.11 h1:ftxI5sgz8jZkckuUHXfC/wMUc8u3fG1vQS0plr2F2Zs=
-github.com/aws/aws-sdk-go-v2/config v1.32.11/go.mod h1:twF11+6ps9aNRKEDimksp923o44w/Thk9+8YIlzWMmo=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.12 h1:oqtA6v+y5fZg//tcTWahyN9PEn5eDU/Wpvc2+kJ4aY8=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.12/go.mod h1:U3R1RtSHx6NB0DvEQFGyf/0sbrpJrluENHdPy1j/3TE=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 h1:zOgq3uezl5nznfoK3ODuqbhVg1JzAGDUhXOsU0IDCAo=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20/go.mod h1:z/MVwUARehy6GAg/yQ1GO2IMl0k++cu1ohP9zo887wE=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20 h1:CNXO7mvgThFGqOFgbNAP2nol2qAWBOGfqR/7tQlvLmc=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20/go.mod h1:oydPDJKcfMhgfcgBUZaG+toBbwy8yPWubJXBVERtI4o=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20 h1:tN6W/hg+pkM+tf9XDkWUbDEjGLb+raoBMFsTodcoYKw=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20/go.mod h1:YJ898MhD067hSHA6xYCx5ts/jEd8BSOLtQDL3iZsvbc=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.5 h1:clHU5fm//kWS1C2HgtgWxfQbFbx4b6rx+5jzhgX9HrI=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.5/go.mod h1:O3h0IK87yXci+kg6flUKzJnWeziQUKciKrLjcatSNcY=
-github.com/aws/aws-sdk-go-v2/service/codecommit v1.33.11 h1:R3S5odXTsflG7xUp9S2AsewSXtQi1LBd+stJ5OpCIog=
-github.com/aws/aws-sdk-go-v2/service/codecommit v1.33.11/go.mod h1:OekzWXyZi3ptl+YoKmm+G5ODIa4BDEArvZv8gHrQb5s=
+github.com/aws/aws-sdk-go-v2 v1.41.5 h1:dj5kopbwUsVUVFgO4Fi5BIT3t4WyqIDjGKCangnV/yY=
+github.com/aws/aws-sdk-go-v2 v1.41.5/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o=
+github.com/aws/aws-sdk-go-v2/config v1.32.13 h1:5KgbxMaS2coSWRrx9TX/QtWbqzgQkOdEa3sZPhBhCSg=
+github.com/aws/aws-sdk-go-v2/config v1.32.13/go.mod h1:8zz7wedqtCbw5e9Mi2doEwDyEgHcEE9YOJp6a8jdSMY=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.13 h1:mA59E3fokBvyEGHKFdnpNNrvaR351cqiHgRg+JzOSRI=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.13/go.mod h1:yoTXOQKea18nrM69wGF9jBdG4WocSZA1h38A+t/MAsk=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21 h1:NUS3K4BTDArQqNu2ih7yeDLaS3bmHD0YndtA6UP884g=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21/go.mod h1:YWNWJQNjKigKY1RHVJCuupeWDrrHjRqHm0N9rdrWzYI=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 h1:Rgg6wvjjtX8bNHcvi9OnXWwcE0a2vGpbwmtICOsvcf4=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21/go.mod h1:A/kJFst/nm//cyqonihbdpQZwiUhhzpqTsdbhDdRF9c=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 h1:PEgGVtPoB6NTpPrBgqSE5hE/o47Ij9qk/SEZFbUOe9A=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21/go.mod h1:p+hz+PRAYlY3zcpJhPwXlLC4C+kqn70WIHwnzAfs6ps=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 h1:qYQ4pzQ2Oz6WpQ8T3HvGHnZydA72MnLuFK9tJwmrbHw=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6/go.mod h1:O3h0IK87yXci+kg6flUKzJnWeziQUKciKrLjcatSNcY=
+github.com/aws/aws-sdk-go-v2/service/codecommit v1.33.12 h1:yv3mfWt/eiDTTry6fkN5hh8wHJfU5ygnw+DJp10C0/c=
+github.com/aws/aws-sdk-go-v2/service/codecommit v1.33.12/go.mod h1:voO3LP/dZ4CTERiNWCz3DFLbK/8hbfeC1OJkLW+sang=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 h1:5EniKhLZe4xzL7a+fU3C2tfUN4nWIqlLesfrjkuPFTY=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7/go.mod h1:x0nZssQ3qZSnIcePWLvcoFisRXJzcTVvYpAAdYX8+GI=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 h1:2HvVAIq+YqgGotK6EkMf+KIEqTISmTYh5zLpYyeTo1Y=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20/go.mod h1:V4X406Y666khGa8ghKmphma/7C0DAtEQYhkq9z4vpbk=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 h1:c31//R3xgIJMSC8S6hEVq+38DcvUlgFY0FM6mSI5oto=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21/go.mod h1:r6+pf23ouCB718FUxaqzZdbpYFyDtehyZcmP5KL9FkA=
 github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.31.8 h1:mGgiunl7ZwOwhpJwJNF4JfsZFYJp08wjyS3NqFQe3ws=
 github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.31.8/go.mod h1:KdM2EhXeHfeBQz5keOvv/FM7kbesjCWm7HEEyJe3frs=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 h1:0GFOLzEbOyZABS3PhYfBIx2rNBACYcKty+XGkTgw1ow=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.8/go.mod h1:LXypKvk85AROkKhOG6/YEcHFPoX+prKTowKnVdcaIxE=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 h1:QKZH0S178gCmFEgst8hN0mCX1KxLgHBKKY/CLqwP8lg=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.9/go.mod h1:7yuQJoT+OoH8aqIxw9vwF+8KpvLZ8AWmvmUWHsGQZvI=
 github.com/aws/aws-sdk-go-v2/service/sqs v1.38.1 h1:ZtgZeMPJH8+/vNs9vJFFLI0QEzYbcN0p7x1/FFwyROc=
 github.com/aws/aws-sdk-go-v2/service/sqs v1.38.1/go.mod h1:Bar4MrRxeqdn6XIh8JGfiXuFRmyrrsZNTJotxEJmWW0=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 h1:kiIDLZ005EcKomYYITtfsjn7dtOwHDOFy7IbPXKek2o=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.13/go.mod h1:2h/xGEowcW/g38g06g3KpRWDlT+OTfxxI0o1KqayAB8=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 h1:jzKAXIlhZhJbnYwHbvUQZEB8KfgAEuG0dc08Bkda7NU=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17/go.mod h1:Al9fFsXjv4KfbzQHGe6V4NZSZQXecFcvaIF4e70FoRA=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 h1:Cng+OOwCHmFljXIxpEVXAGMnBia8MSU6Ch5i9PgBkcU=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.9/go.mod h1:LrlIndBDdjA/EeXeyNBle+gyCwTlizzW5ycgWnvIxkk=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.14 h1:GcLE9ba5ehAQma6wlopUesYg/hbcOhFNWTjELkiWkh4=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.14/go.mod h1:WSvS1NLr7JaPunCXqpJnWk1Bjo7IxzZXrZi1QQCkuqM=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.18 h1:mP49nTpfKtpXLt5SLn8Uv8z6W+03jYVoOSAl/c02nog=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.18/go.mod h1:YO8TrYtFdl5w/4vmjL8zaBSsiNp3w0L1FfKVKenZT7w=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.10 h1:p8ogvvLugcR/zLBXTXrTkj0RYBUdErbMnAFFp12Lm/U=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.10/go.mod h1:60dv0eZJfeVXfbT1tFJinbHrDfSJ2GZl4Q//OSSNAVw=
 github.com/aws/smithy-go v1.24.2 h1:FzA3bu/nt/vDvmnkg+R8Xl46gmzEDam6mZ1hzmwXFng=
 github.com/aws/smithy-go v1.24.2/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
 github.com/beevik/ntp v0.2.0/go.mod h1:hIHWr+l3+/clUnF44zdK+CWW7fO8dR5cIylAQ76NRpg=
@@ -313,8 +313,8 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA=
 github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
-github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
-github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
@@ -947,8 +947,8 @@ github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI
 github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
 github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M=
-github.com/yuin/gopher-lua v1.1.1/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw=
+github.com/yuin/gopher-lua v1.1.2 h1:yF/FjE3hD65tBbt0VXLE13HWS9h34fdzJmrWRXwobGA=
+github.com/yuin/gopher-lua v1.1.2/go.mod h1:7aRmXIWl37SqRf0koeyylBEzJ+aPt8A+mmkQ4f1ntR8=
 github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
 github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
 gitlab.com/gitlab-org/api/client-go v1.46.0 h1:YxBWFZIFYKcGESCb9fpkwzouo+apyB9pr/XTWzNoL24=
@@ -1445,6 +1445,8 @@ gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -1479,8 +1481,9 @@ k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJez
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/klog/v2 v2.5.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
 k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc=
+k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0=
 k8s.io/kube-aggregator v0.34.0 h1:XE4u+HOYkj0g44sblhTtPv+QyIIK7sJxrIlia0731kE=
 k8s.io/kube-aggregator v0.34.0/go.mod h1:GIUqdChXVC448Vp2Wgxf0m6fir7Xt3A2TAZcs2JNG1Y=
 k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=

mkdocs.yml

@@ -136,6 +136,7 @@ nav:
     - operator-manual/server-commands/additional-configuration-method.md
   - Upgrading:
     - operator-manual/upgrading/overview.md
+    - operator-manual/upgrading/3.4-3.5.md
     - operator-manual/upgrading/3.3-3.4.md
     - operator-manual/upgrading/3.2-3.3.md
     - operator-manual/upgrading/3.1-3.2.md

reposerver/repository/repository.go

@@ -1333,7 +1333,7 @@ func helmTemplate(appPath string, repoRoot string, env *v1alpha1.Env, q *apiclie
 		return nil, "", fmt.Errorf("error getting helm repos: %w", err)
 	}
 
-	h, err := helm.NewHelmApp(appPath, helmRepos, isLocal, version, proxy, q.Repo.NoProxy, passCredentials)
+	h, err := helm.NewHelmApp(appPath, helmRepos, isLocal, version, proxy, q.Repo.NoProxy, passCredentials, q.Repo.Insecure)
 	if err != nil {
 		return nil, "", fmt.Errorf("error initializing helm app object: %w", err)
 	}
@@ -2443,7 +2443,7 @@ func (s *Service) populateHelmAppDetails(res *apiclient.RepoAppDetailsResponse,
 	if err != nil {
 		return err
 	}
-	h, err := helm.NewHelmApp(appPath, helmRepos, false, version, q.Repo.Proxy, q.Repo.NoProxy, passCredentials)
+	h, err := helm.NewHelmApp(appPath, helmRepos, false, version, q.Repo.Proxy, q.Repo.NoProxy, passCredentials, q.Repo.Insecure)
 	if err != nil {
 		return err
 	}

resource_customizations/karpenter.sh/NodeClaim/health.lua

@@ -0,0 +1,60 @@
+local hs = {}
+if obj.metadata.generation ~= nil and obj.status ~= nil and obj.status.observedGeneration ~= nil then
+  if obj.metadata.generation ~= obj.status.observedGeneration then
+    hs.status = "Progressing"
+    hs.message = "Waiting for NodeClaim spec to be reconciled"
+    return hs
+  end
+end
+if obj.status ~= nil and obj.status.conditions ~= nil then
+
+  -- Disrupting takes priority: node is being terminated/consolidated/expired
+  for i, condition in ipairs(obj.status.conditions) do
+    if condition.type == "Disrupting" and condition.status == "True" then
+      hs.status = "Suspended"
+      hs.message = condition.message
+      return hs
+    end
+  end
+
+  for i, condition in ipairs(obj.status.conditions) do
+    if condition.type == "Ready" then
+      if condition.status == "True" then
+        hs.status = "Healthy"
+        hs.message = condition.message
+        return hs
+      elseif condition.status == "False" then
+        hs.status = "Degraded"
+        hs.message = condition.message
+        return hs
+      end
+    end
+  end
+
+  -- Ready condition is Unknown or absent: report the furthest phase reached
+  for i, condition in ipairs(obj.status.conditions) do
+    if condition.type == "Initialized" and condition.status == "True" then
+      hs.status = "Progressing"
+      hs.message = "Node initialized, waiting for Ready"
+      return hs
+    end
+  end
+  for i, condition in ipairs(obj.status.conditions) do
+    if condition.type == "Registered" and condition.status == "True" then
+      hs.status = "Progressing"
+      hs.message = "Node registered, waiting for initialization"
+      return hs
+    end
+  end
+  for i, condition in ipairs(obj.status.conditions) do
+    if condition.type == "Launched" and condition.status == "True" then
+      hs.status = "Progressing"
+      hs.message = "Node launched, waiting for registration"
+      return hs
+    end
+  end
+
+end
+hs.status = "Progressing"
+hs.message = "Waiting for NodeClaim to be launched"
+return hs

resource_customizations/karpenter.sh/NodeClaim/health_test.yaml

@@ -0,0 +1,33 @@
+tests:
+  - healthStatus:
+      status: Progressing
+      message: "Waiting for NodeClaim to be launched"
+    inputPath: testdata/progressing_noStatus.yaml
+  - healthStatus:
+      status: Progressing
+      message: "Node launched, waiting for registration"
+    inputPath: testdata/progressing_launched.yaml
+  - healthStatus:
+      status: Progressing
+      message: "Node registered, waiting for initialization"
+    inputPath: testdata/progressing_registered.yaml
+  - healthStatus:
+      status: Healthy
+      message: ""
+    inputPath: testdata/healthy.yaml
+  - healthStatus:
+      status: Degraded
+      message: "Instance i-0abc123def456789 terminated unexpectedly"
+    inputPath: testdata/degraded.yaml
+  - healthStatus:
+      status: Suspended
+      message: "TTL expired"
+    inputPath: testdata/suspended_disrupting.yaml
+  - healthStatus:
+      status: Progressing
+      message: "Node initialized, waiting for Ready"
+    inputPath: testdata/progressing_initialized.yaml
+  - healthStatus:
+      status: Progressing
+      message: "Waiting for NodeClaim to be launched"
+    inputPath: testdata/progressing_readyUnknown.yaml

resource_customizations/karpenter.sh/NodeClaim/testdata/degraded.yaml

@@ -0,0 +1,32 @@
+apiVersion: karpenter.sh/v1
+kind: NodeClaim
+metadata:
+  name: default-xxxx
+spec:
+  nodeClassRef:
+    group: karpenter.k8s.aws
+    kind: EC2NodeClass
+    name: default
+  requirements:
+    - key: karpenter.k8s.aws/instance-family
+      operator: In
+      values:
+        - m5
+status:
+  conditions:
+    - message: ""
+      reason: Launched
+      status: "True"
+      type: Launched
+    - message: ""
+      reason: Registered
+      status: "True"
+      type: Registered
+    - message: ""
+      reason: Initialized
+      status: "True"
+      type: Initialized
+    - message: "Instance i-0abc123def456789 terminated unexpectedly"
+      reason: NotReady
+      status: "False"
+      type: Ready

resource_customizations/karpenter.sh/NodeClaim/testdata/healthy.yaml

@@ -0,0 +1,34 @@
+apiVersion: karpenter.sh/v1
+kind: NodeClaim
+metadata:
+  name: default-xxxx
+spec:
+  nodeClassRef:
+    group: karpenter.k8s.aws
+    kind: EC2NodeClass
+    name: default
+  requirements:
+    - key: karpenter.k8s.aws/instance-family
+      operator: In
+      values:
+        - m5
+status:
+  nodeName: ip-10-0-1-100.ec2.internal
+  providerID: aws:///us-east-1a/i-0abc123def456789
+  conditions:
+    - message: ""
+      reason: Launched
+      status: "True"
+      type: Launched
+    - message: ""
+      reason: Registered
+      status: "True"
+      type: Registered
+    - message: ""
+      reason: Initialized
+      status: "True"
+      type: Initialized
+    - message: ""
+      reason: Ready
+      status: "True"
+      type: Ready

resource_customizations/karpenter.sh/NodeClaim/testdata/progressing_initialized.yaml

@@ -0,0 +1,36 @@
+apiVersion: karpenter.sh/v1
+kind: NodeClaim
+metadata:
+  name: default-xxxx
+  generation: 1
+spec:
+  nodeClassRef:
+    group: karpenter.k8s.aws
+    kind: EC2NodeClass
+    name: default
+  requirements:
+    - key: karpenter.k8s.aws/instance-family
+      operator: In
+      values:
+        - m5
+status:
+  observedGeneration: 1
+  nodeName: ip-10-0-1-100.ec2.internal
+  providerID: aws:///us-east-1a/i-0abc123def456789
+  conditions:
+    - message: ""
+      reason: Launched
+      status: "True"
+      type: Launched
+    - message: ""
+      reason: Registered
+      status: "True"
+      type: Registered
+    - message: ""
+      reason: Initialized
+      status: "True"
+      type: Initialized
+    - message: ""
+      reason: Ready
+      status: "Unknown"
+      type: Ready

resource_customizations/karpenter.sh/NodeClaim/testdata/progressing_launched.yaml

@@ -0,0 +1,21 @@
+apiVersion: karpenter.sh/v1
+kind: NodeClaim
+metadata:
+  name: default-xxxx
+spec:
+  nodeClassRef:
+    group: karpenter.k8s.aws
+    kind: EC2NodeClass
+    name: default
+  requirements:
+    - key: karpenter.k8s.aws/instance-family
+      operator: In
+      values:
+        - m5
+status:
+  providerID: aws:///us-east-1a/i-0abc123def456789
+  conditions:
+    - message: ""
+      reason: Launched
+      status: "True"
+      type: Launched

resource_customizations/karpenter.sh/NodeClaim/testdata/progressing_noStatus.yaml

@@ -0,0 +1,14 @@
+apiVersion: karpenter.sh/v1
+kind: NodeClaim
+metadata:
+  name: default-xxxx
+spec:
+  nodeClassRef:
+    group: karpenter.k8s.aws
+    kind: EC2NodeClass
+    name: default
+  requirements:
+    - key: karpenter.k8s.aws/instance-family
+      operator: In
+      values:
+        - m5

resource_customizations/karpenter.sh/NodeClaim/testdata/progressing_readyUnknown.yaml

@@ -0,0 +1,22 @@
+apiVersion: karpenter.sh/v1
+kind: NodeClaim
+metadata:
+  name: default-xxxx
+  generation: 1
+spec:
+  nodeClassRef:
+    group: karpenter.k8s.aws
+    kind: EC2NodeClass
+    name: default
+  requirements:
+    - key: karpenter.k8s.aws/instance-family
+      operator: In
+      values:
+        - m5
+status:
+  observedGeneration: 1
+  conditions:
+    - message: ""
+      reason: Unknown
+      status: "Unknown"
+      type: Ready

resource_customizations/karpenter.sh/NodeClaim/testdata/progressing_registered.yaml

@@ -0,0 +1,26 @@
+apiVersion: karpenter.sh/v1
+kind: NodeClaim
+metadata:
+  name: default-xxxx
+spec:
+  nodeClassRef:
+    group: karpenter.k8s.aws
+    kind: EC2NodeClass
+    name: default
+  requirements:
+    - key: karpenter.k8s.aws/instance-family
+      operator: In
+      values:
+        - m5
+status:
+  nodeName: ip-10-0-1-100.ec2.internal
+  providerID: aws:///us-east-1a/i-0abc123def456789
+  conditions:
+    - message: ""
+      reason: Launched
+      status: "True"
+      type: Launched
+    - message: ""
+      reason: Registered
+      status: "True"
+      type: Registered

resource_customizations/karpenter.sh/NodeClaim/testdata/suspended_disrupting.yaml

@@ -0,0 +1,38 @@
+apiVersion: karpenter.sh/v1
+kind: NodeClaim
+metadata:
+  name: default-xxxx
+spec:
+  nodeClassRef:
+    group: karpenter.k8s.aws
+    kind: EC2NodeClass
+    name: default
+  requirements:
+    - key: karpenter.k8s.aws/instance-family
+      operator: In
+      values:
+        - m5
+status:
+  nodeName: ip-10-0-1-100.ec2.internal
+  providerID: aws:///us-east-1a/i-0abc123def456789
+  conditions:
+    - message: ""
+      reason: Launched
+      status: "True"
+      type: Launched
+    - message: ""
+      reason: Registered
+      status: "True"
+      type: Registered
+    - message: ""
+      reason: Initialized
+      status: "True"
+      type: Initialized
+    - message: ""
+      reason: Ready
+      status: "True"
+      type: Ready
+    - message: "TTL expired"
+      reason: Expired
+      status: "True"
+      type: Disrupting

server/application/application.go

@@ -508,7 +508,7 @@ func (s *Server) GetManifests(ctx context.Context, q *application.ApplicationMan
 			return fmt.Errorf("error getting app instance label key from settings: %w", err)
 		}
 
-		config, err := s.getApplicationClusterConfig(ctx, a)
+		config, err := s.getApplicationClusterConfig(ctx, a, proj)
 		if err != nil {
 			return fmt.Errorf("error getting application cluster config: %w", err)
 		}
@@ -670,7 +670,7 @@ func (s *Server) GetManifestsWithFiles(stream application.ApplicationService_Get
 			return fmt.Errorf("error getting trackingMethod from settings: %w", err)
 		}
 
-		config, err := s.getApplicationClusterConfig(ctx, a)
+		config, err := s.getApplicationClusterConfig(ctx, a, proj)
 		if err != nil {
 			return fmt.Errorf("error getting application cluster config: %w", err)
 		}
@@ -879,7 +879,7 @@ func (s *Server) Get(ctx context.Context, q *application.ApplicationQuery) (*v1a
 
 // ListResourceEvents returns a list of event resources
 func (s *Server) ListResourceEvents(ctx context.Context, q *application.ApplicationResourceEventsQuery) (*corev1.EventList, error) {
-	a, _, err := s.getApplicationEnforceRBACInformer(ctx, rbac.ActionGet, q.GetProject(), q.GetAppNamespace(), q.GetName())
+	a, p, err := s.getApplicationEnforceRBACInformer(ctx, rbac.ActionGet, q.GetProject(), q.GetAppNamespace(), q.GetName())
 	if err != nil {
 		return nil, err
 	}
@@ -918,7 +918,7 @@ func (s *Server) ListResourceEvents(ctx context.Context, q *application.Applicat
 
 		namespace = q.GetResourceNamespace()
 		var config *rest.Config
-		config, err = s.getApplicationClusterConfig(ctx, a)
+		config, err = s.getApplicationClusterConfig(ctx, a, p)
 		if err != nil {
 			return nil, fmt.Errorf("error getting application cluster config: %w", err)
 		}
@@ -1377,7 +1377,7 @@ func (s *Server) validateAndNormalizeApp(ctx context.Context, app *v1alpha1.Appl
 	return nil
 }
 
-func (s *Server) getApplicationClusterConfig(ctx context.Context, a *v1alpha1.Application) (*rest.Config, error) {
+func (s *Server) getApplicationClusterConfig(ctx context.Context, a *v1alpha1.Application, p *v1alpha1.AppProject) (*rest.Config, error) {
 	cluster, err := argo.GetDestinationCluster(ctx, a.Spec.Destination, s.db)
 	if err != nil {
 		return nil, fmt.Errorf("error validating destination: %w", err)
@@ -1387,6 +1387,24 @@ func (s *Server) getApplicationClusterConfig(ctx context.Context, a *v1alpha1.Ap
 		return nil, fmt.Errorf("error getting cluster REST config: %w", err)
 	}
 
+	impersonationEnabled, err := s.settingsMgr.IsImpersonationEnabled()
+	if err != nil {
+		return nil, fmt.Errorf("error getting impersonation setting: %w", err)
+	}
+
+	if !impersonationEnabled {
+		return config, nil
+	}
+
+	user, err := settings.DeriveServiceAccountToImpersonate(p, a, cluster)
+	if err != nil {
+		return nil, fmt.Errorf("error deriving service account to impersonate: %w", err)
+	}
+
+	config.Impersonate = rest.ImpersonationConfig{
+		UserName: user,
+	}
+
 	return config, err
 }
 
@@ -1437,7 +1455,7 @@ func (s *Server) getAppLiveResource(ctx context.Context, action string, q *appli
 	if fineGrainedInheritanceDisabled && (action == rbac.ActionDelete || action == rbac.ActionUpdate) {
 		action = fmt.Sprintf("%s/%s/%s/%s/%s", action, q.GetGroup(), q.GetKind(), q.GetNamespace(), q.GetResourceName())
 	}
-	a, _, err := s.getApplicationEnforceRBACInformer(ctx, action, q.GetProject(), q.GetAppNamespace(), q.GetName())
+	a, p, err := s.getApplicationEnforceRBACInformer(ctx, action, q.GetProject(), q.GetAppNamespace(), q.GetName())
 	if !fineGrainedInheritanceDisabled && err != nil && errors.Is(err, argocommon.PermissionDeniedAPIError) && (action == rbac.ActionDelete || action == rbac.ActionUpdate) {
 		action = fmt.Sprintf("%s/%s/%s/%s/%s", action, q.GetGroup(), q.GetKind(), q.GetNamespace(), q.GetResourceName())
 		a, _, err = s.getApplicationEnforceRBACInformer(ctx, action, q.GetProject(), q.GetAppNamespace(), q.GetName())
@@ -1455,10 +1473,11 @@ func (s *Server) getAppLiveResource(ctx context.Context, action string, q *appli
 	if found == nil || found.UID == "" {
 		return nil, nil, nil, status.Errorf(codes.InvalidArgument, "%s %s %s not found as part of application %s", q.GetKind(), q.GetGroup(), q.GetResourceName(), q.GetName())
 	}
-	config, err := s.getApplicationClusterConfig(ctx, a)
+	config, err := s.getApplicationClusterConfig(ctx, a, p)
 	if err != nil {
 		return nil, nil, nil, fmt.Errorf("error getting application cluster config: %w", err)
 	}
+
 	return found, config, a, nil
 }
 
@@ -1571,6 +1590,7 @@ func (s *Server) DeleteResource(ctx context.Context, q *application.ApplicationR
 		propagationPolicy := metav1.DeletePropagationForeground
 		deleteOption = metav1.DeleteOptions{PropagationPolicy: &propagationPolicy}
 	}
+
 	err = s.kubectl.DeleteResource(ctx, config, res.GroupKindVersion(), res.Name, res.Namespace, deleteOption)
 	if err != nil {
 		return nil, fmt.Errorf("error deleting resource: %w", err)
@@ -1826,7 +1846,7 @@ func (s *Server) PodLogs(q *application.ApplicationPodLogsQuery, ws application.
 		}
 	}
 
-	a, _, err := s.getApplicationEnforceRBACInformer(ws.Context(), rbac.ActionGet, q.GetProject(), q.GetAppNamespace(), q.GetName())
+	a, p, err := s.getApplicationEnforceRBACInformer(ws.Context(), rbac.ActionGet, q.GetProject(), q.GetAppNamespace(), q.GetName())
 	if err != nil {
 		return err
 	}
@@ -1840,7 +1860,7 @@ func (s *Server) PodLogs(q *application.ApplicationPodLogsQuery, ws application.
 		return fmt.Errorf("error getting app resource tree: %w", err)
 	}
 
-	config, err := s.getApplicationClusterConfig(ws.Context(), a)
+	config, err := s.getApplicationClusterConfig(ws.Context(), a, p)
 	if err != nil {
 		return fmt.Errorf("error getting application cluster config: %w", err)
 	}
@@ -2515,7 +2535,8 @@ func (s *Server) ListResourceActions(ctx context.Context, q *application.Applica
 
 func (s *Server) getUnstructuredLiveResourceOrApp(ctx context.Context, rbacRequest string, q *application.ApplicationResourceRequest) (obj *unstructured.Unstructured, res *v1alpha1.ResourceNode, app *v1alpha1.Application, config *rest.Config, err error) {
 	if q.GetKind() == applicationType.ApplicationKind && q.GetGroup() == applicationType.Group && q.GetName() == q.GetResourceName() {
-		app, _, err = s.getApplicationEnforceRBACInformer(ctx, rbacRequest, q.GetProject(), q.GetAppNamespace(), q.GetName())
+		var p *v1alpha1.AppProject
+		app, p, err = s.getApplicationEnforceRBACInformer(ctx, rbacRequest, q.GetProject(), q.GetAppNamespace(), q.GetName())
 		if err != nil {
 			return nil, nil, nil, nil, err
 		}
@@ -2523,7 +2544,7 @@ func (s *Server) getUnstructuredLiveResourceOrApp(ctx context.Context, rbacReque
 		if err != nil {
 			return nil, nil, nil, nil, err
 		}
-		config, err = s.getApplicationClusterConfig(ctx, app)
+		config, err = s.getApplicationClusterConfig(ctx, app, p)
 		if err != nil {
 			return nil, nil, nil, nil, fmt.Errorf("error getting application cluster config: %w", err)
 		}

server/application/application_test.go

@@ -4644,3 +4644,129 @@ func TestTerminateOperationWithConflicts(t *testing.T) {
 	require.NoError(t, err)
 	assert.GreaterOrEqual(t, updateCallCount, 2, "Update should be called at least twice (once with conflict, once with success)")
 }
+
+func TestGetApplicationClusterConfig(t *testing.T) {
+	t.Run("ImpersonationDisabled", func(t *testing.T) {
+		app := newTestApp()
+		appServer := newTestAppServer(t, app)
+
+		project := &v1alpha1.AppProject{
+			ObjectMeta: metav1.ObjectMeta{Name: "default", Namespace: "default"},
+			Spec: v1alpha1.AppProjectSpec{
+				SourceRepos:  []string{"*"},
+				Destinations: []v1alpha1.ApplicationDestination{{Server: "*", Namespace: "*"}},
+			},
+		}
+
+		config, err := appServer.getApplicationClusterConfig(t.Context(), app, project)
+		require.NoError(t, err)
+		assert.Empty(t, config.Impersonate.UserName)
+	})
+
+	t.Run("ImpersonationEnabledWithMatch", func(t *testing.T) {
+		f := func(enf *rbac.Enforcer) {
+			_ = enf.SetBuiltinPolicy(assets.BuiltinPolicyCSV)
+			enf.SetDefaultRole("role:admin")
+		}
+
+		projWithSA := &v1alpha1.AppProject{
+			ObjectMeta: metav1.ObjectMeta{Name: "proj-impersonate", Namespace: "default"},
+			Spec: v1alpha1.AppProjectSpec{
+				SourceRepos:  []string{"*"},
+				Destinations: []v1alpha1.ApplicationDestination{{Server: "*", Namespace: "*"}},
+				DestinationServiceAccounts: []v1alpha1.ApplicationDestinationServiceAccount{
+					{
+						Server:                "https://cluster-api.example.com",
+						Namespace:             test.FakeDestNamespace,
+						DefaultServiceAccount: "test-sa",
+					},
+				},
+			},
+		}
+
+		app := newTestApp(func(a *v1alpha1.Application) {
+			a.Spec.Project = "proj-impersonate"
+		})
+
+		appServer := newTestAppServerWithEnforcerConfigure(t, f,
+			map[string]string{"application.sync.impersonation.enabled": "true"},
+			app, projWithSA,
+		)
+
+		config, err := appServer.getApplicationClusterConfig(t.Context(), app, projWithSA)
+		require.NoError(t, err)
+		assert.Equal(t, "system:serviceaccount:"+test.FakeDestNamespace+":test-sa", config.Impersonate.UserName)
+	})
+
+	t.Run("ImpersonationEnabledWithNoMatch", func(t *testing.T) {
+		f := func(enf *rbac.Enforcer) {
+			_ = enf.SetBuiltinPolicy(assets.BuiltinPolicyCSV)
+			enf.SetDefaultRole("role:admin")
+		}
+
+		app := newTestApp()
+		appServer := newTestAppServerWithEnforcerConfigure(t, f,
+			map[string]string{"application.sync.impersonation.enabled": "true"},
+			app,
+		)
+
+		// "default" project has no DestinationServiceAccounts
+		project := &v1alpha1.AppProject{
+			ObjectMeta: metav1.ObjectMeta{Name: "default", Namespace: "default"},
+			Spec: v1alpha1.AppProjectSpec{
+				SourceRepos:  []string{"*"},
+				Destinations: []v1alpha1.ApplicationDestination{{Server: "*", Namespace: "*"}},
+			},
+		}
+
+		config, err := appServer.getApplicationClusterConfig(t.Context(), app, project)
+		assert.Nil(t, config)
+		assert.ErrorContains(t, err, "no matching service account found")
+	})
+}
+
+func TestGetUnstructuredLiveResourceOrAppWithImpersonation(t *testing.T) {
+	f := func(enf *rbac.Enforcer) {
+		_ = enf.SetBuiltinPolicy(assets.BuiltinPolicyCSV)
+		enf.SetDefaultRole("role:admin")
+	}
+
+	projWithSA := &v1alpha1.AppProject{
+		ObjectMeta: metav1.ObjectMeta{Name: "proj-impersonate", Namespace: "default"},
+		Spec: v1alpha1.AppProjectSpec{
+			SourceRepos:  []string{"*"},
+			Destinations: []v1alpha1.ApplicationDestination{{Server: "*", Namespace: "*"}},
+			DestinationServiceAccounts: []v1alpha1.ApplicationDestinationServiceAccount{
+				{
+					Server:                "https://cluster-api.example.com",
+					Namespace:             test.FakeDestNamespace,
+					DefaultServiceAccount: "test-sa",
+				},
+			},
+		},
+	}
+
+	app := newTestApp(func(a *v1alpha1.Application) {
+		a.Spec.Project = "proj-impersonate"
+	})
+
+	appServer := newTestAppServerWithEnforcerConfigure(t, f,
+		map[string]string{"application.sync.impersonation.enabled": "true"},
+		app, projWithSA,
+	)
+
+	appName := app.Name
+	group := "argoproj.io"
+	kind := "Application"
+	project := "proj-impersonate"
+
+	_, _, _, config, err := appServer.getUnstructuredLiveResourceOrApp(t.Context(), rbac.ActionGet, &application.ApplicationResourceRequest{
+		Name:         &appName,
+		ResourceName: &appName,
+		Group:        &group,
+		Kind:         &kind,
+		Project:      &project,
+	})
+	require.NoError(t, err)
+	assert.Equal(t, "system:serviceaccount:"+test.FakeDestNamespace+":test-sa", config.Impersonate.UserName)
+}

server/deeplinks/deeplinks.go

@@ -62,6 +62,17 @@ func SanitizeCluster(cluster *v1alpha1.Cluster) (*unstructured.Unstructured, err
 	})
 }
 
+func managedByURLFromAnnotations(annotations map[string]any) (string, bool) {
+	managedByURL, ok := annotations[v1alpha1.AnnotationKeyManagedByURL].(string)
+	if !ok {
+		return "", false
+	}
+	if err := settings.ValidateExternalURL(managedByURL); err != nil {
+		return "", false
+	}
+	return managedByURL, true
+}
+
 func CreateDeepLinksObject(resourceObj *unstructured.Unstructured, app *unstructured.Unstructured, cluster *unstructured.Unstructured, project *unstructured.Unstructured) map[string]any {
 	deeplinkObj := map[string]any{}
 	if resourceObj != nil {
@@ -72,12 +83,10 @@ func CreateDeepLinksObject(resourceObj *unstructured.Unstructured, app *unstruct
 		deeplinkObj[AppDeepLinkShortKey] = app.Object
 
 		// Add managed-by URL if present in annotations
-		if app.Object["metadata"] != nil {
-			if metadata, ok := app.Object["metadata"].(map[string]any); ok {
-				if annotations, ok := metadata["annotations"].(map[string]any); ok {
-					if managedByURL, ok := annotations[v1alpha1.AnnotationKeyManagedByURL].(string); ok {
-						deeplinkObj[ManagedByURLKey] = managedByURL
-					}
+		if metadata, ok := app.Object["metadata"].(map[string]any); ok {
+			if annotations, ok := metadata["annotations"].(map[string]any); ok {
+				if managedByURL, ok := managedByURLFromAnnotations(annotations); ok {
+					deeplinkObj[ManagedByURLKey] = managedByURL
 				}
 			}
 		}

server/deeplinks/deeplinks_test.go

@@ -237,6 +237,29 @@ func TestManagedByURLAnnotation(t *testing.T) {
 		assert.Equal(t, managedByURL, deeplinksObj[ManagedByURLKey])
 	})
 
+	t.Run("application with invalid managed-by-url annotation is omitted", func(t *testing.T) {
+		// Non http(s) protocols are invalid and should not be used in deep link generation.
+		managedByURL := "ftp://localhost:8081"
+
+		app := &v1alpha1.Application{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "test-app",
+				Annotations: map[string]string{
+					v1alpha1.AnnotationKeyManagedByURL: managedByURL,
+				},
+			},
+		}
+
+		obj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(app)
+		require.NoError(t, err)
+		unstructuredObj := &unstructured.Unstructured{Object: obj}
+
+		deeplinksObj := CreateDeepLinksObject(nil, unstructuredObj, nil, nil)
+
+		_, exists := deeplinksObj[ManagedByURLKey]
+		assert.False(t, exists)
+	})
+
 	t.Run("application without managed-by-url annotation", func(t *testing.T) {
 		// Create an application without managed-by-url annotation
 		app := &v1alpha1.Application{

server/extension/extension.go

@@ -14,7 +14,7 @@ import (
 
 	"github.com/felixge/httpsnoop"
 	log "github.com/sirupsen/logrus"
-	"gopkg.in/yaml.v3"
+	"go.yaml.in/yaml/v3"
 
 	"github.com/argoproj/argo-cd/v3/util/rbac"
 

server/server.go

@@ -334,8 +334,6 @@ func NewServer(ctx context.Context, opts ArgoCDServerOpts, appsetOpts Applicatio
 	appsetLister := appFactory.Argoproj().V1alpha1().ApplicationSets().Lister()
 
 	userStateStorage := util_session.NewUserStateStorage(opts.RedisClient)
-	ssoClientApp, err := oidc.NewClientApp(settings, opts.DexServerAddr, opts.DexTLSConfig, opts.BaseHRef, cacheutil.NewRedisCache(opts.RedisClient, settings.UserInfoCacheExpiration(), cacheutil.RedisCompressionNone))
-	errorsutil.CheckError(err)
 	sessionMgr := util_session.NewSessionManager(settingsMgr, projLister, opts.DexServerAddr, opts.DexTLSConfig, userStateStorage)
 	enf := rbac.NewEnforcer(opts.KubeClientset, opts.Namespace, common.ArgoCDRBACConfigMapName, nil)
 	enf.EnableEnforce(!opts.DisableAuth)
@@ -383,7 +381,6 @@ func NewServer(ctx context.Context, opts ArgoCDServerOpts, appsetOpts Applicatio
 	a := &ArgoCDServer{
 		ArgoCDServerOpts:   opts,
 		ApplicationSetOpts: appsetOpts,
-		ssoClientApp:       ssoClientApp,
 		log:                logger,
 		settings:           settings,
 		sessionMgr:         sessionMgr,
@@ -494,11 +491,11 @@ func (server *ArgoCDServer) logInClusterWarnings() error {
 	}
 	if len(inClusterSecrets) > 0 {
 		// Don't make this call unless we actually have in-cluster secrets, to save time.
-		dbSettings, err := server.settingsMgr.GetSettings()
+		inClusterEnabled, err := server.settingsMgr.IsInClusterEnabled()
 		if err != nil {
-			return fmt.Errorf("could not get DB settings: %w", err)
+			return fmt.Errorf("could not check if in-cluster is enabled: %w", err)
 		}
-		if !dbSettings.InClusterEnabled {
+		if !inClusterEnabled {
 			for _, clusterName := range inClusterSecrets {
 				log.Warnf("cluster %q uses in-cluster server address but it's disabled in Argo CD settings", clusterName)
 			}
@@ -586,6 +583,10 @@ func (server *ArgoCDServer) Run(ctx context.Context, listeners *Listeners) {
 	if server.RedisClient != nil {
 		cacheutil.CollectMetrics(server.RedisClient, metricsServ, server.userStateStorage.GetLockObject())
 	}
+	// OIDC config needs to be refreshed at each server restart
+	ssoClientApp, err := oidc.NewClientApp(server.settings, server.DexServerAddr, server.DexTLSConfig, server.BaseHRef, cacheutil.NewRedisCache(server.RedisClient, server.settings.UserInfoCacheExpiration(), cacheutil.RedisCompressionNone))
+	errorsutil.CheckError(err)
+	server.ssoClientApp = ssoClientApp
 
 	// Don't init storage until after CollectMetrics. CollectMetrics adds hooks to the Redis client, and Init
 	// reads those hooks. If this is called first, there may be a data race.

server/server_test.go

@@ -488,6 +488,100 @@ func TestGracefulShutdown(t *testing.T) {
 	assert.True(t, shutdown)
 }
 
+func TestOIDCRefresh(t *testing.T) {
+	port, err := test.GetFreePort()
+	require.NoError(t, err)
+	mockRepoClient := &mocks.Clientset{RepoServerServiceClient: &mocks.RepoServerServiceClient{}}
+	cm := test.NewFakeConfigMap()
+	cm.Data["oidc.config"] = `
+name: Test OIDC
+issuer: $oidc.myoidc.issuer
+clientID: $oidc.myoidc.clientId
+clientSecret: $oidc.myoidc.clientSecret
+`
+	secret := test.NewFakeSecret()
+	issuerURL := "http://oidc.127.0.0.1.nip.io"
+	updatedIssuerURL := "http://newoidc.127.0.0.1.nip.io"
+	secret.Data["oidc.myoidc.issuer"] = []byte(issuerURL)
+	secret.Data["oidc.myoidc.clientId"] = []byte("myClientId")
+	secret.Data["oidc.myoidc.clientSecret"] = []byte("myClientSecret")
+
+	kubeclientset := fake.NewSimpleClientset(cm, secret)
+	redis, redisCloser := test.NewInMemoryRedis()
+	defer redisCloser()
+	s := NewServer(
+		t.Context(),
+		ArgoCDServerOpts{
+			ListenPort:    port,
+			Namespace:     test.FakeArgoCDNamespace,
+			KubeClientset: kubeclientset,
+			AppClientset:  apps.NewSimpleClientset(),
+			RepoClientset: mockRepoClient,
+			RedisClient:   redis,
+		},
+		ApplicationSetOpts{},
+	)
+	projInformerCancel := test.StartInformer(s.projInformer)
+	defer projInformerCancel()
+	appInformerCancel := test.StartInformer(s.appInformer)
+	defer appInformerCancel()
+	appsetInformerCancel := test.StartInformer(s.appsetInformer)
+	defer appsetInformerCancel()
+	clusterInformerCancel := test.StartInformer(s.clusterInformer)
+	defer clusterInformerCancel()
+
+	shutdown := false
+
+	lns, err := s.Listen()
+	require.NoError(t, err)
+	runCtx := t.Context()
+
+	var wg gosync.WaitGroup
+	wg.Add(1)
+	go func(shutdown *bool) {
+		defer wg.Done()
+		s.Run(runCtx, lns)
+		*shutdown = true
+	}(&shutdown)
+
+	for !s.available.Load() {
+		time.Sleep(10 * time.Millisecond)
+	}
+	assert.True(t, s.available.Load())
+	assert.Equal(t, issuerURL, s.ssoClientApp.IssuerURL())
+
+	// Update oidc config
+	secret.Data["oidc.myoidc.issuer"] = []byte(updatedIssuerURL)
+	secret.ResourceVersion = "12345"
+	_, err = kubeclientset.CoreV1().Secrets(test.FakeArgoCDNamespace).Update(runCtx, secret, metav1.UpdateOptions{})
+	require.NoError(t, err)
+
+	// Wait for graceful shutdown
+	wg.Wait()
+	for s.available.Load() {
+		time.Sleep(10 * time.Millisecond)
+	}
+
+	assert.False(t, s.available.Load())
+
+	shutdown = false
+	wg.Add(1)
+	go func(shutdown *bool) {
+		defer wg.Done()
+		s.Run(runCtx, lns)
+		*shutdown = true
+	}(&shutdown)
+
+	for !s.available.Load() {
+		time.Sleep(10 * time.Millisecond)
+	}
+	assert.True(t, s.available.Load())
+	assert.Equal(t, updatedIssuerURL, s.ssoClientApp.IssuerURL())
+
+	s.stopCh <- syscall.SIGINT
+	wg.Wait()
+}
+
 func TestAuthenticate(t *testing.T) {
 	type testData struct {
 		test             string

test/container/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.io/library/redis:8.6.1@sha256:315270d166080f537bbdf1b489b603aaaa213cb55a544acfa51feb7481abb1c0 AS redis
+FROM docker.io/library/redis:8.6.2@sha256:009cc37796fbdbe1b631b4cc0582bed167e5e403ed8bcd06f77eb6cb5aeb6f93 AS redis
 
 # There are libraries we will want to copy from here in the final stage of the
 # build, but the COPY directive does not have a way to determine system
@@ -14,7 +14,7 @@ FROM docker.io/library/registry:3.0@sha256:6c5666b861f3505b116bb9aa9b25175e71210
 
 FROM docker.io/bitnamilegacy/kubectl:1.32@sha256:9524faf8e3cefb47fa28244a5d15f95ec21a73d963273798e593e61f80712333 AS kubectl
 
-FROM docker.io/library/ubuntu:26.04@sha256:91832dcd7bc5e44c098ecefc0a251a5c5d596dae494b33fb248e01b6840f8ce0
+FROM docker.io/library/ubuntu:26.04@sha256:730382b4a53a3c4a1498b7a36f11a62117f133fe6e73b01bb91303ed2ad87cdd
 
 ENV DEBIAN_FRONTEND=noninteractive
 

test/e2e/applicationset_git_generator_test.go

@@ -133,7 +133,7 @@ func TestSimpleGitDirectoryGenerator(t *testing.T) {
 
 		// Delete the ApplicationSet, and verify it deletes the Applications
 		When().
-		Delete().Then().Expect(ApplicationsDoNotExist(expectedAppsNewNamespace))
+		Delete(metav1.DeletePropagationForeground).Then().Expect(ApplicationsDoNotExist(expectedAppsNewNamespace))
 }
 
 func TestSimpleGitDirectoryGeneratorGoTemplate(t *testing.T) {
@@ -240,7 +240,7 @@ func TestSimpleGitDirectoryGeneratorGoTemplate(t *testing.T) {
 
 		// Delete the ApplicationSet, and verify it deletes the Applications
 		When().
-		Delete().Then().Expect(ApplicationsDoNotExist(expectedAppsNewNamespace))
+		Delete(metav1.DeletePropagationForeground).Then().Expect(ApplicationsDoNotExist(expectedAppsNewNamespace))
 }
 
 func TestSimpleGitDirectoryGeneratorGPGEnabledUnsignedCommits(t *testing.T) {
@@ -335,7 +335,7 @@ func TestSimpleGitDirectoryGeneratorGPGEnabledUnsignedCommits(t *testing.T) {
 		// verify the ApplicationSet error status conditions were set correctly
 		Expect(ApplicationSetHasConditions(expectedConditionsParamsError)).
 		When().
-		Delete().Then().Expect(ApplicationsDoNotExist(expectedApps))
+		Delete(metav1.DeletePropagationForeground).Then().Expect(ApplicationsDoNotExist(expectedApps))
 }
 
 func TestSimpleGitDirectoryGeneratorGPGEnabledWithoutKnownKeys(t *testing.T) {
@@ -438,7 +438,7 @@ func TestSimpleGitDirectoryGeneratorGPGEnabledWithoutKnownKeys(t *testing.T) {
 		Expect(ApplicationSetHasConditions(expectedConditionsParamsError)).
 		Expect(ApplicationsDoNotExist(expectedApps)).
 		When().
-		Delete().Then().Expect(ApplicationsDoNotExist(expectedApps))
+		Delete(metav1.DeletePropagationForeground).Then().Expect(ApplicationsDoNotExist(expectedApps))
 }
 
 func TestSimpleGitFilesGenerator(t *testing.T) {
@@ -544,7 +544,7 @@ func TestSimpleGitFilesGenerator(t *testing.T) {
 
 		// Delete the ApplicationSet, and verify it deletes the Applications
 		When().
-		Delete().Then().Expect(ApplicationsDoNotExist(expectedAppsNewNamespace))
+		Delete(metav1.DeletePropagationForeground).Then().Expect(ApplicationsDoNotExist(expectedAppsNewNamespace))
 }
 
 func TestSimpleGitFilesGeneratorGPGEnabledUnsignedCommits(t *testing.T) {
@@ -639,7 +639,7 @@ func TestSimpleGitFilesGeneratorGPGEnabledUnsignedCommits(t *testing.T) {
 		// verify the ApplicationSet error status conditions were set correctly
 		Expect(ApplicationSetHasConditions(expectedConditionsParamsError)).
 		When().
-		Delete().Then().Expect(ApplicationsDoNotExist(expectedApps))
+		Delete(metav1.DeletePropagationForeground).Then().Expect(ApplicationsDoNotExist(expectedApps))
 }
 
 func TestSimpleGitFilesGeneratorGPGEnabledWithoutKnownKeys(t *testing.T) {
@@ -738,7 +738,7 @@ func TestSimpleGitFilesGeneratorGPGEnabledWithoutKnownKeys(t *testing.T) {
 		Expect(ApplicationSetHasConditions(expectedConditionsParamsError)).
 		Expect(ApplicationsDoNotExist(expectedApps)).
 		When().
-		Delete().Then().Expect(ApplicationsDoNotExist(expectedApps))
+		Delete(metav1.DeletePropagationForeground).Then().Expect(ApplicationsDoNotExist(expectedApps))
 }
 
 func TestSimpleGitFilesGeneratorGoTemplate(t *testing.T) {
@@ -845,7 +845,7 @@ func TestSimpleGitFilesGeneratorGoTemplate(t *testing.T) {
 
 		// Delete the ApplicationSet, and verify it deletes the Applications
 		When().
-		Delete().Then().Expect(ApplicationsDoNotExist(expectedAppsNewNamespace))
+		Delete(metav1.DeletePropagationForeground).Then().Expect(ApplicationsDoNotExist(expectedAppsNewNamespace))
 }
 
 func TestSimpleGitFilesPreserveResourcesOnDeletion(t *testing.T) {
@@ -894,7 +894,7 @@ func TestSimpleGitFilesPreserveResourcesOnDeletion(t *testing.T) {
 			// We use an extra-long duration here, as we might need to wait for image pull.
 		}).Then().ExpectWithDuration(Pod(t, func(p corev1.Pod) bool { return strings.Contains(p.Name, "guestbook-ui") }), 6*time.Minute).
 		When().
-		Delete().
+		Delete(metav1.DeletePropagationForeground).
 		And(func() {
 			t.Log("Waiting 15 seconds to give the cluster a chance to delete the pods.")
 			// Wait 15 seconds to give the cluster a chance to deletes the pods, if it is going to do so.
@@ -952,7 +952,7 @@ func TestSimpleGitFilesPreserveResourcesOnDeletionGoTemplate(t *testing.T) {
 			// We use an extra-long duration here, as we might need to wait for image pull.
 		}).Then().ExpectWithDuration(Pod(t, func(p corev1.Pod) bool { return strings.Contains(p.Name, "guestbook-ui") }), 6*time.Minute).
 		When().
-		Delete().
+		Delete(metav1.DeletePropagationForeground).
 		And(func() {
 			t.Log("Waiting 15 seconds to give the cluster a chance to delete the pods.")
 			// Wait 15 seconds to give the cluster a chance to deletes the pods, if it is going to do so.
@@ -1034,7 +1034,7 @@ func TestGitGeneratorPrivateRepo(t *testing.T) {
 		}).Then().Expect(ApplicationsExist(expectedApps)).
 		// Delete the ApplicationSet, and verify it deletes the Applications
 		When().
-		Delete().Then().Expect(ApplicationsDoNotExist(expectedAppsNewNamespace))
+		Delete(metav1.DeletePropagationForeground).Then().Expect(ApplicationsDoNotExist(expectedAppsNewNamespace))
 }
 
 func TestGitGeneratorPrivateRepoGoTemplate(t *testing.T) {
@@ -1108,7 +1108,7 @@ func TestGitGeneratorPrivateRepoGoTemplate(t *testing.T) {
 		}).Then().Expect(ApplicationsExist(expectedApps)).
 		// Delete the ApplicationSet, and verify it deletes the Applications
 		When().
-		Delete().Then().Expect(ApplicationsDoNotExist(expectedAppsNewNamespace))
+		Delete(metav1.DeletePropagationForeground).Then().Expect(ApplicationsDoNotExist(expectedAppsNewNamespace))
 }
 
 func TestSimpleGitGeneratorPrivateRepoWithNoRepo(t *testing.T) {
@@ -1180,7 +1180,7 @@ func TestSimpleGitGeneratorPrivateRepoWithNoRepo(t *testing.T) {
 		}).Then().Expect(ApplicationsDoNotExist(expectedApps)).
 		// Delete the ApplicationSet, and verify it deletes the Applications
 		When().
-		Delete().Then().Expect(ApplicationsDoNotExist(expectedAppsNewNamespace))
+		Delete(metav1.DeletePropagationForeground).Then().Expect(ApplicationsDoNotExist(expectedAppsNewNamespace))
 }
 
 func TestSimpleGitGeneratorPrivateRepoWithMatchingProject(t *testing.T) {
@@ -1251,7 +1251,7 @@ func TestSimpleGitGeneratorPrivateRepoWithMatchingProject(t *testing.T) {
 		}).Then().Expect(ApplicationsExist(expectedApps)).
 		// Delete the ApplicationSet, and verify it deletes the Applications
 		When().
-		Delete().Then().Expect(ApplicationsDoNotExist(expectedApps))
+		Delete(metav1.DeletePropagationForeground).Then().Expect(ApplicationsDoNotExist(expectedApps))
 }
 
 func TestSimpleGitGeneratorPrivateRepoWithMismatchingProject(t *testing.T) {
@@ -1324,7 +1324,7 @@ func TestSimpleGitGeneratorPrivateRepoWithMismatchingProject(t *testing.T) {
 		}).Then().Expect(ApplicationsDoNotExist(expectedApps)).
 		// Delete the ApplicationSet, and verify it deletes the Applications
 		When().
-		Delete().Then().Expect(ApplicationsDoNotExist(expectedAppsNewNamespace))
+		Delete(metav1.DeletePropagationForeground).Then().Expect(ApplicationsDoNotExist(expectedAppsNewNamespace))
 }
 
 func TestGitGeneratorPrivateRepoWithTemplatedProject(t *testing.T) {
@@ -1400,7 +1400,7 @@ func TestGitGeneratorPrivateRepoWithTemplatedProject(t *testing.T) {
 		}).Then().Expect(ApplicationsExist(expectedApps)).
 		// Delete the ApplicationSet, and verify it deletes the Applications
 		When().
-		Delete().Then().Expect(ApplicationsDoNotExist(expectedAppsNewNamespace))
+		Delete(metav1.DeletePropagationForeground).Then().Expect(ApplicationsDoNotExist(expectedAppsNewNamespace))
 }
 
 func TestGitGeneratorPrivateRepoWithTemplatedProjectAndProjectScopedRepo(t *testing.T) {
@@ -1484,5 +1484,5 @@ func TestGitGeneratorPrivateRepoWithTemplatedProjectAndProjectScopedRepo(t *test
 		}).Then().Expect(ApplicationsDoNotExist(expectedApps)).
 		// Delete the ApplicationSet, and verify it deletes the Applications
 		When().
-		Delete().Then().Expect(ApplicationsDoNotExist(expectedAppsNewNamespace))
+		Delete(metav1.DeletePropagationForeground).Then().Expect(ApplicationsDoNotExist(expectedAppsNewNamespace))
 }