Bump version to 2.5.12

fix: traverse generator tree when getting requeue time (#12407 ) (#12409 ) (#12611 )
2026-02-21 18:18:48 +01:00 · 2023-02-27 14:28:40 +00:00 · 2023-02-27 14:28:36 +00:00 · 2023-02-24 16:29:14 -05:00 · 2023-02-17 15:13:45 -05:00 · 2023-02-17 14:40:03 -05:00
310 changed files with 11041 additions and 19409 deletions
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -27,9 +27,9 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Download all Go modules
@@ -45,13 +45,13 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # v3.2.5
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -69,13 +69,13 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@0ad9a0988b3973e851ab0a07adf248ec2e100376 # v3.3.1
        with:
          version: v1.46.2
          args: --timeout 10m --exclude SA5011 --verbose
@@ -92,11 +92,11 @@ jobs:
      - name: Create checkout directory
        run: mkdir -p ~/go/src/github.com/argoproj
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - name: Create symlink in GOPATH
        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@@ -116,13 +116,17 @@ jobs:
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
      - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # v3.2.5
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
      - name: Install all tools required for building & testing
        run: |
          make install-test-tools-local
+        # We install kustomize in the dist directory
+      - name: Add dist to PATH
+        run: |
+          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
      - name: Setup git username and email
        run: |
          git config --global user.name "John Doe"
@@ -133,12 +137,12 @@ jobs:
      - name: Run all unit tests
        run: make test-local
      - name: Generate code coverage artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: code-coverage
          path: coverage.out
      - name: Generate test results artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: test-results
          path: test-results/
@@ -155,11 +159,11 @@ jobs:
      - name: Create checkout directory
        run: mkdir -p ~/go/src/github.com/argoproj
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - name: Create symlink in GOPATH
        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@@ -179,13 +183,17 @@ jobs:
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
      - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # v3.2.5
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
      - name: Install all tools required for building & testing
        run: |
          make install-test-tools-local
+        # We install kustomize in the dist directory
+      - name: Add dist to PATH
+        run: |
+          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
      - name: Setup git username and email
        run: |
          git config --global user.name "John Doe"
@@ -196,7 +204,7 @@ jobs:
      - name: Run all unit tests
        run: make test-race-local
      - name: Generate test results artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: race-results
          path: test-results/
@@ -206,9 +214,9 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Create symlink in GOPATH
@@ -232,6 +240,10 @@ jobs:
          make install-codegen-tools-local
          make install-go-tools-local
        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
+        # We install kustomize in the dist directory
+      - name: Add dist to PATH
+        run: |
+          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
      - name: Run codegen
        run: |
          set -x
@@ -250,14 +262,14 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - name: Setup NodeJS
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
        with:
          node-version: '12.18.4'
      - name: Restore node dependency cache
        id: cache-dependencies
-        uses: actions/cache@v1
+        uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # v3.2.5
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -287,12 +299,12 @@ jobs:
      sonar_secret: ${{ secrets.SONAR_TOKEN }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
        with:
          fetch-depth: 0
      - name: Restore node dependency cache
        id: cache-dependencies
-        uses: actions/cache@v1
+        uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # v3.2.5
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -303,16 +315,16 @@ jobs:
        run: |
          mkdir -p test-results
      - name: Get code coverage artifiact
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: code-coverage
      - name: Get test result artifact
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: test-results
          path: test-results
      - name: Upload code coverage information to codecov.io
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 # v3.1.1
        with:
          file: coverage.out
      - name: Perform static code analysis using SonarCloud
@@ -366,9 +378,9 @@ jobs:
      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}  
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: GH actions workaround - Kill XSP4 process
@@ -386,7 +398,7 @@ jobs:
          sudo chown runner $HOME/.kube/config
          kubectl version
      - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # v3.2.5
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -412,9 +424,9 @@ jobs:
          git config --global user.email "john.doe@example.com"
      - name: Pull Docker image required for tests
        run: |
-          docker pull ghcr.io/dexidp/dex:v2.35.3-distroless
+          docker pull ghcr.io/dexidp/dex:v2.35.3
          docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:7.0.5-alpine
+          docker pull redis:7.0.7-alpine
      - name: Create target directory for binaries in the build-process
        run: |
          mkdir -p dist
@@ -442,7 +454,7 @@ jobs:
          set -x
          make test-e2e-local
      - name: Upload e2e-server logs
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: e2e-server-k8s${{ matrix.k3s-version }}.log
          path: /tmp/e2e-server.log
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -29,11 +29,11 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@8aff97f12c99086bdb92ff62ae06dbbcdf07941b # v2.1.33
      # Override language selection by uncommenting this and choosing your languages
      # with:
      #   languages: go, javascript, csharp, python, cpp, java
@@ -41,7 +41,7 @@ jobs:
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@8aff97f12c99086bdb92ff62ae06dbbcdf07941b # v2.1.33

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@@ -55,4 +55,4 @@ jobs:
    #   make release

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@8aff97f12c99086bdb92ff62ae06dbbcdf07941b # v2.1.33
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@@ -28,22 +28,22 @@ jobs:
    env:
      GOPATH: /home/runner/work/argo-cd/argo-cd
    steps:
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
-      - uses: actions/checkout@master
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
        with:
          path: src/github.com/argoproj/argo-cd

      # get image tag
-      - run: echo ::set-output name=tag::$(cat ./VERSION)-${GITHUB_SHA::8}
+      - run: echo "tag=$(cat ./VERSION)-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
        working-directory: ./src/github.com/argoproj/argo-cd
        id: image

      # login
      - run: |
-          docker login ghcr.io --username $USERNAME --password $PASSWORD
-          docker login quay.io --username "${DOCKER_USERNAME}" --password "${DOCKER_TOKEN}"
+          docker login ghcr.io --username $USERNAME --password-stdin <<< "$PASSWORD"
+          docker login quay.io --username "$DOCKER_USERNAME" --password-stdin <<< "$DOCKER_TOKEN"
        if: github.event_name == 'push'
        env:
          USERNAME: ${{ secrets.USERNAME }}
@@ -52,8 +52,8 @@ jobs:
          DOCKER_TOKEN: ${{ secrets.RELEASE_QUAY_TOKEN }}

      # build
-      - uses: docker/setup-qemu-action@v2
-      - uses: docker/setup-buildx-action@v2
+      - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+      - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
      - run: |
          IMAGE_PLATFORMS=linux/amd64
          if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-arm-image') }}" == "true" ]]
@@ -61,20 +61,27 @@ jobs:
            IMAGE_PLATFORMS=linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
          fi
          echo "Building image for platforms: $IMAGE_PLATFORMS"
-          docker buildx build --platform $IMAGE_PLATFORMS --push="${{ github.event_name == 'push' }}" \
+          docker buildx build --platform $IMAGE_PLATFORMS --sbom=false --provenance=false --push="${{ github.event_name == 'push' }}" \
            -t ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }} \
            -t quay.io/argoproj/argocd:latest .
        working-directory: ./src/github.com/argoproj/argo-cd

      # sign container images
      - name: Install cosign
-        uses: sigstore/cosign-installer@main
+        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
        with:
-          cosign-release: 'v1.13.0'
+          cosign-release: 'v1.13.1'
+
+      - name: Install crane to get digest of image
+        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c
+
+      - name: Get digest of image
+        run: |
+          echo "IMAGE_DIGEST=$(crane digest quay.io/argoproj/argocd:latest)" >> $GITHUB_ENV

      - name: Sign Argo CD latest image
        run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argocd:latest
+          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argocd@${{ env.IMAGE_DIGEST }}
          # Displays the public key to share.
          cosign public-key --key env://COSIGN_PRIVATE_KEY
        env:
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -12,7 +12,7 @@ on:
      - "!release-v0*"

 env:
-    GOLANG_VERSION: '1.18'
+  GOLANG_VERSION: '1.18'

 permissions:
  contents: read
@@ -43,7 +43,7 @@ jobs:
      GIT_EMAIL: argoproj@gmail.com
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -147,7 +147,7 @@ jobs:
          echo "RELEASE_NOTES=${RELEASE_NOTES}" >> $GITHUB_ENV

      - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}

@@ -177,6 +177,10 @@ jobs:
        run: |
          set -ue
          make install-codegen-tools-local
+          
+          # We install kustomize in the dist directory
+          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
+          
          make manifests-local VERSION=${TARGET_VERSION}
          git diff
          git commit manifests/ -m "Bump version to ${TARGET_VERSION}"
@@ -195,19 +199,19 @@ jobs:
          QUAY_TOKEN: ${{ secrets.RELEASE_QUAY_TOKEN }}
        run: |
          set -ue
-          docker login quay.io --username "${QUAY_USERNAME}" --password "${QUAY_TOKEN}"
+          docker login quay.io --username "${QUAY_USERNAME}" --password-stdin <<< "${QUAY_TOKEN}"
          # Remove the following when Docker Hub is gone
-          docker login --username "${DOCKER_USERNAME}" --password "${DOCKER_TOKEN}"
+          docker login --username "${DOCKER_USERNAME}" --password-stdin <<< "${DOCKER_TOKEN}"
        if: ${{ env.DRY_RUN != 'true' }}

-      - uses: docker/setup-qemu-action@v2
-      - uses: docker/setup-buildx-action@v2
+      - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+      - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
      - name: Build and push Docker image for release
        run: |
          set -ue
          git clean -fd
          mkdir -p dist/
-          docker buildx build --platform linux/amd64,linux/arm64,linux/s390x,linux/ppc64le --push -t ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION} -t argoproj/argocd:v${TARGET_VERSION} .
+          docker buildx build --platform linux/amd64,linux/arm64,linux/s390x,linux/ppc64le --sbom=false --provenance=false --push -t ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION} -t argoproj/argocd:v${TARGET_VERSION} .
          make release-cli
          make checksums
          chmod +x ./dist/argocd-linux-amd64
@@ -215,13 +219,20 @@ jobs:
        if: ${{ env.DRY_RUN != 'true' }}

      - name: Install cosign
-        uses: sigstore/cosign-installer@main
+        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
        with:
-          cosign-release: 'v1.13.0'
+          cosign-release: 'v1.13.1'
+
+      - name: Install crane to get digest of image
+        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c
+
+      - name: Get digest of image
+        run: |
+          echo "IMAGE_DIGEST=$(crane digest quay.io/argoproj/argocd:v${TARGET_VERSION})" >> $GITHUB_ENV

      - name: Sign Argo CD container images and assets
        run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION}
+          cosign sign --key env://COSIGN_PRIVATE_KEY ${IMAGE_NAMESPACE}/argocd@${{ env.IMAGE_DIGEST }}
          cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argocd-${TARGET_VERSION}-checksums.txt > ./dist/argocd-${TARGET_VERSION}-checksums.sig
          # Retrieves the public key to release as an asset
          cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argocd-cosign.pub
@@ -232,7 +243,7 @@ jobs:

      - name: Read release notes file
        id: release-notes
-        uses: juliangruber/read-file-action@v1
+        uses: juliangruber/read-file-action@02bbba9876a8f870efd4ad64e3b9088d3fb94d4b # v1.1.6
        with:
          path: ${{ env.RELEASE_NOTES }}

@@ -243,7 +254,7 @@ jobs:
          git push origin ${RELEASE_TAG}

      - name: Dry run GitHub release
-        uses: actions/create-release@v1
+        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        id: create_release
@@ -264,7 +275,7 @@ jobs:
          SIGS_BOM_VERSION: v0.2.1
          # comma delimited list of project relative folders to inspect for package
          # managers (gomod, yarn, npm).
-          PROJECT_FOLDERS: ".,./ui" 
+          PROJECT_FOLDERS: ".,./ui"
          # full qualified name of the docker image to be inspected
          DOCKER_IMAGE: ${{env.IMAGE_NAMESPACE}}/argocd:v${{env.TARGET_VERSION}}
        run: |
@@ -295,7 +306,7 @@ jobs:
        if: ${{ env.DRY_RUN != 'true' }}

      - name: Create GitHub release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
@@ -303,7 +314,6 @@ jobs:
          tag_name: ${{ env.RELEASE_TAG }}
          draft: ${{ env.DRAFT_RELEASE }}
          prerelease: ${{ env.PRE_RELEASE }}
-          generate_release_notes: true
          body: ${{ steps.release-notes.outputs.content }}  # Pre-pended to the generated notes
          files: |
            dist/argocd-*
@@ -314,7 +324,7 @@ jobs:
      - name: Update homebrew formula
        env:
          HOMEBREW_TOKEN: ${{ secrets.RELEASE_HOMEBREW_TOKEN }}
-        uses: dawidd6/action-homebrew-bump-formula@v3
+        uses: dawidd6/action-homebrew-bump-formula@02e79d9da43d79efa846d73695b6052cbbdbf48a # v3.8.3
        with:
          token: ${{env.HOMEBREW_TOKEN}}
          formula: argocd
--- a/.github/workflows/update-snyk.yaml
+++ b/.github/workflows/update-snyk.yaml
@@ -1,6 +1,5 @@
 name: Snyk report update
 on:
-  workflow_dispatch: {}
  schedule:
    - cron: '0 0 * * 0' # midnight every Sunday

@@ -10,27 +9,23 @@ permissions:
 jobs:
  snyk-report:
    permissions:
-      contents: write
-      pull-requests: write
+      contents: write  # To push snyk reports
    if: github.repository == 'argoproj/argo-cd'
    name: Update Snyk report in the docs directory
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Build reports
        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          make snyk-report
-          pr_branch="snyk-update-$(echo $RANDOM | md5sum | head -c 20)"
-          git checkout -b "$pr_branch"
          git config --global user.email 'ci@argoproj.com'
          git config --global user.name 'CI'
-          git add docs/snyk
-          git commit -m "[Bot] Update Snyk reports" --signoff
-          git push --set-upstream origin "$pr_branch"
-          gh pr create -B master -H "$pr_branch" --title '[Bot] docs: Update Snyk report' --body ''
+          git add docs/snyk/index.md
+          git add docs/snyk/*/*.html
+          git commit -m "[Bot] Update Snyk reports"
+          git push
--- a/.gitignore
+++ b/.gitignore
@@ -17,7 +17,6 @@ test-results
 node_modules/
 .kube/
 ./test/cmp/*.sock
-.envrc.remote

 # ignore built binaries
 cmd/argocd/argocd
--- a/4
+++ b/4
@@ -512,7 +512,7 @@ build-docs-local:

 .PHONY: build-docs
 build-docs:
-	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs ${MKDOCS_DOCKER_IMAGE} build
+	docker run ${MKDOCS_RUN_ARGS} --rm -it -v ${CURRENT_DIR}:/docs --entrypoint "" ${MKDOCS_DOCKER_IMAGE} sh -c 'pip install -r docs/requirements.txt; mkdocs build'

 .PHONY: serve-docs-local
 serve-docs-local:
@@ -520,7 +520,7 @@ serve-docs-local:

 .PHONY: serve-docs
 serve-docs:
-	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs ${MKDOCS_DOCKER_IMAGE} serve -a 0.0.0.0:8000
+	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}/site:/site -w /site --entrypoint "" ${MKDOCS_DOCKER_IMAGE} python3 -m http.server --bind 0.0.0.0 8000


 # Verify that kubectl can connect to your K8s cluster from Docker
--- a/README.md
+++ b/README.md
@@ -1,5 +1,4 @@
 [![Integration tests](https://github.com/argoproj/argo-cd/workflows/Integration%20tests/badge.svg?branch=master)](https://github.com/argoproj/argo-cd/actions?query=workflow%3A%22Integration+tests%22) [![slack](https://img.shields.io/badge/slack-argoproj-brightgreen.svg?logo=slack)](https://argoproj.github.io/community/join-slack) [![codecov](https://codecov.io/gh/argoproj/argo-cd/branch/master/graph/badge.svg)](https://codecov.io/gh/argoproj/argo-cd) [![Release Version](https://img.shields.io/github/v/release/argoproj/argo-cd?label=argo-cd)](https://github.com/argoproj/argo-cd/releases/latest) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4486/badge)](https://bestpractices.coreinfrastructure.org/projects/4486) [![Twitter Follow](https://img.shields.io/twitter/follow/argoproj?style=social)](https://twitter.com/argoproj)
-[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/argo-cd)](https://artifacthub.io/packages/helm/argo/argo-cd)

 # Argo CD - Declarative Continuous Delivery for Kubernetes

--- a/USERS.md
+++ b/USERS.md
@@ -53,7 +53,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [D2iQ](https://www.d2iq.com)
 1. [Datarisk](https://www.datarisk.io/)
 1. [Deloitte](https://www.deloitte.com/)
-1. [Deutsche Telekom AG](https://telekom.com)
 1. [Devopsi - Poland Software/DevOps Consulting](https://devopsi.pl/)
 1. [Devtron Labs](https://github.com/devtron-labs/devtron)
 1. [EDF Renewables](https://www.edf-re.com/)
@@ -75,7 +74,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [G DATA CyberDefense AG](https://www.gdata-software.com/)
 1. [Garner](https://www.garnercorp.com)
 1. [Generali Deutschland AG](https://www.generali.de/)
-2. [Gepardec](https://gepardec.com/)
 1. [Gitpod](https://www.gitpod.io)
 1. [Gllue](https://gllue.com)
 1. [gloat](https://gloat.com/)
@@ -157,11 +155,13 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Packlink](https://www.packlink.com/)
 1. [Pandosearch](https://www.pandosearch.com/en/home)
 1. [PagerDuty](https://www.pagerduty.com/)
+1. [Patreon](https://www.patreon.com/)
 1. [PayPay](https://paypay.ne.jp/)
 1. [Peloton Interactive](https://www.onepeloton.com/)
 1. [Pipefy](https://www.pipefy.com/)
 1. [Pismo](https://pismo.io/)
 1. [Polarpoint.io](https://polarpoint.io)
+1. [PostFinance](https://github.com/postfinance)
 1. [Preferred Networks](https://preferred.jp/en/)
 1. [Productboard](https://www.productboard.com/)
 1. [Prudential](https://prudential.com.sg)
--- a/2
+++ b/2
@@ -1 +1 @@
-2.5.0
+2.5.12
--- a/applicationset/controllers/applicationset_controller.go
+++ b/applicationset/controllers/applicationset_controller.go
@@ -484,7 +484,7 @@ func (r *ApplicationSetReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		// ...and if so, return it
 		return []string{owner.Name}
 	}); err != nil {
-		return fmt.Errorf("error setting up with manager: %w", err)
+		return err
 	}

 	return ctrl.NewControllerManagedBy(mgr).
@@ -567,7 +567,7 @@ func (r *ApplicationSetReconciler) createInCluster(ctx context.Context, applicat
 	var createApps []argov1alpha1.Application
 	current, err := r.getCurrentApplications(ctx, applicationSet)
 	if err != nil {
-		return fmt.Errorf("error getting current applications: %w", err)
+		return err
 	}

 	m := make(map[string]bool) // Will holds the app names that are current in the cluster
@@ -608,13 +608,13 @@ func (r *ApplicationSetReconciler) deleteInCluster(ctx context.Context, applicat
 	// clusterList, err := argoDB.ListClusters(ctx)
 	clusterList, err := utils.ListClusters(ctx, r.KubeClientset, applicationSet.Namespace)
 	if err != nil {
-		return fmt.Errorf("error listing clusters: %w", err)
+		return err
 	}

 	// Save current applications to be able to delete the ones that are not in appList
 	current, err := r.getCurrentApplications(ctx, applicationSet)
 	if err != nil {
-		return fmt.Errorf("error getting current applications: %w", err)
+		return err
 	}

 	m := make(map[string]bool) // Will holds the app names in appList for the deletion process
@@ -718,7 +718,7 @@ func (r *ApplicationSetReconciler) removeFinalizerOnInvalidDestination(ctx conte

 			err := r.Client.Update(ctx, app, &client.UpdateOptions{})
 			if err != nil {
-				return fmt.Errorf("error updating finalizers: %w", err)
+				return err
 			}
 		}
 	}
--- a/applicationset/controllers/requeue_after_test.go
+++ b/applicationset/controllers/requeue_after_test.go
@@ -0,0 +1,179 @@
+package controllers
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/argoproj/argo-cd/v2/applicationset/generators"
+	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	dynfake "k8s.io/client-go/dynamic/fake"
+	kubefake "k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/tools/record"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+)
+
+func TestRequeueAfter(t *testing.T) {
+	mockServer := argoCDServiceMock{}
+	ctx := context.Background()
+	scheme := runtime.NewScheme()
+	err := argov1alpha1.AddToScheme(scheme)
+	assert.Nil(t, err)
+	gvrToListKind := map[schema.GroupVersionResource]string{{
+		Group:    "mallard.io",
+		Version:  "v1",
+		Resource: "ducks",
+	}: "DuckList"}
+	appClientset := kubefake.NewSimpleClientset()
+	k8sClient := fake.NewClientBuilder().Build()
+	duckType := &unstructured.Unstructured{
+		Object: map[string]interface{}{
+			"apiVersion": "v2quack",
+			"kind":       "Duck",
+			"metadata": map[string]interface{}{
+				"name":      "mightyduck",
+				"namespace": "namespace",
+				"labels":    map[string]interface{}{"duck": "all-species"},
+			},
+			"status": map[string]interface{}{
+				"decisions": []interface{}{
+					map[string]interface{}{
+						"clusterName": "staging-01",
+					},
+					map[string]interface{}{
+						"clusterName": "production-01",
+					},
+				},
+			},
+		},
+	}
+	fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, duckType)
+
+	terminalGenerators := map[string]generators.Generator{
+		"List":                    generators.NewListGenerator(),
+		"Clusters":                generators.NewClusterGenerator(k8sClient, ctx, appClientset, "argocd"),
+		"Git":                     generators.NewGitGenerator(mockServer),
+		"SCMProvider":             generators.NewSCMProviderGenerator(fake.NewClientBuilder().WithObjects(&corev1.Secret{}).Build(), generators.SCMAuthProviders{}),
+		"ClusterDecisionResource": generators.NewDuckTypeGenerator(ctx, fakeDynClient, appClientset, "argocd"),
+		"PullRequest":             generators.NewPullRequestGenerator(k8sClient, generators.SCMAuthProviders{}),
+	}
+
+	nestedGenerators := map[string]generators.Generator{
+		"List":                    terminalGenerators["List"],
+		"Clusters":                terminalGenerators["Clusters"],
+		"Git":                     terminalGenerators["Git"],
+		"SCMProvider":             terminalGenerators["SCMProvider"],
+		"ClusterDecisionResource": terminalGenerators["ClusterDecisionResource"],
+		"PullRequest":             terminalGenerators["PullRequest"],
+		"Matrix":                  generators.NewMatrixGenerator(terminalGenerators),
+		"Merge":                   generators.NewMergeGenerator(terminalGenerators),
+	}
+
+	topLevelGenerators := map[string]generators.Generator{
+		"List":                    terminalGenerators["List"],
+		"Clusters":                terminalGenerators["Clusters"],
+		"Git":                     terminalGenerators["Git"],
+		"SCMProvider":             terminalGenerators["SCMProvider"],
+		"ClusterDecisionResource": terminalGenerators["ClusterDecisionResource"],
+		"PullRequest":             terminalGenerators["PullRequest"],
+		"Matrix":                  generators.NewMatrixGenerator(nestedGenerators),
+		"Merge":                   generators.NewMergeGenerator(nestedGenerators),
+	}
+
+	client := fake.NewClientBuilder().WithScheme(scheme).Build()
+	r := ApplicationSetReconciler{
+		Client:     client,
+		Scheme:     scheme,
+		Recorder:   record.NewFakeRecorder(0),
+		Generators: topLevelGenerators,
+	}
+
+	type args struct {
+		appset *argov1alpha1.ApplicationSet
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    time.Duration
+		wantErr assert.ErrorAssertionFunc
+	}{
+		{name: "Cluster", args: args{appset: &argov1alpha1.ApplicationSet{
+			Spec: argov1alpha1.ApplicationSetSpec{
+				Generators: []argov1alpha1.ApplicationSetGenerator{{Clusters: &argov1alpha1.ClusterGenerator{}}},
+			},
+		}}, want: generators.NoRequeueAfter, wantErr: assert.NoError},
+		{name: "ClusterMergeNested", args: args{&argov1alpha1.ApplicationSet{
+			Spec: argov1alpha1.ApplicationSetSpec{
+				Generators: []argov1alpha1.ApplicationSetGenerator{
+					{Clusters: &argov1alpha1.ClusterGenerator{}},
+					{Merge: &argov1alpha1.MergeGenerator{
+						Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+							{
+								Clusters: &argov1alpha1.ClusterGenerator{},
+								Git:      &argov1alpha1.GitGenerator{},
+							},
+						},
+					}},
+				},
+			},
+		}}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError},
+		{name: "ClusterMatrixNested", args: args{&argov1alpha1.ApplicationSet{
+			Spec: argov1alpha1.ApplicationSetSpec{
+				Generators: []argov1alpha1.ApplicationSetGenerator{
+					{Clusters: &argov1alpha1.ClusterGenerator{}},
+					{Matrix: &argov1alpha1.MatrixGenerator{
+						Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+							{
+								Clusters: &argov1alpha1.ClusterGenerator{},
+								Git:      &argov1alpha1.GitGenerator{},
+							},
+						},
+					}},
+				},
+			},
+		}}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError},
+		{name: "ListGenerator", args: args{appset: &argov1alpha1.ApplicationSet{
+			Spec: argov1alpha1.ApplicationSetSpec{
+				Generators: []argov1alpha1.ApplicationSetGenerator{{List: &argov1alpha1.ListGenerator{}}},
+			},
+		}}, want: generators.NoRequeueAfter, wantErr: assert.NoError},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equalf(t, tt.want, r.getMinRequeueAfter(tt.args.appset), "getMinRequeueAfter(%v)", tt.args.appset)
+		})
+	}
+}
+
+type argoCDServiceMock struct {
+	mock *mock.Mock
+}
+
+func (a argoCDServiceMock) GetApps(ctx context.Context, repoURL string, revision string) ([]string, error) {
+	args := a.mock.Called(ctx, repoURL, revision)
+
+	return args.Get(0).([]string), args.Error(1)
+}
+
+func (a argoCDServiceMock) GetFiles(ctx context.Context, repoURL string, revision string, pattern string) (map[string][]byte, error) {
+	args := a.mock.Called(ctx, repoURL, revision, pattern)
+
+	return args.Get(0).(map[string][]byte), args.Error(1)
+}
+
+func (a argoCDServiceMock) GetFileContent(ctx context.Context, repoURL string, revision string, path string) ([]byte, error) {
+	args := a.mock.Called(ctx, repoURL, revision, path)
+
+	return args.Get(0).([]byte), args.Error(1)
+}
+
+func (a argoCDServiceMock) GetDirectories(ctx context.Context, repoURL string, revision string) ([]string, error) {
+	args := a.mock.Called(ctx, repoURL, revision)
+	return args.Get(0).([]string), args.Error(1)
+}
--- a/applicationset/generators/cluster.go
+++ b/applicationset/generators/cluster.go
@@ -51,6 +51,8 @@ func NewClusterGenerator(c client.Client, ctx context.Context, clientset kuberne
 	return g
 }

+// GetRequeueAfter never requeue the cluster generator because the `clusterSecretEventHandler` will requeue the appsets
+// when the cluster secrets change
 func (g *ClusterGenerator) GetRequeueAfter(appSetGenerator *argoappsetv1alpha1.ApplicationSetGenerator) time.Duration {
 	return NoRequeueAfter
 }
@@ -170,7 +172,7 @@ func appendTemplatedValues(clusterValues map[string]string, params map[string]in
 		result, err := replaceTemplatedString(value, params, appSet)

 		if err != nil {
-			return fmt.Errorf("error replacing templated String: %w", err)
+			return err
 		}

 		if appSet.Spec.GoTemplate {
--- a/applicationset/generators/generator_spec_processor.go
+++ b/applicationset/generators/generator_spec_processor.go
@@ -1,7 +1,6 @@
 package generators

 import (
-	"fmt"
 	"encoding/json"
 	"reflect"

@@ -29,7 +28,7 @@ type TransformResult struct {
 func Transform(requestedGenerator argoprojiov1alpha1.ApplicationSetGenerator, allGenerators map[string]Generator, baseTemplate argoprojiov1alpha1.ApplicationSetTemplate, appSet *argoprojiov1alpha1.ApplicationSet, genParams map[string]interface{}) ([]TransformResult, error) {
 	selector, err := metav1.LabelSelectorAsSelector(requestedGenerator.Selector)
 	if err != nil {
-		return nil, fmt.Errorf("error parsing label selector: %w", err)
+		return nil, err
 	}

 	res := []TransformResult{}
--- a/applicationset/generators/matrix.go
+++ b/applicationset/generators/matrix.go
@@ -80,28 +80,13 @@ func (m *MatrixGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.App
 }

 func (m *MatrixGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet, params map[string]interface{}) ([]map[string]interface{}, error) {
-	var matrix *argoprojiov1alpha1.MatrixGenerator
-	if appSetBaseGenerator.Matrix != nil {
-		// Since nested matrix generator is represented as a JSON object in the CRD, we unmarshall it back to a Go struct here.
-		nestedMatrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(appSetBaseGenerator.Matrix)
-		if err != nil {
-			return nil, fmt.Errorf("unable to unmarshall nested matrix generator: %v", err)
-		}
-		if nestedMatrix != nil {
-			matrix = nestedMatrix.ToMatrixGenerator()
-		}
+	matrixGen, err := getMatrixGenerator(appSetBaseGenerator)
+	if err != nil {
+		return nil, err
 	}
-
-	var mergeGenerator *argoprojiov1alpha1.MergeGenerator
-	if appSetBaseGenerator.Merge != nil {
-		// Since nested merge generator is represented as a JSON object in the CRD, we unmarshall it back to a Go struct here.
-		nestedMerge, err := argoprojiov1alpha1.ToNestedMergeGenerator(appSetBaseGenerator.Merge)
-		if err != nil {
-			return nil, fmt.Errorf("unable to unmarshall nested merge generator: %v", err)
-		}
-		if nestedMerge != nil {
-			mergeGenerator = nestedMerge.ToMergeGenerator()
-		}
+	mergeGen, err := getMergeGenerator(appSetBaseGenerator)
+	if err != nil {
+		return nil, err
 	}

 	t, err := Transform(
@@ -112,8 +97,8 @@ func (m *MatrixGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.Appli
 			SCMProvider:             appSetBaseGenerator.SCMProvider,
 			ClusterDecisionResource: appSetBaseGenerator.ClusterDecisionResource,
 			PullRequest:             appSetBaseGenerator.PullRequest,
-			Matrix:                  matrix,
-			Merge:                   mergeGenerator,
+			Matrix:                  matrixGen,
+			Merge:                   mergeGen,
 			Selector:                appSetBaseGenerator.Selector,
 		},
 		m.supportedGenerators,
@@ -143,10 +128,15 @@ func (m *MatrixGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Ap
 	var found bool

 	for _, r := range appSetGenerator.Matrix.Generators {
+		matrixGen, _ := getMatrixGenerator(r)
+		mergeGen, _ := getMergeGenerator(r)
 		base := &argoprojiov1alpha1.ApplicationSetGenerator{
-			List:     r.List,
-			Clusters: r.Clusters,
-			Git:      r.Git,
+			List:        r.List,
+			Clusters:    r.Clusters,
+			Git:         r.Git,
+			PullRequest: r.PullRequest,
+			Matrix:      matrixGen,
+			Merge:       mergeGen,
 		}
 		generators := GetRelevantGenerators(base, m.supportedGenerators)

@@ -167,6 +157,17 @@ func (m *MatrixGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Ap

 }

+func getMatrixGenerator(r argoprojiov1alpha1.ApplicationSetNestedGenerator) (*argoprojiov1alpha1.MatrixGenerator, error) {
+	if r.Matrix == nil {
+		return nil, nil
+	}
+	matrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(r.Matrix)
+	if err != nil {
+		return nil, err
+	}
+	return matrix.ToMatrixGenerator(), nil
+}
+
 func (m *MatrixGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) *argoprojiov1alpha1.ApplicationSetTemplate {
 	return &appSetGenerator.Matrix.Template
 }
--- a/applicationset/generators/matrix_test.go
+++ b/applicationset/generators/matrix_test.go
@@ -399,6 +399,8 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 		Elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "Cluster","url": "Url"}`)}},
 	}

+	pullRequestGenerator := &argoprojiov1alpha1.PullRequestGenerator{}
+
 	testCases := []struct {
 		name               string
 		baseGenerators     []argoprojiov1alpha1.ApplicationSetNestedGenerator
@@ -431,6 +433,31 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 			gitGetRequeueAfter: time.Duration(1),
 			expected:           time.Duration(1),
 		},
+		{
+			name: "returns the minimal time for pull request",
+			baseGenerators: []argoprojiov1alpha1.ApplicationSetNestedGenerator{
+				{
+					Git: gitGenerator,
+				},
+				{
+					PullRequest: pullRequestGenerator,
+				},
+			},
+			gitGetRequeueAfter: time.Duration(15 * time.Second),
+			expected:           time.Duration(15 * time.Second),
+		},
+		{
+			name: "returns the default time if no requeueAfterSeconds is provided",
+			baseGenerators: []argoprojiov1alpha1.ApplicationSetNestedGenerator{
+				{
+					Git: gitGenerator,
+				},
+				{
+					PullRequest: pullRequestGenerator,
+				},
+			},
+			expected: time.Duration(30 * time.Minute),
+		},
 	}

 	for _, testCase := range testCases {
@@ -441,16 +468,18 @@ func TestMatrixGetRequeueAfter(t *testing.T) {

 			for _, g := range testCaseCopy.baseGenerators {
 				gitGeneratorSpec := argoprojiov1alpha1.ApplicationSetGenerator{
-					Git:  g.Git,
-					List: g.List,
+					Git:         g.Git,
+					List:        g.List,
+					PullRequest: g.PullRequest,
 				}
 				mock.On("GetRequeueAfter", &gitGeneratorSpec).Return(testCaseCopy.gitGetRequeueAfter, nil)
 			}

 			var matrixGenerator = NewMatrixGenerator(
 				map[string]Generator{
-					"Git":  mock,
-					"List": &ListGenerator{},
+					"Git":         mock,
+					"List":        &ListGenerator{},
+					"PullRequest": &PullRequestGenerator{},
 				},
 			)

--- a/applicationset/generators/merge.go
+++ b/applicationset/generators/merge.go
@@ -137,27 +137,13 @@ func getParamSetsByMergeKey(mergeKeys []string, paramSets []map[string]interface

 // getParams get the parameters generated by this generator.
 func (m *MergeGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
-
-	var matrix *argoprojiov1alpha1.MatrixGenerator
-	if appSetBaseGenerator.Matrix != nil {
-		nestedMatrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(appSetBaseGenerator.Matrix)
-		if err != nil {
-			return nil, err
-		}
-		if nestedMatrix != nil {
-			matrix = nestedMatrix.ToMatrixGenerator()
-		}
+	matrixGen, err := getMatrixGenerator(appSetBaseGenerator)
+	if err != nil {
+		return nil, err
 	}
-
-	var mergeGenerator *argoprojiov1alpha1.MergeGenerator
-	if appSetBaseGenerator.Merge != nil {
-		nestedMerge, err := argoprojiov1alpha1.ToNestedMergeGenerator(appSetBaseGenerator.Merge)
-		if err != nil {
-			return nil, err
-		}
-		if nestedMerge != nil {
-			mergeGenerator = nestedMerge.ToMergeGenerator()
-		}
+	mergeGen, err := getMergeGenerator(appSetBaseGenerator)
+	if err != nil {
+		return nil, err
 	}

 	t, err := Transform(
@@ -168,8 +154,8 @@ func (m *MergeGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.Applic
 			SCMProvider:             appSetBaseGenerator.SCMProvider,
 			ClusterDecisionResource: appSetBaseGenerator.ClusterDecisionResource,
 			PullRequest:             appSetBaseGenerator.PullRequest,
-			Matrix:                  matrix,
-			Merge:                   mergeGenerator,
+			Matrix:                  matrixGen,
+			Merge:                   mergeGen,
 			Selector:                appSetBaseGenerator.Selector,
 		},
 		m.supportedGenerators,
@@ -197,10 +183,15 @@ func (m *MergeGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.App
 	var found bool

 	for _, r := range appSetGenerator.Merge.Generators {
+		matrixGen, _ := getMatrixGenerator(r)
+		mergeGen, _ := getMergeGenerator(r)
 		base := &argoprojiov1alpha1.ApplicationSetGenerator{
-			List:     r.List,
-			Clusters: r.Clusters,
-			Git:      r.Git,
+			List:        r.List,
+			Clusters:    r.Clusters,
+			Git:         r.Git,
+			PullRequest: r.PullRequest,
+			Matrix:      matrixGen,
+			Merge:       mergeGen,
 		}
 		generators := GetRelevantGenerators(base, m.supportedGenerators)

@@ -221,6 +212,17 @@ func (m *MergeGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.App

 }

+func getMergeGenerator(r argoprojiov1alpha1.ApplicationSetNestedGenerator) (*argoprojiov1alpha1.MergeGenerator, error) {
+	if r.Merge == nil {
+		return nil, nil
+	}
+	merge, err := argoprojiov1alpha1.ToNestedMergeGenerator(r.Merge)
+	if err != nil {
+		return nil, err
+	}
+	return merge.ToMergeGenerator(), nil
+}
+
 // GetTemplate gets the Template field for the MergeGenerator.
 func (m *MergeGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) *argoprojiov1alpha1.ApplicationSetTemplate {
 	return &appSetGenerator.Merge.Template
--- a/applicationset/generators/scm_provider.go
+++ b/applicationset/generators/scm_provider.go
@@ -122,6 +122,15 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 		if err != nil {
 			return nil, fmt.Errorf("error initializing Azure Devops service: %v", err)
 		}
+	} else if providerConfig.Bitbucket != nil {
+		appPassword, err := g.getSecretRef(ctx, providerConfig.Bitbucket.AppPasswordRef, applicationSetInfo.Namespace)
+		if err != nil {
+			return nil, fmt.Errorf("error fetching Bitbucket cloud appPassword: %v", err)
+		}
+		provider, err = scm_provider.NewBitBucketCloudProvider(ctx, providerConfig.Bitbucket.Owner, providerConfig.Bitbucket.User, appPassword, providerConfig.Bitbucket.AllBranches)
+		if err != nil {
+			return nil, fmt.Errorf("error initializing Bitbucket cloud service: %v", err)
+		}
 	} else {
 		return nil, fmt.Errorf("no SCM provider implementation configured")
 	}
--- a/applicationset/services/repo_service.go
+++ b/applicationset/services/repo_service.go
@@ -85,12 +85,12 @@ func (a *argoCDService) GetDirectories(ctx context.Context, repoURL string, revi

 	gitRepoClient, err := git.NewClient(repo.Repo, repo.GetGitCreds(a.storecreds), repo.IsInsecure(), repo.IsLFSEnabled(), repo.Proxy)
 	if err != nil {
-		return nil, fmt.Errorf("error creating a new git client: %w", err)
+		return nil, err
 	}

 	err = checkoutRepo(gitRepoClient, revision, a.submoduleEnabled)
 	if err != nil {
-		return nil, fmt.Errorf("error while checking out repo: %w", err)
+		return nil, err
 	}

 	filteredPaths := []string{}
@@ -99,7 +99,7 @@ func (a *argoCDService) GetDirectories(ctx context.Context, repoURL string, revi

 	if err := filepath.Walk(repoRoot, func(path string, info os.FileInfo, fnErr error) error {
 		if fnErr != nil {
-			return fmt.Errorf("error walking the file tree: %w", fnErr)
+			return fnErr
 		}
 		if !info.IsDir() { // Skip files: directories only
 			return nil
@@ -112,7 +112,7 @@ func (a *argoCDService) GetDirectories(ctx context.Context, repoURL string, revi

 		relativePath, err := filepath.Rel(repoRoot, path)
 		if err != nil {
-			return fmt.Errorf("error constructing relative repo path: %w", err)
+			return err
 		}

 		if relativePath == "." { // Exclude '.' from results
--- a/applicationset/services/scm_provider/gitea.go
+++ b/applicationset/services/scm_provider/gitea.go
@@ -35,7 +35,7 @@ func NewGiteaProvider(ctx context.Context, owner, token, url string, allBranches
 	}
 	client, err := gitea.NewClient(url, gitea.SetToken(token), gitea.SetHTTPClient(httpClient))
 	if err != nil {
-		return nil, fmt.Errorf("error creating a new gitea client: %w", err)
+		return nil, err
 	}
 	return &GiteaProvider{
 		client:      client,
--- a/applicationset/utils/createOrUpdate.go
+++ b/applicationset/utils/createOrUpdate.go
@@ -88,7 +88,7 @@ func CreateOrUpdate(ctx context.Context, c client.Client, obj client.Object, f c
 // mutate wraps a MutateFn and applies validation to its result
 func mutate(f controllerutil.MutateFn, key client.ObjectKey, obj client.Object) error {
 	if err := f(); err != nil {
-		return fmt.Errorf("error while wrapping using MutateFn: %w", err)
+		return err
 	}
 	if newKey := client.ObjectKeyFromObject(obj); key != newKey {
 		return fmt.Errorf("MutateFn cannot mutate object name and/or object namespace")
--- a/applicationset/utils/utils.go
+++ b/applicationset/utils/utils.go
@@ -133,6 +133,16 @@ func (r *Render) deeplyReplace(copy, original reflect.Value, replaceMap map[stri
 			if err := r.deeplyReplace(copyValue, originalValue, replaceMap, useGoTemplate); err != nil {
 				return err
 			}
+
+			// Keys can be templated as well as values (e.g. to template something into an annotation).
+			if key.Kind() == reflect.String {
+				templatedKey, err := r.Replace(key.String(), replaceMap, useGoTemplate)
+				if err != nil {
+					return err
+				}
+				key = reflect.ValueOf(templatedKey)
+			}
+
 			copy.SetMapIndex(key, copyValue)
 		}

--- a/applicationset/utils/utils_test.go
+++ b/applicationset/utils/utils_test.go
@@ -7,6 +7,7 @@ import (
 	"github.com/sirupsen/logrus"
 	logtest "github.com/sirupsen/logrus/hooks/test"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -461,7 +462,49 @@ func TestRenderTemplateParamsGoTemplate(t *testing.T) {
 			}
 		})
 	}
+}

+func TestRenderTemplateKeys(t *testing.T) {
+	t.Run("fasttemplate", func(t *testing.T) {
+		application := &argoappsv1.Application{
+			ObjectMeta: metav1.ObjectMeta{
+				Annotations: map[string]string{
+					"annotation-{{key}}": "annotation-{{value}}",
+				},
+			},
+		}
+
+		params := map[string]interface{}{
+			"key":   "some-key",
+			"value": "some-value",
+		}
+
+		render := Render{}
+		newApplication, err := render.RenderTemplateParams(application, nil, params, false)
+		require.NoError(t, err)
+		require.Contains(t, newApplication.ObjectMeta.Annotations, "annotation-some-key")
+		assert.Equal(t, newApplication.ObjectMeta.Annotations["annotation-some-key"], "annotation-some-value")
+	})
+	t.Run("gotemplate", func(t *testing.T) {
+		application := &argoappsv1.Application{
+			ObjectMeta: metav1.ObjectMeta{
+				Annotations: map[string]string{
+					"annotation-{{ .key }}": "annotation-{{ .value }}",
+				},
+			},
+		}
+
+		params := map[string]interface{}{
+			"key":   "some-key",
+			"value": "some-value",
+		}
+
+		render := Render{}
+		newApplication, err := render.RenderTemplateParams(application, nil, params, true)
+		require.NoError(t, err)
+		require.Contains(t, newApplication.ObjectMeta.Annotations, "annotation-some-key")
+		assert.Equal(t, newApplication.ObjectMeta.Annotations["annotation-some-key"], "annotation-some-value")
+	})
 }

 func TestRenderTemplateParamsFinalizers(t *testing.T) {
--- a/argocd-cosign.pub
+++ b/argocd-cosign.pub
@@ -1,4 +0,0 @@
-----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEesHEB7vX5Y2RxXypjMy1nI1z7iRG
-JI9/gt/sYqzpsa65aaNP4npM43DDxoIy/MQBo9s/mxGxmA+8UXeDpVC9vw==
-----END PUBLIC KEY-----
--- a/assets/swagger.json
+++ b/assets/swagger.json
@@ -4097,6 +4097,9 @@
        "appLabelKey": {
          "type": "string"
        },
+        "appsInAnyNamespaceEnabled": {
+          "type": "boolean"
+        },
        "configManagementPlugins": {
          "type": "array",
          "items": {
@@ -7482,8 +7485,8 @@
          "$ref": "#/definitions/v1Time"
        },
        "message": {
-          "description": "Message contains the message associated with the revision, most likely the commit message.",
-          "type": "string"
+          "type": "string",
+          "title": "Message contains the message associated with the revision, most likely the commit message.\nThe message is truncated to the first newline or 64 characters (which ever comes first)"
        },
        "signatureInfo": {
          "description": "SignatureInfo contains a hint on the signer if the revision was signed with GPG, and signature verification is enabled.",
--- a/cmd/argocd-applicationset-controller/commands/applicationset_controller.go
+++ b/cmd/argocd-applicationset-controller/commands/applicationset_controller.go
@@ -39,7 +39,7 @@ import (
 	argosettings "github.com/argoproj/argo-cd/v2/util/settings"
 )

-// TODO: load this using Cobra.
+// TODO: load this using Cobra. https://github.com/argoproj/argo-cd/issues/10157
 func getSubmoduleEnabled() bool {
 	return env.ParseBoolFromEnv(common.EnvGitSubmoduleEnabled, true)
 }
@@ -195,16 +195,16 @@ func NewCommand() *cobra.Command {
 	command.Flags().StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
 	command.Flags().StringVar(&probeBindAddr, "probe-addr", ":8081", "The address the probe endpoint binds to.")
 	command.Flags().StringVar(&webhookAddr, "webhook-addr", ":7000", "The address the webhook endpoint binds to.")
-	command.Flags().BoolVar(&enableLeaderElection, "enable-leader-election", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_LEADER_ELECTION", false),
+	command.Flags().BoolVar(&enableLeaderElection, "enable-leader-election", false,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
-	command.Flags().StringVar(&namespace, "namespace", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_NAMESPACE", ""), "Argo CD repo namespace (default: argocd)")
-	command.Flags().StringVar(&argocdRepoServer, "argocd-repo-server", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER", common.DefaultRepoServerAddr), "Argo CD repo server address")
-	command.Flags().StringVar(&policy, "policy", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_POLICY", "sync"), "Modify how application is synced between the generator and the cluster. Default is 'sync' (create & update & delete), options: 'create-only', 'create-update' (no deletion)")
-	command.Flags().BoolVar(&debugLog, "debug", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_DEBUG", false), "Print debug logs. Takes precedence over loglevel")
-	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_LOGFORMAT", "text"), "Set the logging format. One of: text|json")
-	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_LOGLEVEL", "info"), "Set the logging level. One of: debug|info|warn|error")
-	command.Flags().BoolVar(&dryRun, "dry-run", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN", false), "Enable dry run mode")
+	command.Flags().StringVar(&namespace, "namespace", "", "Argo CD repo namespace (default: argocd)")
+	command.Flags().StringVar(&argocdRepoServer, "argocd-repo-server", "argocd-repo-server:8081", "Argo CD repo server address")
+	command.Flags().StringVar(&policy, "policy", "sync", "Modify how application is synced between the generator and the cluster. Default is 'sync' (create & update & delete), options: 'create-only', 'create-update' (no deletion)")
+	command.Flags().BoolVar(&debugLog, "debug", false, "Print debug logs. Takes precedence over loglevel")
+	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", "text", "Set the logging format. One of: text|json")
+	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
+	command.Flags().BoolVar(&dryRun, "dry-run", false, "Enable dry run mode")
 	return &command
 }

--- a/cmd/argocd/commands/account.go
+++ b/cmd/argocd/commands/account.go
@@ -44,7 +44,6 @@ func NewAccountCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	command.AddCommand(NewAccountGenerateTokenCommand(clientOpts))
 	command.AddCommand(NewAccountGetCommand(clientOpts))
 	command.AddCommand(NewAccountDeleteTokenCommand(clientOpts))
-	command.AddCommand(NewBcryptCmd())
 	return command
 }

--- a/cmd/argocd/commands/admin/app.go
+++ b/cmd/argocd/commands/admin/app.go
@@ -292,11 +292,11 @@ func saveToFile(err error, outputFormat string, result reconcileResults, outputP
 	switch outputFormat {
 	case "yaml":
 		if data, err = yaml.Marshal(result); err != nil {
-			return fmt.Errorf("error marshalling yaml: %w", err)
+			return err
 		}
 	case "json":
 		if data, err = json.Marshal(result); err != nil {
-			return fmt.Errorf("error marshalling json: %w", err)
+			return err
 		}
 	default:
 		return fmt.Errorf("format %s is not supported", outputFormat)
--- a/cmd/argocd/commands/admin/cluster.go
+++ b/cmd/argocd/commands/admin/cluster.go
@@ -221,11 +221,11 @@ func printStatsSummary(clusters []ClusterWithInfo) {
 func runClusterNamespacesCommand(ctx context.Context, clientConfig clientcmd.ClientConfig, action func(appClient *versioned.Clientset, argoDB db.ArgoDB, clusters map[string][]string) error) error {
 	clientCfg, err := clientConfig.ClientConfig()
 	if err != nil {
-		return fmt.Errorf("error while creating client config: %w", err)
+		return err
 	}
 	namespace, _, err := clientConfig.Namespace()
 	if err != nil {
-		return fmt.Errorf("error while getting namespace from client config: %w", err)
+		return err
 	}

 	kubeClient := kubernetes.NewForConfigOrDie(clientCfg)
@@ -235,16 +235,17 @@ func runClusterNamespacesCommand(ctx context.Context, clientConfig clientcmd.Cli
 	argoDB := db.NewDB(namespace, settingsMgr, kubeClient)
 	clustersList, err := argoDB.ListClusters(ctx)
 	if err != nil {
-		return fmt.Errorf("error listing clusters: %w", err)
+		return err
 	}
 	appItems, err := appClient.ArgoprojV1alpha1().Applications(namespace).List(ctx, v1.ListOptions{})
 	if err != nil {
-		return fmt.Errorf("error listing application: %w", err)
+		return err
 	}
 	apps := appItems.Items
 	for i, app := range apps {
-		if err := argo.ValidateDestination(ctx, &app.Spec.Destination, argoDB); err != nil {
-			return fmt.Errorf("error validating application destination: %w", err)
+		err := argo.ValidateDestination(ctx, &app.Spec.Destination, argoDB)
+		if err != nil {
+			return err
 		}
 		apps[i] = app
 	}
@@ -348,14 +349,15 @@ func NewClusterEnableNamespacedMode() *cobra.Command {

 					cluster, err := argoDB.GetCluster(ctx, server)
 					if err != nil {
-						return fmt.Errorf("error getting cluster from server: %w", err)
+						return err
 					}
 					cluster.Namespaces = namespaces
 					cluster.ClusterResources = clusterResources
 					fmt.Printf("Setting cluster %s namespaces to %v...", server, namespaces)
 					if !dryRun {
-						if _, err = argoDB.UpdateCluster(ctx, cluster); err != nil {
-							return fmt.Errorf("error updating cluster: %w", err)
+						_, err = argoDB.UpdateCluster(ctx, cluster)
+						if err != nil {
+							return err
 						}
 						fmt.Println("done")
 					} else {
@@ -403,7 +405,7 @@ func NewClusterDisableNamespacedMode() *cobra.Command {

 					cluster, err := argoDB.GetCluster(ctx, server)
 					if err != nil {
-						return fmt.Errorf("error getting cluster from server: %w", err)
+						return err
 					}

 					if len(cluster.Namespaces) == 0 {
@@ -413,8 +415,9 @@ func NewClusterDisableNamespacedMode() *cobra.Command {
 					cluster.Namespaces = nil
 					fmt.Printf("Disabling namespaced mode for cluster %s...", server)
 					if !dryRun {
-						if _, err = argoDB.UpdateCluster(ctx, cluster); err != nil {
-							return fmt.Errorf("error updating cluster: %w", err)
+						_, err = argoDB.UpdateCluster(ctx, cluster)
+						if err != nil {
+							return err
 						}
 						fmt.Println("done")
 					} else {
--- a/cmd/argocd/commands/admin/generatespec_utils.go
+++ b/cmd/argocd/commands/admin/generatespec_utils.go
@@ -43,7 +43,7 @@ func PrintResources(output string, out io.Writer, resources ...interface{}) erro
 		}
 		filteredResource, err := omitFields(resource)
 		if err != nil {
-			return fmt.Errorf("error omitting filtered fields from the resource: %w", err)
+			return err
 		}
 		resources[i] = filteredResource
 	}
@@ -56,14 +56,14 @@ func PrintResources(output string, out io.Writer, resources ...interface{}) erro
 	case "json":
 		jsonBytes, err := json.MarshalIndent(obj, "", "  ")
 		if err != nil {
-			return fmt.Errorf("error marshaling json: %w", err)
+			return err
 		}

 		_, _ = fmt.Fprintln(out, string(jsonBytes))
 	case "yaml":
 		yamlBytes, err := yaml.Marshal(obj)
 		if err != nil {
-			return fmt.Errorf("error marshaling yaml: %w", err)
+			return err
 		}
 		// marshaled YAML already ends with the new line character
 		_, _ = fmt.Fprint(out, string(yamlBytes))
--- a/cmd/argocd/commands/admin/notifications.go
+++ b/cmd/argocd/commands/admin/notifications.go
@@ -33,7 +33,7 @@ func NewNotificationsCommand() *cobra.Command {
 	var argocdService service.Service
 	toolsCommand := cmd.NewToolsCommand(
 		"notifications",
-		"notifications",
+		"argocd admin notifications",
 		applications,
 		settings.GetFactorySettings(argocdService, "argocd-notifications-secret", "argocd-notifications-cm"), func(clientConfig clientcmd.ClientConfig) {
 			k8sCfg, err := clientConfig.ClientConfig()
--- a/cmd/argocd/commands/admin/project.go
+++ b/cmd/argocd/commands/admin/project.go
@@ -106,13 +106,13 @@ func saveProject(ctx context.Context, updated v1alpha1.AppProject, orig v1alpha1
 	errors.CheckError(err)
 	live, err := kube.ToUnstructured(&orig)
 	if err != nil {
-		return fmt.Errorf("error converting project to unstructured: %w", err)
+		return err
 	}
 	_ = cli.PrintDiff(updated.Name, target, live)
 	if !dryRun {
 		_, err = projectsIf.Update(ctx, &updated, v1.UpdateOptions{})
 		if err != nil {
-			return fmt.Errorf("error while updating project:  %w", err)
+			return err
 		}
 	}
 	return nil
@@ -188,7 +188,7 @@ func NewUpdatePolicyRuleCommand() *cobra.Command {
 func updateProjects(ctx context.Context, projIf appclient.AppProjectInterface, projectGlob string, rolePattern string, action string, modification func(string, string) string, dryRun bool) error {
 	projects, err := projIf.List(ctx, v1.ListOptions{})
 	if err != nil {
-		return fmt.Errorf("error listing the projects: %w", err)
+		return err
 	}
 	for _, proj := range projects.Items {
 		if !globMatch(projectGlob, proj.Name) {
@@ -225,7 +225,7 @@ func updateProjects(ctx context.Context, projIf appclient.AppProjectInterface, p
 		if updated {
 			err = saveProject(ctx, proj, *origProj, projIf, dryRun)
 			if err != nil {
-				return fmt.Errorf("error saving the project: %w", err)
+				return err
 			}
 		}
 	}
--- a/cmd/argocd/commands/admin/settings.go
+++ b/cmd/argocd/commands/admin/settings.go
@@ -206,7 +206,7 @@ var validatorsByGroup = map[string]settingValidator{
 			}
 			ssoProvider = "Dex"
 		} else if general.OIDCConfigRAW != "" {
-			if _, err := settings.UnmarshalOIDCConfig(general.OIDCConfigRAW); err != nil {
+			if err := settings.ValidateOIDCConfig(general.OIDCConfigRAW); err != nil {
 				return "", fmt.Errorf("invalid oidc.config: %v", err)
 			}
 			ssoProvider = "OIDC"
--- a/cmd/argocd/commands/app.go
+++ b/cmd/argocd/commands/app.go
@@ -964,7 +964,7 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co

 					diffOption.serversideRes = res
 				} else {
-					fmt.Fprintf(os.Stderr, "Warning: local diff without --server-side-generate is deprecated and does not work with plugins. Server-side generation will be the default in v2.6.")
+					fmt.Fprintf(os.Stderr, "Warning: local diff without --server-side-generate is deprecated and does not work with plugins. Server-side generation will be the default in v2.7.")
 					conn, clusterIf := clientset.NewClusterClientOrDie()
 					defer argoio.Close(conn)
 					cluster, err := clusterIf.Get(ctx, &clusterpkg.ClusterQuery{Name: app.Spec.Destination.Name, Server: app.Spec.Destination.Server})
@@ -2427,12 +2427,12 @@ func NewApplicationEditCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			cli.InteractiveEdit(fmt.Sprintf("%s-*-edit.yaml", appName), appData, func(input []byte) error {
 				input, err = yaml.YAMLToJSON(input)
 				if err != nil {
-					return fmt.Errorf("error converting YAML to JSON: %w", err)
+					return err
 				}
 				updatedSpec := argoappv1.ApplicationSpec{}
 				err = json.Unmarshal(input, &updatedSpec)
 				if err != nil {
-					return fmt.Errorf("error unmarshaling input into application spec: %w", err)
+					return err
 				}

 				var appOpts cmdutil.AppOptions
@@ -2444,9 +2444,9 @@ func NewApplicationEditCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 					AppNamespace: &appNs,
 				})
 				if err != nil {
-					return fmt.Errorf("failed to update application spec: %w", err)
+					return fmt.Errorf("Failed to update application spec:\n%v", err)
 				}
-				return nil
+				return err
 			})
 		},
 	}
--- a/cmd/argocd/commands/applicationset.go
+++ b/cmd/argocd/commands/applicationset.go
@@ -342,16 +342,19 @@ func printAppSetSummaryTable(appSet *arogappsetv1.ApplicationSet) {
 	fmt.Printf(printOpFmtStr, "Path:", appSet.Spec.Template.Spec.Source.Path)
 	printAppSourceDetails(&appSet.Spec.Template.Spec.Source)

-	var syncPolicy string
-	if appSet.Spec.SyncPolicy != nil && appSet.Spec.Template.Spec.SyncPolicy.Automated != nil {
-		syncPolicy = "Automated"
-		if appSet.Spec.Template.Spec.SyncPolicy.Automated.Prune {
-			syncPolicy += " (Prune)"
+	var (
+		syncPolicyStr string
+		syncPolicy = appSet.Spec.Template.Spec.SyncPolicy
+	)
+	if syncPolicy != nil && syncPolicy.Automated != nil {
+		syncPolicyStr = "Automated"
+		if syncPolicy.Automated.Prune {
+			syncPolicyStr += " (Prune)"
 		}
 	} else {
-		syncPolicy = "<none>"
+		syncPolicyStr = "<none>"
 	}
-	fmt.Printf(printOpFmtStr, "SyncPolicy:", syncPolicy)
+	fmt.Printf(printOpFmtStr, "SyncPolicy:", syncPolicyStr)

 }

--- a/cmd/argocd/commands/applicationset_test.go
+++ b/cmd/argocd/commands/applicationset_test.go
@@ -1,6 +1,8 @@
 package commands

 import (
+	"io/ioutil"
+	"os"
 	"testing"

 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
@@ -68,3 +70,124 @@ func TestPrintApplicationSetTable(t *testing.T) {
 	expectation := "NAME      NAMESPACE  PROJECT  SYNCPOLICY  CONDITIONS\napp-name             default  nil         [{ResourcesUpToDate  <nil> True }]\napp-name             default  nil         [{ResourcesUpToDate  <nil> True }]\n"
 	assert.Equal(t, expectation, output)
 }
+
+func TestPrintAppSetSummaryTable(t *testing.T) {
+	baseAppSet := &arogappsetv1.ApplicationSet{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "app-name",
+		},
+		Spec: arogappsetv1.ApplicationSetSpec{
+			Generators: []arogappsetv1.ApplicationSetGenerator{
+				arogappsetv1.ApplicationSetGenerator{
+					Git: &arogappsetv1.GitGenerator{
+						RepoURL:  "https://github.com/argoproj/argo-cd.git",
+						Revision: "head",
+						Directories: []arogappsetv1.GitDirectoryGeneratorItem{
+							arogappsetv1.GitDirectoryGeneratorItem{
+								Path: "applicationset/examples/git-generator-directory/cluster-addons/*",
+							},
+						},
+					},
+				},
+			},
+			Template: arogappsetv1.ApplicationSetTemplate{
+				Spec: v1alpha1.ApplicationSpec{
+					Project: "default",
+				},
+			},
+		},
+		Status: arogappsetv1.ApplicationSetStatus{
+			Conditions: []arogappsetv1.ApplicationSetCondition{
+				arogappsetv1.ApplicationSetCondition{
+					Status: v1alpha1.ApplicationSetConditionStatusTrue,
+					Type:   arogappsetv1.ApplicationSetConditionResourcesUpToDate,
+				},
+			},
+		},
+	}
+
+	appsetSpecSyncPolicy := baseAppSet.DeepCopy()
+	appsetSpecSyncPolicy.Spec.SyncPolicy = &arogappsetv1.ApplicationSetSyncPolicy{
+		PreserveResourcesOnDeletion: true,
+	}
+
+	appSetTemplateSpecSyncPolicy := baseAppSet.DeepCopy()
+	appSetTemplateSpecSyncPolicy.Spec.Template.Spec.SyncPolicy = &arogappsetv1.SyncPolicy{
+		Automated: &arogappsetv1.SyncPolicyAutomated{
+			SelfHeal: true,
+		},
+	}
+
+	appSetBothSyncPolicies := baseAppSet.DeepCopy()
+	appSetBothSyncPolicies.Spec.SyncPolicy = &arogappsetv1.ApplicationSetSyncPolicy{
+		PreserveResourcesOnDeletion: true,
+	}
+	appSetBothSyncPolicies.Spec.Template.Spec.SyncPolicy = &arogappsetv1.SyncPolicy{
+		Automated: &arogappsetv1.SyncPolicyAutomated{
+			SelfHeal: true,
+		},
+	}
+
+	for _, tt := range []struct {
+		name           string
+		appSet         *arogappsetv1.ApplicationSet
+		expectedOutput string
+	}{
+		{
+			name:   "appset with only spec.syncPolicy set",
+			appSet: appsetSpecSyncPolicy,
+			expectedOutput: `Name:               app-name
+Project:            default
+Server:             
+Namespace:          
+Repo:               
+Target:             
+Path:               
+SyncPolicy:         <none>
+`,
+		},
+		{
+			name:   "appset with only spec.template.spec.syncPolicy set",
+			appSet: appSetTemplateSpecSyncPolicy,
+			expectedOutput: `Name:               app-name
+Project:            default
+Server:             
+Namespace:          
+Repo:               
+Target:             
+Path:               
+SyncPolicy:         Automated
+`,
+		},
+		{
+			name:   "appset with both spec.SyncPolicy and spec.template.spec.syncPolicy set",
+			appSet: appSetBothSyncPolicies,
+			expectedOutput: `Name:               app-name
+Project:            default
+Server:             
+Namespace:          
+Repo:               
+Target:             
+Path:               
+SyncPolicy:         Automated
+`,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			oldStdout := os.Stdout
+			defer func() {
+				os.Stdout = oldStdout
+			}()
+
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+
+			printAppSetSummaryTable(tt.appSet)
+			w.Close()
+
+			out, err := ioutil.ReadAll(r)
+			assert.NoError(t, err)
+			assert.Equal(t, tt.expectedOutput, string(out))
+		})
+	}
+}
--- a/cmd/argocd/commands/bcrypt.go
+++ b/cmd/argocd/commands/bcrypt.go
@@ -1,36 +0,0 @@
-package commands
-
-import (
-	"fmt"
-	"log"
-
-	"github.com/spf13/cobra"
-	"golang.org/x/crypto/bcrypt"
-)
-
-// bcryptCmd represents the bcrypt command
-func NewBcryptCmd() *cobra.Command {
-	var (
-		password string
-	)
-	var bcryptCmd = &cobra.Command{
-		Use:   "bcrypt",
-		Short: "Generate bcrypt hash for the admin password",
-		Run: func(cmd *cobra.Command, args []string) {
-			bytePassword := []byte(password)
-			// Hashing the password
-			hash, err := bcrypt.GenerateFromPassword(bytePassword, bcrypt.DefaultCost)
-			if err != nil {
-				log.Fatalf("Failed to genarate bcrypt hash: %v", err)
-			}
-			fmt.Fprint(cmd.OutOrStdout(), string(hash))
-		},
-	}
-
-	bcryptCmd.Flags().StringVar(&password, "password", "", "Password for which bcrypt hash is generated")
-	err := bcryptCmd.MarkFlagRequired("password")
-	if err != nil {
-		return nil
-	}
-	return bcryptCmd
-}
--- a/cmd/argocd/commands/bcrypt_test.go
+++ b/cmd/argocd/commands/bcrypt_test.go
@@ -1,22 +0,0 @@
-package commands
-
-import (
-	"bytes"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"golang.org/x/crypto/bcrypt"
-)
-
-func TestGeneratePassword(t *testing.T) {
-	bcryptCmd := NewBcryptCmd()
-	bcryptCmd.SetArgs([]string{"--password", "abc"})
-	output := new(bytes.Buffer)
-	bcryptCmd.SetOutput(output)
-	err := bcryptCmd.Execute()
-	if err != nil {
-		return
-	}
-	err = bcrypt.CompareHashAndPassword(output.Bytes(), []byte("abc"))
-	assert.NoError(t, err)
-}
--- a/cmd/argocd/commands/common.go
+++ b/cmd/argocd/commands/common.go
@@ -22,13 +22,13 @@ func PrintResource(resource interface{}, output string) error {
 	case "json":
 		jsonBytes, err := json.MarshalIndent(resource, "", "  ")
 		if err != nil {
-			return fmt.Errorf("unable to marshal resource to json: %w", err)
+			return err
 		}
 		fmt.Println(string(jsonBytes))
 	case "yaml":
 		yamlBytes, err := yaml.Marshal(resource)
 		if err != nil {
-			return fmt.Errorf("unable to marshal resource to yaml: %w", err)
+			return err
 		}
 		fmt.Print(string(yamlBytes))
 	default:
@@ -56,13 +56,13 @@ func PrintResourceList(resources interface{}, output string, single bool) error
 	case "json":
 		jsonBytes, err := json.MarshalIndent(resources, "", "  ")
 		if err != nil {
-			return fmt.Errorf("unable to marshal resources to json: %w", err)
+			return err
 		}
 		fmt.Println(string(jsonBytes))
 	case "yaml":
 		yamlBytes, err := yaml.Marshal(resources)
 		if err != nil {
-			return fmt.Errorf("unable to marshal resources to yaml: %w", err)
+			return err
 		}
 		fmt.Print(string(yamlBytes))
 	default:
--- a/cmd/argocd/commands/project.go
+++ b/cmd/argocd/commands/project.go
@@ -863,23 +863,23 @@ func NewProjectEditCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comman
 			cli.InteractiveEdit(fmt.Sprintf("%s-*-edit.yaml", projName), projData, func(input []byte) error {
 				input, err = yaml.YAMLToJSON(input)
 				if err != nil {
-					return fmt.Errorf("error converting YAML to JSON: %w", err)
+					return err
 				}
 				updatedSpec := v1alpha1.AppProjectSpec{}
 				err = json.Unmarshal(input, &updatedSpec)
 				if err != nil {
-					return fmt.Errorf("error unmarshaling input into application spec: %w", err)
+					return err
 				}
 				proj, err := projIf.Get(ctx, &projectpkg.ProjectQuery{Name: projName})
 				if err != nil {
-					return fmt.Errorf("could not get project by project name: %w", err)
+					return err
 				}
 				proj.Spec = updatedSpec
 				_, err = projIf.Update(ctx, &projectpkg.ProjectUpdateRequest{Project: proj})
 				if err != nil {
-					return fmt.Errorf("failed to update project:\n%w", err)
+					return fmt.Errorf("Failed to update project:\n%v", err)
 				}
-				return nil
+				return err
 			})
 		},
 	}
--- a/cmd/argocd/commands/root.go
+++ b/cmd/argocd/commands/root.go
@@ -41,7 +41,7 @@ func NewCommand() *cobra.Command {
 	}

 	command.AddCommand(NewCompletionCommand())
-	command.AddCommand(initialize.InitCommand(NewVersionCmd(&clientOpts, nil)))
+	command.AddCommand(initialize.InitCommand(NewVersionCmd(&clientOpts)))
 	command.AddCommand(initialize.InitCommand(NewClusterCommand(&clientOpts, pathOpts)))
 	command.AddCommand(initialize.InitCommand(NewApplicationCommand(&clientOpts)))
 	command.AddCommand(initialize.InitCommand(NewAppSetCommand(&clientOpts)))
--- a/cmd/argocd/commands/version.go
+++ b/cmd/argocd/commands/version.go
@@ -17,7 +17,7 @@ import (
 )

 // NewVersionCmd returns a new `version` command to be used as a sub-command to root
-func NewVersionCmd(clientOpts *argocdclient.ClientOptions, serverVersion *version.VersionMessage) *cobra.Command {
+func NewVersionCmd(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
 		short  bool
 		client bool
@@ -54,12 +54,7 @@ func NewVersionCmd(clientOpts *argocdclient.ClientOptions, serverVersion *versio
 				}

 				if !client {
-					var sv *version.VersionMessage
-					if serverVersion == nil {
-						sv = getServerVersion(ctx, clientOpts, cmd)
-					} else {
-						sv = serverVersion
-					}
+					sv := getServerVersion(ctx, clientOpts, cmd)

 					if short {
 						v["server"] = map[string]string{"argocd-server": sv.Version}
@@ -73,13 +68,8 @@ func NewVersionCmd(clientOpts *argocdclient.ClientOptions, serverVersion *versio
 			case "wide", "short", "":
 				fmt.Fprint(cmd.OutOrStdout(), printClientVersion(&cv, short || (output == "short")))
 				if !client {
-					var sv *version.VersionMessage
-					if serverVersion == nil {
-						sv = getServerVersion(ctx, clientOpts, cmd)
-					} else {
-						sv = serverVersion
-					}
-					fmt.Fprint(cmd.OutOrStdout(), printServerVersion(sv, short || (output == "short")))
+					sv := getServerVersion(ctx, clientOpts, cmd)
+					printServerVersion(sv, short || (output == "short"))
 				}
 			default:
 				log.Fatalf("unknown output format: %s", output)
@@ -119,45 +109,44 @@ func printClientVersion(version *common.Version, short bool) string {
 	return output
 }

-func printServerVersion(version *version.VersionMessage, short bool) string {
-	output := fmt.Sprintf("%s: %s\n", "argocd-server", version.Version)
+func printServerVersion(version *version.VersionMessage, short bool) {
+	fmt.Printf("%s: %s\n", "argocd-server", version.Version)

 	if short {
-		return output
+		return
 	}

 	if version.BuildDate != "" {
-		output += fmt.Sprintf("  BuildDate: %s\n", version.BuildDate)
+		fmt.Printf("  BuildDate: %s\n", version.BuildDate)
 	}
 	if version.GitCommit != "" {
-		output += fmt.Sprintf("  GitCommit: %s\n", version.GitCommit)
+		fmt.Printf("  GitCommit: %s\n", version.GitCommit)
 	}
 	if version.GitTreeState != "" {
-		output += fmt.Sprintf("  GitTreeState: %s\n", version.GitTreeState)
+		fmt.Printf("  GitTreeState: %s\n", version.GitTreeState)
 	}
 	if version.GitTag != "" {
-		output += fmt.Sprintf("  GitTag: %s\n", version.GitTag)
+		fmt.Printf("  GitTag: %s\n", version.GitTag)
 	}
 	if version.GoVersion != "" {
-		output += fmt.Sprintf("  GoVersion: %s\n", version.GoVersion)
+		fmt.Printf("  GoVersion: %s\n", version.GoVersion)
 	}
 	if version.Compiler != "" {
-		output += fmt.Sprintf("  Compiler: %s\n", version.Compiler)
+		fmt.Printf("  Compiler: %s\n", version.Compiler)
 	}
 	if version.Platform != "" {
-		output += fmt.Sprintf("  Platform: %s\n", version.Platform)
+		fmt.Printf("  Platform: %s\n", version.Platform)
 	}
 	if version.KustomizeVersion != "" {
-		output += fmt.Sprintf("  Kustomize Version: %s\n", version.KustomizeVersion)
+		fmt.Printf("  Kustomize Version: %s\n", version.KustomizeVersion)
 	}
 	if version.HelmVersion != "" {
-		output += fmt.Sprintf("  Helm Version: %s\n", version.HelmVersion)
+		fmt.Printf("  Helm Version: %s\n", version.HelmVersion)
 	}
 	if version.KubectlVersion != "" {
-		output += fmt.Sprintf("  Kubectl Version: %s\n", version.KubectlVersion)
+		fmt.Printf("  Kubectl Version: %s\n", version.KubectlVersion)
 	}
 	if version.JsonnetVersion != "" {
-		output += fmt.Sprintf("  Jsonnet Version: %s\n", version.JsonnetVersion)
+		fmt.Printf("  Jsonnet Version: %s\n", version.JsonnetVersion)
 	}
-	return output
 }
--- a/cmd/argocd/commands/version_test.go
+++ b/cmd/argocd/commands/version_test.go
@@ -5,13 +5,12 @@ import (
 	"testing"

 	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
-	"github.com/argoproj/argo-cd/v2/pkg/apiclient/version"
 	"github.com/stretchr/testify/assert"
 )

-func TestShortVersionClient(t *testing.T) {
+func TestShortVersion(t *testing.T) {
 	buf := new(bytes.Buffer)
-	cmd := NewVersionCmd(&argocdclient.ClientOptions{}, nil)
+	cmd := NewVersionCmd(&argocdclient.ClientOptions{})
 	cmd.SetOutput(buf)
 	cmd.SetArgs([]string{"version", "--short", "--client"})
 	err := cmd.Execute()
@@ -21,17 +20,3 @@ func TestShortVersionClient(t *testing.T) {
 	output := buf.String()
 	assert.Equal(t, output, "argocd: v99.99.99+unknown\n")
 }
-
-func TestShortVersion(t *testing.T) {
-	serverVersion := &version.VersionMessage{Version: "v99.99.99+unknown"}
-	buf := new(bytes.Buffer)
-	cmd := NewVersionCmd(&argocdclient.ClientOptions{}, serverVersion)
-	cmd.SetOutput(buf)
-	cmd.SetArgs([]string{"argocd", "version", "--short"})
-	err := cmd.Execute()
-	if err != nil {
-		t.Fatal("Failed to execute short version command")
-	}
-	output := buf.String()
-	assert.Equal(t, output, "argocd: v99.99.99+unknown\nargocd-server: v99.99.99+unknown\n")
-}
--- a/cmd/util/applicationset.go
+++ b/cmd/util/applicationset.go
@@ -40,7 +40,7 @@ func readAppsetFromURI(fileURL string, appset *[]*argoprojiov1alpha1.Application

 	yml, err := readFilePayload()
 	if err != nil {
-		return fmt.Errorf("error reading file payload: %w", err)
+		return err
 	}

 	return readAppset(yml, appset)
@@ -49,18 +49,18 @@ func readAppsetFromURI(fileURL string, appset *[]*argoprojiov1alpha1.Application
 func readAppset(yml []byte, appsets *[]*argoprojiov1alpha1.ApplicationSet) error {
 	yamls, err := kube.SplitYAMLToString(yml)
 	if err != nil {
-		return fmt.Errorf("error splitting YAML to string: %w", err)
+		return err
 	}

 	for _, yml := range yamls {
 		var appset argoprojiov1alpha1.ApplicationSet
 		err = config.Unmarshal([]byte(yml), &appset)
 		if err != nil {
-			return fmt.Errorf("error unmarshalling appset: %w", err)
+			return err
 		}
 		*appsets = append(*appsets, &appset)

 	}
-
-	return fmt.Errorf("error reading app set: %w", err)
+	// we reach here if there is no error found while reading the Application Set
+	return nil
 }
--- a/cmd/util/project.go
+++ b/cmd/util/project.go
@@ -138,7 +138,7 @@ func readProjFromURI(fileURL string, proj *v1alpha1.AppProject) error {
 	} else {
 		err = config.UnmarshalRemoteFile(fileURL, &proj)
 	}
-	return fmt.Errorf("error reading proj from uri: %w", err)
+	return err
 }

 func SetProjSpecOptions(flags *pflag.FlagSet, spec *v1alpha1.AppProjectSpec, projOpts *ProjectOpts) int {
--- a/cmpserver/plugin/plugin.go
+++ b/cmpserver/plugin/plugin.go
@@ -203,6 +203,11 @@ func (s *Service) generateManifest(ctx context.Context, appDir string, envEntrie

 	manifests, err := kube.SplitYAMLToString([]byte(out))
 	if err != nil {
+		sanitizedManifests := manifests
+		if len(sanitizedManifests) > 1000 {
+			sanitizedManifests = manifests[:1000]
+		}
+		log.Debugf("Failed to split generated manifests. Beginning of generated manifests: %q", sanitizedManifests)
 		return &apiclient.ManifestResponse{}, err
 	}

--- a/common/common.go
+++ b/common/common.go
@@ -1,12 +1,15 @@
 package common

 import (
+	"errors"
 	"os"
 	"path/filepath"
 	"strconv"
 	"time"

 	"github.com/sirupsen/logrus"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 )

 // Default service addresses and URLS of Argo CD internal services
@@ -316,3 +319,10 @@ const (
 	SecurityMedium    = 2 // Could indicate malicious events, but has a high likelihood of being user/system error (i.e. access denied)
 	SecurityLow       = 1 // Unexceptional entries (i.e. successful access logs)
 )
+
+// Common error messages
+const TokenVerificationError = "failed to verify the token"
+
+var TokenVerificationErr = errors.New(TokenVerificationError)
+
+var PermissionDeniedAPIError = status.Error(codes.PermissionDenied, "permission denied")
--- a/controller/appcontroller.go
+++ b/controller/appcontroller.go
@@ -335,7 +335,7 @@ func (ctrl *ApplicationController) handleObjectUpdated(managedByApp map[string]b
 		}

 		if !ctrl.canProcessApp(obj) {
-			// Don't force refresh app if app belongs to a different controller shard
+			// Don't force refresh app if app belongs to a different controller shard or is outside the allowed namespaces.
 			continue
 		}

@@ -907,7 +907,7 @@ func (ctrl *ApplicationController) processProjectQueueItem() (processNext bool)
 func (ctrl *ApplicationController) finalizeProjectDeletion(proj *appv1.AppProject) error {
 	apps, err := ctrl.appLister.Applications(ctrl.namespace).List(labels.Everything())
 	if err != nil {
-		return fmt.Errorf("error listing applications: %w", err)
+		return err
 	}
 	appsCount := 0
 	for i := range apps {
@@ -1077,7 +1077,7 @@ func (ctrl *ApplicationController) finalizeApplicationDeletion(app *appv1.Applic
 func (ctrl *ApplicationController) removeCascadeFinalizer(app *appv1.Application) error {
 	_, err := ctrl.getAppProj(app)
 	if err != nil {
-		return fmt.Errorf("error getting project: %w", err)
+		return err
 	}
 	app.UnSetCascadedDeletion()
 	var patch []byte
@@ -1256,12 +1256,12 @@ func (ctrl *ApplicationController) setOperationState(app *appv1.Application, sta
 		}
 		patchJSON, err := json.Marshal(patch)
 		if err != nil {
-			return fmt.Errorf("error marshaling json: %w", err)
+			return err
 		}
 		if app.Status.OperationState != nil && app.Status.OperationState.FinishedAt != nil && state.FinishedAt == nil {
 			patchJSON, err = jsonpatch.MergeMergePatches(patchJSON, []byte(`{"status": {"operationState": {"finishedAt": null}}}`))
 			if err != nil {
-				return fmt.Errorf("error merging operation state patch: %w", err)
+				return err
 			}
 		}

@@ -1272,7 +1272,7 @@ func (ctrl *ApplicationController) setOperationState(app *appv1.Application, sta
 			if apierr.IsNotFound(err) {
 				return nil
 			}
-			return fmt.Errorf("error patching application with operation state: %w", err)
+			return err
 		}
 		log.Infof("updated '%s' operation (phase: %s)", app.QualifiedName(), state.Phase)
 		if state.Phase.Completed() {
@@ -1497,17 +1497,7 @@ func (ctrl *ApplicationController) refreshAppConditions(app *appv1.Application)
 	errorConditions := make([]appv1.ApplicationCondition, 0)
 	proj, err := ctrl.getAppProj(app)
 	if err != nil {
-		if apierr.IsNotFound(err) {
-			errorConditions = append(errorConditions, appv1.ApplicationCondition{
-				Type:    appv1.ApplicationConditionInvalidSpecError,
-				Message: fmt.Sprintf("Application referencing project %s which does not exist", app.Spec.Project),
-			})
-		} else {
-			errorConditions = append(errorConditions, appv1.ApplicationCondition{
-				Type:    appv1.ApplicationConditionUnknownError,
-				Message: err.Error(),
-			})
-		}
+		errorConditions = append(errorConditions, ctrl.projectErrorToCondition(err, app))
 	} else {
 		specConditions, err := argo.ValidatePermissions(context.Background(), &app.Spec, proj, ctrl.db)
 		if err != nil {
@@ -1729,6 +1719,13 @@ func (ctrl *ApplicationController) canProcessApp(obj interface{}) bool {
 	if !ok {
 		return false
 	}
+
+	// Only process given app if it exists in a watched namespace, or in the
+	// control plane's namespace.
+	if app.Namespace != ctrl.namespace && !glob.MatchStringInList(ctrl.applicationNamespaces, app.Namespace, false) {
+		return false
+	}
+
 	if ctrl.clusterFilter != nil {
 		cluster, err := ctrl.db.GetCluster(context.Background(), app.Spec.Destination.Server)
 		if err != nil {
@@ -1737,12 +1734,6 @@ func (ctrl *ApplicationController) canProcessApp(obj interface{}) bool {
 		return ctrl.clusterFilter(cluster)
 	}

-	// Only process given app if it exists in a watched namespace, or in the
-	// control plane's namespace.
-	if app.Namespace != ctrl.namespace && !glob.MatchStringInList(ctrl.applicationNamespaces, app.Namespace, false) {
-		return false
-	}
-
 	return true
 }

@@ -1798,7 +1789,7 @@ func (ctrl *ApplicationController) newApplicationInformerAndLister() (cache.Shar
 					// If the application is not allowed to use the project,
 					// log an error.
 					if _, err := ctrl.getAppProj(app); err != nil {
-						ctrl.setAppCondition(app, appv1.ApplicationCondition{Type: appv1.ApplicationConditionUnknownError, Message: err.Error()})
+						ctrl.setAppCondition(app, ctrl.projectErrorToCondition(err, app))
 					}
 				}

@@ -1869,6 +1860,19 @@ func (ctrl *ApplicationController) newApplicationInformerAndLister() (cache.Shar
 	return informer, lister
 }

+func (ctrl *ApplicationController) projectErrorToCondition(err error, app *appv1.Application) appv1.ApplicationCondition {
+	var condition appv1.ApplicationCondition
+	if apierr.IsNotFound(err) {
+		condition = appv1.ApplicationCondition{
+			Type:    appv1.ApplicationConditionInvalidSpecError,
+			Message: fmt.Sprintf("Application referencing project %s which does not exist", app.Spec.Project),
+		}
+	} else {
+		condition = appv1.ApplicationCondition{Type: appv1.ApplicationConditionUnknownError, Message: err.Error()}
+	}
+	return condition
+}
+
 func (ctrl *ApplicationController) RegisterClusterSecretUpdater(ctx context.Context) {
 	updater := NewClusterInfoUpdater(ctrl.stateCache, ctrl.db, ctrl.appLister.Applications(""), ctrl.cache, ctrl.clusterFilter, ctrl.getAppProj, ctrl.namespace)
 	go updater.Run(ctx)
--- a/controller/appcontroller_test.go
+++ b/controller/appcontroller_test.go
@@ -1068,6 +1068,34 @@ func TestUpdateReconciledAt(t *testing.T) {

 }

+func TestProjectErrorToCondition(t *testing.T) {
+	app := newFakeApp()
+	app.Spec.Project = "wrong project"
+	ctrl := newFakeController(&fakeData{
+		apps: []runtime.Object{app, &defaultProj},
+		manifestResponse: &apiclient.ManifestResponse{
+			Manifests: []string{},
+			Namespace: test.FakeDestNamespace,
+			Server:    test.FakeClusterURL,
+			Revision:  "abc123",
+		},
+		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
+	})
+	key, _ := cache.MetaNamespaceKeyFunc(app)
+	ctrl.appRefreshQueue.Add(key)
+	ctrl.requestAppRefresh(app.Name, CompareWithRecent.Pointer(), nil)
+
+	ctrl.processAppRefreshQueueItem()
+
+	obj, ok, err := ctrl.appInformer.GetIndexer().GetByKey(key)
+	assert.True(t, ok)
+	assert.NoError(t, err)
+	updatedApp := obj.(*argoappv1.Application)
+	assert.Equal(t, argoappv1.ApplicationConditionInvalidSpecError, updatedApp.Status.Conditions[0].Type)
+	assert.Equal(t, "Application referencing project wrong project which does not exist", updatedApp.Status.Conditions[0].Message)
+	assert.Equal(t, argoappv1.ApplicationConditionInvalidSpecError, updatedApp.Status.Conditions[0].Type)
+}
+
 func TestFinalizeProjectDeletion_HasApplications(t *testing.T) {
 	app := newFakeApp()
 	proj := &argoappv1.AppProject{ObjectMeta: metav1.ObjectMeta{Name: "default", Namespace: test.FakeArgoCDNamespace}}
@@ -1345,3 +1373,31 @@ func TestToAppKey(t *testing.T) {
 		})
 	}
 }
+
+func Test_canProcessApp(t *testing.T) {
+	app := newFakeApp()
+	ctrl := newFakeController(&fakeData{apps: []runtime.Object{app}})
+	ctrl.applicationNamespaces = []string{"good"}
+	t.Run("without cluster filter, good namespace", func(t *testing.T) {
+		app.Namespace = "good"
+		canProcess := ctrl.canProcessApp(app)
+		assert.True(t, canProcess)
+	})
+	t.Run("without cluster filter, bad namespace", func(t *testing.T) {
+		app.Namespace = "bad"
+		canProcess := ctrl.canProcessApp(app)
+		assert.False(t, canProcess)
+	})
+	t.Run("with cluster filter, good namespace", func(t *testing.T) {
+		app.Namespace = "good"
+		ctrl.clusterFilter = func(_ *argoappv1.Cluster) bool { return true }
+		canProcess := ctrl.canProcessApp(app)
+		assert.True(t, canProcess)
+	})
+	t.Run("with cluster filter, bad namespace", func(t *testing.T) {
+		app.Namespace = "bad"
+		ctrl.clusterFilter = func(_ *argoappv1.Cluster) bool { return true }
+		canProcess := ctrl.canProcessApp(app)
+		assert.False(t, canProcess)
+	})
+}
--- a/controller/cache/cache.go
+++ b/controller/cache/cache.go
@@ -382,7 +382,7 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e

 	cluster, err := c.db.GetCluster(context.Background(), server)
 	if err != nil {
-		return nil, fmt.Errorf("error getting cluster: %w", err)
+		return nil, err
 	}

 	if !c.canHandleCluster(cluster) {
@@ -456,11 +456,11 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 func (c *liveStateCache) getSyncedCluster(server string) (clustercache.ClusterCache, error) {
 	clusterCache, err := c.getCluster(server)
 	if err != nil {
-		return nil, fmt.Errorf("error getting cluster: %w", err)
+		return nil, err
 	}
 	err = clusterCache.EnsureSynced()
 	if err != nil {
-		return nil, fmt.Errorf("error synchronizing cache state : %w", err)
+		return nil, err
 	}
 	return clusterCache, nil
 }
@@ -594,7 +594,7 @@ func (c *liveStateCache) watchSettings(ctx context.Context) {
 func (c *liveStateCache) Init() error {
 	cacheSettings, err := c.loadCacheSettings()
 	if err != nil {
-		return fmt.Errorf("error loading cache settings: %w", err)
+		return err
 	}
 	c.cacheSettings = *cacheSettings
 	return nil
--- a/controller/clusterinfoupdater.go
+++ b/controller/clusterinfoupdater.go
@@ -3,7 +3,7 @@ package controller
 import (
 	"context"
 	"time"
-	"fmt"
+
 	"github.com/argoproj/gitops-engine/pkg/cache"
 	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 	log "github.com/sirupsen/logrus"
@@ -93,7 +93,7 @@ func (c *clusterInfoUpdater) updateClusters() {
 func (c *clusterInfoUpdater) updateClusterInfo(cluster appv1.Cluster, info *cache.ClusterInfo) error {
 	apps, err := c.appLister.List(labels.Everything())
 	if err != nil {
-		return fmt.Errorf("error while fetching the apps list: %w", err)
+		return err
 	}
 	var appCount int64
 	for _, a := range apps {
--- a/controller/health.go
+++ b/controller/health.go
@@ -41,30 +41,27 @@ func setApplicationHealth(resources []managedResource, statuses []appv1.Resource
 				savedErr = err
 			}
 		}
+		if healthStatus != nil {
+			if persistResourceHealth {
+				resHealth := appv1.HealthStatus{Status: healthStatus.Status, Message: healthStatus.Message}
+				statuses[i].Health = &resHealth
+			} else {
+				statuses[i].Health = nil
+			}

-		if healthStatus == nil {
-			continue
-		}
+			// Is health status is missing but resource has not built-in/custom health check then it should not affect parent app health
+			if _, hasOverride := healthOverrides[lua.GetConfigMapKey(gvk)]; healthStatus.Status == health.HealthStatusMissing && !hasOverride && health.GetHealthCheckFunc(gvk) == nil {
+				continue
+			}

-		if persistResourceHealth {
-			resHealth := appv1.HealthStatus{Status: healthStatus.Status, Message: healthStatus.Message}
-			statuses[i].Health = &resHealth
-		} else {
-			statuses[i].Health = nil
-		}
+			// Missing or Unknown health status of child Argo CD app should not affect parent
+			if res.Kind == application.ApplicationKind && res.Group == application.Group && (healthStatus.Status == health.HealthStatusMissing || healthStatus.Status == health.HealthStatusUnknown) {
+				continue
+			}

-		// Is health status is missing but resource has not built-in/custom health check then it should not affect parent app health
-		if _, hasOverride := healthOverrides[lua.GetConfigMapKey(gvk)]; healthStatus.Status == health.HealthStatusMissing && !hasOverride && health.GetHealthCheckFunc(gvk) == nil {
-			continue
-		}
-
-		// Missing or Unknown health status of child Argo CD app should not affect parent
-		if res.Kind == application.ApplicationKind && res.Group == application.Group && (healthStatus.Status == health.HealthStatusMissing || healthStatus.Status == health.HealthStatusUnknown) {
-			continue
-		}
-
-		if health.IsWorse(appHealth.Status, healthStatus.Status) {
-			appHealth.Status = healthStatus.Status
+			if health.IsWorse(appHealth.Status, healthStatus.Status) {
+				appHealth.Status = healthStatus.Status
+			}
 		}
 	}
 	if persistResourceHealth {
--- a/controller/metrics/metrics.go
+++ b/controller/metrics/metrics.go
@@ -13,7 +13,7 @@ import (
 	"github.com/argoproj/gitops-engine/pkg/health"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
-	"github.com/robfig/cron/v3"
+	"github.com/robfig/cron"
 	log "github.com/sirupsen/logrus"
 	"k8s.io/apimachinery/pkg/labels"

@@ -193,10 +193,7 @@ func NewMetricsServer(addr string, appLister applister.ApplicationLister, appFil
 		redisRequestCounter:     redisRequestCounter,
 		redisRequestHistogram:   redisRequestHistogram,
 		hostname:                hostname,
-		// This cron is used to expire the metrics cache.
-		// Currently clearing the metrics cache is logging and deleting from the map
-		// so there is no possibility of panic, but we will add a chain to keep robfig/cron v1 behavior.
-		cron: cron.New(cron.WithChain(cron.Recover(cron.PrintfLogger(log.StandardLogger())))),
+		cron:                    cron.New(),
 	}, nil
 }

@@ -284,7 +281,7 @@ func (m *MetricsServer) SetExpiration(cacheExpiration time.Duration) error {
 		return errors.New("Expiration is already set")
 	}

-	_, err := m.cron.AddFunc(fmt.Sprintf("@every %s", cacheExpiration), func() {
+	err := m.cron.AddFunc(fmt.Sprintf("@every %s", cacheExpiration), func() {
 		log.Infof("Reset Prometheus metrics based on existing expiration '%v'", cacheExpiration)
 		m.syncCounter.Reset()
 		m.kubectlExecCounter.Reset()
--- a/controller/state.go
+++ b/controller/state.go
@@ -514,7 +514,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 		}
 		gvk := obj.GroupVersionKind()

-		isSelfReferencedObj := m.isSelfReferencedObj(liveObj, appLabelKey, trackingMethod)
+		isSelfReferencedObj := m.isSelfReferencedObj(liveObj, targetObj, app.GetName(), appLabelKey, trackingMethod)

 		resState := v1alpha1.ResourceStatus{
 			Namespace:       obj.GetNamespace(),
@@ -659,7 +659,7 @@ func (m *appStateManager) persistRevisionHistory(app *v1alpha1.Application, revi
 		},
 	})
 	if err != nil {
-		return fmt.Errorf("error marshaling revision history patch: %w", err)
+		return err
 	}
 	_, err = m.appclientset.ArgoprojV1alpha1().Applications(app.Namespace).Patch(context.Background(), app.Name, types.MergePatchType, patch, metav1.PatchOptions{})
 	return err
@@ -699,12 +699,13 @@ func NewAppStateManager(
 }

 // isSelfReferencedObj returns whether the given obj is managed by the application
-// according to the values in the tracking annotation. It returns true when all
-// of the properties in the annotation (name, namespace, group and kind) match
-// the properties of the inspected object, or if the tracking method used does
-// not provide the required properties for matching.
-func (m *appStateManager) isSelfReferencedObj(obj *unstructured.Unstructured, appLabelKey string, trackingMethod v1alpha1.TrackingMethod) bool {
-	if obj == nil {
+// according to the values of the tracking id (aka app instance value) annotation.
+// It returns true when all of the properties of the tracking id (app name, namespace,
+// group and kind) match the properties of the live object, or if the tracking method
+// used does not provide the required properties for matching.
+// Reference: https://github.com/argoproj/argo-cd/issues/8683
+func (m *appStateManager) isSelfReferencedObj(live, config *unstructured.Unstructured, appName, appLabelKey string, trackingMethod v1alpha1.TrackingMethod) bool {
+	if live == nil {
 		return true
 	}

@@ -714,17 +715,42 @@ func (m *appStateManager) isSelfReferencedObj(obj *unstructured.Unstructured, ap
 		return true
 	}

-	// In order for us to assume obj to be managed by this application, the
-	// values from the annotation have to match the properties from the live
-	// object. Cluster scoped objects carry the app's destination namespace
-	// in the tracking annotation, but are unique in GVK + name combination.
-	appInstance := m.resourceTracking.GetAppInstance(obj, appLabelKey, trackingMethod)
-	if appInstance != nil {
-		return (obj.GetNamespace() == appInstance.Namespace || obj.GetNamespace() == "") &&
-			obj.GetName() == appInstance.Name &&
-			obj.GetObjectKind().GroupVersionKind().Group == appInstance.Group &&
-			obj.GetObjectKind().GroupVersionKind().Kind == appInstance.Kind
+	// config != nil is the best-case scenario for constructing an accurate
+	// Tracking ID. `config` is the "desired state" (from git/helm/etc.).
+	// Using the desired state is important when there is an ApiGroup upgrade.
+	// When upgrading, the comparison must be made with the new tracking ID.
+	// Example:
+	//     live resource annotation will be:
+	//        ingress-app:extensions/Ingress:default/some-ingress
+	//     when it should be:
+	//        ingress-app:networking.k8s.io/Ingress:default/some-ingress
+	// More details in: https://github.com/argoproj/argo-cd/pull/11012
+	var aiv argo.AppInstanceValue
+	if config != nil {
+		aiv = argo.UnstructuredToAppInstanceValue(config, appName, "")
+		return isSelfReferencedObj(live, aiv)
 	}

+	// If config is nil then compare the live resource with the value
+	// of the annotation. In this case, in order to validate if obj is
+	// managed by this application, the values from the annotation have
+	// to match the properties from the live object. Cluster scoped objects
+	// carry the app's destination namespace in the tracking annotation,
+	// but are unique in GVK + name combination.
+	appInstance := m.resourceTracking.GetAppInstance(live, appLabelKey, trackingMethod)
+	if appInstance != nil {
+		return isSelfReferencedObj(live, *appInstance)
+	}
 	return true
 }
+
+// isSelfReferencedObj returns true if the given Tracking ID (`aiv`) matches
+// the given object. It returns false when the ID doesn't match. This sometimes
+// happens when a tracking label or annotation gets accidentally copied to a
+// different resource.
+func isSelfReferencedObj(obj *unstructured.Unstructured, aiv argo.AppInstanceValue) bool {
+	return (obj.GetNamespace() == aiv.Namespace || obj.GetNamespace() == "") &&
+		obj.GetName() == aiv.Name &&
+		obj.GetObjectKind().GroupVersionKind().Group == aiv.Group &&
+		obj.GetObjectKind().GroupVersionKind().Kind == aiv.Kind
+}
--- a/controller/state_test.go
+++ b/controller/state_test.go
@@ -13,6 +13,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	v1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -852,6 +853,19 @@ func TestIsLiveResourceManaged(t *testing.T) {
 			},
 		},
 	})
+	managedWrongAPIGroup := kube.MustToUnstructured(&networkingv1.Ingress{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "networking.k8s.io/v1",
+			Kind:       "Ingress",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "some-ingress",
+			Namespace: "default",
+			Annotations: map[string]string{
+				common.AnnotationKeyAppInstance: "guestbook:extensions/Ingress:default/some-ingress",
+			},
+		},
+	})
 	ctrl := newFakeController(&fakeData{
 		apps: []runtime.Object{app, &defaultProj},
 		manifestResponse: &apiclient.ManifestResponse{
@@ -870,30 +884,69 @@ func TestIsLiveResourceManaged(t *testing.T) {
 	})

 	manager := ctrl.appStateManager.(*appStateManager)
+	appName := "guestbook"

-	// Managed resource w/ annotations
-	assert.True(t, manager.isSelfReferencedObj(managedObj, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
-	assert.True(t, manager.isSelfReferencedObj(managedObj, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+	t.Run("will return true if trackingid matches the resource", func(t *testing.T) {
+		// given
+		t.Parallel()
+		configObj := managedObj.DeepCopy()

-	// Managed resource w/ label
-	assert.True(t, manager.isSelfReferencedObj(managedObjWithLabel, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+		// then
+		assert.True(t, manager.isSelfReferencedObj(managedObj, configObj, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+		assert.True(t, manager.isSelfReferencedObj(managedObj, configObj, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+	})
+	t.Run("will return true if tracked with label", func(t *testing.T) {
+		// given
+		t.Parallel()
+		configObj := managedObjWithLabel.DeepCopy()

-	// Wrong resource name
-	assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
-	assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+		// then
+		assert.True(t, manager.isSelfReferencedObj(managedObjWithLabel, configObj, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+	})
+	t.Run("will handle if trackingId has wrong resource name and config is nil", func(t *testing.T) {
+		// given
+		t.Parallel()

-	// Wrong resource group
-	assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongGroup, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
-	assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongGroup, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+		// then
+		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongName, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongName, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+	})
+	t.Run("will handle if trackingId has wrong resource group and config is nil", func(t *testing.T) {
+		// given
+		t.Parallel()

-	// Wrong resource kind
-	assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongKind, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
-	assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongKind, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+		// then
+		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongGroup, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongGroup, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+	})
+	t.Run("will handle if trackingId has wrong kind and config is nil", func(t *testing.T) {
+		// given
+		t.Parallel()

-	// Wrong resource namespace
-	assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongNamespace, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
-	assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongNamespace, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotationAndLabel))
+		// then
+		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongKind, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongKind, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+	})
+	t.Run("will handle if trackingId has wrong namespace and config is nil", func(t *testing.T) {
+		// given
+		t.Parallel()

-	// Nil resource
-	assert.True(t, manager.isSelfReferencedObj(nil, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+		// then
+		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongNamespace, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongNamespace, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotationAndLabel))
+	})
+	t.Run("will return true if live is nil", func(t *testing.T) {
+		t.Parallel()
+		assert.True(t, manager.isSelfReferencedObj(nil, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+	})
+
+	t.Run("will handle upgrade in desired state APIGroup", func(t *testing.T) {
+		// given
+		t.Parallel()
+		config := managedWrongAPIGroup.DeepCopy()
+		delete(config.GetAnnotations(), common.AnnotationKeyAppInstance)
+
+		// then
+		assert.True(t, manager.isSelfReferencedObj(managedWrongAPIGroup, config, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+	})
 }
--- a/controller/sync.go
+++ b/controller/sync.go
@@ -246,7 +246,7 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 		sync.WithResourcesFilter(func(key kube.ResourceKey, target *unstructured.Unstructured, live *unstructured.Unstructured) bool {
 			return (len(syncOp.Resources) == 0 ||
 				argo.ContainsSyncResource(key.Name, key.Namespace, schema.GroupVersionKind{Kind: key.Kind, Group: key.Group}, syncOp.Resources)) &&
-				m.isSelfReferencedObj(live, appLabelKey, trackingMethod)
+				m.isSelfReferencedObj(live, target, app.GetName(), appLabelKey, trackingMethod)
 		}),
 		sync.WithManifestValidation(!syncOp.SyncOptions.HasOption(common.SyncOptionsDisableValidation)),
 		sync.WithNamespaceCreation(syncOp.SyncOptions.HasOption("CreateNamespace=true"), func(un *unstructured.Unstructured) bool {
--- a/docs/developer-guide/bug_bounty.md
+++ b/docs/developer-guide/bug_bounty.md
@@ -1,15 +0,0 @@
-Money given to the Argo CD project as part of the Internet Bug Bounty program is used in three ways:
-
-1. To reward CVE patch contributors
-2. To offer bounties on security enhancements (as announced by label/comment on Issues)
-3. To sponsor security-relevant dependencies
-
-If someone’s primary full-time job responsibility is to work on Argo CD, then their eligibility to receive this money is limited. (Determining this is up to the maintainers’ discretion. Someone who contributes an average of three commits per week during work hours probably meets the definition. A first-time contributor who uses Argo CD daily as an SRE does not.)
-
-A full-time Argo CD author is not eligible to receive rewards for CVE patch contributions. This avoids any risk of the appearance that a full-time Argo CD author is incentivized to introduce CVEs.
-
-A full-time Argo CD author is eligible to receive bounties for security enhancements if and only if the vast majority of the work is done in their free time (non-work hours). Busy work like resolving merge conflicts during work hours is acceptable (to avoid over-burdening the process).
-
-An Argo CD dependency is eligible to receive donations if it is listed in the Argo CD SBOM or if it is a binary invoked by Argo CD (like Helm). The dependency is not eligible for donations if a full-time Argo CD author is the primary author of the dependency.
-
-Offers and transfers of rewards, bounties, and donations will be made from time to time by the Argo CD maintainers, based on the current project needs and the amount of money available from IBB. The process should be lightweight and consensus-based for now. If necessary, a more structured system can be established based on experience gained from early rewards/bounties/donations
--- a/docs/developer-guide/contributors-quickstart.md
+++ b/docs/developer-guide/contributors-quickstart.md
@@ -0,0 +1,112 @@
+# Contributors Quick-Start 
+
+This guide is a starting point for first-time contributors running Argo CD locally for the first time.
+
+It skips advanced topics such as codegen, which are covered in the [running locally guide](running-locally.md)
+and the [toolchain guide](toolchain-guide.md).
+
+## Getting Started
+
+### Install Go
+
+- Install version 1.18 or newer (Verify version by running `go version`)
+
+- Get current value of `GOPATH` env:
+   ```shell
+   go env | grep path
+   ```
+- Change directory into that path
+   ```shell
+   cd <path>
+   ```
+
+### Clone the Argo CD repo
+
+```shell
+mkdir -p src/github.com/argoproj/ &&
+cd src/github.com/argoproj &&
+git clone https://github.com/argoproj/argo-cd.git
+```
+
+### Install Docker
+
+<https://docs.docker.com/engine/install/>
+
+### Install or Upgrade `kind` (Optional - Should work with any local cluster)
+
+<https://kind.sigs.k8s.io/docs/user/quick-start/>
+
+### Start Your Local Cluster
+
+```shell
+kind create cluster
+```
+
+### Install Argo CD
+
+```shell
+kubectl create namespace argocd &&
+kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/master/manifests/install.yaml
+```
+
+Set kubectl config to avoid specifying the namespace in every kubectl command.  
+All following commands in this guide assume the namespace is already set.
+
+```shell
+kubectl config set-context --current --namespace=argocd
+```
+
+### Install `yarn`
+
+<https://classic.yarnpkg.com/lang/en/docs/install/>
+
+### Install `goreman`
+
+<https://github.com/mattn/goreman#getting-started>
+
+### Run Argo CD
+
+```shell
+cd argo-cd
+make start-local ARGOCD_GPG_ENABLED=false
+```
+
+- Navigate to <localhost:4000> to the ArgoCD UI on browser
+- It may take a few minutes for the UI to be responsive
+
+!!! note
+    If the UI is not working, check the logs from `make start-local`. The logs are `DEBUG` level by default. If the logs are
+    too noisy to find the problem, try editing log levels for the commands in the `Procfile` in the root of the Argo CD repo.
+
+## Making Changes
+
+### UI Changes
+
+Modifying the User-Interface (by editing .tsx or .scss files) auto-reloads the changes on port 4000.
+
+### Backend Changes
+
+Modifying the API server, repo server, or a controller requires restarting the current `make start-local` session to reflect the changes.
+
+### CLI Changes
+
+Modifying the CLI requires restarting the current `make start-local` session to reflect the changes.
+
+To test most CLI commands, you will need to log in.
+
+First, get the auto-generated secret:
+
+```shell
+kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo
+```
+
+Then log in using that password and username `admin`:
+
+```shell
+dist/argocd login localhost:8080
+```
+
+---
+Congrats on making it to the end of this runbook! 🚀
+
+For more on Argo CD, find us in Slack - <https://slack.cncf.io/> [#argo-contributors](https://cloud-native.slack.com/archives/C020XM04CUW)
--- a/docs/developer-guide/debugging-remote-environment.md
+++ b/docs/developer-guide/debugging-remote-environment.md
@@ -20,34 +20,6 @@ curl -sSfL https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/i
 ## Connect
 Connect to one of the services, for example, to debug the main ArgoCD server run:
 ```shell
-telepresence helm install # Installs telepresence into your cluster
-telepresence connect # Starts the connection to your cluster
-telepresence intercept argocd-server --port 8083:8083 --port 8080:8080 --env-file .envrc.remote --namespace argocd # Starts the interception
-```
-* `--port` forwards traffic of remote ports 8080 and 8083 to the same ports locally
-* `--env-file` writes all the environment variables of the remote pod into a local file, the variables are also set on the subprocess of the `--run` command
-* `--namespace` specifies that the `argocd-server` is located in the `argocd` namespace
-
-List current status of Telepresence using:
-```shell
-telepresence status
-```
-
-Stop the intercept using:
-```shell
-telepresence leave argocd-server-argocd
-```
-
-And uninstall telepresence from your cluster:
-```shell
-telepresence helm uninstall
-```
-
-See [this quickstart](https://www.telepresence.io/docs/latest/howtos/intercepts/) for more information on how to intercept services using Telepresence.
-
-### Connect (telepresence v1)
-Use the following command instead:
-```shell
 telepresence --swap-deployment argocd-server --namespace argocd --env-file .envrc.remote --expose 8080:8080 --expose 8083:8083 --run bash
 ```
 * `--swap-deployment` changes the argocd-server deployment
@@ -55,6 +27,7 @@ telepresence --swap-deployment argocd-server --namespace argocd --env-file .envr
 * `--env-file` writes all the environment variables of the remote pod into a local file, the variables are also set on the subprocess of the `--run` command
 * `--run` defines which command to run once a connection is established, use `bash`, `zsh` or others

+
 ## Debug
 Once a connection is established, use your favorite tools to start the server locally.

@@ -71,14 +44,13 @@ Update the configuration file to point to kubeconfig file: `KUBECONFIG=` (requir
            "type": "go",
            "request": "launch",
            "mode": "auto",
-            "program": "${workspaceFolder}/cmd/main.go",
+            "program": "${workspaceFolder}/cmd/argocd-server",
            "envFile": [
                "${workspaceFolder}/.envrc.remote",
            ],
            "env": {
-                "ARGOCD_BINARY_NAME": "argocd-server",
                "CGO_ENABLED": "0",
                "KUBECONFIG": "/path/to/kube/config"
            }
        }
-```
+```
--- a/docs/developer-guide/faq.md
+++ b/docs/developer-guide/faq.md
@@ -4,7 +4,7 @@

 ### Can I discuss my contribution ideas somewhere?

-Sure thing! You can either open an Enhancement Proposal in our GitHub issue tracker or you can [join us on Slack](https://argoproj.github.io/community/join-slack) in channel #argo-contributors to discuss your ideas and get guidance for submitting a PR.
+Sure thing! You can either open an Enhancement Proposal in our GitHub issue tracker or you can [join us on Slack](https://argoproj.github.io/community/join-slack) in channel #argo-dev to discuss your ideas and get guidance for submitting a PR.

 ### No one has looked at my PR yet. Why?

--- a/docs/faq.md
+++ b/docs/faq.md
@@ -45,9 +45,10 @@ a secret named `argocd-initial-admin-secret`.
 To change the password, edit the `argocd-secret` secret and update the `admin.password` field with a new bcrypt hash.

 !!! note "Generating a bcrypt hash"
-    Use the following command to generate a bcrypt hash for `admin.password`
+    Use a trustworthy, offline `bcrypt` implementation such as the [Python bcrypt library](https://pypi.org/project/bcrypt/) to generate the hash.

-        argocd account bcrypt --password <YOUR-PASSWORD-HERE>
+        pip3 install bcrypt
+        python3 -c "import bcrypt; print(bcrypt.hashpw(b'YOUR-PASSWORD-HERE', bcrypt.gensalt()).decode())"

 To apply the new password hash, use the following command (replacing the hash with your own):

@@ -122,9 +123,9 @@ To terminate the sync, click on the "synchronisation" then "terminate":

 ![Synchronization](assets/synchronization-button.png) ![Terminate](assets/terminate-button.png)

-## Why Is My App Out Of Sync Even After Syncing?
+## Why Is My App `Out Of Sync` Even After Syncing?

-Is some cases, the tool you use may conflict with Argo CD by adding the `app.kubernetes.io/instance` label. E.g. using
+In some cases, the tool you use may conflict with Argo CD by adding the `app.kubernetes.io/instance` label. E.g. using
 Kustomize common labels feature.

 Argo CD automatically sets the `app.kubernetes.io/instance` label and uses it to determine which resources form the app.
@@ -142,7 +143,7 @@ The default polling interval is 3 minutes (180 seconds).
 You can change the setting by updating the `timeout.reconciliation` value in the [argocd-cm](https://github.com/argoproj/argo-cd/blob/2d6ce088acd4fb29271ffb6f6023dbb27594d59b/docs/operator-manual/argocd-cm.yaml#L279-L282) config map. If there are any Git changes, ArgoCD will only update applications with the [auto-sync setting](user-guide/auto_sync.md) enabled. If you set it to `0` then Argo CD will stop polling Git repositories automatically and you can only use alternative methods such as [webhooks](operator-manual/webhook.md) and/or manual syncs for deploying applications.


-## Why Are My Resource Limits Out Of Sync?
+## Why Are My Resource Limits `Out Of Sync`?

 Kubernetes has normalized your resource limits when they are applied, and then Argo CD has then compared the version in
 your generated manifests to the normalized one is Kubernetes - they won't match.
@@ -157,7 +158,7 @@ E.g.
 To fix this use diffing
 customizations [settings](./user-guide/diffing.md#known-kubernetes-types-in-crds-resource-limits-volume-mounts-etc).

-## How Do I Fix "invalid cookie, longer than max length 4093"?
+## How Do I Fix `invalid cookie, longer than max length 4093`?

 Argo CD uses a JWT as the auth token. You likely are part of many groups and have gone over the 4KB limit which is set
 for cookies. You can get the list of groups by opening "developer tools -> network"
@@ -224,4 +225,38 @@ resource.customizations.health.bitnami.com_SealedSecret: |
  hs.status = "Healthy"
  hs.message = "Controller doesn't report resource status"
  return hs
-```
+```
+
+## How do I fix `The order in patch list … doesn't match $setElementOrder list: …`?
+
+An application may trigger a sync error labeled a `ComparisonError` with a message like:
+
+> The order in patch list: [map[name:**KEY_BC** value:150] map[name:**KEY_BC** value:500] map[name:**KEY_BD** value:250] map[name:**KEY_BD** value:500] map[name:KEY_BI value:something]] doesn't match $setElementOrder list: [map[name:KEY_AA] map[name:KEY_AB] map[name:KEY_AC] map[name:KEY_AD] map[name:KEY_AE] map[name:KEY_AF] map[name:KEY_AG] map[name:KEY_AH] map[name:KEY_AI] map[name:KEY_AJ] map[name:KEY_AK] map[name:KEY_AL] map[name:KEY_AM] map[name:KEY_AN] map[name:KEY_AO] map[name:KEY_AP] map[name:KEY_AQ] map[name:KEY_AR] map[name:KEY_AS] map[name:KEY_AT] map[name:KEY_AU] map[name:KEY_AV] map[name:KEY_AW] map[name:KEY_AX] map[name:KEY_AY] map[name:KEY_AZ] map[name:KEY_BA] map[name:KEY_BB] map[name:**KEY_BC**] map[name:**KEY_BD**] map[name:KEY_BE] map[name:KEY_BF] map[name:KEY_BG] map[name:KEY_BH] map[name:KEY_BI] map[name:**KEY_BC**] map[name:**KEY_BD**]]
+
+
+There are two parts to the message:
+
+1. `The order in patch list: [`
+
+    This identifies values for items, especially items that appear multiple times:
+
+    > map[name:**KEY_BC** value:150] map[name:**KEY_BC** value:500] map[name:**KEY_BD** value:250] map[name:**KEY_BD** value:500] map[name:KEY_BI value:something]
+
+    You'll want to identify the keys that are duplicated -- you can focus on the first part, as each duplicated key will appear, once for each of its value with its value in the first list. The second list is really just 
+
+   `]`
+
+2. `doesn't match $setElementOrder list: [`
+
+    This includes all of the keys. It's included for debugging purposes -- you don't need to pay much attention to it. It will give you a hint about the precise location in the list for the duplicated keys:
+
+    > map[name:KEY_AA] map[name:KEY_AB] map[name:KEY_AC] map[name:KEY_AD] map[name:KEY_AE] map[name:KEY_AF] map[name:KEY_AG] map[name:KEY_AH] map[name:KEY_AI] map[name:KEY_AJ] map[name:KEY_AK] map[name:KEY_AL] map[name:KEY_AM] map[name:KEY_AN] map[name:KEY_AO] map[name:KEY_AP] map[name:KEY_AQ] map[name:KEY_AR] map[name:KEY_AS] map[name:KEY_AT] map[name:KEY_AU] map[name:KEY_AV] map[name:KEY_AW] map[name:KEY_AX] map[name:KEY_AY] map[name:KEY_AZ] map[name:KEY_BA] map[name:KEY_BB] map[name:**KEY_BC**] map[name:**KEY_BD**] map[name:KEY_BE] map[name:KEY_BF] map[name:KEY_BG] map[name:KEY_BH] map[name:KEY_BI] map[name:**KEY_BC**] map[name:**KEY_BD**]
+   
+   `]`
+
+In this case, the duplicated keys have been **emphasized** to help you identify the problematic keys. Many editors have the ability to highlight all instances of a string, using such an editor can help with such problems.
+
+The most common instance of this error is with `env:` fields for `containers`.
+
+!!! note "Dynamic applications"
+    It's possible that your application is being generated by a tool in which case the duplication might not be evident within the scope of a single file. If you have trouble debugging this problem, consider filing a ticket to the owner of the generator tool asking them to improve its validation and error reporting.
--- a/docs/operator-manual/app-any-namespace.md
+++ b/docs/operator-manual/app-any-namespace.md
@@ -0,0 +1,220 @@
+# Applications in any namespace
+
+**Current feature state**: Beta
+
+!!! warning
+    Please read this documentation carefully before you enable this feature. Misconfiguration could lead to potential security issues.
+
+## Introduction
+
+As of version 2.5, Argo CD supports managing `Application` resources in namespaces other than the control plane's namespace (which is usually `argocd`), but this feature has to be explicitly enabled and configured appropriately.
+
+Argo CD administrators can define a certain set of namespaces where `Application` resources may be created, updated and reconciled in. However, applications in these additional namespaces will only be allowed to use certain `AppProjects`, as configured by the Argo CD administrators. This allows ordinary Argo CD users (e.g. application teams) to use patterns like declarative management of `Application` resources, implementing app-of-apps and others without the risk of a privilege escalation through usage of other `AppProjects` that would exceed the permissions granted to the application teams.
+
+Some manual steps will need to be performed by the Argo CD administrator in order to enable this feature. 
+
+!!! note
+    This feature is considered beta as of now. Some of the implementation details may change over the course of time until it is promoted to a stable status. We will be happy if early adopters use this feature and provide us with bug reports and feedback.
+    
+## Prerequisites
+
+### Cluster-scoped Argo CD installation
+
+This feature can only be enabled and used when your Argo CD is installed as a cluster-wide instance, so it has permissions to list and manipulate resources on a cluster scope. It will *not* work with an Argo CD installed in namespace-scoped mode.
+
+### Switch resource tracking method
+
+Also, while technically not necessary, it is strongly suggested that you switch the application tracking method from the default `label` setting to either `annotation` or `annotation+label`. The reasonsing for this is, that application names will be a composite of the namespace's name and the name of the `Application`, and this can easily exceed the 63 characters length limit imposed on label values. Annotations have a notably greater length limit.
+
+To enable annotation based resource tracking, refer to the documentation about [resource tracking methods](../../user-guide/resource_tracking/)
+
+## Implementation details
+
+### Overview
+
+In order for an application to be managed and reconciled outside the Argo CD's control plane namespace, two prerequisites must match:
+
+1. The `Application`'s namespace must be explicitly enabled using the `--application-namespaces` parameter for the `argocd-application-controller` and `argocd-server` workloads. This parameter controls the list of namespaces that Argo CD will be allowed to source `Application` resources from globally. Any namespace not configured here cannot be used from any `AppProject`.
+1. The `AppProject` referenced by the `.spec.project` field of the `Application` must have the namespace listed in its `.spec.sourceNamespaces` field. This setting will determine whether an `Application` may use a certain `AppProject`. If an `Application` specifies an `AppProject` that is not allowed, Argo CD refuses to process this `Application`. As stated above, any namespace configured in the `.spec.sourceNamespaces` field must also be enabled globally.
+
+`Applications` in different namespaces can be created and managed just like any other `Application` in the `argocd` namespace previously, either declaratively or through the Argo CD API (e.g. using the CLI, the web UI, the REST API, etc).
+
+### Reconfigure Argo CD to allow certain namespaces
+
+#### Change workload startup parameters
+
+In order to enable this feature, the Argo CD administrator must reconfigure the `argocd-server` and `argocd-application-controller` workloads to add the `--application-namespaces` parameter to the container's startup command.
+
+The `--application-namespaces` parameter takes a comma-separated list of namespaces where `Applications` are to be allowed in. Each entry of the list supports shell-style wildcards such as `*`, so for example the entry `app-team-*` would match `app-team-one` and `app-team-two`. To enable all namespaces on the cluster where Argo CD is running on, you can just specify `*`, i.e. `--application-namespaces=*`.
+
+The startup parameters for both, the `argocd-server` and the `argocd-application-controller` can also be conveniently set up and kept in sync by specifying the `application.namespaces` settings in the `argocd-cmd-params-cm` ConfigMap _instead_ of changing the manifests for the respective workloads. For example:
+
+```yaml
+data:
+  application.namespaces: app-team-one, app-team-two
+```
+
+would allow the `app-team-one` and `app-team-two` namespaces for managing `Application` resources. After a change to the `argocd-cmd-params-cm` namespace, the appropriate workloads need to be restarted:
+
+```bash
+kubectl rollout restart -n argocd deployment argocd-server
+kubectl rollout restart -n argocd statefulset argocd-application-controller
+```
+
+#### Adapt Kubernetes RBAC
+
+We decided to not extend the Kubernetes RBAC for the `argocd-server` workload by default for the time being. If you want `Applications` in other namespaces to be managed by the Argo CD API (i.e. the CLI and UI), you need to extend the Kubernetes permissions for the `argocd-server` ServiceAccount.
+
+We supply a `ClusterRole` and `ClusterRoleBinding` suitable for this purpose in the `examples/k8s-rbac/argocd-server-applications` directory. For a default Argo CD installation (i.e. installed to the `argocd` namespace), you can just apply them as-is:
+
+```shell
+kubectl apply -f examples/k8s-rbac/argocd-server-applications/
+```
+
+!!! note
+    At some later point in time, we may make this cluster role part of the default installation manifests.
+
+### Allowing additional namespaces in an AppProject
+
+Any user with Kubernetes access to the Argo CD control plane's namespace (`argocd`), especially those with permissions to create or update `Applications` in a declarative way, is to be considered an Argo CD admin.
+
+This prevented unprivileged Argo CD users from declaratively creating or managing `Applications` in the past. Those users were constrained to using the API instead, subject to Argo CD RBAC which ensures only `Applications` in allowed `AppProjects` were created.
+
+For an `Application` to be created outside the `argocd` namespace, the `AppProject` referred to in the `Application`'s `.spec.project` field must include the `Application`'s namespace in its `.spec.sourceNamespaces` field.
+
+For example, consider the two following (incomplete) `AppProject` specs:
+
+```yaml
+kind: AppProject
+apiVersion: argoproj.io/v1alpha1
+metadata:
+  name: project-one
+  namespace: argocd
+spec:
+  sourceNamespaces:
+  - namespace-one
+```
+
+and
+
+```yaml
+kind: AppProject
+apiVersion: argoproj.io/v1alpha1
+metadata:
+  name: project-two
+  namespace: argocd
+spec:
+  sourceNamespaces:
+  - namespace-two
+```
+
+In order for an Application to set `.spec.project` to `project-one`, it would have to be created in either namespace `namespace-one` or `argocd`. Likewise, in order for an Application to set `.spec.project` to `project-two`, it would have to be created in either namespace `namespace-two` or `argocd`.
+
+If an Application in `namespace-two` would set their `.spec.project` to `project-one` or an Application in `namespace-one` would set their `.spec.project` to `project-two`, Argo CD would consider this as a permission violation and refuse to reconcile the Application.
+
+Also, the Argo CD API will enforce these constraints, regardless of the Argo CD RBAC permissions.
+
+The `.spec.sourceNamespaces` field of the `AppProject` is a list that can contain an arbitrary amount of namespaces, and each entry supports shell-style wildcard, so that you can allow namespaces with patterns like `team-one-*`.
+
+!!! warning
+    Do not add user controlled namespaces in the `.spec.sourceNamespaces` field of any privileged AppProject like the `default` project. Always make sure that the AppProject follows the principle of granting least required privileges. Never grant access to the `argocd` namespace within the AppProject.
+
+!!! note
+    For backwards compatibility, Applications in the Argo CD control plane's namespace (`argocd`) are allowed to set their `.spec.project` field to reference any AppProject, regardless of the restrictions placed by the AppProject's `.spec.sourceNamespaces` field.
+  
+### Application names
+
+For the CLI and UI, applications are now referred to and displayed as in the format `<namespace>/<name>`. 
+
+For backwards compatibility, if the namespace of the Application is the control plane's namespace (i.e. `argocd`), the `<namespace>` can be omitted from the application name when referring to it. For example, the application names `argocd/someapp` and `someapp` are semantically the same and refer to the same application in the CLI and the UI.
+
+### Application RBAC
+
+The RBAC syntax for Application objects has been changed from `<project>/<application>` to `<project>/<namespace>/<application>` to accomodate the need to restrict access based on the source namespace of the Application to be managed.
+
+For backwards compatibility, Applications in the `argocd` namespace can still be refered to as `<project>/<application>` in the RBAC policy rules.
+
+Wildcards do not make any distinction between project and application namespaces yet. For example, the following RBAC rule would match any application belonging to project `foo`, regardless of the namespace it is created in:
+
+```
+p, somerole, applications, get, foo/*, allow
+```
+
+If you want to restrict access to be granted only to `Applications` in project `foo` within namespace `bar`, the rule would need to be adapted as follows:
+
+```
+p, somerole, applications, get, foo/bar/*, allow
+```
+  
+## Managing applications in other namespaces
+
+### Declaratively
+
+For declarative management of Applications, just create the Application from a YAML or JSON manifest in the desired namespace. Make sure that the `.spec.project` field refers to an AppProject that allows this namespace. For example, the following (incomplete) Application manifest creates an Application in the namespace `some-namespace`:
+
+```yaml
+kind: Application
+apiVersion: argoproj.io/v1alpha1
+metadata:
+  name: some-app
+  namespace: some-namespace
+spec:
+  project: some-project
+  # ...
+```
+
+The project `some-project` will then need to specify `some-namespace` in the list of allowed source namespaces, e.g.
+
+```yaml
+kind: AppProject
+apiVersion: argoproj.io/v1alpha1
+metadata:
+    name: some-project
+    namespace: argocd
+spec:
+    sourceNamespaces:
+    - some-namespace
+```
+
+### Using the CLI
+
+You can use all existing Argo CD CLI commands for managing applications in other namespaces, exactly as you would use the CLI to manage applications in the control plane's namespace.
+
+For example, to retrieve the `Application` named `foo` in the namespace `bar`, you can use the following CLI command:
+
+```shell
+argocd app get foo/bar
+```
+
+Likewise, to manage this application, keep referring to it as `foo/bar`:
+
+```bash
+# Create an application
+argocd app create foo/bar ...
+# Sync the application
+argocd app sync foo/bar
+# Delete the application
+argocd app delete foo/bar
+# Retrieve application's manifest
+argocd app manifests foo/bar
+```
+
+As stated previously, for applications in the Argo CD's control plane namespace, you can omit the namespace from the application name.
+
+### Using the UI
+
+Similar to the CLI, you can refer to the application in the UI as `foo/bar`.
+
+For example, to create an application named `bar` in the namespace `foo` in the web UI, set the application name in the creation dialogue's _Application Name_ field to `foo/bar`. If the namespace is omitted, the control plane's namespace will be used.
+
+### Using the REST API
+
+If you are using the REST API, the namespace for `Application` cannot be specified as the application name, and resources need to be specified using the optional `appNamespace` query parameter. For example, to work with the `Application` resource named `foo` in the namespace `bar`, the request would look like follows:
+
+```bash
+GET /api/v1/applications/foo?appNamespace=bar
+```
+
+For other operations such as `POST` and `PUT`, the `appNamespace` parameter must be part of the request's payload.
+
+For `Application` resources in the control plane namespace, this parameter can be omitted.
--- a/docs/operator-manual/application.yaml
+++ b/docs/operator-manual/application.yaml
@@ -45,6 +45,9 @@ spec:
      valueFiles:
      - values-prod.yaml

+      # Ignore locally missing valueFiles when installing Helm chart. Defaults to false
+      ignoreMissingValueFiles: false
+
      # Values file as block file
      values: |
        ingress:
@@ -61,6 +64,9 @@ spec:
              hosts:
                - mydomain.example.com

+      # Skip custom resource definition installation if chart contains custom resource definitions. Defaults to false
+      skipCrds: false
+
      # Optional Helm version to template with. If omitted it will fall back to look at the 'apiVersion' in Chart.yaml
      # and decide which Helm binary to use automatically. This field can be either 'v2' or 'v3'.
      version: v2
@@ -119,7 +125,10 @@ spec:

  # Destination cluster and namespace to deploy the application
  destination:
+    # cluster API URL
    server: https://kubernetes.default.svc
+    # or cluster name
+    # name: in-cluster
    # The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace
    namespace: guestbook

--- a/docs/operator-manual/applicationset/Generators-Pull-Request.md
+++ b/docs/operator-manual/applicationset/Generators-Pull-Request.md
@@ -60,7 +60,7 @@ spec:
 * `repo`: Required name of the GitHub repository.
 * `api`: If using GitHub Enterprise, the URL to access it. (Optional)
 * `tokenRef`: A `Secret` name and key containing the GitHub access token to use for requests. If not specified, will make anonymous requests which have a lower rate limit and can only see public repositories. (Optional)
-* `labels`: Labels is used to filter the PRs that you want to target. (Optional)
+* `labels`: Filter the PRs to those containing **all** of the labels listed. (Optional)
 * `appSecretName`: A `Secret` name containing a GitHub App secret in [repo-creds format][repo-creds].

 [repo-creds]: ../declarative-setup.md#repository-credentials
@@ -318,3 +318,7 @@ The Pull Request Generator will requeue when the next action occurs.
 - `merge`

 For more information about each event, please refer to the [official documentation](https://docs.gitlab.com/ee/user/project/integrations/webhook_events.html#merge-request-events).
+
+## Lifecycle
+
+An Application will be generated when a Pull Request is discovered when the configured criteria is met - i.e. for GitHub when a Pull Request matches the specified `labels` and/or `pullRequestState`. Application will be removed when a Pull Request no longer meets the specified criteria.
--- a/docs/operator-manual/applicationset/Generators-SCM-Provider.md
+++ b/docs/operator-manual/applicationset/Generators-SCM-Provider.md
@@ -219,6 +219,41 @@ spec:
 * `api`: Optional. URL to Azure DevOps. If not set, `https://dev.azure.com` is used.
 * `allBranches`: Optional, default `false`. If `true`, scans every branch of eligible repositories. If `false`, check only the default branch of the eligible repositories.

+## Bitbucket Cloud
+
+The Bitbucket mode uses the Bitbucket API V2 to scan a workspace in bitbucket.org.
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: myapps
+spec:
+  generators:
+  - scmProvider:
+      bitbucket:
+        # The workspace id (slug).  
+        owner: "example-owner"
+        # The user to use for basic authentication with an app password.
+        user: "example-user"
+        # If true, scan every branch of every repository. If false, scan only the main branch. Defaults to false.
+        allBranches: true
+        # Reference to a Secret containing an app password.
+        appPasswordRef:
+          secretName: appPassword
+          key: password
+  template:
+  # ...
+```
+
+* `owner`: The workspace ID (slug) to use when looking up repositories.
+* `user`: The user to use for authentication to the Bitbucket API V2 at bitbucket.org.
+* `allBranches`: By default (false) the template will only be evaluated for the main branch of each repo. If this is true, every branch of every repository will be passed to the filters. If using this flag, you likely want to use a `branchMatch` filter.
+* `appPasswordRef`: A `Secret` name and key containing the bitbucket app password to use for requests.
+
+This SCM provider does not yet support label filtering
+
+Available clone protocols are `ssh` and `https`.

 ## Filters

--- a/docs/operator-manual/applicationset/GoTemplate.md
+++ b/docs/operator-manual/applicationset/GoTemplate.md
@@ -74,13 +74,20 @@ All your templates must replace parameters with GoTemplate Syntax:

 Example: `{{ some.value }}` becomes `{{ .some.value }}`

+### Cluster Generators
+
+By activating Go Templating, `{{ .metadata }}` becomes an object.
+
+- `{{ metadata.labels.my-label }}` becomes `{{ index .metadata.labels "my-label" }}`
+- `{{ metadata.annotations.my/annotation }}` becomes `{{ index .metadata.annotations "my/annotation" }}`
+
 ### Git Generators

 By activating Go Templating, `{{ .path }}` becomes an object. Therefore, some changes must be made to the Git 
 generators' templating:

 - `{{ path }}` becomes `{{ .path.path }}`
- `{{ path[n] }}` becomes `{{ .path.segments[n] }}`
+- `{{ path[n] }}` becomes `{{ index .path.segments n }}`

 Here is an example:

@@ -148,7 +155,7 @@ It is also possible to use Sprig functions to construct the path variables manua
 | `{{path.filename}}` | `{{.path.filename}}` | `{{.path.filename}}` |
 | `{{path.basenameNormalized}}` | `{{.path.basenameNormalized}}` | `{{normalize .path.path}}` |
 | `{{path.filenameNormalized}}` | `{{.path.filenameNormalized}}` | `{{normalize .path.filename}}` |
-| `{{path[N]}}` | `{{.path.segments[N]}}` | `{{index (splitList "/" .path.path) N}}` |
+| `{{path[N]}}` | `-` | `{{index .path.segments N}}` |

 ## Examples

--- a/docs/operator-manual/argocd-cm.yaml
+++ b/docs/operator-manual/argocd-cm.yaml
@@ -47,7 +47,7 @@ data:
  help.download.windows-amd64: "path-or-url-to-download"

  # A dex connector configuration (optional). See SSO configuration documentation:
-  # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/sso
+  # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/user-management/index.md#sso
  # https://dexidp.io/docs/connectors/
  dex.config: |
    connectors:
--- a/docs/operator-manual/argocd-cmd-params-cm.yaml
+++ b/docs/operator-manual/argocd-cmd-params-cm.yaml
@@ -139,26 +139,6 @@ data:
  reposerver.streamed.manifest.max.tar.size: "100M"
  # Maximum size of extracted manifests when streaming manifests to the repo server for generation
  reposerver.streamed.manifest.max.extracted.size: "1G"
-  # Enable git submodule support
-  reposerver.enable.git.submodule: "true"

  # Disable TLS on the HTTP endpoint
  dexserver.disable.tls: "false"
-
-  ## ApplicationSet Controller Properties
-  # Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.
-  applicationsetcontroller.enable.leader.election: "false"
-  # Argo CD repo namespace (default: argocd)
-  applicationsetcontroller.namespace: ""
-  # "Modify how application is synced between the generator and the cluster. Default is 'sync' (create & update & delete), options: 'create-only', 'create-update' (no deletion)"
-  applicationsetcontroller.policy: "sync"
-  # Print debug logs. Takes precedence over loglevel
-  applicationsetcontroller.debug: "false"
-  # Set the logging format. One of: text|json (default "text")
-  applicationsetcontroller.log.format: "text"
-  # Set the logging level. One of: debug|info|warn|error (default "info")
-  applicationsetcontroller.log.level: "info"
-  # Enable dry run mode
-  applicationsetcontroller.dryrun: "false"
-  # Enable git submodule support
-  applicationsetcontroller.enable.git.submodule: "true"
--- a/docs/operator-manual/custom_tools.md
+++ b/docs/operator-manual/custom_tools.md
@@ -51,7 +51,7 @@ following example builds an entirely customized repo-server from a Dockerfile, i
 dependencies that may be needed for generating manifests.

 ```Dockerfile
-FROM argoproj/argocd:latest
+FROM argoproj/argocd:v2.5.4 # Replace tag with the appropriate argo version

 # Switch to root for the ability to perform install
 USER root
--- a/docs/operator-manual/declarative-setup.md
+++ b/docs/operator-manual/declarative-setup.md
@@ -77,7 +77,7 @@ spec:
 ```

 !!! warning
-    By default, deleting an application will not perform a cascade delete, which would delete its resources. You must add the finalizer if you want this behaviour - which you may well not want.
+    Without the `resources-finalizer.argocd.argoproj.io` finalizer, deleting an application will not delete the resources it manages. To perform a cascading delete, you must add the finalizer. See [App Deletion](../user-guide/app_deletion.md#about-the-deletion-finalizer).

 ```yaml
 metadata:
--- a/docs/operator-manual/health.md
+++ b/docs/operator-manual/health.md
@@ -5,7 +5,7 @@ Argo CD provides built-in health assessment for several standard Kubernetes type
 surfaced to the overall Application health status as a whole. The following checks are made for
 specific types of kubernetes resources:

-### Deployment, ReplicaSet, StatefulSet DaemonSet
+### Deployment, ReplicaSet, StatefulSet, DaemonSet
 * Observed generation is equal to desired generation.
 * Number of **updated** replicas equals the number of desired replicas.

--- a/docs/operator-manual/high_availability.md
+++ b/docs/operator-manual/high_availability.md
@@ -6,8 +6,8 @@ A set of HA manifests are provided for users who wish to run Argo CD in a highly

 [Manifests ⧉](https://github.com/argoproj/argo-cd/tree/master/manifests) 

-!!! note
-    The HA installation will require at least three different nodes due to pod anti-affinity roles in the specs.
+> **NOTE:** The HA installation will require at least three different nodes due to pod anti-affinity roles in the
+> specs. Additionally, IPv6 only clusters are not supported.

 ## Scaling Up

@@ -188,4 +188,4 @@ spec:
    targetRevision: HEAD
    path: my-application
 # ...
-```
+```
--- a/docs/operator-manual/installation.md
+++ b/docs/operator-manual/installation.md
@@ -80,7 +80,7 @@ resources:
 ## Helm

 The Argo CD can be installed using [Helm](https://helm.sh/). The Helm chart is currently community maintained and available at
-[argo-helm/charts/argo-cd](https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd).
+[argo-helm/charts/argo-cd](https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd).

 ## Supported versions

--- a/docs/operator-manual/metrics.md
+++ b/docs/operator-manual/metrics.md
@@ -67,8 +67,7 @@ Scraped at the `argocd-server-metrics:8083/metrics` endpoint.
 | Metric | Type | Description |
 |--------|:----:|-------------|
 | `argocd_redis_request_duration` | histogram | Redis requests duration. |
-| `argocd_redis_request_total` | counter | Number of kubernetes requests executed during application
-reconciliation. |
+| `argocd_redis_request_total` | counter | Number of kubernetes requests executed during application reconciliation. |
 | `grpc_server_handled_total` | counter | Total number of RPCs completed on the server, regardless of success or failure. |
 | `grpc_server_msg_sent_total` | counter | Total number of gRPC stream messages sent by the server. |

--- a/docs/operator-manual/notifications/troubleshooting-commands.md
+++ b/docs/operator-manual/notifications/troubleshooting-commands.md
@@ -1,9 +1,9 @@
-## notifications template get
+## argocd admin notifications template get

 Prints information about configured templates

 ```
-notifications template get [flags]
+argocd admin notifications template get [flags]
 ```

 ### Examples
@@ -11,9 +11,9 @@ notifications template get [flags]
 ```

 # prints all templates
-notifications template get
+argocd admin notifications template get
 # print YAML formatted app-sync-succeeded template definition
-notifications template get app-sync-succeeded -o=yaml
+argocd admin notifications template get app-sync-succeeded -o=yaml

 ```

@@ -53,12 +53,12 @@ notifications template get app-sync-succeeded -o=yaml
      --username string                 Username for basic authentication to the API server
 ```

-## notifications template notify
+## argocd admin notifications template notify

 Generates notification using the specified template and send it to specified recipients

 ```
-notifications template notify NAME RESOURCE_NAME [flags]
+argocd admin notifications template notify NAME RESOURCE_NAME [flags]
 ```

 ### Examples
@@ -66,10 +66,10 @@ notifications template notify NAME RESOURCE_NAME [flags]
 ```

 # Trigger notification using in-cluster config map and secret
-notifications template notify app-sync-succeeded guestbook --recipient slack:my-slack-channel
+argocd admin notifications template notify app-sync-succeeded guestbook --recipient slack:my-slack-channel

 # Render notification render generated notification in console
-notifications template notify app-sync-succeeded guestbook
+argocd admin notifications template notify app-sync-succeeded guestbook

 ```

@@ -109,12 +109,12 @@ notifications template notify app-sync-succeeded guestbook
      --username string                 Username for basic authentication to the API server
 ```

-## notifications trigger get
+## argocd admin notifications trigger get

 Prints information about configured triggers

 ```
-notifications trigger get [flags]
+argocd admin notifications trigger get [flags]
 ```

 ### Examples
@@ -122,9 +122,9 @@ notifications trigger get [flags]
 ```

 # prints all triggers
-notifications trigger get
+argocd admin notifications trigger get
 # print YAML formatted on-sync-failed trigger definition
-notifications trigger get on-sync-failed -o=yaml
+argocd admin notifications trigger get on-sync-failed -o=yaml

 ```

@@ -164,12 +164,12 @@ notifications trigger get on-sync-failed -o=yaml
      --username string                 Username for basic authentication to the API server
 ```

-## notifications trigger run
+## argocd admin notifications trigger run

 Evaluates specified trigger condition and prints the result

 ```
-notifications trigger run NAME RESOURCE_NAME [flags]
+argocd admin notifications trigger run NAME RESOURCE_NAME [flags]
 ```

 ### Examples
@@ -177,10 +177,10 @@ notifications trigger run NAME RESOURCE_NAME [flags]
 ```

 # Execute trigger configured in 'argocd-notification-cm' ConfigMap
-notifications trigger run on-sync-status-unknown ./sample-app.yaml
+argocd admin notifications trigger run on-sync-status-unknown ./sample-app.yaml

 # Execute trigger using my-config-map.yaml instead of 'argocd-notifications-cm' ConfigMap
-notifications trigger run on-sync-status-unknown ./sample-app.yaml \
+argocd admin notifications trigger run on-sync-status-unknown ./sample-app.yaml \
    --config-map ./my-config-map.yaml
 ```

--- a/docs/operator-manual/notifications/troubleshooting.md
+++ b/docs/operator-manual/notifications/troubleshooting.md
@@ -1,6 +1,6 @@
 ## Troubleshooting

-The `argocd-notifications` binary includes a set of CLI commands that helps to configure the controller
+The `argocd admin notifications` is a CLI command group that helps to configure the controller
 settings and troubleshoot issues.

 ## Global flags
@@ -17,15 +17,15 @@ Additionally, you can specify `:empty` value to use empty secret with no notific
 * Get list of triggers configured in the local config map:

 ```bash
-argocd-notifications trigger get \
-  --config-map ./argocd-notifications-cm.yaml --secret :empty
+argocd admin notifications trigger get \
+  --config-map ./argocd admin notifications-cm.yaml --secret :empty
 ```

 * Trigger notification using in-cluster config map and secret:

 ```bash
-argocd-notifications template notify \
-  app-sync-succeeded guestbook --recipient slack:argocd-notifications
+argocd admin notifications template notify \
+  app-sync-succeeded guestbook --recipient slack:argocd admin notifications
 ```

 ## Kustomize
@@ -44,18 +44,18 @@ kustomize build ./argocd-notifications | \

 ### On your laptop

-You can download `argocd-notifications` from the github [release](https://github.com/argoproj-labs/argocd-notifications/releases)
+You can download the `argocd` CLI from the github [release](https://github.com/argoproj/argo-cd/releases)
 attachments.

-The binary is available in `argoprojlabs/argocd-notifications` image. Use the `docker run` and volume mount
+The binary is available in `argoproj/argo-cd` image. Use the `docker run` and volume mount
 to execute binary on any platform. 

 **Example:**

 ```bash
 docker run --rm -it -w /src -v $(pwd):/src \
-  argoprojlabs/argocd-notifications:<version> \
-  /app/argocd-notifications trigger get \
+  argoproj/argo-cd:<version> \
+  /app/argocd admin notifications trigger get \
  --config-map ./argocd-notifications-cm.yaml --secret :empty
 ```

@@ -67,7 +67,7 @@ configuration.
 **Example**
 ```bash
 kubectl exec -it argocd-notifications-controller-<pod-hash> \
-  /app/argocd-notifications trigger get
+  /app/argocd admin notifications trigger get
 ```

 ## Commands
--- a/docs/operator-manual/project.yaml
+++ b/docs/operator-manual/project.yaml
@@ -15,9 +15,11 @@ spec:
  - '*'

  # Only permit applications to deploy to the guestbook namespace in the same cluster
+  # Destination clusters can be identified by 'server', 'name', or both.
  destinations:
  - namespace: guestbook
    server: https://kubernetes.default.svc
+    name: in-cluster

  # Deny all cluster-scoped resources from being created, except for Namespace
  clusterResourceWhitelist:
--- a/docs/operator-manual/resource_actions.md
+++ b/docs/operator-manual/resource_actions.md
@@ -9,9 +9,8 @@ Operators can add actions to custom resources in form of a Lua script and expand

 Argo CD supports custom resource actions written in [Lua](https://www.lua.org/). This is useful if you:

-    * Have a custom resource for which Argo CD does not provide any built-in actions.
-    * Have a commonly performed manual task that might be error prone if executed by users via `kubectl`
-
+* Have a custom resource for which Argo CD does not provide any built-in actions.
+* Have a commonly performed manual task that might be error prone if executed by users via `kubectl`

 You can define your own custom resource actions in the `argocd-cm` ConfigMap.

--- a/docs/operator-manual/secret-management.md
+++ b/docs/operator-manual/secret-management.md
@@ -1,6 +1,11 @@
 # Secret Management

-Argo CD is un-opinionated about how secrets are managed. There's many ways to do it and there's no one-size-fits-all solution. Here's some ways people are doing GitOps secrets:
+Argo CD is un-opinionated about how secrets are managed. There are many ways to do it, and there's no one-size-fits-all solution.
+
+Many solutions use plugins to inject secrets into the application manifests. See [Mitigating Risks of Secret-Injection Plugins](#mitigating-risks-of-secret-injection-plugins)
+below to make sure you use those plugins securely.
+
+Here are some ways people are doing GitOps secrets:

 * [Bitnami Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)
 * [External Secrets Operator](https://github.com/external-secrets/external-secrets)
@@ -12,5 +17,20 @@ Argo CD is un-opinionated about how secrets are managed. There's many ways to do
 * [KSOPS](https://github.com/viaduct-ai/kustomize-sops#argo-cd-integration)
 * [argocd-vault-plugin](https://github.com/argoproj-labs/argocd-vault-plugin)
 * [argocd-vault-replacer](https://github.com/crumbhole/argocd-vault-replacer)
+* [Kubernetes Secrets Store CSI Driver](https://github.com/kubernetes-sigs/secrets-store-csi-driver)

 For discussion, see [#1364](https://github.com/argoproj/argo-cd/issues/1364)
+
+## Mitigating Risks of Secret-Injection Plugins
+
+Argo CD caches the manifests generated by plugins, along with the injected secrets, in its Redis instance. Those 
+manifests are also available via the repo-server API (a gRPC service). This means that the secrets are available to 
+anyone who has access to the Redis instance or to the repo-server.
+
+Consider these steps to mitigate the risks of secret-injection plugins:
+
+1. Set up network policies to prevent direct access to Argo CD components (Redis and the repo-server). Make sure your
+   cluster supports those network policies and can actually enforce them.
+2. Consider running Argo CD on its own cluster, with no other applications running on it.
+3. [Enable password authentication on the Redis instance](https://github.com/argoproj/argo-cd/issues/3130) (currently
+   only supported for non-HA Argo CD installations).
--- a/docs/operator-manual/signed-release-assets.md
+++ b/docs/operator-manual/signed-release-assets.md
@@ -4,21 +4,17 @@ All Argo CD container images are signed by cosign. Checksums are created for the

 ## Prerequisites
 - Cosign [installation instructions](https://docs.sigstore.dev/cosign/installation)
- Obtain or have a copy of the [public key](https://github.com/argoproj/argo-cd/blob/master/argocd-cosign.pub) ```argocd-cosign.pub```
+- Obtain or have a copy of ```argocd-cosign.pub```, which can be located in the assets section of the [release page](https://github.com/argoproj/argo-cd/releases)
+
+Once you have installed cosign, you can use ```argocd-cosign.pub``` to verify the signed assets or container images.
+

-Once you have installed cosign, you can use [argocd-cosign.pub](https://github.com/argoproj/argo-cd/blob/master/argocd-cosign.pub) to verify the signed assets or container images.
-```
-----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEesHEB7vX5Y2RxXypjMy1nI1z7iRG
-JI9/gt/sYqzpsa65aaNP4npM43DDxoIy/MQBo9s/mxGxmA+8UXeDpVC9vw==
-----END PUBLIC KEY-----
-```
 ## Verification of container images

 ```bash
-cosign verify --key argocd-cosign.pub  quay.io/argoproj/argocd:latest
+cosign verify --key argocd-cosign.pub  quay.io/argoproj/argocd:<VERSION>

-Verification for quay.io/argoproj/argocd:latest --
+Verification for quay.io/argoproj/argocd:<VERSION> --
 The following checks were performed on each of these signatures:
  * The cosign claims were validated
  * The signatures were verified against the specified public key
@@ -27,6 +23,9 @@ The following checks were performed on each of these signatures:
 ## Verification of signed assets

 ```bash
-cosign verify-blob --key cosign.pub --signature $(cat argocd-$VERSION-checksums.sig) argocd-$VERSION-checksums.txt
+cosign verify-blob --key cosign.pub --signature $(cat argocd-<VERSION>-checksums.sig) argocd-$VERSION-checksums.txt
 Verified OK
 ```
+## Admission controllers
+
+Cosign is compatible with several types of admission controllers.  Please see the [Cosign documentation](https://docs.sigstore.dev/cosign/overview/#kubernetes-integrations) for supported controllers
--- a/docs/operator-manual/upgrading/1.8-2.0.md
+++ b/docs/operator-manual/upgrading/1.8-2.0.md
@@ -1,4 +1,4 @@
-# v1.8 to v2.0
+# v1.8 to 2.0

 ## Redis Upgraded to v6.2.1

--- a/docs/operator-manual/upgrading/2.4-2.5.md
+++ b/docs/operator-manual/upgrading/2.4-2.5.md
@@ -97,7 +97,7 @@ When using `argocd app diff --local`, code from the repo server is run on the us

 In order to support CMPs and reduce local requirements, we have implemented *server-side generation* of local manifests via the `--server-side-generate` argument. For example, `argocd app diff --local repoDir --server-side-generate` will upload the contents of `repoDir` to the repo server and run your manifest generation pipeline against it, the same as it would for a Git repo.

-In v2.6, the `--server-side-generate` argument will become the default and client-side generation will be removed.
+In v2.7, the `--server-side-generate` argument will become the default and client-side generation will be removed.

 !!! warning
    The semantics of *where* Argo will start generating manifests within a repo has changed between client-side and server-side generation. With client-side generation, the application's path (`spec.source.path`) was ignored and the value of `--local-repo-root` was effectively used (by default `/` relative to `--local`).
--- a/docs/operator-manual/user-management/auth0.md
+++ b/docs/operator-manual/user-management/auth0.md
@@ -12,7 +12,7 @@ Follow the [register app](https://auth0.com/docs/dashboard/guides/applications/r
 * Take note of the _clientId_ and _clientSecret_ values.
 * Register login url as https://your.argoingress.address/login
 * Set allowed callback url to https://your.argoingress.address/auth/callback
-* Under connections, select the user-registries you want to use with argo.
+* Under connections, select the user-registries you want to use with argo

 Any other settings are non-essential for the authentication to work.

@@ -70,4 +70,4 @@ data:
 <br>

 !!! note "Storing Client Secrets"
-    Details on storing your clientSecret securely and correctly can be found on the [User Management Overview page](index.md#sensitive-data-and-sso-client-secrets).
+    Details on storing your clientSecret securely and correctly can be found on the [User Management Overview page](../../user-management/#sensitive-data-and-sso-client-secrets).
--- a/docs/operator-manual/user-management/index.md
+++ b/docs/operator-manual/user-management/index.md
@@ -301,6 +301,19 @@ data:
    issuer: https://dev-123456.oktapreview.com
    clientID: aaaabbbbccccddddeee
    clientSecret: $oidc.okta.clientSecret
+    
+    # Optional list of allowed aud claims. If omitted or empty, defaults to the clientID value above (and the 
+    # cliCientID, if that is also specified). If you specify a list and want the clientID to be allowed, you must 
+    # explicitly include it in the list.
+    # Token verification will pass if any of the token's audiences matches any of the audiences in this list.
+    allowedAudiences:
+    - aaaabbbbccccddddeee
+    - qqqqwwwweeeerrrrttt
+
+    # Optional. If false, tokens without an audience will always fail validation. If true, tokens without an audience 
+    # will always pass validation.
+    # Defaults to true for Argo CD < 2.6.0. Defaults to false for Argo CD >= 2.6.0.
+    skipAudienceCheckWhenTokenHasNoAudience: true

    # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
    requestedScopes: ["openid", "profile", "email", "groups"]
--- a/docs/operator-manual/user-management/keycloak.md
+++ b/docs/operator-manual/user-management/keycloak.md
@@ -17,6 +17,8 @@ Configure the client by setting the __Access Type__ to _confidential_ and set th
 hostname. It should be https://{hostname}/auth/callback (you can also leave the default less secure https://{hostname}/* ). You can also set the
 __Base URL__ to _/applications_.

+If you want to allow command line access, __Access Type__ must be set to _public_ and you also need to add http://localhost:8085/auth/callback in the list of Valid Redirect URIs. Then users can login using `argocd login {hostname} --sso`.
+
 ![Keycloak configure client](../../assets/keycloak-configure-client.png "Keycloak configure client")

 Make sure to click __Save__. You should now have a new tab called __Credentials__. You can copy the Secret that we'll use in our ArgoCD 
--- a/docs/proposals/proxy-extensions.md
+++ b/docs/proposals/proxy-extensions.md
@@ -1,425 +0,0 @@
---
-title: Reverse Proxy Extensions
-
-authors:
- "@leoluz"
-
-sponsors:
- TBD
-
-reviewers:
- TBD
-
-approvers:
- TBD
-
-creation-date: 2022-07-23
-
---
-
-# Reverse-Proxy Extensions support for Argo CD
-
-Enable UI extensions to use a backend service.
-
-* [Summary](#summary)
-* [Motivation](#motivation)
-* [Goals](#goals)
-* [Non-Goals](#non-goals)
-* [Proposal](#proposal)
-    * [Use cases](#use-cases)
-    * [Security Considerations](#security-considerations)
-    * [Risks and Mitigations](#risks-and-mitigations)
-    * [Upgrade / Downgrade](#upgrade--downgrade)
-* [Drawbacks](#drawbacks)
-* [Open Questions](#open-questions)
-
---
-
-## Summary
-
-Argo CD currently supports the creation of [UI extensions][1] allowing
-developers to define the visual content of the "more" tab inside
-a specific resource. Developers are able to access the resource state to
-build the UI. However, currently it isn't possible to use a backend
-service to provide additional functionality to extensions. This proposal
-defines a new reverse proxy feature in Argo CD, allowing developers to
-create a backend service that can be used in UI extensions. Extensions
-backend code will live outside Argo CD main repository.
-
-## Motivation
-
-The initiative to implement the anomaly detection capability in Argo CD
-highlighted the need to improve the existing UI extensions feature. The
-new capability will required the UI to have access to data that isn't
-available as part of Application's owned resources. It is necessary to
-access an API defined by the extension's development team so the proper
-information can be displayed.
-
-## Goals
-
-The following goals are desired but not necessarily all must be
-implemented in a given Argo CD release:
-
-#### [G-1] Argo CD (API Server) must have low performance impact when running extensions
-
-Argo CD API server is a critical component as it serves all APIs used by
-the CLI as well as the UI. The Argo CD team has no controll over what is
-going to be executed in extension's backend service. Thus it is important
-that the reverse proxy implementation to cause the lowest possible impact
-in the API server while processing high latency requests.
-
-Possible solutions:
- Implement a rate limit layer to protect Argo CD API server
- Implement configurable different types of timeouts (idle connection,
-  duration, etc) between Argo CD API server and backend services.
- Implement the reverse proxy as a separate server/pod (needs discussion).
-
----
-
-#### [G-2] Argo CD admins should be able to define rbacs to define which users can invoke specific extensions
-
-Argo CD Admins must be able to define which extensions are allowed to be
-executed by the logged in user. This should be fine grained by Argo CD
-project like the current rbac implementation.
-
----
-
-#### [G-3] Argo CD deployment should be independent from backend services
-
-Extension developers should be able to deploy their backend services
-independently from Argo CD. An extension can evolve their internal API and
-deploying a new version shouldn't require Argo CD to be updated or
-restarted.
-
----
-
-#### [G-4] Enhance the current Extensions framework to configure backend services
-
-*Not in the first release*
-
-[Argo CD extensions][2] is an `argoproj-labs` project that supports loading
-extensions in runtime. Currently the project is implementing a controller
-that defines and reconciles the custom resource `ArgoCDExtension`. This
-CRD should be enhanced to provide the ability to define backend services
-that will be used by the extension. Once configured UI can send requests
-to API server in a specific endpoint. API server will act as a reverse
-proxy receiving the request from the UI and routing to the appropriate
-backend service.
-
-Example:
-```yaml 
-apiVersion: argoproj.io/v1alpha1
-kind: ArgoCDExtension
-metadata:
-  name: my-cool-extention
-  finalizers:
-    - extensions-finalizer.argocd.argoproj.io
-spec:
-  sources:
-    - git:
-        url: https://github.com/some-org/my-cool-extension.git
-  backend:
-    serviceName: some-backend-svc
-    endpoint: /some-backend
-```
-
-**Note**: While this is a nice-to-have, it won't be part of the first proxy
-extension version. This would need to be considered if Argo CD extensions
-eventually get traction.
-
----
-
-#### [G-5] Setup multiple backend services for the same extension
-
-In case of one Argo CD instance managing applications in multiple clusters, it
-will be necessary to configure backend service URLs per cluster for the same
-extension. This should be an optional configuration. If only one URL is
-configured, that one should be used for all clusters.
-
----
-
-#### [G-6] Provide safe communication channel between Argo CD API server and extension backend
-
-Argo CD API server should provide configuration for establishing a safe communication
-channel with the extension backend. This can be achieved similarly to how Kubernetes
-API Server does to [authenticate with aggregated servers][5] by using certificates.
-
-## Non-Goals
-
-It isn't in the scope of this proposal to specify commands in the Argo CD
-CLI. This proposal covers the reverse-proxy extension spec that will be
-used by Argo CD UI.
-
-## Proposal
-
-### Use cases
-
-The following use cases should be implemented for the conclusion of this
-proposal:
-
-#### [UC-1]: As an Argo CD admin, I want to configure a backend services so it can be used by my UI extension
-
-Define a new section in the Argo CD configmap ([argocd-cm.yaml][4])
-allowing admins to register and configure new extensions. All enabled
-extensions backend will be available to be invoked by the Argo CD UI under
-the following API base path:
-
-`<argocd-host>/api/v1/extensions/<extension-name>`
-
-With the configuration below, the expected behavior is explained in the
-following examples:
-
-```yaml
-extension.config: |
-  extensions:
-    - name: some-extension
-      enabled: true
-      backend:
-        idleConnTimeout: 10s
-        services:
-          - url: http://extension-name.com:8080
-```
-
- **Example 1**:
-
-Argo CD API server acts as a reverse-proxy forwarding http requests as
-follows:
-
-```
-   ┌────────────┐
-   │ Argo CD UI │
-   └──────┬─────┘
-          │
-          │ GET http://argo.com/api/v1/extensions/some-extension
-          │
-          ▼
- ┌──────────────────┐
- │Argo CD API Server│
- └────────┬─────────┘
-          │
-          │ GET http://extension-name.com:8080
-          │
-          ▼
-  ┌───────────────┐
-  │Backend Service│
-  └───────────────┘
-```
-
- **Example 2**:
-
-If a backend provides an API under the `/apiv1/metrics` endpoint, Argo CD
-should be able to invoke it such as:
-
-```
-   ┌────────────┐
-   │ Argo CD UI │
-   └──────┬─────┘
-          │
-          │ GET http://argo.com/api/v1/extensions/some-extension/apiv1/metrics/123
-          │
-          ▼
- ┌──────────────────┐
- │Argo CD API Server│
- └────────┬─────────┘
-          │
-          │ GET http://extension-name.com:8080/apiv1/metrics/123
-          │
-          ▼
-  ┌───────────────┐
-  │Backend Service│
-  └───────────────┘
-```
-
- **Example 3**:
-
-In this use-case we have one Argo CD instance connected with different
-clusters. There is a requirement defining that every extension instance
-needs to be deployed in each of the target clusters. To address this
-use-case there is a need to configure multiple backend URLs for the
-same extension (one for each cluster). For doing so, the following
-configuration should be possible:
-
-```yaml
-extension.config: |
-  extensions:
-    - name: some-extension
-      enabled: true
-      backend:
-        idleConnTimeout: 10s
-        services:
-          - url: http://extension-name.com:8080
-            clusterName: kubernetes.local
-          - url: https://extension-name.ppd.cluster.k8s.local:8080
-            clusterName: admins@ppd.cluster.k8s.local
-```
-
-Note that there is an URL configuration per cluster name. The cluster
-name is extracted from the Argo CD cluster secret and must match the
-field `data.name`. In this case the UI must send the header
-`Argocd-Application-Name` with the full qualified application name
-(`<namespace>/<application-name>`).
-
-Example:
-
-`Argocd-Application-Name: preprod/some-application`
-
-With this information, API Server can check in which cluster it should
-get the backend URL from. This will be done by inspecting the
-Application destination configuration to find the proper cluster name.
-
-The diagram below shows how Argo CD UI could send the request with
-the additional header to get the proxy forwarding it to the proper
-cluster:
-
-```
-   ┌────────────┐
-   │ Argo CD UI │
-   └──────┬─────┘
-          │
-          │ GET http://argo.com/api/v1/extensions/some-extension
-          │ HEADER: "Argocd-Application-Name: default/ppd-application"
-          │
-          ▼
- ┌──────────────────┐
- │Argo CD API Server│
- └────────┬─────────┘
-          │
-          │ GET https://extension-name.ppd.cluster.k8s.local:8080
-          │
-          ▼
-  ┌───────────────┐
-  │Backend Service│
-  └───────────────┘
-```
-
-##### Considerations
-
- The `idleConnTimeout` can be used to avoid accumulating too many
-  goroutines waiting slow for extensions. In this case a proper timeout
-  error (408) should be returned to the browser.
- Scheme, http verb and request body are forwarded as it is
-  received by the API server to the backend service.
- Headers will be filtered and not forwarded as it is received in Argo CD
-  API server. Sensitive headers will be removed (e.g. `Cookie`).
- A new header is added in the forwared request (`X-Forwarded-Host`) to
-  allow ssl redirection.
- This proposal doesn't specify how backends should implement authz or
-  authn. This topic could be discussed as a future enhancement to the
-  proxy extension feature in Argo CD.
-
----
-
-#### [UC-2]: As an Argo CD admin, I want to define extensions rbacs so access permissions can be enforced
-
-Extend Argo CD rbac registering a new `ResourceType` for extensions in the
-[policy configuration][3]. The current policy permission configuration is
-defined as:
-
-```
-p, <subject>, <resource>, <action>, <object>, <access>
-```
-
-With a new resource type for extensions, admins will be able to configure
-access rights per extension per project.
-
-* **Basic config suggestion:**
-
-This is the basic suggestion where admins will be able to define permissions
-per project and per extension. In this case namespace specific permissions
-isn't covered.
-
-The `object` field must contain the project name and the extension name in
-the format `<project>/<extension>`
-
- *Example 1*:
-
-```
-p, role:allow-extensions, extensions, *, some-project/some-extension, allow
-```
-
-In the example 1, a permission is configured to allowing the subject
-`role:allow-extensions`, for the resource type `extensions`, for all (`*`)
-actions, in the project `some-project`, for the extension name
-`some-extension`.
-
-
- *Example 2*:
-
-```
-p, role:allow-extensions, extensions, *, */some-extension, allow
-```
-
-In the example 2, the permission is similar to the example 1 with the
-difference that the extension `some-extension` will be allowed for all
-projects.
-
- *Example 3*:
-
-```
-p, role:allow-extensions, extensions, *, */*, allow
-```
-
-In the example 3, the subject `role:allow-extensions` is allowed to
-execute extensions in all projects.
-
-* **Advanced config suggestions:**
-
-With advanced RBAC configuration suggestions, admins will be able to define
-permissions per project, per namespace and per extension.
-
-There are 3 main approaches to achieve this type of RBAC configuration:
-
-1. `<object>` has addional section for namespace:
-```
-p, dev, extensions, *, some-project/some-namespace/some-extension, allow
-```
-
-2. `<action>` has 2 sections for extension name and namespace:
-```
-p, dev, extensions, some-extension/some-namespace, some-project/some-application, allow
-```
-
-3. `<resource>` has 2 sections for extension type and extension name:
-```
-p, dev, extensions/some-extension, *, some-project/some-application, allow
-```
-
-Reference: [Original discussion][6]
-
-The final RBAC format must be defined and properly documented during implementation.
-
-### Security Considerations
-
- Argo CD API Server must apply **authn** and **authz** for all incoming
-  extensions requests
- Argo CD must authorize requests coming from UI and check that the
-  authenticated user has access to invoke a specific URL belonging to an
-  extension
-
-### Risks and Mitigations
-
-### Upgrade / Downgrade
-
-## Drawbacks
-
- Slight increase in Argo CD code base complexity.
- Increased security risk.
- Impact of extensions on overall Argo CD performance (mitigated by rate limiting + idle conn timeout).
-
-## Open Questions
-
-1. What are the possible actions that can be provided to extensions RBAC?
-A. This proposal does not define additional RBAC actions for extensions.
-Currently the only possible value is `*` which will allow admins to enable
-or disable certain extensions per project. If there is a new requirement
-to support additional actions for extensions to limit just specific HTTP
-verbs for example, an enhancement can be created to extend this
-functionality. If this requirement becomes necessary, it won't be a
-breaking change as it will be more restrictive.
-
-[1]: https://argo-cd.readthedocs.io/en/stable/developer-guide/ui-extensions/
-[2]: https://github.com/argoproj-labs/argocd-extensions
-[3]: https://github.com/argoproj/argo-cd/blob/a23bfc3acaa464cbdeafdbbe66d05a121d5d1fb3/server/rbacpolicy/rbacpolicy.go#L17-L25
-[4]: https://argo-cd.readthedocs.io/en/stable/operator-manual/argocd-cm.yaml
-[5]: https://kubernetes.io/docs/tasks/extend-kubernetes/configure-aggregation-layer/#authentication-flow
-[6]: https://github.com/argoproj/argo-cd/pull/10435#discussion_r986941880
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -1,5 +1,5 @@
 mkdocs==1.2.3
-mkdocs-material==7.1.7
+mkdocs-material==7.1.8
 markdown_include==0.6.0
 pygments==2.7.4
 jinja2==3.0.3
--- a/docs/snyk/index.md
+++ b/docs/snyk/index.md
@@ -14,63 +14,50 @@ recent minor releases.
 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
 | [go.mod](master/argocd-test.html) | 0 | 0 | 2 | 0 |
-| [ui/yarn.lock](master/argocd-test.html) | 0 | 0 | 3 | 0 |
-| [dex:v2.35.3-distroless](master/ghcr.io_dexidp_dex_v2.35.3-distroless.html) | 0 | 0 | 0 | 0 |
+| [ui/yarn.lock](master/argocd-test.html) | 0 | 0 | 0 | 0 |
+| [dex:v2.32.0-distroless](master/ghcr.io_dexidp_dex_v2.32.0-distroless.html) | 0 | 0 | 0 | 0 |
 | [haproxy:2.6.2-alpine](master/haproxy_2.6.2-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 1 | 13 |
-| [redis:7.0.5-alpine](master/redis_7.0.5-alpine.html) | 0 | 0 | 0 | 0 |
+| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 3 | 17 |
+| [redis:7.0.4-alpine](master/redis_7.0.4-alpine.html) | 0 | 0 | 0 | 0 |
 | [install.yaml](master/argocd-iac-install.html) | - | - | - | - |
 | [namespace-install.yaml](master/argocd-iac-namespace-install.html) | - | - | - | - |

-### v2.5.0-rc3
+### v2.4.11

 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v2.5.0-rc3/argocd-test.html) | 0 | 0 | 2 | 0 |
-| [ui/yarn.lock](v2.5.0-rc3/argocd-test.html) | 0 | 0 | 3 | 0 |
-| [dex:v2.35.3-distroless](v2.5.0-rc3/ghcr.io_dexidp_dex_v2.35.3-distroless.html) | 0 | 0 | 0 | 0 |
-| [haproxy:2.6.2-alpine](v2.5.0-rc3/haproxy_2.6.2-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd:v2.5.0-rc3](v2.5.0-rc3/quay.io_argoproj_argocd_v2.5.0-rc3.html) | 0 | 1 | 8 | 13 |
-| [redis:7.0.5-alpine](v2.5.0-rc3/redis_7.0.5-alpine.html) | 0 | 0 | 0 | 0 |
-| [install.yaml](v2.5.0-rc3/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v2.5.0-rc3/argocd-iac-namespace-install.html) | - | - | - | - |
+| [go.mod](v2.4.11/argocd-test.html) | 0 | 0 | 3 | 0 |
+| [ui/yarn.lock](v2.4.11/argocd-test.html) | 0 | 0 | 0 | 0 |
+| [dex:v2.32.0](v2.4.11/ghcr.io_dexidp_dex_v2.32.0.html) | 1 | 1 | 1 | 0 |
+| [haproxy:2.0.29-alpine](v2.4.11/haproxy_2.0.29-alpine.html) | 1 | 0 | 0 | 0 |
+| [argocd:v2.4.11](v2.4.11/quay.io_argoproj_argocd_v2.4.11.html) | 0 | 0 | 3 | 18 |
+| [redis:7.0.4-alpine](v2.4.11/redis_7.0.4-alpine.html) | 0 | 0 | 0 | 0 |
+| [install.yaml](v2.4.11/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v2.4.11/argocd-iac-namespace-install.html) | - | - | - | - |

-### v2.4.15
+### v2.3.7

 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v2.4.15/argocd-test.html) | 0 | 0 | 3 | 0 |
-| [ui/yarn.lock](v2.4.15/argocd-test.html) | 0 | 0 | 3 | 0 |
-| [dex:v2.35.3-distroless](v2.4.15/ghcr.io_dexidp_dex_v2.35.3-distroless.html) | 0 | 0 | 0 | 0 |
-| [haproxy:2.0.29-alpine](v2.4.15/haproxy_2.0.29-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd:v2.4.15](v2.4.15/quay.io_argoproj_argocd_v2.4.15.html) | 0 | 1 | 7 | 13 |
-| [redis:7.0.4-alpine](v2.4.15/redis_7.0.4-alpine.html) | 0 | 0 | 0 | 0 |
-| [install.yaml](v2.4.15/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v2.4.15/argocd-iac-namespace-install.html) | - | - | - | - |
+| [go.mod](v2.3.7/argocd-test.html) | 0 | 0 | 3 | 0 |
+| [ui/yarn.lock](v2.3.7/argocd-test.html) | 0 | 1 | 2 | 0 |
+| [dex:v2.32.0](v2.3.7/ghcr.io_dexidp_dex_v2.32.0.html) | 1 | 1 | 1 | 0 |
+| [haproxy:2.0.29-alpine](v2.3.7/haproxy_2.0.29-alpine.html) | 1 | 0 | 0 | 0 |
+| [argocd-applicationset:v0.4.1](v2.3.7/quay.io_argoproj_argocd-applicationset_v0.4.1.html) | 0 | 4 | 38 | 29 |
+| [argocd:v2.3.7](v2.3.7/quay.io_argoproj_argocd_v2.3.7.html) | 0 | 0 | 4 | 18 |
+| [redis:6.2.7-alpine](v2.3.7/redis_6.2.7-alpine.html) | 1 | 0 | 0 | 0 |
+| [install.yaml](v2.3.7/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v2.3.7/argocd-iac-namespace-install.html) | - | - | - | - |

-### v2.3.10
+### v2.2.12

 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v2.3.10/argocd-test.html) | 0 | 0 | 3 | 0 |
-| [ui/yarn.lock](v2.3.10/argocd-test.html) | 0 | 1 | 5 | 0 |
-| [dex:v2.35.3-distroless](v2.3.10/ghcr.io_dexidp_dex_v2.35.3-distroless.html) | 0 | 0 | 0 | 0 |
-| [haproxy:2.0.29-alpine](v2.3.10/haproxy_2.0.29-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd-applicationset:v0.4.1](v2.3.10/quay.io_argoproj_argocd-applicationset_v0.4.1.html) | 0 | 4 | 38 | 29 |
-| [argocd:v2.3.10](v2.3.10/quay.io_argoproj_argocd_v2.3.10.html) | 0 | 1 | 7 | 13 |
-| [redis:6.2.7-alpine](v2.3.10/redis_6.2.7-alpine.html) | 0 | 0 | 0 | 0 |
-| [install.yaml](v2.3.10/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v2.3.10/argocd-iac-namespace-install.html) | - | - | - | - |
-
-### v2.2.15
-
-|    | Critical | High | Medium | Low |
-|---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v2.2.15/argocd-test.html) | 0 | 0 | 4 | 0 |
-| [ui/yarn.lock](v2.2.15/argocd-test.html) | 0 | 1 | 5 | 0 |
-| [dex:v2.35.3-distroless](v2.2.15/ghcr.io_dexidp_dex_v2.35.3-distroless.html) | 0 | 0 | 0 | 0 |
-| [haproxy:2.0.29-alpine](v2.2.15/haproxy_2.0.29-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd:v2.2.15](v2.2.15/quay.io_argoproj_argocd_v2.2.15.html) | 0 | 1 | 7 | 23 |
-| [redis:6.2.7-alpine](v2.2.15/redis_6.2.7-alpine.html) | 0 | 0 | 0 | 0 |
-| [install.yaml](v2.2.15/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v2.2.15/argocd-iac-namespace-install.html) | - | - | - | - |
+| [go.mod](v2.2.12/argocd-test.html) | 0 | 0 | 3 | 0 |
+| [ui/yarn.lock](v2.2.12/argocd-test.html) | 0 | 1 | 2 | 0 |
+| [dex:v2.32.0](v2.2.12/ghcr.io_dexidp_dex_v2.32.0.html) | 1 | 1 | 1 | 0 |
+| [haproxy:2.0.29-alpine](v2.2.12/haproxy_2.0.29-alpine.html) | 1 | 0 | 0 | 0 |
+| [argocd:v2.2.12](v2.2.12/quay.io_argoproj_argocd_v2.2.12.html) | 0 | 0 | 7 | 28 |
+| [redis:6.2.7-alpine](v2.2.12/redis_6.2.7-alpine.html) | 1 | 0 | 0 | 0 |
+| [install.yaml](v2.2.12/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v2.2.12/argocd-iac-namespace-install.html) | - | - | - | - |
--- a/docs/snyk/master/argocd-iac-install.html
+++ b/docs/snyk/master/argocd-iac-install.html
@@ -456,12 +456,12 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">October 30th 2022, 12:21:01 am</p>
+                <p class="timestamp">September 7th 2022, 7:35:15 pm</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
                  <ul>
-                    <li class="paths">/argo-cd/manifests/install.yaml (Kubernetes)</li>
+                    <li class="paths">/private/argo-cd/manifests/install.yaml (Kubernetes)</li>
                  </ul>
                </div>
    
@@ -476,7 +476,7 @@
            <table class="metatable">
                <tbody>
                <tr class="meta-row"><th class="meta-row-label">Project</th> <td class="meta-row-value">manifests/install.yaml</td></tr>
-                <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">/argo-cd/manifests/install.yaml</td></tr>
+                <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">/private/argo-cd/manifests/install.yaml</td></tr>
                <tr class="meta-row"><th class="meta-row-label">Project Type</th> <td class="meta-row-value">Kubernetes</td></tr>
                </tbody>
            </table>
@@ -508,6 +508,9 @@
                                  
                          </li>
              
+                          <li class="card__meta__item">
+                              Line number: 9299
+                          </li>
                      </ul>
              
                      <hr/>
@@ -553,6 +556,9 @@
                                  
                          </li>
              
+                          <li class="card__meta__item">
+                              Line number: 9338
+                          </li>
                      </ul>
              
                      <hr/>
@@ -598,51 +604,9 @@
                                  
                          </li>
              
-                      </ul>
-              
-                      <hr/>
-              
-                          <h2>Impact</h2>
-                          <p>Using this role grants dangerous permissions</p>
-              
-                          <h2>Remediation</h2>
-                          <p>Consider removing this permissions</p>
-              
-              
-                          <hr/>
-                  </div><!-- .card__section -->
-              
-                  <div class="cta card__cta">
-                      <p><a href="https://snyk.io/security-rules/SNYK-CC-K8S-47">More about this issue</a></p>
-                  </div>
-              
-              </div><!-- .card -->
-              <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
-                  <h2 class="card__title">Role with dangerous permissions</h2>
-                  <div class="card__section">
-              
-                      <div class="label label--medium">
-                          <span class="label__text">medium severity</span>
-                      </div>
-              
-                      <hr/>
-              
-                      <ul class="card__meta">
                          <li class="card__meta__item">
-                              Public ID: <a href="https://snyk.io/security-rules/SNYK-CC-K8S-47">SNYK-CC-K8S-47</a> 
+                              Line number: 9404
                          </li>
-              
-                          <li class="card__meta__item">Introduced through:
-                                  [DocId: 13]
-                                   <span class="list-paths__item__arrow">›</span> 
-                                  role
-                                   <span class="list-paths__item__arrow">›</span> 
-                                  rules[3]
-                                   <span class="list-paths__item__arrow">›</span> 
-                                  resources
-                                  
-                          </li>
-              
                      </ul>
              
                      <hr/>
@@ -688,6 +652,57 @@
                                  
                          </li>
              
+                          <li class="card__meta__item">
+                              Line number: 9423
+                          </li>
+                      </ul>
+              
+                      <hr/>
+              
+                          <h2>Impact</h2>
+                          <p>Using this role grants dangerous permissions</p>
+              
+                          <h2>Remediation</h2>
+                          <p>Consider removing this permissions</p>
+              
+              
+                          <hr/>
+                  </div><!-- .card__section -->
+              
+                  <div class="cta card__cta">
+                      <p><a href="https://snyk.io/security-rules/SNYK-CC-K8S-47">More about this issue</a></p>
+                  </div>
+              
+              </div><!-- .card -->
+              <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+                  <h2 class="card__title">Role with dangerous permissions</h2>
+                  <div class="card__section">
+              
+                      <div class="label label--medium">
+                          <span class="label__text">medium severity</span>
+                      </div>
+              
+                      <hr/>
+              
+                      <ul class="card__meta">
+                          <li class="card__meta__item">
+                              Public ID: <a href="https://snyk.io/security-rules/SNYK-CC-K8S-47">SNYK-CC-K8S-47</a> 
+                          </li>
+              
+                          <li class="card__meta__item">Introduced through:
+                                  [DocId: 13]
+                                   <span class="list-paths__item__arrow">›</span> 
+                                  role
+                                   <span class="list-paths__item__arrow">›</span> 
+                                  rules[3]
+                                   <span class="list-paths__item__arrow">›</span> 
+                                  resources
+                                  
+                          </li>
+              
+                          <li class="card__meta__item">
+                              Line number: 9423
+                          </li>
                      </ul>
              
                      <hr/>
@@ -733,6 +748,9 @@
                                  
                          </li>
              
+                          <li class="card__meta__item">
+                              Line number: 9464
+                          </li>
                      </ul>
              
                      <hr/>
@@ -783,7 +801,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10481
+                              Line number: 10412
                          </li>
                      </ul>
              
@@ -841,7 +859,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 9950
+                              Line number: 9942
                          </li>
                      </ul>
              
@@ -899,7 +917,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10117
+                              Line number: 10055
                          </li>
                      </ul>
              
@@ -957,7 +975,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10083
+                              Line number: 10021
                          </li>
                      </ul>
              
@@ -1015,7 +1033,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10173
+                              Line number: 10111
                          </li>
                      </ul>
              
@@ -1073,7 +1091,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10247
+                              Line number: 10185
                          </li>
                      </ul>
              
@@ -1131,7 +1149,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10481
+                              Line number: 10412
                          </li>
                      </ul>
              
@@ -1189,7 +1207,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10303
+                              Line number: 10241
                          </li>
                      </ul>
              
@@ -1247,7 +1265,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10566
+                              Line number: 10497
                          </li>
                      </ul>
              
@@ -1305,7 +1323,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10864
+                              Line number: 10794
                          </li>
                      </ul>
              
@@ -1357,7 +1375,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10097
+                              Line number: 10035
                          </li>
                      </ul>
              
@@ -1413,7 +1431,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10257
+                              Line number: 10195
                          </li>
                      </ul>
              
@@ -1465,7 +1483,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 9950
+                              Line number: 9942
                          </li>
                      </ul>
              
@@ -1517,7 +1535,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10083
+                              Line number: 10021
                          </li>
                      </ul>
              
@@ -1569,7 +1587,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10117
+                              Line number: 10055
                          </li>
                      </ul>
              
@@ -1621,7 +1639,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10247
+                              Line number: 10185
                          </li>
                      </ul>
              
@@ -1673,7 +1691,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10481
+                              Line number: 10412
                          </li>
                      </ul>
              
@@ -1731,7 +1749,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 9950
+                              Line number: 9942
                          </li>
                      </ul>
              
@@ -1789,7 +1807,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10083
+                              Line number: 10021
                          </li>
                      </ul>
              
@@ -1847,7 +1865,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10117
+                              Line number: 10055
                          </li>
                      </ul>
              
@@ -1905,7 +1923,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10173
+                              Line number: 10111
                          </li>
                      </ul>
              
@@ -1963,7 +1981,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10247
+                              Line number: 10185
                          </li>
                      </ul>
              
@@ -2021,7 +2039,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10481
+                              Line number: 10412
                          </li>
                      </ul>
              
@@ -2079,7 +2097,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10303
+                              Line number: 10241
                          </li>
                      </ul>
              
@@ -2137,7 +2155,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10566
+                              Line number: 10497
                          </li>
                      </ul>
              
@@ -2195,7 +2213,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 10864
+                              Line number: 10794
                          </li>
                      </ul>
              
--- a/docs/snyk/master/argocd-iac-namespace-install.html
+++ b/docs/snyk/master/argocd-iac-namespace-install.html
@@ -456,12 +456,12 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">October 30th 2022, 12:21:12 am</p>
+                <p class="timestamp">September 7th 2022, 7:35:27 pm</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
                  <ul>
-                    <li class="paths">/argo-cd/manifests/namespace-install.yaml (Kubernetes)</li>
+                    <li class="paths">/private/argo-cd/manifests/namespace-install.yaml (Kubernetes)</li>
                  </ul>
                </div>
    
@@ -476,7 +476,7 @@
            <table class="metatable">
                <tbody>
                <tr class="meta-row"><th class="meta-row-label">Project</th> <td class="meta-row-value">manifests/namespace-install.yaml</td></tr>
-                <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">/argo-cd/manifests/namespace-install.yaml</td></tr>
+                <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">/private/argo-cd/manifests/namespace-install.yaml</td></tr>
                <tr class="meta-row"><th class="meta-row-label">Project Type</th> <td class="meta-row-value">Kubernetes</td></tr>
                </tbody>
            </table>
@@ -508,6 +508,9 @@
                                  
                          </li>
              
+                          <li class="card__meta__item">
+                              Line number: 65
+                          </li>
                      </ul>
              
                      <hr/>
@@ -553,6 +556,9 @@
                                  
                          </li>
              
+                          <li class="card__meta__item">
+                              Line number: 104
+                          </li>
                      </ul>
              
                      <hr/>
@@ -598,51 +604,9 @@
                                  
                          </li>
              
-                      </ul>
-              
-                      <hr/>
-              
-                          <h2>Impact</h2>
-                          <p>Using this role grants dangerous permissions</p>
-              
-                          <h2>Remediation</h2>
-                          <p>Consider removing this permissions</p>
-              
-              
-                          <hr/>
-                  </div><!-- .card__section -->
-              
-                  <div class="cta card__cta">
-                      <p><a href="https://snyk.io/security-rules/SNYK-CC-K8S-47">More about this issue</a></p>
-                  </div>
-              
-              </div><!-- .card -->
-              <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
-                  <h2 class="card__title">Role with dangerous permissions</h2>
-                  <div class="card__section">
-              
-                      <div class="label label--medium">
-                          <span class="label__text">medium severity</span>
-                      </div>
-              
-                      <hr/>
-              
-                      <ul class="card__meta">
                          <li class="card__meta__item">
-                              Public ID: <a href="https://snyk.io/security-rules/SNYK-CC-K8S-47">SNYK-CC-K8S-47</a> 
+                              Line number: 170
                          </li>
-              
-                          <li class="card__meta__item">Introduced through:
-                                  [DocId: 10]
-                                   <span class="list-paths__item__arrow">›</span> 
-                                  role
-                                   <span class="list-paths__item__arrow">›</span> 
-                                  rules[3]
-                                   <span class="list-paths__item__arrow">›</span> 
-                                  resources
-                                  
-                          </li>
-              
                      </ul>
              
                      <hr/>
@@ -688,6 +652,57 @@
                                  
                          </li>
              
+                          <li class="card__meta__item">
+                              Line number: 189
+                          </li>
+                      </ul>
+              
+                      <hr/>
+              
+                          <h2>Impact</h2>
+                          <p>Using this role grants dangerous permissions</p>
+              
+                          <h2>Remediation</h2>
+                          <p>Consider removing this permissions</p>
+              
+              
+                          <hr/>
+                  </div><!-- .card__section -->
+              
+                  <div class="cta card__cta">
+                      <p><a href="https://snyk.io/security-rules/SNYK-CC-K8S-47">More about this issue</a></p>
+                  </div>
+              
+              </div><!-- .card -->
+              <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+                  <h2 class="card__title">Role with dangerous permissions</h2>
+                  <div class="card__section">
+              
+                      <div class="label label--medium">
+                          <span class="label__text">medium severity</span>
+                      </div>
+              
+                      <hr/>
+              
+                      <ul class="card__meta">
+                          <li class="card__meta__item">
+                              Public ID: <a href="https://snyk.io/security-rules/SNYK-CC-K8S-47">SNYK-CC-K8S-47</a> 
+                          </li>
+              
+                          <li class="card__meta__item">Introduced through:
+                                  [DocId: 10]
+                                   <span class="list-paths__item__arrow">›</span> 
+                                  role
+                                   <span class="list-paths__item__arrow">›</span> 
+                                  rules[3]
+                                   <span class="list-paths__item__arrow">›</span> 
+                                  resources
+                                  
+                          </li>
+              
+                          <li class="card__meta__item">
+                              Line number: 189
+                          </li>
                      </ul>
              
                      <hr/>
@@ -733,6 +748,9 @@
                                  
                          </li>
              
+                          <li class="card__meta__item">
+                              Line number: 230
+                          </li>
                      </ul>
              
                      <hr/>
@@ -783,7 +801,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1147
+                              Line number: 1085
                          </li>
                      </ul>
              
@@ -841,7 +859,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 616
+                              Line number: 615
                          </li>
                      </ul>
              
@@ -899,7 +917,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 783
+                              Line number: 728
                          </li>
                      </ul>
              
@@ -957,7 +975,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 749
+                              Line number: 694
                          </li>
                      </ul>
              
@@ -1015,7 +1033,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 839
+                              Line number: 784
                          </li>
                      </ul>
              
@@ -1073,7 +1091,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 913
+                              Line number: 858
                          </li>
                      </ul>
              
@@ -1131,7 +1149,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1147
+                              Line number: 1085
                          </li>
                      </ul>
              
@@ -1189,7 +1207,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 969
+                              Line number: 914
                          </li>
                      </ul>
              
@@ -1247,7 +1265,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1232
+                              Line number: 1170
                          </li>
                      </ul>
              
@@ -1305,7 +1323,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1530
+                              Line number: 1467
                          </li>
                      </ul>
              
@@ -1357,7 +1375,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 763
+                              Line number: 708
                          </li>
                      </ul>
              
@@ -1413,7 +1431,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 923
+                              Line number: 868
                          </li>
                      </ul>
              
@@ -1465,7 +1483,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 616
+                              Line number: 615
                          </li>
                      </ul>
              
@@ -1517,7 +1535,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 749
+                              Line number: 694
                          </li>
                      </ul>
              
@@ -1569,7 +1587,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 783
+                              Line number: 728
                          </li>
                      </ul>
              
@@ -1621,7 +1639,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 913
+                              Line number: 858
                          </li>
                      </ul>
              
@@ -1673,7 +1691,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1147
+                              Line number: 1085
                          </li>
                      </ul>
              
@@ -1731,7 +1749,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 616
+                              Line number: 615
                          </li>
                      </ul>
              
@@ -1789,7 +1807,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 749
+                              Line number: 694
                          </li>
                      </ul>
              
@@ -1847,7 +1865,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 783
+                              Line number: 728
                          </li>
                      </ul>
              
@@ -1905,7 +1923,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 839
+                              Line number: 784
                          </li>
                      </ul>
              
@@ -1963,7 +1981,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 913
+                              Line number: 858
                          </li>
                      </ul>
              
@@ -2021,7 +2039,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1147
+                              Line number: 1085
                          </li>
                      </ul>
              
@@ -2079,7 +2097,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 969
+                              Line number: 914
                          </li>
                      </ul>
              
@@ -2137,7 +2155,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1232
+                              Line number: 1170
                          </li>
                      </ul>
              
@@ -2195,7 +2213,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1530
+                              Line number: 1467
                          </li>
                      </ul>
              
--- a/docs/snyk/master/argocd-test.html
+++ b/docs/snyk/master/argocd-test.html
@@ -7,7 +7,7 @@
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
-  <meta name="description" content="5 known vulnerabilities found in 9 vulnerable dependency paths.">
+  <meta name="description" content="2 known vulnerabilities found in 6 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
@@ -456,19 +456,19 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">October 30th 2022, 12:19:12 am</p>
+                <p class="timestamp">September 7th 2022, 7:33:58 pm</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
                <ul>
-                  <li class="paths">/argo-cd/argoproj/argo-cd/v2 (gomodules)</li><li class="paths">/argo-cd (yarn)</li>
+                  <li class="paths">/private/argo-cd/argoproj/argo-cd/v2 (gomodules)</li><li class="paths">/private/argo-cd (yarn)</li>
                </ul>
              </div>
    
              <div class="meta-counts">
-                <div class="meta-count"><span>5</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>9 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>1721</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>2</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>6 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>1717</span> <span>dependencies</span></div>
              </div><!-- .meta-counts -->
            </div><!-- .layout-container--short -->
          </header><!-- .project__header -->
@@ -476,312 +476,6 @@

    <div class="layout-container" style="padding-top: 35px;">
      <div class="cards--vuln filter--patch filter--ignore">
-        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
-            <h2 class="card__title">Server-side Request Forgery (SSRF)</h2>
-            <div class="card__section">
-        
-                <div class="label label--medium">
-                    <span class="label__text">medium severity</span>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Package Manager: npm
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            parse-url
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-        
-                                    argo-cd-ui@1.0.0, git-url-parse@11.6.0 and others
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        argo-cd-ui@1.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        git-url-parse@11.6.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        git-up@4.0.5
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        parse-url@6.0.5
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="overview">Overview</h2>
-        <p><a href="https://www.npmjs.org/package/parse-url">parse-url</a> is an An advanced url parser supporting git urls too.</p>
-        <p>Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to improper detection of protocol, resource, and pathname fields. Exploiting this vulnerability results in bypassing protocol verification.</p>
-        <h2 id="poc">PoC:</h2>
-        <pre><code class="language-js">import parseUrl from &quot;parse-url&quot;;
-        import fetch from &#39;node-fetch&#39;;
-        var parsed=parseUrl(&quot;http://nnnn@localhost:808:/?id=xss&quot;)
-        if(parsed.resource==&quot;localhost&quot;){
-        console.log(&quot;internal network access is blocked&quot;)
-        }
-        else{
-           const response = await fetch(&#39;http://&#39;+parsed.resource+parsed.pathname);
-                console.log(response)
-         }
-        </code></pre>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>parse-url</code> to version 8.1.0 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/IonicaBizau/parse-url/commit/881ecb46e39286b0c2b3c32fe61dca9377176884">GitHub Commit</a></li>
-        <li><a href="https://github.com/IonicaBizau/parse-url/pull/55">GitHub PR</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-JS-PARSEURL-3023021">More about this vulnerability</a></p>
-            </div>
-        
-        </div><!-- .card -->
-        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
-            <h2 class="card__title">Improper Input Validation</h2>
-            <div class="card__section">
-        
-                <div class="label label--medium">
-                    <span class="label__text">medium severity</span>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Package Manager: npm
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            parse-url
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-        
-                                    argo-cd-ui@1.0.0, git-url-parse@11.6.0 and others
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        argo-cd-ui@1.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        git-url-parse@11.6.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        git-up@4.0.5
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        parse-url@6.0.5
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="overview">Overview</h2>
-        <p><a href="https://www.npmjs.org/package/parse-url">parse-url</a> is an An advanced url parser supporting git urls too.</p>
-        <p>Affected versions of this package are vulnerable to Improper Input Validation due to incorrect parsing of URLs. This allows the attacker to craft a malformed URL which can lead to a phishing attack.</p>
-        <pre><code class="language-js">
-        const parseUrl = require(&quot;parse-url&quot;);
-        const Url = require(&quot;url&quot;);
-        
-        const express = require(&#39;express&#39;);
-        const app = express();
-        
-        var url = &quot;https://www.google.com:x@fakesite.com:x&quot;;
-        parsed = parseUrl(url);
-        console.log(&quot;[*]`parse-url` output: &quot;)
-        console.log(parsed);
-        
-        parsed2 = Url.parse(url);
-        console.log(&quot;[*]`url` output: &quot;)
-        console.log(parsed2)
-        
-        app.get(&#39;/&#39;, (req, res) =&gt; {
-            if (parsed.host == &quot;www.google.com&quot;) {
-                res.send(&quot;&lt;a href=\&#39;&quot; + parsed2.href + &quot;\&#39;&gt;CLICK ME!&lt;/a&gt;&quot;)
-            }
-        })
-        
-        app.listen(8888,&quot;0.0.0.0&quot;);
-        </code></pre>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>parse-url</code> to version 8.1.0 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/IonicaBizau/parse-url/commit/881ecb46e39286b0c2b3c32fe61dca9377176884">GitHub Commit</a></li>
-        <li><a href="https://github.com/IonicaBizau/parse-url/commit/9500430a3b9973bb1b5b2b9b319af2685ad272b3">GitHub Commit</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-JS-PARSEURL-3024398">More about this vulnerability</a></p>
-            </div>
-        
-        </div><!-- .card -->
-        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
-            <h2 class="card__title">Regular Expression Denial of Service (ReDoS)</h2>
-            <div class="card__section">
-        
-                <div class="label label--medium">
-                    <span class="label__text">medium severity</span>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Package Manager: npm
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            minimatch
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-        
-                                    argo-cd-ui@1.0.0, redoc@2.0.0-rc.64 and others
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        argo-cd-ui@1.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        redoc@2.0.0-rc.64
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        @redocly/openapi-core@1.0.0-beta.82
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        minimatch@3.0.4
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="overview">Overview</h2>
-        <p><a href="https://www.npmjs.com/package/minimatch">minimatch</a> is a minimal matching utility.</p>
-        <p>Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the <code>braceExpand</code> function in <code>minimatch.js</code>.</p>
-        <h2 id="details">Details</h2>
-        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.</p>
-        <p>The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren&#39;t very intuitive and can ultimately end up making it easy for attackers to take your site down.</p>
-        <p>Let’s take the following regular expression as an example:</p>
-        <pre><code class="language-js">regex = /A(B|C+)+D/
-        </code></pre>
-        <p>This regular expression accomplishes the following:</p>
-        <ul>
-        <li><code>A</code> The string must start with the letter &#39;A&#39;</li>
-        <li><code>(B|C+)+</code> The string must then follow the letter A with either the letter &#39;B&#39; or some number of occurrences of the letter &#39;C&#39; (the <code>+</code> matches one or more times). The <code>+</code> at the end of this section states that we can look for one or more matches of this section.</li>
-        <li><code>D</code> Finally, we ensure this section of the string ends with a &#39;D&#39;</li>
-        </ul>
-        <p>The expression would match inputs such as <code>ABBD</code>, <code>ABCCCCD</code>, <code>ABCBCCCD</code> and <code>ACCCCCD</code></p>
-        <p>It most cases, it doesn&#39;t take very long for a regex engine to find a match:</p>
-        <pre><code class="language-bash">$ time node -e &#39;/A(B|C+)+D/.test(&quot;ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD&quot;)&#39;
-        0.04s user 0.01s system 95% cpu 0.052 total
-        
-        $ time node -e &#39;/A(B|C+)+D/.test(&quot;ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX&quot;)&#39;
-        1.79s user 0.02s system 99% cpu 1.812 total
-        </code></pre>
-        <p>The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.</p>
-        <p>Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as <em>catastrophic backtracking</em>.</p>
-        <p>Let&#39;s look at how our expression runs into this problem, using a shorter string: &quot;ACCCX&quot;. While it seems fairly straightforward, there are still four different ways that the engine could match those three C&#39;s:</p>
-        <ol>
-        <li>CCC</li>
-        <li>CC+C</li>
-        <li>C+CC</li>
-        <li>C+C+C.</li>
-        </ol>
-        <p>The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use <a href="https://regex101.com/debugger">RegEx 101 debugger</a> to see the engine has to take a total of 38 steps before it can determine the string doesn&#39;t match.</p>
-        <p>From there, the number of steps the engine must use to validate a string just continues to grow.</p>
-        <table>
-        <thead>
-        <tr>
-        <th>String</th>
-        <th align="right">Number of C&#39;s</th>
-        <th align="right">Number of steps</th>
-        </tr>
-        </thead>
-        <tbody><tr>
-        <td>ACCCX</td>
-        <td align="right">3</td>
-        <td align="right">38</td>
-        </tr>
-        <tr>
-        <td>ACCCCX</td>
-        <td align="right">4</td>
-        <td align="right">71</td>
-        </tr>
-        <tr>
-        <td>ACCCCCX</td>
-        <td align="right">5</td>
-        <td align="right">136</td>
-        </tr>
-        <tr>
-        <td>ACCCCCCCCCCCCCCX</td>
-        <td align="right">14</td>
-        <td align="right">65,553</td>
-        </tr>
-        </tbody></table>
-        <p>By the time the string includes 14 C&#39;s, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.</p>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>minimatch</code> to version 3.0.5 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6">GitHub Commit</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-JS-MINIMATCH-3050818">More about this vulnerability</a></p>
-            </div>
-        
-        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">Improper Input Validation</h2>
            <div class="card__section">
--- a/docs/snyk/v2.3.10/ghcr.io_dexidp_dex_v2.35.3-distroless.html
+++ b/docs/snyk/v2.3.10/ghcr.io_dexidp_dex_v2.35.3-distroless.html
@@ -456,12 +456,12 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">October 30th 2022, 12:25:32 am</p>
+                <p class="timestamp">September 7th 2022, 7:34:05 pm</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following path:</span>
                <ul>
-                  <li class="paths">ghcr.io/dexidp/dex:v2.35.3-distroless/dexidp/dex (deb)</li>
+                  <li class="paths">ghcr.io/dexidp/dex:v2.32.0-distroless/dexidp/dex (deb)</li>
                </ul>
              </div>
    
@@ -477,7 +477,7 @@
          <table class="metatable">
              <tbody>
              <tr class="meta-row"><th class="meta-row-label">Project</th> <td class="meta-row-value">docker-image|ghcr.io/dexidp/dex</td></tr>
-              <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">ghcr.io/dexidp/dex:v2.35.3-distroless/dexidp/dex</td></tr>
+              <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">ghcr.io/dexidp/dex:v2.32.0-distroless/dexidp/dex</td></tr>
              <tr class="meta-row"><th class="meta-row-label">Package Manager</th> <td class="meta-row-value">deb</td></tr>
              
              </tbody>
--- a/docs/snyk/master/ghcr.io_dexidp_dex_v2.35.3-distroless.html
+++ b/docs/snyk/master/ghcr.io_dexidp_dex_v2.35.3-distroless.html
@@ -1,492 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-
-<head>
-  <meta http-equiv="Content-type" content="text/html; charset=utf-8">
-  <meta http-equiv="Content-Language" content="en-us">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <meta http-equiv="X-UA-Compatible" content="IE=edge">
-  <title>Snyk test report</title>
-  <meta name="description" content="0 known vulnerabilities found in 0 vulnerable dependency paths.">
-  <base target="_blank">
-  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
-    sizes="194x194">
-  <link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico">
-  <style type="text/css">
-  
-    body {
-      -moz-font-feature-settings: "pnum";
-      -webkit-font-feature-settings: "pnum";
-      font-variant-numeric: proportional-nums;
-      display: flex;
-      flex-direction: column;
-      font-feature-settings: "pnum";
-      font-size: 100%;
-      line-height: 1.5;
-      min-height: 100vh;
-      -webkit-text-size-adjust: 100%;
-      margin: 0;
-      padding: 0;
-      background-color: #F5F5F5;
-      font-family: 'Arial', 'Helvetica', Calibri, sans-serif;
-    }
-  
-    h1,
-    h2,
-    h3,
-    h4,
-    h5,
-    h6 {
-      font-weight: 500;
-    }
-  
-    a,
-    a:link,
-    a:visited {
-      border-bottom: 1px solid #4b45a9;
-      text-decoration: none;
-      color: #4b45a9;
-    }
-  
-    a:hover,
-    a:focus,
-    a:active {
-      border-bottom: 1px solid #4b45a9;
-    }
-  
-    hr {
-      border: none;
-      margin: 1em 0;
-      border-top: 1px solid #c5c5c5;
-    }
-  
-    ul {
-      padding: 0 1em;
-      margin: 1em 0;
-    }
-  
-    code {
-      background-color: #EEE;
-      color: #333;
-      padding: 0.25em 0.5em;
-      border-radius: 0.25em;
-    }
-  
-    pre {
-      background-color: #333;
-      font-family: monospace;
-      padding: 0.5em 1em 0.75em;
-      border-radius: 0.25em;
-      font-size: 14px;
-    }
-  
-    pre code {
-      padding: 0;
-      background-color: transparent;
-      color: #fff;
-    }
-  
-    a code {
-      border-radius: .125rem .125rem 0 0;
-      padding-bottom: 0;
-      color: #4b45a9;
-    }
-  
-    a[href^="http://"]:after,
-    a[href^="https://"]:after {
-      background-image: linear-gradient(transparent,transparent),url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20112%20109%22%3E%3Cg%20id%3D%22Page-1%22%20fill%3D%22none%22%20fill-rule%3D%22evenodd%22%3E%3Cg%20id%3D%22link-external%22%3E%3Cg%20id%3D%22arrow%22%3E%3Cpath%20id%3D%22Line%22%20stroke%3D%22%234B45A9%22%20stroke-width%3D%2215%22%20d%3D%22M88.5%2021l-43%2042.5%22%20stroke-linecap%3D%22square%22%2F%3E%3Cpath%20id%3D%22Triangle%22%20fill%3D%22%234B45A9%22%20d%3D%22M111.2%200v50L61%200z%22%2F%3E%3C%2Fg%3E%3Cpath%20id%3D%22square%22%20fill%3D%22%234B45A9%22%20d%3D%22M66%2015H0v94h94V44L79%2059v35H15V30h36z%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E");
-      background-repeat: no-repeat;
-      background-size: .75rem;
-      content: "";
-      display: inline-block;
-      height: .75rem;
-      margin-left: .25rem;
-      width: .75rem;
-    }
-  
-  
-  /* Layout */
-  
-    [class*=layout-container] {
-      margin: 0 auto;
-      max-width: 71.25em;
-      padding: 1.9em 1.3em;
-      position: relative;
-    }
-    .layout-container--short {
-      padding-top: 0;
-      padding-bottom: 0;
-      max-width: 48.75em;
-    }
-  
-    .layout-container--short:after {
-      display: block;
-      content: "";
-      clear: both;
-    }
-  
-  /* Header */
-  
-    .header {
-      padding-bottom: 1px;
-    }
-  
-    .paths {
-      margin-left: 8px;
-    }
-    .header-wrap {
-      display: flex;
-      flex-direction: row;
-      justify-content: space-between;
-      padding-top: 2em;
-    }
-    .project__header {
-      background-color: #4b45a9;
-      color: #fff;
-      margin-bottom: -1px;
-      padding-top: 1em;
-      padding-bottom: 0.25em;
-      border-bottom: 2px solid #BBB;
-    }
-  
-    .project__header__title {
-      overflow-wrap: break-word;
-      word-wrap: break-word;
-      word-break: break-all;
-      margin-bottom: .1em;
-      margin-top: 0;
-    }
-  
-    .timestamp {
-      float: right;
-      clear: none;
-      margin-bottom: 0;
-    }
-  
-    .meta-counts {
-      clear: both;
-      display: block;
-      flex-wrap: wrap;
-      justify-content: space-between;
-      margin: 0 0 1.5em;
-      color: #fff;
-      clear: both;
-      font-size: 1.1em;
-    }
-  
-    .meta-count {
-      display: block;
-      flex-basis: 100%;
-      margin: 0 1em 1em 0;
-      float: left;
-      padding-right: 1em;
-      border-right: 2px solid #fff;
-    }
-  
-    .meta-count:last-child {
-      border-right: 0;
-      padding-right: 0;
-      margin-right: 0;
-    }
-  
-  /* Card */
-  
-    .card {
-      background-color: #fff;
-      border: 1px solid #c5c5c5;
-      border-radius: .25rem;
-      margin: 0 0 2em 0;
-      position: relative;
-      min-height: 40px;
-      padding: 1.5em;
-    }
-  
-    .card .label {
-      background-color: #767676;
-      border: 2px solid #767676;
-      color: white;
-      padding: 0.25rem 0.75rem;
-      font-size: 0.875rem;
-      text-transform: uppercase;
-      display: inline-block;
-      margin: 0;
-      border-radius: 0.25rem;
-    }
-  
-    .card .label__text {
-      vertical-align: text-top;
-        font-weight: bold;
-    }
-  
-    .card .label--critical {
-      background-color: #AB1A1A;
-      border-color: #AB1A1A;
-    }
-  
-    .card .label--high {
-      background-color: #CE5019;
-      border-color: #CE5019;
-    }
-  
-    .card .label--medium {
-      background-color: #D68000;
-      border-color: #D68000;
-    }
-  
-    .card .label--low {
-      background-color: #88879E;
-      border-color: #88879E;
-    }
-  
-    .severity--low {
-      border-color: #88879E;
-    }
-  
-    .severity--medium {
-      border-color: #D68000;
-    }
-  
-    .severity--high {
-      border-color: #CE5019;
-    }
-  
-    .severity--critical {
-      border-color: #AB1A1A;
-    }
-  
-    .card--vuln {
-      padding-top: 4em;
-    }
-  
-    .card--vuln .label {
-      left: 0;
-      position: absolute;
-      top: 1.1em;
-      padding-left: 1.9em;
-      padding-right: 1.9em;
-      border-radius: 0 0.25rem 0.25rem 0;
-    }
-  
-    .card--vuln .card__section h2 {
-      font-size: 22px;
-      margin-bottom: 0.5em;
-    }
-  
-    .card--vuln .card__section p {
-      margin: 0 0 0.5em 0;
-    }
-  
-    .card--vuln .card__meta {
-      padding: 0 0 0 1em;
-      margin: 0;
-      font-size: 1.1em;
-    }
-  
-    .card .card__meta__paths {
-      font-size: 0.9em;
-    }
-  
-    .card--vuln .card__title {
-      font-size: 28px;
-      margin-top: 0;
-    }
-  
-    .card--vuln .card__cta p {
-      margin: 0;
-      text-align: right;
-    }
-  
-    .source-panel {
-      clear: both;
-      display: flex;
-      justify-content: flex-start;
-      flex-direction: column;
-      align-items: flex-start;
-      padding: 0.5em 0;
-      width: fit-content;
-    }
-  
-  
-  
-  </style>
-  <style type="text/css">
-    .metatable {
-      text-size-adjust: 100%;
-      -webkit-font-smoothing: antialiased;
-      -webkit-box-direction: normal;
-      color: inherit;
-      font-feature-settings: "pnum";
-      box-sizing: border-box;
-      background: transparent;
-      border: 0;
-      font: inherit;
-      font-size: 100%;
-      margin: 0;
-      outline: none;
-      padding: 0;
-      text-align: left;
-      text-decoration: none;
-      vertical-align: baseline;
-      z-index: auto;
-      margin-top: 12px;
-      border-collapse: collapse;
-      border-spacing: 0;
-      font-variant-numeric: tabular-nums;
-      max-width: 51.75em;
-    }
-  
-    tbody {
-      text-size-adjust: 100%;
-      -webkit-font-smoothing: antialiased;
-      -webkit-box-direction: normal;
-      color: inherit;
-      font-feature-settings: "pnum";
-      border-collapse: collapse;
-      border-spacing: 0;
-      box-sizing: border-box;
-      background: transparent;
-      border: 0;
-      font: inherit;
-      font-size: 100%;
-      margin: 0;
-      outline: none;
-      padding: 0;
-      text-align: left;
-      text-decoration: none;
-      vertical-align: baseline;
-      z-index: auto;
-      display: flex;
-      flex-wrap: wrap;
-    }
-  
-    .meta-row {
-      text-size-adjust: 100%;
-      -webkit-font-smoothing: antialiased;
-      -webkit-box-direction: normal;
-      color: inherit;
-      font-feature-settings: "pnum";
-      border-collapse: collapse;
-      border-spacing: 0;
-      box-sizing: border-box;
-      background: transparent;
-      border: 0;
-      font: inherit;
-      font-size: 100%;
-      outline: none;
-      text-align: left;
-      text-decoration: none;
-      vertical-align: baseline;
-      z-index: auto;
-      display: flex;
-      align-items: start;
-      border-top: 1px solid #d3d3d9;
-      padding: 8px 0 0 0;
-      border-bottom: none;
-      margin: 8px;
-      width: 47.75%;
-    }
-  
-    .meta-row-label {
-      text-size-adjust: 100%;
-      -webkit-font-smoothing: antialiased;
-      -webkit-box-direction: normal;
-      font-feature-settings: "pnum";
-      border-collapse: collapse;
-      border-spacing: 0;
-      color: #4c4a73;
-      box-sizing: border-box;
-      background: transparent;
-      border: 0;
-      font: inherit;
-      margin: 0;
-      outline: none;
-      text-decoration: none;
-      z-index: auto;
-      align-self: start;
-      flex: 1;
-      font-size: 1rem;
-      line-height: 1.5rem;
-      padding: 0;
-      text-align: left;
-      vertical-align: top;
-      text-transform: none;
-      letter-spacing: 0;
-    }
-  
-    .meta-row-value {
-      text-size-adjust: 100%;
-      -webkit-font-smoothing: antialiased;
-      -webkit-box-direction: normal;
-      color: inherit;
-      font-feature-settings: "pnum";
-      border-collapse: collapse;
-      border-spacing: 0;
-      word-break: break-word;
-      box-sizing: border-box;
-      background: transparent;
-      border: 0;
-      font: inherit;
-      font-size: 100%;
-      margin: 0;
-      outline: none;
-      padding: 0;
-      text-align: right;
-      text-decoration: none;
-      vertical-align: baseline;
-      z-index: auto;
-    }
-  </style>
-</head>
-
-<body class="section-projects">
-  <main class="layout-stacked">
-        <div class="layout-stacked__header header">
-          <header class="project__header">
-            <div class="layout-container">
-              <a class="brand" href="https://snyk.io" title="Snyk">
-                <svg width="68px" height="35px" viewBox="0 0 68 35" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img">
-                  <title>Snyk - Open Source Security</title>
-                  <g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
-                    <g fill="#fff">
-                      <path d="M5.732,27.278 C3.445,27.278 1.589,26.885 0,26.124 L0.483,22.472 C2.163,23.296 4.056,23.689 5.643,23.689 C6.801,23.689 7.563,23.295 7.563,22.599 C7.563,20.594 0.333,21.076 0.333,15.839 C0.333,12.491 3.407,10.729 7.259,10.729 C9.179,10.729 11.161,11.249 12.444,11.704 L11.924,15.294 C10.577,14.774 8.747,14.291 7.222,14.291 C6.282,14.291 5.518,14.621 5.518,15.231 C5.518,17.208 12.903,16.815 12.903,21.925 C12.903,25.325 9.877,27.277 5.733,27.277 L5.732,27.278 Z M25.726,26.936 L25.726,17.894 C25.726,15.827 24.811,14.85 23.069,14.85 C22.219,14.85 21.329,15.09 20.719,15.46 L20.719,26.936 L15.352,26.936 L15.352,11.262 L20.602,10.83 L20.474,13.392 L20.652,13.392 C21.784,11.87 23.702,10.716 25.992,10.716 C28.736,10.716 31.112,12.416 31.112,16.436 L31.112,26.936 L25.724,26.936 L25.726,26.936 Z M61.175,26.936 L56.879,19.479 L56.446,19.479 L56.446,26.935 L51.082,26.935 L51.082,8.37 L56.447,0 L56.447,17.323 C57.515,16.017 61.112,11.059 61.112,11.059 L67.732,11.059 L61.454,17.689 L67.949,26.95 L61.175,26.95 L61.175,26.938 L61.175,26.936 Z M44.13,11.11 L41.93,18.262 C41.5,19.606 41.08,22.079 41.08,22.079 C41.08,22.079 40.75,19.516 40.292,18.172 L37.94,11.108 L31.928,11.108 L38.462,26.935 C37.572,29.04 36.199,30.815 34.369,30.815 C34.039,30.815 33.709,30.802 33.389,30.765 L31.255,34.061 C31.928,34.441 33.212,34.835 34.737,34.835 C38.703,34.835 41.359,31.627 43.215,26.885 L49.443,11.108 L44.132,11.108 L44.13,11.11 Z"></path>
-                    </g>
-                  </g>
-                </svg>
-              </a>
-              <div class="header-wrap">
-                  <h1 class="project__header__title">Snyk test report</h1>
-    
-                <p class="timestamp">October 30th 2022, 12:19:27 am</p>
-              </div>
-              <div class="source-panel">
-                <span>Scanned the following path:</span>
-                <ul>
-                  <li class="paths">ghcr.io/dexidp/dex:v2.35.3-distroless/dexidp/dex (deb)</li>
-                </ul>
-              </div>
-    
-              <div class="meta-counts">
-                <div class="meta-count"><span>0</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>0 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>3</span> <span>dependencies</span></div>
-              </div><!-- .meta-counts -->
-            </div><!-- .layout-container--short -->
-          </header><!-- .project__header -->
-        </div><!-- .layout-stacked__header -->
-      <section class="layout-container">
-          <table class="metatable">
-              <tbody>
-              <tr class="meta-row"><th class="meta-row-label">Project</th> <td class="meta-row-value">docker-image|ghcr.io/dexidp/dex</td></tr>
-              <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">ghcr.io/dexidp/dex:v2.35.3-distroless/dexidp/dex</td></tr>
-              <tr class="meta-row"><th class="meta-row-label">Package Manager</th> <td class="meta-row-value">deb</td></tr>
-              
-              </tbody>
-          </table>
-      </section>
-    <div class="layout-container" style="padding-top: 35px;">
-      No known vulnerabilities detected.
-    </div>
-  </main><!-- .layout-stacked__content -->
-</body>
-
-</html>
--- a/docs/snyk/master/haproxy_2.6.2-alpine.html
+++ b/docs/snyk/master/haproxy_2.6.2-alpine.html
@@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">October 30th 2022, 12:19:33 am</p>
+                <p class="timestamp">September 7th 2022, 7:34:13 pm</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following path:</span>
--- a/docs/snyk/master/quay.io_argoproj_argocd_latest.html
+++ b/docs/snyk/master/quay.io_argoproj_argocd_latest.html
--- a/docs/snyk/v2.4.15/redis_7.0.4-alpine.html
+++ b/docs/snyk/v2.4.15/redis_7.0.4-alpine.html
@@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">October 30th 2022, 12:24:06 am</p>
+                <p class="timestamp">September 7th 2022, 7:34:30 pm</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following path:</span>
--- a/docs/snyk/v2.2.12/argocd-iac-install.html
+++ b/docs/snyk/v2.2.12/argocd-iac-install.html
@@ -456,12 +456,12 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">October 30th 2022, 12:29:41 am</p>
+                <p class="timestamp">September 7th 2022, 7:39:56 pm</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
                  <ul>
-                    <li class="paths">/argo-cd/manifests/install.yaml (Kubernetes)</li>
+                    <li class="paths">/private/argo-cd/manifests/install.yaml (Kubernetes)</li>
                  </ul>
                </div>
    
@@ -476,7 +476,7 @@
            <table class="metatable">
                <tbody>
                <tr class="meta-row"><th class="meta-row-label">Project</th> <td class="meta-row-value">manifests/install.yaml</td></tr>
-                <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">/argo-cd/manifests/install.yaml</td></tr>
+                <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">/private/argo-cd/manifests/install.yaml</td></tr>
                <tr class="meta-row"><th class="meta-row-label">Project Type</th> <td class="meta-row-value">Kubernetes</td></tr>
                </tbody>
            </table>
@@ -1020,6 +1020,9 @@
                                  
                          </li>
              
+                          <li class="card__meta__item">
+                              Line number: 2594
+                          </li>
                      </ul>
              
                      <hr/>
@@ -1065,6 +1068,9 @@
                                  
                          </li>
              
+                          <li class="card__meta__item">
+                              Line number: 2633
+                          </li>
                      </ul>
              
                      <hr/>
@@ -1110,6 +1116,9 @@
                                  
                          </li>
              
+                          <li class="card__meta__item">
+                              Line number: 2652
+                          </li>
                      </ul>
              
                      <hr/>
--- a/docs/snyk/v2.2.12/argocd-iac-namespace-install.html
+++ b/docs/snyk/v2.2.12/argocd-iac-namespace-install.html
@@ -456,12 +456,12 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">October 30th 2022, 12:29:48 am</p>
+                <p class="timestamp">September 7th 2022, 7:40:03 pm</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
                  <ul>
-                    <li class="paths">/argo-cd/manifests/namespace-install.yaml (Kubernetes)</li>
+                    <li class="paths">/private/argo-cd/manifests/namespace-install.yaml (Kubernetes)</li>
                  </ul>
                </div>
    
@@ -476,7 +476,7 @@
            <table class="metatable">
                <tbody>
                <tr class="meta-row"><th class="meta-row-label">Project</th> <td class="meta-row-value">manifests/namespace-install.yaml</td></tr>
-                <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">/argo-cd/manifests/namespace-install.yaml</td></tr>
+                <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">/private/argo-cd/manifests/namespace-install.yaml</td></tr>
                <tr class="meta-row"><th class="meta-row-label">Project Type</th> <td class="meta-row-value">Kubernetes</td></tr>
                </tbody>
            </table>
@@ -1020,6 +1020,9 @@
                                  
                          </li>
              
+                          <li class="card__meta__item">
+                              Line number: 38
+                          </li>
                      </ul>
              
                      <hr/>
@@ -1065,6 +1068,9 @@
                                  
                          </li>
              
+                          <li class="card__meta__item">
+                              Line number: 77
+                          </li>
                      </ul>
              
                      <hr/>
@@ -1110,6 +1116,9 @@
                                  
                          </li>
              
+                          <li class="card__meta__item">
+                              Line number: 96
+                          </li>
                      </ul>
              
                      <hr/>
--- a/docs/snyk/v2.2.12/argocd-test.html
+++ b/docs/snyk/v2.2.12/argocd-test.html
@@ -7,7 +7,7 @@
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
-  <meta name="description" content="10 known vulnerabilities found in 15 vulnerable dependency paths.">
+  <meta name="description" content="6 known vulnerabilities found in 11 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
@@ -456,18 +456,18 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">October 30th 2022, 12:28:26 am</p>
+                <p class="timestamp">September 7th 2022, 7:39:03 pm</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
                <ul>
-                  <li class="paths">/argo-cd/argoproj/argo-cd/v2 (gomodules)</li><li class="paths">/argo-cd (yarn)</li>
+                  <li class="paths">/private/argo-cd/argoproj/argo-cd/v2 (gomodules)</li><li class="paths">/private/argo-cd (yarn)</li>
                </ul>
              </div>
    
              <div class="meta-counts">
-                <div class="meta-count"><span>10</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>15 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>6</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>11 vulnerable dependency paths</span></div>
                <div class="meta-count"><span>1367</span> <span>dependencies</span></div>
              </div><!-- .meta-counts -->
            </div><!-- .layout-container--short -->
@@ -621,182 +621,6 @@
                <p><a href="https://snyk.io/vuln/SNYK-JS-MOMENT-2944238">More about this vulnerability</a></p>
            </div>
        
-        </div><!-- .card -->
-        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
-            <h2 class="card__title">Server-side Request Forgery (SSRF)</h2>
-            <div class="card__section">
-        
-                <div class="label label--medium">
-                    <span class="label__text">medium severity</span>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Package Manager: npm
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            parse-url
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-        
-                                    argo-cd-ui@1.0.0, git-url-parse@11.1.2 and others
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        argo-cd-ui@1.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        git-url-parse@11.1.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        git-up@4.0.5
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        parse-url@6.0.5
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="overview">Overview</h2>
-        <p><a href="https://www.npmjs.org/package/parse-url">parse-url</a> is an An advanced url parser supporting git urls too.</p>
-        <p>Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to improper detection of protocol, resource, and pathname fields. Exploiting this vulnerability results in bypassing protocol verification.</p>
-        <h2 id="poc">PoC:</h2>
-        <pre><code class="language-js">import parseUrl from &quot;parse-url&quot;;
-        import fetch from &#39;node-fetch&#39;;
-        var parsed=parseUrl(&quot;http://nnnn@localhost:808:/?id=xss&quot;)
-        if(parsed.resource==&quot;localhost&quot;){
-        console.log(&quot;internal network access is blocked&quot;)
-        }
-        else{
-           const response = await fetch(&#39;http://&#39;+parsed.resource+parsed.pathname);
-                console.log(response)
-         }
-        </code></pre>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>parse-url</code> to version 8.1.0 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/IonicaBizau/parse-url/commit/881ecb46e39286b0c2b3c32fe61dca9377176884">GitHub Commit</a></li>
-        <li><a href="https://github.com/IonicaBizau/parse-url/pull/55">GitHub PR</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-JS-PARSEURL-3023021">More about this vulnerability</a></p>
-            </div>
-        
-        </div><!-- .card -->
-        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
-            <h2 class="card__title">Improper Input Validation</h2>
-            <div class="card__section">
-        
-                <div class="label label--medium">
-                    <span class="label__text">medium severity</span>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Package Manager: npm
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            parse-url
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-        
-                                    argo-cd-ui@1.0.0, git-url-parse@11.1.2 and others
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        argo-cd-ui@1.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        git-url-parse@11.1.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        git-up@4.0.5
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        parse-url@6.0.5
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="overview">Overview</h2>
-        <p><a href="https://www.npmjs.org/package/parse-url">parse-url</a> is an An advanced url parser supporting git urls too.</p>
-        <p>Affected versions of this package are vulnerable to Improper Input Validation due to incorrect parsing of URLs. This allows the attacker to craft a malformed URL which can lead to a phishing attack.</p>
-        <pre><code class="language-js">
-        const parseUrl = require(&quot;parse-url&quot;);
-        const Url = require(&quot;url&quot;);
-        
-        const express = require(&#39;express&#39;);
-        const app = express();
-        
-        var url = &quot;https://www.google.com:x@fakesite.com:x&quot;;
-        parsed = parseUrl(url);
-        console.log(&quot;[*]`parse-url` output: &quot;)
-        console.log(parsed);
-        
-        parsed2 = Url.parse(url);
-        console.log(&quot;[*]`url` output: &quot;)
-        console.log(parsed2)
-        
-        app.get(&#39;/&#39;, (req, res) =&gt; {
-            if (parsed.host == &quot;www.google.com&quot;) {
-                res.send(&quot;&lt;a href=\&#39;&quot; + parsed2.href + &quot;\&#39;&gt;CLICK ME!&lt;/a&gt;&quot;)
-            }
-        })
-        
-        app.listen(8888,&quot;0.0.0.0&quot;);
-        </code></pre>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>parse-url</code> to version 8.1.0 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/IonicaBizau/parse-url/commit/881ecb46e39286b0c2b3c32fe61dca9377176884">GitHub Commit</a></li>
-        <li><a href="https://github.com/IonicaBizau/parse-url/commit/9500430a3b9973bb1b5b2b9b319af2685ad272b3">GitHub Commit</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-JS-PARSEURL-3024398">More about this vulnerability</a></p>
-            </div>
-        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">Information Exposure</h2>
@@ -939,216 +763,6 @@
                <p><a href="https://snyk.io/vuln/SNYK-JS-NODEFETCH-674311">More about this vulnerability</a></p>
            </div>
        
-        </div><!-- .card -->
-        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
-            <h2 class="card__title">Regular Expression Denial of Service (ReDoS)</h2>
-            <div class="card__section">
-        
-                <div class="label label--medium">
-                    <span class="label__text">medium severity</span>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Package Manager: npm
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            minimatch
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-                                argo-cd-ui@1.0.0 and minimatch@3.0.4
-        
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        argo-cd-ui@1.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        minimatch@3.0.4
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="overview">Overview</h2>
-        <p><a href="https://www.npmjs.com/package/minimatch">minimatch</a> is a minimal matching utility.</p>
-        <p>Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the <code>braceExpand</code> function in <code>minimatch.js</code>.</p>
-        <h2 id="details">Details</h2>
-        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.</p>
-        <p>The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren&#39;t very intuitive and can ultimately end up making it easy for attackers to take your site down.</p>
-        <p>Let’s take the following regular expression as an example:</p>
-        <pre><code class="language-js">regex = /A(B|C+)+D/
-        </code></pre>
-        <p>This regular expression accomplishes the following:</p>
-        <ul>
-        <li><code>A</code> The string must start with the letter &#39;A&#39;</li>
-        <li><code>(B|C+)+</code> The string must then follow the letter A with either the letter &#39;B&#39; or some number of occurrences of the letter &#39;C&#39; (the <code>+</code> matches one or more times). The <code>+</code> at the end of this section states that we can look for one or more matches of this section.</li>
-        <li><code>D</code> Finally, we ensure this section of the string ends with a &#39;D&#39;</li>
-        </ul>
-        <p>The expression would match inputs such as <code>ABBD</code>, <code>ABCCCCD</code>, <code>ABCBCCCD</code> and <code>ACCCCCD</code></p>
-        <p>It most cases, it doesn&#39;t take very long for a regex engine to find a match:</p>
-        <pre><code class="language-bash">$ time node -e &#39;/A(B|C+)+D/.test(&quot;ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD&quot;)&#39;
-        0.04s user 0.01s system 95% cpu 0.052 total
-        
-        $ time node -e &#39;/A(B|C+)+D/.test(&quot;ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX&quot;)&#39;
-        1.79s user 0.02s system 99% cpu 1.812 total
-        </code></pre>
-        <p>The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.</p>
-        <p>Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as <em>catastrophic backtracking</em>.</p>
-        <p>Let&#39;s look at how our expression runs into this problem, using a shorter string: &quot;ACCCX&quot;. While it seems fairly straightforward, there are still four different ways that the engine could match those three C&#39;s:</p>
-        <ol>
-        <li>CCC</li>
-        <li>CC+C</li>
-        <li>C+CC</li>
-        <li>C+C+C.</li>
-        </ol>
-        <p>The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use <a href="https://regex101.com/debugger">RegEx 101 debugger</a> to see the engine has to take a total of 38 steps before it can determine the string doesn&#39;t match.</p>
-        <p>From there, the number of steps the engine must use to validate a string just continues to grow.</p>
-        <table>
-        <thead>
-        <tr>
-        <th>String</th>
-        <th align="right">Number of C&#39;s</th>
-        <th align="right">Number of steps</th>
-        </tr>
-        </thead>
-        <tbody><tr>
-        <td>ACCCX</td>
-        <td align="right">3</td>
-        <td align="right">38</td>
-        </tr>
-        <tr>
-        <td>ACCCCX</td>
-        <td align="right">4</td>
-        <td align="right">71</td>
-        </tr>
-        <tr>
-        <td>ACCCCCX</td>
-        <td align="right">5</td>
-        <td align="right">136</td>
-        </tr>
-        <tr>
-        <td>ACCCCCCCCCCCCCCX</td>
-        <td align="right">14</td>
-        <td align="right">65,553</td>
-        </tr>
-        </tbody></table>
-        <p>By the time the string includes 14 C&#39;s, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.</p>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>minimatch</code> to version 3.0.5 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6">GitHub Commit</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-JS-MINIMATCH-3050818">More about this vulnerability</a></p>
-            </div>
-        
-        </div><!-- .card -->
-        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
-            <h2 class="card__title">Improper Input Validation</h2>
-            <div class="card__section">
-        
-                <div class="label label--medium">
-                    <span class="label__text">medium severity</span>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Package Manager: golang
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            golang.org/x/text/language
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-        
-                                    github.com/argoproj/argo-cd/v2@0.0.0, sigs.k8s.io/controller-runtime/pkg/envtest@0.8.3 and others
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        sigs.k8s.io/controller-runtime/pkg/envtest@0.8.3
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        sigs.k8s.io/controller-runtime/pkg/internal/testing/integration@0.8.3
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        sigs.k8s.io/controller-runtime/pkg/internal/testing/integration/internal@0.8.3
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/onsi/gomega/gexec@1.15.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/onsi/gomega@1.15.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/onsi/gomega/matchers@1.15.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/net/html/charset@#491a49abca63
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/text/encoding/htmlindex@0.3.6
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/text/language@0.3.6
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="overview">Overview</h2>
-        <p>Affected versions of this package are vulnerable to Improper Input Validation due to the parser being, by design, exposed to untrusted user input, which can be leveraged to force a program to consume significant time parsing <code>Accept-Language</code> headers.</p>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>golang.org/x/text/language</code> to version 0.3.8 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c">GitHub Commit</a></li>
-        <li><a href="https://github.com/golang/go/issues/56152">GitHub Issue</a></li>
-        <li><a href="https://github.com/golang/text/releases/tag/v0.3.8">GitHub Release</a></li>
-        <li><a href="https://groups.google.com/g/golang-dev/c/qfPIly0X7aU">Google Groups Forum</a></li>
-        <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2134010">RedHat Bugzilla Bug</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869">More about this vulnerability</a></p>
-            </div>
-        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">Out-of-bounds Read</h2>
--- a/docs/snyk/v2.2.12/ghcr.io_dexidp_dex_v2.32.0.html
+++ b/docs/snyk/v2.2.12/ghcr.io_dexidp_dex_v2.32.0.html
@@ -0,0 +1,805 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+  <meta http-equiv="Content-type" content="text/html; charset=utf-8">
+  <meta http-equiv="Content-Language" content="en-us">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <title>Snyk test report</title>
+  <meta name="description" content="3 known vulnerabilities found in 12 vulnerable dependency paths.">
+  <base target="_blank">
+  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
+    sizes="194x194">
+  <link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico">
+  <style type="text/css">
+  
+    body {
+      -moz-font-feature-settings: "pnum";
+      -webkit-font-feature-settings: "pnum";
+      font-variant-numeric: proportional-nums;
+      display: flex;
+      flex-direction: column;
+      font-feature-settings: "pnum";
+      font-size: 100%;
+      line-height: 1.5;
+      min-height: 100vh;
+      -webkit-text-size-adjust: 100%;
+      margin: 0;
+      padding: 0;
+      background-color: #F5F5F5;
+      font-family: 'Arial', 'Helvetica', Calibri, sans-serif;
+    }
+  
+    h1,
+    h2,
+    h3,
+    h4,
+    h5,
+    h6 {
+      font-weight: 500;
+    }
+  
+    a,
+    a:link,
+    a:visited {
+      border-bottom: 1px solid #4b45a9;
+      text-decoration: none;
+      color: #4b45a9;
+    }
+  
+    a:hover,
+    a:focus,
+    a:active {
+      border-bottom: 1px solid #4b45a9;
+    }
+  
+    hr {
+      border: none;
+      margin: 1em 0;
+      border-top: 1px solid #c5c5c5;
+    }
+  
+    ul {
+      padding: 0 1em;
+      margin: 1em 0;
+    }
+  
+    code {
+      background-color: #EEE;
+      color: #333;
+      padding: 0.25em 0.5em;
+      border-radius: 0.25em;
+    }
+  
+    pre {
+      background-color: #333;
+      font-family: monospace;
+      padding: 0.5em 1em 0.75em;
+      border-radius: 0.25em;
+      font-size: 14px;
+    }
+  
+    pre code {
+      padding: 0;
+      background-color: transparent;
+      color: #fff;
+    }
+  
+    a code {
+      border-radius: .125rem .125rem 0 0;
+      padding-bottom: 0;
+      color: #4b45a9;
+    }
+  
+    a[href^="http://"]:after,
+    a[href^="https://"]:after {
+      background-image: linear-gradient(transparent,transparent),url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20112%20109%22%3E%3Cg%20id%3D%22Page-1%22%20fill%3D%22none%22%20fill-rule%3D%22evenodd%22%3E%3Cg%20id%3D%22link-external%22%3E%3Cg%20id%3D%22arrow%22%3E%3Cpath%20id%3D%22Line%22%20stroke%3D%22%234B45A9%22%20stroke-width%3D%2215%22%20d%3D%22M88.5%2021l-43%2042.5%22%20stroke-linecap%3D%22square%22%2F%3E%3Cpath%20id%3D%22Triangle%22%20fill%3D%22%234B45A9%22%20d%3D%22M111.2%200v50L61%200z%22%2F%3E%3C%2Fg%3E%3Cpath%20id%3D%22square%22%20fill%3D%22%234B45A9%22%20d%3D%22M66%2015H0v94h94V44L79%2059v35H15V30h36z%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E");
+      background-repeat: no-repeat;
+      background-size: .75rem;
+      content: "";
+      display: inline-block;
+      height: .75rem;
+      margin-left: .25rem;
+      width: .75rem;
+    }
+  
+  
+  /* Layout */
+  
+    [class*=layout-container] {
+      margin: 0 auto;
+      max-width: 71.25em;
+      padding: 1.9em 1.3em;
+      position: relative;
+    }
+    .layout-container--short {
+      padding-top: 0;
+      padding-bottom: 0;
+      max-width: 48.75em;
+    }
+  
+    .layout-container--short:after {
+      display: block;
+      content: "";
+      clear: both;
+    }
+  
+  /* Header */
+  
+    .header {
+      padding-bottom: 1px;
+    }
+  
+    .paths {
+      margin-left: 8px;
+    }
+    .header-wrap {
+      display: flex;
+      flex-direction: row;
+      justify-content: space-between;
+      padding-top: 2em;
+    }
+    .project__header {
+      background-color: #4b45a9;
+      color: #fff;
+      margin-bottom: -1px;
+      padding-top: 1em;
+      padding-bottom: 0.25em;
+      border-bottom: 2px solid #BBB;
+    }
+  
+    .project__header__title {
+      overflow-wrap: break-word;
+      word-wrap: break-word;
+      word-break: break-all;
+      margin-bottom: .1em;
+      margin-top: 0;
+    }
+  
+    .timestamp {
+      float: right;
+      clear: none;
+      margin-bottom: 0;
+    }
+  
+    .meta-counts {
+      clear: both;
+      display: block;
+      flex-wrap: wrap;
+      justify-content: space-between;
+      margin: 0 0 1.5em;
+      color: #fff;
+      clear: both;
+      font-size: 1.1em;
+    }
+  
+    .meta-count {
+      display: block;
+      flex-basis: 100%;
+      margin: 0 1em 1em 0;
+      float: left;
+      padding-right: 1em;
+      border-right: 2px solid #fff;
+    }
+  
+    .meta-count:last-child {
+      border-right: 0;
+      padding-right: 0;
+      margin-right: 0;
+    }
+  
+  /* Card */
+  
+    .card {
+      background-color: #fff;
+      border: 1px solid #c5c5c5;
+      border-radius: .25rem;
+      margin: 0 0 2em 0;
+      position: relative;
+      min-height: 40px;
+      padding: 1.5em;
+    }
+  
+    .card .label {
+      background-color: #767676;
+      border: 2px solid #767676;
+      color: white;
+      padding: 0.25rem 0.75rem;
+      font-size: 0.875rem;
+      text-transform: uppercase;
+      display: inline-block;
+      margin: 0;
+      border-radius: 0.25rem;
+    }
+  
+    .card .label__text {
+      vertical-align: text-top;
+        font-weight: bold;
+    }
+  
+    .card .label--critical {
+      background-color: #AB1A1A;
+      border-color: #AB1A1A;
+    }
+  
+    .card .label--high {
+      background-color: #CE5019;
+      border-color: #CE5019;
+    }
+  
+    .card .label--medium {
+      background-color: #D68000;
+      border-color: #D68000;
+    }
+  
+    .card .label--low {
+      background-color: #88879E;
+      border-color: #88879E;
+    }
+  
+    .severity--low {
+      border-color: #88879E;
+    }
+  
+    .severity--medium {
+      border-color: #D68000;
+    }
+  
+    .severity--high {
+      border-color: #CE5019;
+    }
+  
+    .severity--critical {
+      border-color: #AB1A1A;
+    }
+  
+    .card--vuln {
+      padding-top: 4em;
+    }
+  
+    .card--vuln .label {
+      left: 0;
+      position: absolute;
+      top: 1.1em;
+      padding-left: 1.9em;
+      padding-right: 1.9em;
+      border-radius: 0 0.25rem 0.25rem 0;
+    }
+  
+    .card--vuln .card__section h2 {
+      font-size: 22px;
+      margin-bottom: 0.5em;
+    }
+  
+    .card--vuln .card__section p {
+      margin: 0 0 0.5em 0;
+    }
+  
+    .card--vuln .card__meta {
+      padding: 0 0 0 1em;
+      margin: 0;
+      font-size: 1.1em;
+    }
+  
+    .card .card__meta__paths {
+      font-size: 0.9em;
+    }
+  
+    .card--vuln .card__title {
+      font-size: 28px;
+      margin-top: 0;
+    }
+  
+    .card--vuln .card__cta p {
+      margin: 0;
+      text-align: right;
+    }
+  
+    .source-panel {
+      clear: both;
+      display: flex;
+      justify-content: flex-start;
+      flex-direction: column;
+      align-items: flex-start;
+      padding: 0.5em 0;
+      width: fit-content;
+    }
+  
+  
+  
+  </style>
+  <style type="text/css">
+    .metatable {
+      text-size-adjust: 100%;
+      -webkit-font-smoothing: antialiased;
+      -webkit-box-direction: normal;
+      color: inherit;
+      font-feature-settings: "pnum";
+      box-sizing: border-box;
+      background: transparent;
+      border: 0;
+      font: inherit;
+      font-size: 100%;
+      margin: 0;
+      outline: none;
+      padding: 0;
+      text-align: left;
+      text-decoration: none;
+      vertical-align: baseline;
+      z-index: auto;
+      margin-top: 12px;
+      border-collapse: collapse;
+      border-spacing: 0;
+      font-variant-numeric: tabular-nums;
+      max-width: 51.75em;
+    }
+  
+    tbody {
+      text-size-adjust: 100%;
+      -webkit-font-smoothing: antialiased;
+      -webkit-box-direction: normal;
+      color: inherit;
+      font-feature-settings: "pnum";
+      border-collapse: collapse;
+      border-spacing: 0;
+      box-sizing: border-box;
+      background: transparent;
+      border: 0;
+      font: inherit;
+      font-size: 100%;
+      margin: 0;
+      outline: none;
+      padding: 0;
+      text-align: left;
+      text-decoration: none;
+      vertical-align: baseline;
+      z-index: auto;
+      display: flex;
+      flex-wrap: wrap;
+    }
+  
+    .meta-row {
+      text-size-adjust: 100%;
+      -webkit-font-smoothing: antialiased;
+      -webkit-box-direction: normal;
+      color: inherit;
+      font-feature-settings: "pnum";
+      border-collapse: collapse;
+      border-spacing: 0;
+      box-sizing: border-box;
+      background: transparent;
+      border: 0;
+      font: inherit;
+      font-size: 100%;
+      outline: none;
+      text-align: left;
+      text-decoration: none;
+      vertical-align: baseline;
+      z-index: auto;
+      display: flex;
+      align-items: start;
+      border-top: 1px solid #d3d3d9;
+      padding: 8px 0 0 0;
+      border-bottom: none;
+      margin: 8px;
+      width: 47.75%;
+    }
+  
+    .meta-row-label {
+      text-size-adjust: 100%;
+      -webkit-font-smoothing: antialiased;
+      -webkit-box-direction: normal;
+      font-feature-settings: "pnum";
+      border-collapse: collapse;
+      border-spacing: 0;
+      color: #4c4a73;
+      box-sizing: border-box;
+      background: transparent;
+      border: 0;
+      font: inherit;
+      margin: 0;
+      outline: none;
+      text-decoration: none;
+      z-index: auto;
+      align-self: start;
+      flex: 1;
+      font-size: 1rem;
+      line-height: 1.5rem;
+      padding: 0;
+      text-align: left;
+      vertical-align: top;
+      text-transform: none;
+      letter-spacing: 0;
+    }
+  
+    .meta-row-value {
+      text-size-adjust: 100%;
+      -webkit-font-smoothing: antialiased;
+      -webkit-box-direction: normal;
+      color: inherit;
+      font-feature-settings: "pnum";
+      border-collapse: collapse;
+      border-spacing: 0;
+      word-break: break-word;
+      box-sizing: border-box;
+      background: transparent;
+      border: 0;
+      font: inherit;
+      font-size: 100%;
+      margin: 0;
+      outline: none;
+      padding: 0;
+      text-align: right;
+      text-decoration: none;
+      vertical-align: baseline;
+      z-index: auto;
+    }
+  </style>
+</head>
+
+<body class="section-projects">
+  <main class="layout-stacked">
+        <div class="layout-stacked__header header">
+          <header class="project__header">
+            <div class="layout-container">
+              <a class="brand" href="https://snyk.io" title="Snyk">
+                <svg width="68px" height="35px" viewBox="0 0 68 35" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img">
+                  <title>Snyk - Open Source Security</title>
+                  <g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
+                    <g fill="#fff">
+                      <path d="M5.732,27.278 C3.445,27.278 1.589,26.885 0,26.124 L0.483,22.472 C2.163,23.296 4.056,23.689 5.643,23.689 C6.801,23.689 7.563,23.295 7.563,22.599 C7.563,20.594 0.333,21.076 0.333,15.839 C0.333,12.491 3.407,10.729 7.259,10.729 C9.179,10.729 11.161,11.249 12.444,11.704 L11.924,15.294 C10.577,14.774 8.747,14.291 7.222,14.291 C6.282,14.291 5.518,14.621 5.518,15.231 C5.518,17.208 12.903,16.815 12.903,21.925 C12.903,25.325 9.877,27.277 5.733,27.277 L5.732,27.278 Z M25.726,26.936 L25.726,17.894 C25.726,15.827 24.811,14.85 23.069,14.85 C22.219,14.85 21.329,15.09 20.719,15.46 L20.719,26.936 L15.352,26.936 L15.352,11.262 L20.602,10.83 L20.474,13.392 L20.652,13.392 C21.784,11.87 23.702,10.716 25.992,10.716 C28.736,10.716 31.112,12.416 31.112,16.436 L31.112,26.936 L25.724,26.936 L25.726,26.936 Z M61.175,26.936 L56.879,19.479 L56.446,19.479 L56.446,26.935 L51.082,26.935 L51.082,8.37 L56.447,0 L56.447,17.323 C57.515,16.017 61.112,11.059 61.112,11.059 L67.732,11.059 L61.454,17.689 L67.949,26.95 L61.175,26.95 L61.175,26.938 L61.175,26.936 Z M44.13,11.11 L41.93,18.262 C41.5,19.606 41.08,22.079 41.08,22.079 C41.08,22.079 40.75,19.516 40.292,18.172 L37.94,11.108 L31.928,11.108 L38.462,26.935 C37.572,29.04 36.199,30.815 34.369,30.815 C34.039,30.815 33.709,30.802 33.389,30.765 L31.255,34.061 C31.928,34.441 33.212,34.835 34.737,34.835 C38.703,34.835 41.359,31.627 43.215,26.885 L49.443,11.108 L44.132,11.108 L44.13,11.11 Z"></path>
+                    </g>
+                  </g>
+                </svg>
+              </a>
+              <div class="header-wrap">
+                  <h1 class="project__header__title">Snyk test report</h1>
+    
+                <p class="timestamp">September 7th 2022, 7:39:09 pm</p>
+              </div>
+              <div class="source-panel">
+                <span>Scanned the following path:</span>
+                <ul>
+                  <li class="paths">ghcr.io/dexidp/dex:v2.32.0/dexidp/dex (apk)</li>
+                </ul>
+              </div>
+    
+              <div class="meta-counts">
+                <div class="meta-count"><span>3</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>12 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>14</span> <span>dependencies</span></div>
+              </div><!-- .meta-counts -->
+            </div><!-- .layout-container--short -->
+          </header><!-- .project__header -->
+        </div><!-- .layout-stacked__header -->
+      <section class="layout-container">
+          <table class="metatable">
+              <tbody>
+              <tr class="meta-row"><th class="meta-row-label">Project</th> <td class="meta-row-value">docker-image|ghcr.io/dexidp/dex</td></tr>
+              <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">ghcr.io/dexidp/dex:v2.32.0/dexidp/dex</td></tr>
+              <tr class="meta-row"><th class="meta-row-label">Package Manager</th> <td class="meta-row-value">apk</td></tr>
+              
+              </tbody>
+          </table>
+      </section>
+    <div class="layout-container" style="padding-top: 35px;">
+      <div class="cards--vuln filter--patch filter--ignore">
+        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
+            <h2 class="card__title">Out-of-bounds Write</h2>
+            <div class="card__section">
+        
+                <div class="label label--critical">
+                    <span class="label__text">critical severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: alpine:3.16
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            zlib/zlib
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                docker-image|ghcr.io/dexidp/dex@v2.32.0 and zlib/zlib@1.2.12-r1
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        docker-image|ghcr.io/dexidp/dex@v2.32.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        zlib/zlib@1.2.12-r1
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        docker-image|ghcr.io/dexidp/dex@v2.32.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        apk-tools/apk-tools@2.12.9-r3
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        zlib/zlib@1.2.12-r1
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="nvd-description">NVD Description</h2>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>zlib</code> package.</em>
+        <em>See <code>How to fix?</code> for <code>Alpine:3.16</code> relevant versions.</em></p>
+        <p>zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>Alpine:3.16</code> <code>zlib</code> to version 1.2.12-r2 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764">MISC</a></li>
+        <li><a href="https://github.com/ivd38/zlib_overflow">MISC</a></li>
+        <li><a href="https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1">MISC</a></li>
+        <li><a href="https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063">MISC</a></li>
+        <li><a href="http://www.openwall.com/lists/oss-security/2022/08/05/2">MLIST</a></li>
+        <li><a href="https://github.com/curl/curl/issues/9271">MISC</a></li>
+        <li><a href="http://www.openwall.com/lists/oss-security/2022/08/09/1">MLIST</a></li>
+        <li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/">FEDORA</a></li>
+        <li><a href="https://www.debian.org/security/2022/dsa-5218">DEBIAN</a></li>
+        <li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/">FEDORA</a></li>
+        <li><a href="https://security.netapp.com/advisory/ntap-20220901-0005/">CONFIRM</a></li>
+        <li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/">FEDORA</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-ALPINE316-ZLIB-2976176">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
+            <h2 class="card__title">Use After Free</h2>
+            <div class="card__section">
+        
+                <div class="label label--high">
+                    <span class="label__text">high severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: alpine:3.16
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            busybox/busybox
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                docker-image|ghcr.io/dexidp/dex@v2.32.0 and busybox/busybox@1.35.0-r13
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        docker-image|ghcr.io/dexidp/dex@v2.32.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        busybox/busybox@1.35.0-r13
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        docker-image|ghcr.io/dexidp/dex@v2.32.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        alpine-baselayout/alpine-baselayout-data@3.2.0-r20
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        alpine-baselayout/alpine-baselayout@3.2.0-r20
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        busybox/busybox@1.35.0-r13
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        docker-image|ghcr.io/dexidp/dex@v2.32.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        busybox/ssl_client@1.35.0-r13
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="nvd-description">NVD Description</h2>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>busybox</code> package.</em>
+        <em>See <code>How to fix?</code> for <code>Alpine:3.16</code> relevant versions.</em></p>
+        <p>A use-after-free in Busybox 1.35-x&#39;s awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>Alpine:3.16</code> <code>busybox</code> to version 1.35.0-r15 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://bugs.busybox.net/show_bug.cgi?id=14781">MISC</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-ALPINE316-BUSYBOX-2953070">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Inadequate Encryption Strength</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: alpine:3.16
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            openssl/libcrypto1.1
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                docker-image|ghcr.io/dexidp/dex@v2.32.0 and openssl/libcrypto1.1@1.1.1o-r0
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        docker-image|ghcr.io/dexidp/dex@v2.32.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        openssl/libcrypto1.1@1.1.1o-r0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        docker-image|ghcr.io/dexidp/dex@v2.32.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        openssl/libssl1.1@1.1.1o-r0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        openssl/libcrypto1.1@1.1.1o-r0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        docker-image|ghcr.io/dexidp/dex@v2.32.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        apk-tools/apk-tools@2.12.9-r3
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        openssl/libcrypto1.1@1.1.1o-r0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        docker-image|ghcr.io/dexidp/dex@v2.32.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        busybox/ssl_client@1.35.0-r13
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        openssl/libcrypto1.1@1.1.1o-r0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        docker-image|ghcr.io/dexidp/dex@v2.32.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        openssl/libssl1.1@1.1.1o-r0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        docker-image|ghcr.io/dexidp/dex@v2.32.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        apk-tools/apk-tools@2.12.9-r3
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        openssl/libssl1.1@1.1.1o-r0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        docker-image|ghcr.io/dexidp/dex@v2.32.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        busybox/ssl_client@1.35.0-r13
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        openssl/libssl1.1@1.1.1o-r0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="nvd-description">NVD Description</h2>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>openssl</code> package.</em>
+        <em>See <code>How to fix?</code> for <code>Alpine:3.16</code> relevant versions.</em></p>
+        <p>AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn&#39;t written. In the special case of &#34;in place&#34; encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>Alpine:3.16</code> <code>openssl</code> to version 1.1.1q-r0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://www.openssl.org/news/secadv/20220705.txt">CONFIRM</a></li>
+        <li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a98f339ddd7e8f487d6e0088d4a9a42324885a93">CONFIRM</a></li>
+        <li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=919925673d6c9cfed3c1085497f5dfbbed5fc431">CONFIRM</a></li>
+        <li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7/">FEDORA</a></li>
+        <li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK/">FEDORA</a></li>
+        <li><a href="https://security.netapp.com/advisory/ntap-20220715-0011/">CONFIRM</a></li>
+        <li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/">FEDORA</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-ALPINE316-OPENSSL-2941806">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+      </div><!-- cards -->
+    </div>
+  </main><!-- .layout-stacked__content -->
+</body>
+
+</html>
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .5.0
 .5.12