chore: add security section to generated release notes

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
[Bot] docs: Update Snyk reports (#12290 )
2026-02-25 03:58:48 +01:00 · 2023-02-06 13:46:33 -05:00 · 2023-02-06 13:42:04 -05:00 · 2023-02-06 13:19:50 -05:00 · 2023-02-06 13:02:02 -05:00 · 2023-02-06 11:53:41 -05:00
270 changed files with 38899 additions and 19229 deletions
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -9,11 +9,10 @@ on:
  pull_request:
    branches:
      - 'master'
-      - 'release-*'

 env:
  # Golang version to use across CI steps
-  GOLANG_VERSION: '1.19.10'
+  GOLANG_VERSION: '1.18'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -28,9 +27,9 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - name: Setup Golang
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Download all Go modules
@@ -46,13 +45,13 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - name: Setup Golang
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Restore go build cache
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -70,9 +69,9 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - name: Setup Golang
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Run golangci-lint
@@ -93,11 +92,11 @@ jobs:
      - name: Create checkout directory
        run: mkdir -p ~/go/src/github.com/argoproj
      - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - name: Create symlink in GOPATH
        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@@ -117,17 +116,13 @@ jobs:
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
      - name: Restore go build cache
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
      - name: Install all tools required for building & testing
        run: |
          make install-test-tools-local
-        # We install kustomize in the dist directory
-      - name: Add dist to PATH
-        run: |
-          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
      - name: Setup git username and email
        run: |
          git config --global user.name "John Doe"
@@ -160,11 +155,11 @@ jobs:
      - name: Create checkout directory
        run: mkdir -p ~/go/src/github.com/argoproj
      - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - name: Create symlink in GOPATH
        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@@ -184,17 +179,13 @@ jobs:
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
      - name: Restore go build cache
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
      - name: Install all tools required for building & testing
        run: |
          make install-test-tools-local
-        # We install kustomize in the dist directory
-      - name: Add dist to PATH
-        run: |
-          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
      - name: Setup git username and email
        run: |
          git config --global user.name "John Doe"
@@ -215,9 +206,9 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - name: Setup Golang
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Create symlink in GOPATH
@@ -241,10 +232,6 @@ jobs:
          make install-codegen-tools-local
          make install-go-tools-local
        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
-        # We install kustomize in the dist directory
-      - name: Add dist to PATH
-        run: |
-          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
      - name: Run codegen
        run: |
          set -x
@@ -263,14 +250,14 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - name: Setup NodeJS
        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
        with:
          node-version: '12.18.4'
      - name: Restore node dependency cache
        id: cache-dependencies
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -300,12 +287,12 @@ jobs:
      sonar_secret: ${{ secrets.SONAR_TOKEN }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
        with:
          fetch-depth: 0
      - name: Restore node dependency cache
        id: cache-dependencies
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -361,7 +348,7 @@ jobs:
    runs-on: ubuntu-22.04
    strategy:
      matrix:
-        k3s-version: [v1.24.3, v1.23.3, v1.22.6]
+        k3s-version: [v1.26.0, v1.25.4, v1.24.3, v1.23.3]
    needs: 
      - build-go
    env:
@@ -379,9 +366,9 @@ jobs:
      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}  
    steps:
      - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - name: Setup Golang
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: GH actions workaround - Kill XSP4 process
@@ -399,7 +386,7 @@ jobs:
          sudo chown runner $HOME/.kube/config
          kubectl version
      - name: Restore go build cache
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -425,9 +412,9 @@ jobs:
          git config --global user.email "john.doe@example.com"
      - name: Pull Docker image required for tests
        run: |
-          docker pull ghcr.io/dexidp/dex:v2.37.0
+          docker pull ghcr.io/dexidp/dex:v2.35.3
          docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:7.0.11-alpine
+          docker pull redis:7.0.7-alpine
      - name: Create target directory for binaries in the build-process
        run: |
          mkdir -p dist
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -5,7 +5,6 @@ on:
    # Secrets aren't available for dependabot on push. https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow#error-403-resource-not-accessible-by-integration-when-using-dependabot
    branches-ignore:
      - 'dependabot/**'
-      - 'cherry-pick-*'
  pull_request:
  schedule:
    - cron: '0 19 * * 0'
@@ -30,7 +29,7 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@@ -10,7 +10,7 @@ on:
    types: [ labeled, unlabeled, opened, synchronize, reopened ]

 env:
-  GOLANG_VERSION: '1.19.10'
+  GOLANG_VERSION: '1.18'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -29,10 +29,10 @@ jobs:
    env:
      GOPATH: /home/runner/work/argo-cd/argo-cd
    steps:
-      - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+      - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
-      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
        with:
          path: src/github.com/argoproj/argo-cd

@@ -54,7 +54,7 @@ jobs:

      # build
      - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
-      - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
+      - uses: docker/setup-buildx-action@15c905b16b06416d2086efa066dd8e3a35cc7f98 # v2.4.0
      - run: |
          IMAGE_PLATFORMS=linux/amd64
          if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-arm-image') }}" == "true" ]]
@@ -69,12 +69,12 @@ jobs:

      # sign container images
      - name: Install cosign
-        uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v3.0.1
+        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
        with:
          cosign-release: 'v1.13.1'

      - name: Install crane to get digest of image
-        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c
+        uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4

      - name: Get digest of image
        run: |
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@@ -0,0 +1,41 @@
+name: "Lint PR"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+# IMPORTANT: No checkout actions, scripts, or builds should be added to this workflow. Permissions should always be used
+# with extreme caution.
+permissions:
+  contents: read
+
+# PR updates can happen in quick succession leading to this
+# workflow being trigger a number of times. This limits it
+# to one run per PR.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+
+jobs:
+  main:
+    permissions:
+      pull-requests: read  # for amannn/action-semantic-pull-request to analyze PRs
+      statuses: write  # for amannn/action-semantic-pull-request to mark status of analyzed PR
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      # IMPORTANT: Carefully review changes when updating this action. Using the pull_request_target event requires caution.
+      - uses: amannn/action-semantic-pull-request@01d5fd8a8ebb9aafe902c40c53f0f4744f7381eb # v5.0.2
+        with:
+          types: |
+            feat
+            fix
+            docs
+            test
+            ci
+            chore
+            [Bot] docs
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -12,7 +12,7 @@ on:
      - "!release-v0*"

 env:
-  GOLANG_VERSION: '1.19.10'
+  GOLANG_VERSION: '1.18'

 permissions:
  contents: read
@@ -43,7 +43,7 @@ jobs:
      GIT_EMAIL: argoproj@gmail.com
    steps:
      - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -147,7 +147,7 @@ jobs:
          echo "RELEASE_NOTES=${RELEASE_NOTES}" >> $GITHUB_ENV

      - name: Setup Golang
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}

@@ -177,10 +177,6 @@ jobs:
        run: |
          set -ue
          make install-codegen-tools-local
-          
-          # We install kustomize in the dist directory
-          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
-          
          make manifests-local VERSION=${TARGET_VERSION}
          git diff
          git commit manifests/ -m "Bump version to ${TARGET_VERSION}"
@@ -205,7 +201,7 @@ jobs:
        if: ${{ env.DRY_RUN != 'true' }}

      - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
-      - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
+      - uses: docker/setup-buildx-action@15c905b16b06416d2086efa066dd8e3a35cc7f98 # v2.4.0
      - name: Build and push Docker image for release
        run: |
          set -ue
@@ -219,12 +215,12 @@ jobs:
        if: ${{ env.DRY_RUN != 'true' }}

      - name: Install cosign
-        uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v3.0.1
+        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
        with:
          cosign-release: 'v1.13.1'

      - name: Install crane to get digest of image
-        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c
+        uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4

      - name: Get digest of image
        run: |
--- a/.github/workflows/update-snyk.yaml
+++ b/.github/workflows/update-snyk.yaml
@@ -17,7 +17,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Build reports
@@ -31,6 +31,6 @@ jobs:
          git config --global user.email 'ci@argoproj.com'
          git config --global user.name 'CI'
          git add docs/snyk
-          git commit -m "[Bot] Update Snyk reports" --signoff
+          git commit -m "[Bot] docs: Update Snyk reports" --signoff
          git push --set-upstream origin "$pr_branch"
          gh pr create -B master -H "$pr_branch" --title '[Bot] docs: Update Snyk report' --body ''
--- a/6
+++ b/6
@@ -4,7 +4,7 @@ ARG BASE_IMAGE=docker.io/library/ubuntu:22.04
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM docker.io/library/golang:1.19.10@sha256:83f9f840072d05ad4d90ce4ac7cb2427632d6b89d5ffc558f18f9577ec8188c0 AS builder
+FROM docker.io/library/golang:1.18 AS builder

 RUN echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list

@@ -36,6 +36,8 @@ RUN ./install.sh helm-linux && \
 ####################################################################################################
 FROM $BASE_IMAGE AS argocd-base

+LABEL org.opencontainers.image.source="https://github.com/argoproj/argo-cd"
+
 USER root

 ENV ARGOCD_USER_ID=999
@@ -99,7 +101,7 @@ RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OP
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.19.10@sha256:83f9f840072d05ad4d90ce4ac7cb2427632d6b89d5ffc558f18f9577ec8188c0 AS argocd-build
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.18 AS argocd-build

 WORKDIR /go/src/github.com/argoproj/argo-cd

--- a/25
+++ b/25
@@ -64,13 +64,20 @@ else
 DOCKER_SRC_MOUNT="$(PWD):/go/src/github.com/argoproj/argo-cd$(VOLUME_MOUNT)"
 endif

+# User and group IDs to map to the test container
+CONTAINER_UID=$(shell id -u)
+CONTAINER_GID=$(shell id -g)
+
+# Set SUDO to sudo to run privileged commands with sudo
+SUDO?=
+
 # Runs any command in the argocd-test-utils container in server mode
 # Server mode container will start with uid 0 and drop privileges during runtime
 define run-in-test-server
-	docker run --rm -it \
+	$(SUDO) docker run --rm -it \
 		--name argocd-test-server \
-		-u $(shell id -u):$(shell id -g) \
-		-e USER_ID=$(shell id -u) \
+		-u $(CONTAINER_UID):$(CONTAINER_GID) \
+		-e USER_ID=$(CONTAINER_UID) \
 		-e HOME=/home/user \
 		-e GOPATH=/go \
 		-e GOCACHE=/tmp/go-build-cache \
@@ -98,9 +105,9 @@ endef

 # Runs any command in the argocd-test-utils container in client mode
 define run-in-test-client
-	docker run --rm -it \
+	$(SUDO) docker run --rm -it \
 	  --name argocd-test-client \
-		-u $(shell id -u):$(shell id -g) \
+		-u $(CONTAINER_UID):$(CONTAINER_GID) \
 		-e HOME=/home/user \
 		-e GOPATH=/go \
 		-e ARGOCD_E2E_K3S=$(ARGOCD_E2E_K3S) \
@@ -119,7 +126,7 @@ endef

 #
 define exec-in-test-server
-	docker exec -it -u $(shell id -u):$(shell id -g) -e ARGOCD_E2E_RECORD=$(ARGOCD_E2E_RECORD) -e ARGOCD_E2E_K3S=$(ARGOCD_E2E_K3S) argocd-test-server $(1)
+	$(SUDO) docker exec -it -u $(CONTAINER_UID):$(CONTAINER_GID) -e ARGOCD_E2E_RECORD=$(ARGOCD_E2E_RECORD) -e ARGOCD_E2E_K3S=$(ARGOCD_E2E_K3S) argocd-test-server $(1)
 endef

 PATH:=$(PATH):$(PWD)/hack
@@ -244,8 +251,8 @@ release-cli: clean-debug build-ui
 .PHONY: test-tools-image
 test-tools-image:
 ifndef SKIP_TEST_TOOLS_IMAGE
-	docker build --build-arg UID=$(shell id -u) -t $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) -f test/container/Dockerfile .
-	docker tag $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE):$(TEST_TOOLS_TAG)
+	$(SUDO) docker build --build-arg UID=$(CONTAINER_UID) -t $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) -f test/container/Dockerfile .
+	$(SUDO) docker tag $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE):$(TEST_TOOLS_TAG)
 endif

 .PHONY: manifests-local
@@ -326,7 +333,7 @@ mod-vendor: test-tools-image
 mod-vendor-local: mod-download-local
 	go mod vendor

-# Deprecated - replace by install-local-tools
+# Deprecated - replace by install-tools-local
 .PHONY: install-lint-tools
 install-lint-tools:
 	./hack/install.sh lint-tools
--- a/README.md
+++ b/README.md
@@ -1,6 +1,17 @@
-[![Integration tests](https://github.com/argoproj/argo-cd/workflows/Integration%20tests/badge.svg?branch=master)](https://github.com/argoproj/argo-cd/actions?query=workflow%3A%22Integration+tests%22) [![slack](https://img.shields.io/badge/slack-argoproj-brightgreen.svg?logo=slack)](https://argoproj.github.io/community/join-slack) [![codecov](https://codecov.io/gh/argoproj/argo-cd/branch/master/graph/badge.svg)](https://codecov.io/gh/argoproj/argo-cd) [![Release Version](https://img.shields.io/github/v/release/argoproj/argo-cd?label=argo-cd)](https://github.com/argoproj/argo-cd/releases/latest) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4486/badge)](https://bestpractices.coreinfrastructure.org/projects/4486) [![Twitter Follow](https://img.shields.io/twitter/follow/argoproj?style=social)](https://twitter.com/argoproj)
+**Releases:**
+[![Release Version](https://img.shields.io/github/v/release/argoproj/argo-cd?label=argo-cd)](https://github.com/argoproj/argo-cd/releases/latest)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/argo-cd)](https://artifacthub.io/packages/helm/argo/argo-cd)

+**Code:** 
+[![Integration tests](https://github.com/argoproj/argo-cd/workflows/Integration%20tests/badge.svg?branch=master)](https://github.com/argoproj/argo-cd/actions?query=workflow%3A%22Integration+tests%22)
+[![codecov](https://codecov.io/gh/argoproj/argo-cd/branch/master/graph/badge.svg)](https://codecov.io/gh/argoproj/argo-cd)
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4486/badge)](https://bestpractices.coreinfrastructure.org/projects/4486)
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fargoproj%2Fargo-cd.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fargoproj%2Fargo-cd?ref=badge_shield)
+
+**Social:**
+[![Twitter Follow](https://img.shields.io/twitter/follow/argoproj?style=social)](https://twitter.com/argoproj)
+[![Slack](https://img.shields.io/badge/slack-argoproj-brightgreen.svg?logo=slack)](https://argoproj.github.io/community/join-slack)
+
 # Argo CD - Declarative Continuous Delivery for Kubernetes

 ## What is Argo CD?
--- a/2
+++ b/2
@@ -1,7 +1,7 @@
 # Defined below are the security contacts for this repo.
 #
 # DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
-# INSTRUCTIONS AT https://argo-cd.readthedocs.io/en/latest/security_considerations/#reporting-vulnerabilities
+# INSTRUCTIONS AT https://github.com/argoproj/argo-cd/security/policy

 alexmt
 edlee2121
--- a/USERS.md
+++ b/USERS.md
@@ -23,7 +23,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Arctiq Inc.](https://www.arctiq.ca)
 1. [ARZ Allgemeines Rechenzentrum GmbH](https://www.arz.at/)
 1. [Axual B.V.](https://axual.com)
-1. [Back Market](https://www.backmarket.com)
 1. [Baloise](https://www.baloise.com)
 1. [BCDevExchange DevOps Platform](https://bcdevexchange.org/DevOpsPlatform)
 1. [Beat](https://thebeat.co/en/)
@@ -32,6 +31,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [BigPanda](https://bigpanda.io)
 1. [BioBox Analytics](https://biobox.io)
 1. [BMW Group](https://www.bmwgroup.com/)
+1. [PT Boer Technology (Btech)](https://btech.id/)
 1. [Boozt](https://www.booztgroup.com/)
 1. [Boticario](https://www.boticario.com.br/)
 1. [Bulder Bank](https://bulderbank.no)
@@ -90,7 +90,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [gloat](https://gloat.com/)
 1. [GLOBIS](https://globis.com)
 1. [Glovo](https://www.glovoapp.com)
-1. [GlueOps](https://glueops.dev)
 1. [GMETRI](https://gmetri.com/)
 1. [Gojek](https://www.gojek.io/)
 1. [Greenpass](https://www.greenpass.com.br/)
@@ -109,7 +108,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [imaware](https://imaware.health)
 1. [Indeed](https://indeed.com)
 1. [Index Exchange](https://www.indexexchange.com/)
-1. [Info Support](https://www.infosupport.com/)
 1. [InsideBoard](https://www.insideboard.com)
 1. [Intuit](https://www.intuit.com/)
 1. [Joblift](https://joblift.com/)
@@ -160,11 +158,13 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [OCCMundial](https://occ.com.mx)
 1. [Octadesk](https://octadesk.com)
 1. [omegaUp](https://omegaUp.com)
+1. [Omni](https://omni.se/)
 1. [openEuler](https://openeuler.org)
 1. [openGauss](https://opengauss.org/)
 1. [openLooKeng](https://openlookeng.io)
 1. [OpenSaaS Studio](https://opensaas.studio)
 1. [Opensurvey](https://www.opensurvey.co.kr/)
+1. [OpsMx](https://opsmx.io)
 1. [OpsVerse](https://opsverse.io)
 1. [Optoro](https://www.optoro.com/)
 1. [Orbital Insight](https://orbitalinsight.com/)
@@ -178,6 +178,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Pigment](https://www.gopigment.com/)
 1. [Pipefy](https://www.pipefy.com/)
 1. [Pismo](https://pismo.io/)
+1. [Platform9 Systems](https://platform9.com/)
 1. [Polarpoint.io](https://polarpoint.io)
 1. [PostFinance](https://github.com/postfinance)
 1. [Preferred Networks](https://preferred.jp/en/)
@@ -190,7 +191,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [RapidAPI](https://www.rapidapi.com/)
 1. [Recreation.gov](https://www.recreation.gov/)
 1. [Red Hat](https://www.redhat.com/)
-1. [Redpill Linpro](https://www.redpill-linpro.com/)
 1. [reev.com](https://www.reev.com/)
 1. [RightRev](https://rightrev.com/)
 1. [Rise](https://www.risecard.eu/)
@@ -200,12 +200,13 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Saildrone](https://www.saildrone.com/)
 1. [Saloodo! GmbH](https://www.saloodo.com)
 1. [Sap Labs](http://sap.com)
+1. [Sauce Labs](https://saucelabs.com/)
 1. [Schwarz IT](https://jobs.schwarz/it-mission)
 1. [SI Analytics](https://si-analytics.ai)
 1. [Skit](https://skit.ai/)
 1. [Skyscanner](https://www.skyscanner.net/)
-1. [Smart Pension](https://www.smartpension.co.uk/)
 1. [Smilee.io](https://smilee.io)
+1. [Smood.ch](https://www.smood.ch/)
 1. [Snapp](https://snapp.ir/)
 1. [Snyk](https://snyk.io/)
 1. [Softway Medical](https://www.softwaymedical.fr/)
@@ -242,7 +243,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [ungleich.ch](https://ungleich.ch/)
 1. [Unifonic Inc](https://www.unifonic.com/)
 1. [Universidad Mesoamericana](https://www.umes.edu.gt/)
-1. [Urbantz](https://urbantz.com/)
 1. [Viaduct](https://www.viaduct.ai/)
 1. [Vinted](https://vinted.com/)
 1. [Virtuo](https://www.govirtuo.com/)
--- a/2
+++ b/2
@@ -1 +1 @@
-2.6.12
+2.6.0
--- a/applicationset/controllers/applicationset_controller.go
+++ b/applicationset/controllers/applicationset_controller.go
@@ -1028,12 +1028,7 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx con
 		}

 		if currentAppStatus.Status == "Pending" {
-			// check for successful syncs started less than 10s before the Application transitioned to Pending
-			// this covers race conditions where syncs initiated by RollingSync miraculously have a sync time before the transition to Pending state occurred (could be a few seconds)
-			if operationPhaseString == "Succeeded" && app.Status.OperationState.StartedAt.Add(time.Duration(10)*time.Second).After(currentAppStatus.LastTransitionTime.Time) {
-				if !app.Status.OperationState.StartedAt.After(currentAppStatus.LastTransitionTime.Time) {
-					log.Warnf("Application %v was synced less than 10s prior to entering Pending status, we'll assume the AppSet controller triggered this sync and update its status to Progressing", app.Name)
-				}
+			if operationPhaseString == "Succeeded" && app.Status.OperationState.StartedAt.After(currentAppStatus.LastTransitionTime.Time) {
 				log.Infof("Application %v has completed a sync successfully, updating its ApplicationSet status to Progressing", app.Name)
 				currentAppStatus.LastTransitionTime = &now
 				currentAppStatus.Status = "Progressing"
--- a/applicationset/controllers/applicationset_controller_test.go
+++ b/applicationset/controllers/applicationset_controller_test.go
@@ -3996,63 +3996,6 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 				},
 			},
 		},
-		{
-			name: "progresses a pending application with a successful sync <1s ago to progressing",
-			appSet: v1alpha1.ApplicationSet{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "name",
-					Namespace: "argocd",
-				},
-				Spec: v1alpha1.ApplicationSetSpec{
-					Strategy: &v1alpha1.ApplicationSetStrategy{
-						Type:        "RollingSync",
-						RollingSync: &v1alpha1.ApplicationSetRolloutStrategy{},
-					},
-				},
-				Status: v1alpha1.ApplicationSetStatus{
-					ApplicationStatus: []v1alpha1.ApplicationSetApplicationStatus{
-						{
-							Application: "app1",
-							LastTransitionTime: &metav1.Time{
-								Time: time.Now(),
-							},
-							Message: "",
-							Status:  "Pending",
-							Step:    "1",
-						},
-					},
-				},
-			},
-			apps: []v1alpha1.Application{
-				{
-					ObjectMeta: metav1.ObjectMeta{
-						Name: "app1",
-					},
-					Status: v1alpha1.ApplicationStatus{
-						Health: v1alpha1.HealthStatus{
-							Status: health.HealthStatusDegraded,
-						},
-						OperationState: &v1alpha1.OperationState{
-							Phase: common.OperationSucceeded,
-							StartedAt: metav1.Time{
-								Time: time.Now().Add(time.Duration(-1) * time.Second),
-							},
-						},
-						Sync: v1alpha1.SyncStatus{
-							Status: v1alpha1.SyncStatusCodeSynced,
-						},
-					},
-				},
-			},
-			expectedAppStatus: []v1alpha1.ApplicationSetApplicationStatus{
-				{
-					Application: "app1",
-					Message:     "Application resource completed a sync successfully, updating status from Pending to Progressing.",
-					Status:      "Progressing",
-					Step:        "1",
-				},
-			},
-		},
 		{
 			name: "does not progresses a pending application with an old successful sync to progressing",
 			appSet: argov1alpha1.ApplicationSet{
@@ -4071,7 +4014,7 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 						{
 							Application: "app1",
 							LastTransitionTime: &metav1.Time{
-								Time: time.Now(),
+								Time: time.Now().Add(time.Duration(-1) * time.Minute),
 							},
 							Message: "Application moved to Pending status, watching for the Application resource to start Progressing.",
 							Status:  "Pending",
@@ -4092,7 +4035,7 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 						OperationState: &argov1alpha1.OperationState{
 							Phase: common.OperationSucceeded,
 							StartedAt: metav1.Time{
-								Time: time.Now().Add(time.Duration(-11) * time.Second),
+								Time: time.Now().Add(time.Duration(-2) * time.Minute),
 							},
 						},
 						Sync: argov1alpha1.SyncStatus{
--- a/applicationset/controllers/clustereventhandler.go
+++ b/applicationset/controllers/clustereventhandler.go
@@ -2,7 +2,6 @@ package controllers

 import (
 	"context"
-	"fmt"

 	log "github.com/sirupsen/logrus"

@@ -47,6 +46,7 @@ type addRateLimitingInterface interface {
 }

 func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingInterface, object client.Object) {
+
 	// Check for label, lookup all ApplicationSets that might match the cluster, queue them all
 	if object.GetLabels()[generators.ArgoCDSecretTypeLabel] != generators.ArgoCDSecretTypeCluster {
 		return
@@ -73,40 +73,6 @@ func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingI
 				foundClusterGenerator = true
 				break
 			}
-
-			if generator.Matrix != nil {
-				ok, err := nestedGeneratorsHaveClusterGenerator(generator.Matrix.Generators)
-				if err != nil {
-					h.Log.
-						WithFields(log.Fields{
-							"namespace": appSet.GetNamespace(),
-							"name":      appSet.GetName(),
-						}).
-						WithError(err).
-						Error("Unable to check if ApplicationSet matrix generators have cluster generator")
-				}
-				if ok {
-					foundClusterGenerator = true
-					break
-				}
-			}
-
-			if generator.Merge != nil {
-				ok, err := nestedGeneratorsHaveClusterGenerator(generator.Merge.Generators)
-				if err != nil {
-					h.Log.
-						WithFields(log.Fields{
-							"namespace": appSet.GetNamespace(),
-							"name":      appSet.GetName(),
-						}).
-						WithError(err).
-						Error("Unable to check if ApplicationSet merge generators have cluster generator")
-				}
-				if ok {
-					foundClusterGenerator = true
-					break
-				}
-			}
 		}
 		if foundClusterGenerator {

@@ -116,42 +82,3 @@ func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingI
 		}
 	}
 }
-
-// nestedGeneratorsHaveClusterGenerator iterate over provided nested generators to check if they have a cluster generator.
-func nestedGeneratorsHaveClusterGenerator(generators []argoprojiov1alpha1.ApplicationSetNestedGenerator) (bool, error) {
-	for _, generator := range generators {
-		if ok, err := nestedGeneratorHasClusterGenerator(generator); ok || err != nil {
-			return ok, err
-		}
-	}
-	return false, nil
-}
-
-// nestedGeneratorHasClusterGenerator checks if the provided generator has a cluster generator.
-func nestedGeneratorHasClusterGenerator(nested argoprojiov1alpha1.ApplicationSetNestedGenerator) (bool, error) {
-	if nested.Clusters != nil {
-		return true, nil
-	}
-
-	if nested.Matrix != nil {
-		nestedMatrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(nested.Matrix)
-		if err != nil {
-			return false, fmt.Errorf("unable to get nested matrix generator: %w", err)
-		}
-		if nestedMatrix != nil {
-			return nestedGeneratorsHaveClusterGenerator(nestedMatrix.ToMatrixGenerator().Generators)
-		}
-	}
-
-	if nested.Merge != nil {
-		nestedMerge, err := argoprojiov1alpha1.ToNestedMergeGenerator(nested.Merge)
-		if err != nil {
-			return false, fmt.Errorf("unable to get nested merge generator: %w", err)
-		}
-		if nestedMerge != nil {
-			return nestedGeneratorsHaveClusterGenerator(nestedMerge.ToMergeGenerator().Generators)
-		}
-	}
-
-	return false, nil
-}
--- a/applicationset/controllers/clustereventhandler_test.go
+++ b/applicationset/controllers/clustereventhandler_test.go
@@ -6,7 +6,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -164,6 +163,7 @@ func TestClusterEventHandler(t *testing.T) {
 				{NamespacedName: types.NamespacedName{Namespace: "another-namespace", Name: "my-app-set"}},
 			},
 		},
+
 		{
 			name: "non-argo cd secret should not match",
 			items: []argov1alpha1.ApplicationSet{
@@ -189,348 +189,6 @@ func TestClusterEventHandler(t *testing.T) {
 			},
 			expectedRequests: []reconcile.Request{},
 		},
-		{
-			name: "a matrix generator with a cluster generator should produce a request",
-			items: []argov1alpha1.ApplicationSet{
-				{
-					ObjectMeta: v1.ObjectMeta{
-						Name:      "my-app-set",
-						Namespace: "argocd",
-					},
-					Spec: argov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
-							{
-								Matrix: &argov1alpha1.MatrixGenerator{
-									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
-										{
-											Clusters: &argov1alpha1.ClusterGenerator{},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
-					Namespace: "argocd",
-					Name:      "my-secret",
-					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
-					},
-				},
-			},
-			expectedRequests: []reconcile.Request{{
-				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
-			}},
-		},
-		{
-			name: "a matrix generator with non cluster generator should not match",
-			items: []argov1alpha1.ApplicationSet{
-				{
-					ObjectMeta: v1.ObjectMeta{
-						Name:      "my-app-set",
-						Namespace: "argocd",
-					},
-					Spec: argov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
-							{
-								Matrix: &argov1alpha1.MatrixGenerator{
-									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
-										{
-											List: &argov1alpha1.ListGenerator{},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
-					Namespace: "argocd",
-					Name:      "my-secret",
-					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
-					},
-				},
-			},
-			expectedRequests: []reconcile.Request{},
-		},
-		{
-			name: "a matrix generator with a nested matrix generator containing a cluster generator should produce a request",
-			items: []argov1alpha1.ApplicationSet{
-				{
-					ObjectMeta: v1.ObjectMeta{
-						Name:      "my-app-set",
-						Namespace: "argocd",
-					},
-					Spec: argov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
-							{
-								Matrix: &argov1alpha1.MatrixGenerator{
-									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
-										{
-											Matrix: &apiextensionsv1.JSON{
-												Raw: []byte(
-													`{
-														"generators": [
-														  {
-															"clusters": {
-															  "selector": {
-																"matchLabels": {
-																  "argocd.argoproj.io/secret-type": "cluster"
-																}
-															  }
-															}
-														  }
-														]
-													  }`,
-												),
-											},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
-					Namespace: "argocd",
-					Name:      "my-secret",
-					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
-					},
-				},
-			},
-			expectedRequests: []reconcile.Request{{
-				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
-			}},
-		},
-		{
-			name: "a matrix generator with a nested matrix generator containing non cluster generator should not match",
-			items: []argov1alpha1.ApplicationSet{
-				{
-					ObjectMeta: v1.ObjectMeta{
-						Name:      "my-app-set",
-						Namespace: "argocd",
-					},
-					Spec: argov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
-							{
-								Matrix: &argov1alpha1.MatrixGenerator{
-									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
-										{
-											Matrix: &apiextensionsv1.JSON{
-												Raw: []byte(
-													`{
-														"generators": [
-														  {
-															"list": {
-															  "elements": [
-																"a",
-																"b"
-															  ]
-															}
-														  }
-														]
-													  }`,
-												),
-											},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
-					Namespace: "argocd",
-					Name:      "my-secret",
-					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
-					},
-				},
-			},
-			expectedRequests: []reconcile.Request{},
-		},
-		{
-			name: "a merge generator with a cluster generator should produce a request",
-			items: []argov1alpha1.ApplicationSet{
-				{
-					ObjectMeta: v1.ObjectMeta{
-						Name:      "my-app-set",
-						Namespace: "argocd",
-					},
-					Spec: argov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
-							{
-								Merge: &argov1alpha1.MergeGenerator{
-									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
-										{
-											Clusters: &argov1alpha1.ClusterGenerator{},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
-					Namespace: "argocd",
-					Name:      "my-secret",
-					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
-					},
-				},
-			},
-			expectedRequests: []reconcile.Request{{
-				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
-			}},
-		},
-		{
-			name: "a matrix generator with non cluster generator should not match",
-			items: []argov1alpha1.ApplicationSet{
-				{
-					ObjectMeta: v1.ObjectMeta{
-						Name:      "my-app-set",
-						Namespace: "argocd",
-					},
-					Spec: argov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
-							{
-								Merge: &argov1alpha1.MergeGenerator{
-									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
-										{
-											List: &argov1alpha1.ListGenerator{},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
-					Namespace: "argocd",
-					Name:      "my-secret",
-					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
-					},
-				},
-			},
-			expectedRequests: []reconcile.Request{},
-		},
-		{
-			name: "a merge generator with a nested merge generator containing a cluster generator should produce a request",
-			items: []argov1alpha1.ApplicationSet{
-				{
-					ObjectMeta: v1.ObjectMeta{
-						Name:      "my-app-set",
-						Namespace: "argocd",
-					},
-					Spec: argov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
-							{
-								Merge: &argov1alpha1.MergeGenerator{
-									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
-										{
-											Merge: &apiextensionsv1.JSON{
-												Raw: []byte(
-													`{
-														"generators": [
-														  {
-															"clusters": {
-															  "selector": {
-																"matchLabels": {
-																  "argocd.argoproj.io/secret-type": "cluster"
-																}
-															  }
-															}
-														  }
-														]
-													  }`,
-												),
-											},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
-					Namespace: "argocd",
-					Name:      "my-secret",
-					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
-					},
-				},
-			},
-			expectedRequests: []reconcile.Request{{
-				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
-			}},
-		},
-		{
-			name: "a merge generator with a nested merge generator containing non cluster generator should not match",
-			items: []argov1alpha1.ApplicationSet{
-				{
-					ObjectMeta: v1.ObjectMeta{
-						Name:      "my-app-set",
-						Namespace: "argocd",
-					},
-					Spec: argov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
-							{
-								Merge: &argov1alpha1.MergeGenerator{
-									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
-										{
-											Merge: &apiextensionsv1.JSON{
-												Raw: []byte(
-													`{
-														"generators": [
-														  {
-															"list": {
-															  "elements": [
-																"a",
-																"b"
-															  ]
-															}
-														  }
-														]
-													  }`,
-												),
-											},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
-					Namespace: "argocd",
-					Name:      "my-secret",
-					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
-					},
-				},
-			},
-			expectedRequests: []reconcile.Request{},
-		},
 	}

 	for _, test := range tests {
--- a/applicationset/controllers/requeue_after_test.go
+++ b/applicationset/controllers/requeue_after_test.go
@@ -1,179 +0,0 @@
-package controllers
-
-import (
-	"context"
-	"testing"
-	"time"
-
-	"github.com/argoproj/argo-cd/v2/applicationset/generators"
-	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
-	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-	dynfake "k8s.io/client-go/dynamic/fake"
-	kubefake "k8s.io/client-go/kubernetes/fake"
-	"k8s.io/client-go/tools/record"
-	"sigs.k8s.io/controller-runtime/pkg/client/fake"
-)
-
-func TestRequeueAfter(t *testing.T) {
-	mockServer := argoCDServiceMock{}
-	ctx := context.Background()
-	scheme := runtime.NewScheme()
-	err := argov1alpha1.AddToScheme(scheme)
-	assert.Nil(t, err)
-	gvrToListKind := map[schema.GroupVersionResource]string{{
-		Group:    "mallard.io",
-		Version:  "v1",
-		Resource: "ducks",
-	}: "DuckList"}
-	appClientset := kubefake.NewSimpleClientset()
-	k8sClient := fake.NewClientBuilder().Build()
-	duckType := &unstructured.Unstructured{
-		Object: map[string]interface{}{
-			"apiVersion": "v2quack",
-			"kind":       "Duck",
-			"metadata": map[string]interface{}{
-				"name":      "mightyduck",
-				"namespace": "namespace",
-				"labels":    map[string]interface{}{"duck": "all-species"},
-			},
-			"status": map[string]interface{}{
-				"decisions": []interface{}{
-					map[string]interface{}{
-						"clusterName": "staging-01",
-					},
-					map[string]interface{}{
-						"clusterName": "production-01",
-					},
-				},
-			},
-		},
-	}
-	fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, duckType)
-
-	terminalGenerators := map[string]generators.Generator{
-		"List":                    generators.NewListGenerator(),
-		"Clusters":                generators.NewClusterGenerator(k8sClient, ctx, appClientset, "argocd"),
-		"Git":                     generators.NewGitGenerator(mockServer),
-		"SCMProvider":             generators.NewSCMProviderGenerator(fake.NewClientBuilder().WithObjects(&corev1.Secret{}).Build(), generators.SCMAuthProviders{}),
-		"ClusterDecisionResource": generators.NewDuckTypeGenerator(ctx, fakeDynClient, appClientset, "argocd"),
-		"PullRequest":             generators.NewPullRequestGenerator(k8sClient, generators.SCMAuthProviders{}),
-	}
-
-	nestedGenerators := map[string]generators.Generator{
-		"List":                    terminalGenerators["List"],
-		"Clusters":                terminalGenerators["Clusters"],
-		"Git":                     terminalGenerators["Git"],
-		"SCMProvider":             terminalGenerators["SCMProvider"],
-		"ClusterDecisionResource": terminalGenerators["ClusterDecisionResource"],
-		"PullRequest":             terminalGenerators["PullRequest"],
-		"Matrix":                  generators.NewMatrixGenerator(terminalGenerators),
-		"Merge":                   generators.NewMergeGenerator(terminalGenerators),
-	}
-
-	topLevelGenerators := map[string]generators.Generator{
-		"List":                    terminalGenerators["List"],
-		"Clusters":                terminalGenerators["Clusters"],
-		"Git":                     terminalGenerators["Git"],
-		"SCMProvider":             terminalGenerators["SCMProvider"],
-		"ClusterDecisionResource": terminalGenerators["ClusterDecisionResource"],
-		"PullRequest":             terminalGenerators["PullRequest"],
-		"Matrix":                  generators.NewMatrixGenerator(nestedGenerators),
-		"Merge":                   generators.NewMergeGenerator(nestedGenerators),
-	}
-
-	client := fake.NewClientBuilder().WithScheme(scheme).Build()
-	r := ApplicationSetReconciler{
-		Client:     client,
-		Scheme:     scheme,
-		Recorder:   record.NewFakeRecorder(0),
-		Generators: topLevelGenerators,
-	}
-
-	type args struct {
-		appset *argov1alpha1.ApplicationSet
-	}
-	tests := []struct {
-		name    string
-		args    args
-		want    time.Duration
-		wantErr assert.ErrorAssertionFunc
-	}{
-		{name: "Cluster", args: args{appset: &argov1alpha1.ApplicationSet{
-			Spec: argov1alpha1.ApplicationSetSpec{
-				Generators: []argov1alpha1.ApplicationSetGenerator{{Clusters: &argov1alpha1.ClusterGenerator{}}},
-			},
-		}}, want: generators.NoRequeueAfter, wantErr: assert.NoError},
-		{name: "ClusterMergeNested", args: args{&argov1alpha1.ApplicationSet{
-			Spec: argov1alpha1.ApplicationSetSpec{
-				Generators: []argov1alpha1.ApplicationSetGenerator{
-					{Clusters: &argov1alpha1.ClusterGenerator{}},
-					{Merge: &argov1alpha1.MergeGenerator{
-						Generators: []argov1alpha1.ApplicationSetNestedGenerator{
-							{
-								Clusters: &argov1alpha1.ClusterGenerator{},
-								Git:      &argov1alpha1.GitGenerator{},
-							},
-						},
-					}},
-				},
-			},
-		}}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError},
-		{name: "ClusterMatrixNested", args: args{&argov1alpha1.ApplicationSet{
-			Spec: argov1alpha1.ApplicationSetSpec{
-				Generators: []argov1alpha1.ApplicationSetGenerator{
-					{Clusters: &argov1alpha1.ClusterGenerator{}},
-					{Matrix: &argov1alpha1.MatrixGenerator{
-						Generators: []argov1alpha1.ApplicationSetNestedGenerator{
-							{
-								Clusters: &argov1alpha1.ClusterGenerator{},
-								Git:      &argov1alpha1.GitGenerator{},
-							},
-						},
-					}},
-				},
-			},
-		}}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError},
-		{name: "ListGenerator", args: args{appset: &argov1alpha1.ApplicationSet{
-			Spec: argov1alpha1.ApplicationSetSpec{
-				Generators: []argov1alpha1.ApplicationSetGenerator{{List: &argov1alpha1.ListGenerator{}}},
-			},
-		}}, want: generators.NoRequeueAfter, wantErr: assert.NoError},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			assert.Equalf(t, tt.want, r.getMinRequeueAfter(tt.args.appset), "getMinRequeueAfter(%v)", tt.args.appset)
-		})
-	}
-}
-
-type argoCDServiceMock struct {
-	mock *mock.Mock
-}
-
-func (a argoCDServiceMock) GetApps(ctx context.Context, repoURL string, revision string) ([]string, error) {
-	args := a.mock.Called(ctx, repoURL, revision)
-
-	return args.Get(0).([]string), args.Error(1)
-}
-
-func (a argoCDServiceMock) GetFiles(ctx context.Context, repoURL string, revision string, pattern string) (map[string][]byte, error) {
-	args := a.mock.Called(ctx, repoURL, revision, pattern)
-
-	return args.Get(0).(map[string][]byte), args.Error(1)
-}
-
-func (a argoCDServiceMock) GetFileContent(ctx context.Context, repoURL string, revision string, path string) ([]byte, error) {
-	args := a.mock.Called(ctx, repoURL, revision, path)
-
-	return args.Get(0).([]byte), args.Error(1)
-}
-
-func (a argoCDServiceMock) GetDirectories(ctx context.Context, repoURL string, revision string) ([]string, error) {
-	args := a.mock.Called(ctx, repoURL, revision)
-	return args.Get(0).([]string), args.Error(1)
-}
--- a/applicationset/generators/cluster.go
+++ b/applicationset/generators/cluster.go
@@ -51,8 +51,6 @@ func NewClusterGenerator(c client.Client, ctx context.Context, clientset kuberne
 	return g
 }

-// GetRequeueAfter never requeue the cluster generator because the `clusterSecretEventHandler` will requeue the appsets
-// when the cluster secrets change
 func (g *ClusterGenerator) GetRequeueAfter(appSetGenerator *argoappsetv1alpha1.ApplicationSetGenerator) time.Duration {
 	return NoRequeueAfter
 }
--- a/applicationset/generators/generator_spec_processor.go
+++ b/applicationset/generators/generator_spec_processor.go
@@ -2,11 +2,12 @@ package generators

 import (
 	"fmt"
+	"encoding/json"
 	"reflect"

 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
-	"github.com/jeremywohl/flatten"

+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"

 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
@@ -24,12 +25,9 @@ type TransformResult struct {
 	Template argoprojiov1alpha1.ApplicationSetTemplate
 }

-// Transform a spec generator to list of paramSets and a template
+//Transform a spec generator to list of paramSets and a template
 func Transform(requestedGenerator argoprojiov1alpha1.ApplicationSetGenerator, allGenerators map[string]Generator, baseTemplate argoprojiov1alpha1.ApplicationSetTemplate, appSet *argoprojiov1alpha1.ApplicationSet, genParams map[string]interface{}) ([]TransformResult, error) {
-	// This is a custom version of the `LabelSelectorAsSelector` that is in k8s.io/apimachinery. This has been copied
-	// verbatim from that package, with the difference that we do not have any restrictions on label values. This is done
-	// so that, among other things, we can match on cluster urls.
-	selector, err := utils.LabelSelectorAsSelector(requestedGenerator.Selector)
+	selector, err := metav1.LabelSelectorAsSelector(requestedGenerator.Selector)
 	if err != nil {
 		return nil, fmt.Errorf("error parsing label selector: %w", err)
 	}
@@ -74,17 +72,8 @@ func Transform(requestedGenerator argoprojiov1alpha1.ApplicationSetGenerator, al
 		}
 		var filterParams []map[string]interface{}
 		for _, param := range params {
-			flatParam, err := flattenParameters(param)
-			if err != nil {
-				log.WithError(err).WithField("generator", g).
-					Error("error flattening params")
-				if firstError == nil {
-					firstError = err
-				}
-				continue
-			}

-			if requestedGenerator.Selector != nil && !selector.Matches(labels.Set(flatParam)) {
+			if requestedGenerator.Selector != nil && !selector.Matches(labels.Set(keepOnlyStringValues(param))) {
 				continue
 			}
 			filterParams = append(filterParams, param)
@@ -99,6 +88,18 @@ func Transform(requestedGenerator argoprojiov1alpha1.ApplicationSetGenerator, al
 	return res, firstError
 }

+func keepOnlyStringValues(in map[string]interface{}) map[string]string {
+	var out map[string]string = map[string]string{}
+
+	for key, value := range in {
+		if _, ok := value.(string); ok {
+			out[key] = value.(string)
+		}
+	}
+
+	return out
+}
+
 func GetRelevantGenerators(requestedGenerator *argoprojiov1alpha1.ApplicationSetGenerator, generators map[string]Generator) []Generator {
 	var res []Generator

@@ -121,20 +122,6 @@ func GetRelevantGenerators(requestedGenerator *argoprojiov1alpha1.ApplicationSet
 	return res
 }

-func flattenParameters(in map[string]interface{}) (map[string]string, error) {
-	flat, err := flatten.Flatten(in, "", flatten.DotStyle)
-	if err != nil {
-		return nil, err
-	}
-
-	out := make(map[string]string, len(flat))
-	for k, v := range flat {
-		out[k] = fmt.Sprintf("%v", v)
-	}
-
-	return out, nil
-}
-
 func mergeGeneratorTemplate(g Generator, requestedGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetTemplate argoprojiov1alpha1.ApplicationSetTemplate) (argoprojiov1alpha1.ApplicationSetTemplate, error) {
 	// Make a copy of the value from `GetTemplate()` before merge, rather than copying directly into
 	// the provided parameter (which will touch the original resource object returned by client-go)
@@ -145,15 +132,27 @@ func mergeGeneratorTemplate(g Generator, requestedGenerator *argoprojiov1alpha1.
 	return *dest, err
 }

-// InterpolateGenerator allows interpolating the matrix's 2nd child generator with values from the 1st child generator
+// Currently for Matrix Generator. Allows interpolating the matrix's 2nd child generator with values from the 1st child generator
 // "params" parameter is an array, where each index corresponds to a generator. Each index contains a map w/ that generator's parameters.
 func InterpolateGenerator(requestedGenerator *argoprojiov1alpha1.ApplicationSetGenerator, params map[string]interface{}, useGoTemplate bool) (argoprojiov1alpha1.ApplicationSetGenerator, error) {
-	render := utils.Render{}
-	interpolatedGenerator, err := render.RenderGeneratorParams(requestedGenerator, params, useGoTemplate)
+	interpolatedGenerator := requestedGenerator.DeepCopy()
+	tmplBytes, err := json.Marshal(interpolatedGenerator)
 	if err != nil {
-		log.WithError(err).WithField("interpolatedGenerator", interpolatedGenerator).Error("error interpolating generator with other generator's parameter")
+		log.WithError(err).WithField("requestedGenerator", interpolatedGenerator).Error("error marshalling requested generator for interpolation")
 		return *interpolatedGenerator, err
 	}

+	render := utils.Render{}
+	replacedTmplStr, err := render.Replace(string(tmplBytes), params, useGoTemplate)
+	if err != nil {
+		log.WithError(err).WithField("interpolatedGeneratorString", replacedTmplStr).Error("error interpolating generator with other generator's parameter")
+		return *interpolatedGenerator, err
+	}
+
+	err = json.Unmarshal([]byte(replacedTmplStr), interpolatedGenerator)
+	if err != nil {
+		log.WithError(err).WithField("requestedGenerator", interpolatedGenerator).Error("error unmarshalling requested generator for interpolation")
+		return *interpolatedGenerator, err
+	}
 	return *interpolatedGenerator, nil
 }
--- a/applicationset/generators/generator_spec_processor_test.go
+++ b/applicationset/generators/generator_spec_processor_test.go
@@ -6,11 +6,9 @@ import (

 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	testutils "github.com/argoproj/argo-cd/v2/applicationset/utils/test"
 	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"

 	"github.com/stretchr/testify/mock"
@@ -94,160 +92,8 @@ func TestMatchValues(t *testing.T) {
 	}
 }

-func TestMatchValuesGoTemplate(t *testing.T) {
-	testCases := []struct {
-		name     string
-		elements []apiextensionsv1.JSON
-		selector *metav1.LabelSelector
-		expected []map[string]interface{}
-	}{
-		{
-			name:     "no filter",
-			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url"}`)}},
-			selector: &metav1.LabelSelector{},
-			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url"}},
-		},
-		{
-			name:     "nil",
-			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url"}`)}},
-			selector: nil,
-			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url"}},
-		},
-		{
-			name:     "values.foo should be foo but is ignore element",
-			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url","values":{"foo":"bar"}}`)}},
-			selector: &metav1.LabelSelector{
-				MatchLabels: map[string]string{
-					"values.foo": "foo",
-				},
-			},
-			expected: []map[string]interface{}{},
-		},
-		{
-			name:     "values.foo should be bar",
-			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url","values":{"foo":"bar"}}`)}},
-			selector: &metav1.LabelSelector{
-				MatchLabels: map[string]string{
-					"values.foo": "bar",
-				},
-			},
-			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url", "values": map[string]interface{}{"foo": "bar"}}},
-		},
-		{
-			name:     "values.0 should be bar",
-			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url","values":["bar"]}`)}},
-			selector: &metav1.LabelSelector{
-				MatchLabels: map[string]string{
-					"values.0": "bar",
-				},
-			},
-			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url", "values": []interface{}{"bar"}}},
-		},
-	}
-
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			var listGenerator = NewListGenerator()
-			var data = map[string]Generator{
-				"List": listGenerator,
-			}
-
-			applicationSetInfo := argov1alpha1.ApplicationSet{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "set",
-				},
-				Spec: argov1alpha1.ApplicationSetSpec{
-					GoTemplate: true,
-				},
-			}
-
-			results, err := Transform(argov1alpha1.ApplicationSetGenerator{
-				Selector: testCase.selector,
-				List: &argov1alpha1.ListGenerator{
-					Elements: testCase.elements,
-					Template: emptyTemplate(),
-				}},
-				data,
-				emptyTemplate(),
-				&applicationSetInfo, nil)
-
-			assert.NoError(t, err)
-			assert.ElementsMatch(t, testCase.expected, results[0].Params)
-		})
-	}
-}
-
-func TestTransForm(t *testing.T) {
-	testCases := []struct {
-		name     string
-		selector *metav1.LabelSelector
-		expected []map[string]interface{}
-	}{
-		{
-			name: "server filter",
-			selector: &metav1.LabelSelector{
-				MatchLabels: map[string]string{"server": "https://production-01.example.com"},
-			},
-			expected: []map[string]interface{}{{
-				"metadata.annotations.foo.argoproj.io":           "production",
-				"metadata.labels.argocd.argoproj.io/secret-type": "cluster",
-				"metadata.labels.environment":                    "production",
-				"metadata.labels.org":                            "bar",
-				"name":                                           "production_01/west",
-				"nameNormalized":                                 "production-01-west",
-				"server":                                         "https://production-01.example.com",
-			}},
-		},
-		{
-			name: "server filter with long url",
-			selector: &metav1.LabelSelector{
-				MatchLabels: map[string]string{"server": "https://some-really-long-url-that-will-exceed-63-characters.com"},
-			},
-			expected: []map[string]interface{}{{
-				"metadata.annotations.foo.argoproj.io":           "production",
-				"metadata.labels.argocd.argoproj.io/secret-type": "cluster",
-				"metadata.labels.environment":                    "production",
-				"metadata.labels.org":                            "bar",
-				"name":                                           "some-really-long-server-url",
-				"nameNormalized":                                 "some-really-long-server-url",
-				"server":                                         "https://some-really-long-url-that-will-exceed-63-characters.com",
-			}},
-		},
-	}
-
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			testGenerators := map[string]Generator{
-				"Clusters": getMockClusterGenerator(),
-			}
-
-			applicationSetInfo := argov1alpha1.ApplicationSet{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "set",
-				},
-				Spec: argov1alpha1.ApplicationSetSpec{},
-			}
-
-			results, err := Transform(
-				argov1alpha1.ApplicationSetGenerator{
-					Selector: testCase.selector,
-					Clusters: &argov1alpha1.ClusterGenerator{
-						Selector: metav1.LabelSelector{},
-						Template: argov1alpha1.ApplicationSetTemplate{},
-						Values:   nil,
-					}},
-				testGenerators,
-				emptyTemplate(),
-				&applicationSetInfo, nil)
-
-			assert.NoError(t, err)
-			assert.ElementsMatch(t, testCase.expected, results[0].Params)
-		})
-	}
-}
-
-func emptyTemplate() argov1alpha1.ApplicationSetTemplate {
-	return argov1alpha1.ApplicationSetTemplate{
+func emptyTemplate() argoprojiov1alpha1.ApplicationSetTemplate {
+	return argoprojiov1alpha1.ApplicationSetTemplate{
 		Spec: argov1alpha1.ApplicationSpec{
 			Project: "project",
 		},
@@ -304,35 +150,8 @@ func getMockClusterGenerator() Generator {
 			},
 			Type: corev1.SecretType("Opaque"),
 		},
-		&corev1.Secret{
-			TypeMeta: metav1.TypeMeta{
-				Kind:       "Secret",
-				APIVersion: "v1",
-			},
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      "some-really-long-server-url",
-				Namespace: "namespace",
-				Labels: map[string]string{
-					"argocd.argoproj.io/secret-type": "cluster",
-					"environment":                    "production",
-					"org":                            "bar",
-				},
-				Annotations: map[string]string{
-					"foo.argoproj.io": "production",
-				},
-			},
-			Data: map[string][]byte{
-				"config": []byte("{}"),
-				"name":   []byte("some-really-long-server-url"),
-				"server": []byte("https://some-really-long-url-that-will-exceed-63-characters.com"),
-			},
-			Type: corev1.SecretType("Opaque"),
-		},
 	}
 	runtimeClusters := []runtime.Object{}
-	for _, clientCluster := range clusters {
-		runtimeClusters = append(runtimeClusters, clientCluster)
-	}
 	appClientset := kubefake.NewSimpleClientset(runtimeClusters...)

 	fakeClient := fake.NewClientBuilder().WithObjects(clusters...).Build()
@@ -340,8 +159,8 @@ func getMockClusterGenerator() Generator {
 }

 func getMockGitGenerator() Generator {
-	argoCDServiceMock := testutils.ArgoCDServiceMock{Mock: &mock.Mock{}}
-	argoCDServiceMock.Mock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return([]string{"app1", "app2", "app_3", "p1/app4"}, nil)
+	argoCDServiceMock := argoCDServiceMock{mock: &mock.Mock{}}
+	argoCDServiceMock.mock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return([]string{"app1", "app2", "app_3", "p1/app4"}, nil)
 	var gitGenerator = NewGitGenerator(argoCDServiceMock)
 	return gitGenerator
 }
@@ -429,60 +248,6 @@ func TestInterpolateGenerator(t *testing.T) {
 		Path: "{{server}}",
 	}

-	requestedGenerator = &argoprojiov1alpha1.ApplicationSetGenerator{
-		Git: &argoprojiov1alpha1.GitGenerator{
-			Files:    append([]argoprojiov1alpha1.GitFileGeneratorItem{}, fileNamePath, fileServerPath),
-			Template: argoprojiov1alpha1.ApplicationSetTemplate{},
-		},
-	}
-	clusterGeneratorParams := map[string]interface{}{
-		"name": "production_01/west", "server": "https://production-01.example.com",
-	}
-	interpolatedGenerator, err = InterpolateGenerator(requestedGenerator, clusterGeneratorParams, false)
-	if err != nil {
-		log.WithError(err).WithField("requestedGenerator", requestedGenerator).Error("error interpolating Generator")
-		return
-	}
-	assert.Equal(t, "production_01/west", interpolatedGenerator.Git.Files[0].Path)
-	assert.Equal(t, "https://production-01.example.com", interpolatedGenerator.Git.Files[1].Path)
-}
-
-func TestInterpolateGenerator_go(t *testing.T) {
-	requestedGenerator := &argoprojiov1alpha1.ApplicationSetGenerator{
-		Clusters: &argoprojiov1alpha1.ClusterGenerator{
-			Selector: metav1.LabelSelector{
-				MatchLabels: map[string]string{
-					"argocd.argoproj.io/secret-type": "cluster",
-					"path-basename":                  "{{base .path.path}}",
-					"path-zero":                      "{{index .path.segments 0}}",
-					"path-full":                      "{{.path.path}}",
-					"kubernetes.io/environment":      `{{default "foo" .my_label}}`,
-				}},
-		},
-	}
-	gitGeneratorParams := map[string]interface{}{
-		"path": map[string]interface{}{
-			"path":     "p1/p2/app3",
-			"segments": []string{"p1", "p2", "app3"},
-		},
-	}
-	interpolatedGenerator, err := InterpolateGenerator(requestedGenerator, gitGeneratorParams, true)
-	require.NoError(t, err)
-	if err != nil {
-		log.WithError(err).WithField("requestedGenerator", requestedGenerator).Error("error interpolating Generator")
-		return
-	}
-	assert.Equal(t, "app3", interpolatedGenerator.Clusters.Selector.MatchLabels["path-basename"])
-	assert.Equal(t, "p1", interpolatedGenerator.Clusters.Selector.MatchLabels["path-zero"])
-	assert.Equal(t, "p1/p2/app3", interpolatedGenerator.Clusters.Selector.MatchLabels["path-full"])
-
-	fileNamePath := argoprojiov1alpha1.GitFileGeneratorItem{
-		Path: "{{.name}}",
-	}
-	fileServerPath := argoprojiov1alpha1.GitFileGeneratorItem{
-		Path: "{{.server}}",
-	}
-
 	requestedGenerator = &argoprojiov1alpha1.ApplicationSetGenerator{
 		Git: &argoprojiov1alpha1.GitGenerator{
 			Files:    append([]argoprojiov1alpha1.GitFileGeneratorItem{}, fileNamePath, fileServerPath),
--- a/applicationset/generators/git.go
+++ b/applicationset/generators/git.go
@@ -58,9 +58,9 @@ func (g *GitGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Applic

 	var err error
 	var res []map[string]interface{}
-	if len(appSetGenerator.Git.Directories) != 0 {
+	if appSetGenerator.Git.Directories != nil {
 		res, err = g.generateParamsForGitDirectories(appSetGenerator, appSet.Spec.GoTemplate)
-	} else if len(appSetGenerator.Git.Files) != 0 {
+	} else if appSetGenerator.Git.Files != nil {
 		res, err = g.generateParamsForGitFiles(appSetGenerator, appSet.Spec.GoTemplate)
 	} else {
 		return nil, EmptyAppSetGeneratorError
--- a/applicationset/generators/git_test.go
+++ b/applicationset/generators/git_test.go
@@ -1,6 +1,7 @@
 package generators

 import (
+	"context"
 	"fmt"
 	"testing"

@@ -8,7 +9,6 @@ import (
 	"github.com/stretchr/testify/mock"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	testutils "github.com/argoproj/argo-cd/v2/applicationset/utils/test"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )

@@ -20,6 +20,33 @@ import (
 // 	return io.NewCloser(func() error { return nil }), c.RepoServerServiceClient, nil
 // }

+type argoCDServiceMock struct {
+	mock *mock.Mock
+}
+
+func (a argoCDServiceMock) GetApps(ctx context.Context, repoURL string, revision string) ([]string, error) {
+	args := a.mock.Called(ctx, repoURL, revision)
+
+	return args.Get(0).([]string), args.Error(1)
+}
+
+func (a argoCDServiceMock) GetFiles(ctx context.Context, repoURL string, revision string, pattern string) (map[string][]byte, error) {
+	args := a.mock.Called(ctx, repoURL, revision, pattern)
+
+	return args.Get(0).(map[string][]byte), args.Error(1)
+}
+
+func (a argoCDServiceMock) GetFileContent(ctx context.Context, repoURL string, revision string, path string) ([]byte, error) {
+	args := a.mock.Called(ctx, repoURL, revision, path)
+
+	return args.Get(0).([]byte), args.Error(1)
+}
+
+func (a argoCDServiceMock) GetDirectories(ctx context.Context, repoURL string, revision string) ([]string, error) {
+	args := a.mock.Called(ctx, repoURL, revision)
+	return args.Get(0).([]string), args.Error(1)
+}
+
 func Test_generateParamsFromGitFile(t *testing.T) {
 	params, err := (*GitGenerator)(nil).generateParamsFromGitFile("path/dir/file_name.yaml", []byte(`
 foo:
@@ -244,9 +271,9 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := testutils.ArgoCDServiceMock{Mock: &mock.Mock{}}
+			argoCDServiceMock := argoCDServiceMock{mock: &mock.Mock{}}

-			argoCDServiceMock.Mock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
+			argoCDServiceMock.mock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)

 			var gitGenerator = NewGitGenerator(argoCDServiceMock)
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
@@ -274,7 +301,7 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 				assert.Equal(t, testCaseCopy.expected, got)
 			}

-			argoCDServiceMock.Mock.AssertExpectations(t)
+			argoCDServiceMock.mock.AssertExpectations(t)
 		})
 	}
 }
@@ -539,9 +566,9 @@ func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := testutils.ArgoCDServiceMock{Mock: &mock.Mock{}}
+			argoCDServiceMock := argoCDServiceMock{mock: &mock.Mock{}}

-			argoCDServiceMock.Mock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
+			argoCDServiceMock.mock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)

 			var gitGenerator = NewGitGenerator(argoCDServiceMock)
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
@@ -570,7 +597,7 @@ func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {
 				assert.Equal(t, testCaseCopy.expected, got)
 			}

-			argoCDServiceMock.Mock.AssertExpectations(t)
+			argoCDServiceMock.mock.AssertExpectations(t)
 		})
 	}

@@ -830,8 +857,8 @@ cluster:
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := testutils.ArgoCDServiceMock{Mock: &mock.Mock{}}
-			argoCDServiceMock.Mock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything).
+			argoCDServiceMock := argoCDServiceMock{mock: &mock.Mock{}}
+			argoCDServiceMock.mock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything).
 				Return(testCaseCopy.repoFileContents, testCaseCopy.repoPathsError)

 			var gitGenerator = NewGitGenerator(argoCDServiceMock)
@@ -860,7 +887,7 @@ cluster:
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}

-			argoCDServiceMock.Mock.AssertExpectations(t)
+			argoCDServiceMock.mock.AssertExpectations(t)
 		})
 	}
 }
@@ -1179,8 +1206,8 @@ cluster:
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := testutils.ArgoCDServiceMock{Mock: &mock.Mock{}}
-			argoCDServiceMock.Mock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything).
+			argoCDServiceMock := argoCDServiceMock{mock: &mock.Mock{}}
+			argoCDServiceMock.mock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything).
 				Return(testCaseCopy.repoFileContents, testCaseCopy.repoPathsError)

 			var gitGenerator = NewGitGenerator(argoCDServiceMock)
@@ -1210,7 +1237,7 @@ cluster:
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}

-			argoCDServiceMock.Mock.AssertExpectations(t)
+			argoCDServiceMock.mock.AssertExpectations(t)
 		})
 	}
 }
--- a/applicationset/generators/matrix.go
+++ b/applicationset/generators/matrix.go
@@ -80,13 +80,28 @@ func (m *MatrixGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.App
 }

 func (m *MatrixGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet, params map[string]interface{}) ([]map[string]interface{}, error) {
-	matrixGen, err := getMatrixGenerator(appSetBaseGenerator)
-	if err != nil {
-		return nil, err
+	var matrix *argoprojiov1alpha1.MatrixGenerator
+	if appSetBaseGenerator.Matrix != nil {
+		// Since nested matrix generator is represented as a JSON object in the CRD, we unmarshall it back to a Go struct here.
+		nestedMatrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(appSetBaseGenerator.Matrix)
+		if err != nil {
+			return nil, fmt.Errorf("unable to unmarshall nested matrix generator: %v", err)
+		}
+		if nestedMatrix != nil {
+			matrix = nestedMatrix.ToMatrixGenerator()
+		}
 	}
-	mergeGen, err := getMergeGenerator(appSetBaseGenerator)
-	if err != nil {
-		return nil, err
+
+	var mergeGenerator *argoprojiov1alpha1.MergeGenerator
+	if appSetBaseGenerator.Merge != nil {
+		// Since nested merge generator is represented as a JSON object in the CRD, we unmarshall it back to a Go struct here.
+		nestedMerge, err := argoprojiov1alpha1.ToNestedMergeGenerator(appSetBaseGenerator.Merge)
+		if err != nil {
+			return nil, fmt.Errorf("unable to unmarshall nested merge generator: %v", err)
+		}
+		if nestedMerge != nil {
+			mergeGenerator = nestedMerge.ToMergeGenerator()
+		}
 	}

 	t, err := Transform(
@@ -97,8 +112,8 @@ func (m *MatrixGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.Appli
 			SCMProvider:             appSetBaseGenerator.SCMProvider,
 			ClusterDecisionResource: appSetBaseGenerator.ClusterDecisionResource,
 			PullRequest:             appSetBaseGenerator.PullRequest,
-			Matrix:                  matrixGen,
-			Merge:                   mergeGen,
+			Matrix:                  matrix,
+			Merge:                   mergeGenerator,
 			Selector:                appSetBaseGenerator.Selector,
 		},
 		m.supportedGenerators,
@@ -128,15 +143,11 @@ func (m *MatrixGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Ap
 	var found bool

 	for _, r := range appSetGenerator.Matrix.Generators {
-		matrixGen, _ := getMatrixGenerator(r)
-		mergeGen, _ := getMergeGenerator(r)
 		base := &argoprojiov1alpha1.ApplicationSetGenerator{
 			List:        r.List,
 			Clusters:    r.Clusters,
 			Git:         r.Git,
 			PullRequest: r.PullRequest,
-			Matrix:      matrixGen,
-			Merge:       mergeGen,
 		}
 		generators := GetRelevantGenerators(base, m.supportedGenerators)

@@ -157,17 +168,6 @@ func (m *MatrixGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Ap

 }

-func getMatrixGenerator(r argoprojiov1alpha1.ApplicationSetNestedGenerator) (*argoprojiov1alpha1.MatrixGenerator, error) {
-	if r.Matrix == nil {
-		return nil, nil
-	}
-	matrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(r.Matrix)
-	if err != nil {
-		return nil, err
-	}
-	return matrix.ToMatrixGenerator(), nil
-}
-
 func (m *MatrixGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) *argoprojiov1alpha1.ApplicationSetTemplate {
 	return &appSetGenerator.Matrix.Template
 }
--- a/applicationset/generators/matrix_test.go
+++ b/applicationset/generators/matrix_test.go
@@ -5,7 +5,6 @@ import (
 	"testing"
 	"time"

-	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -17,7 +16,6 @@ import (
 	"github.com/stretchr/testify/mock"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"

-	testutils "github.com/argoproj/argo-cd/v2/applicationset/utils/test"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )

@@ -30,7 +28,7 @@ func TestMatrixGenerate(t *testing.T) {
 	}

 	listGenerator := &argoprojiov1alpha1.ListGenerator{
-		Elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "Cluster","url": "Url", "templated": "test-{{path.basenameNormalized}}"}`)}},
+		Elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "Cluster","url": "Url"}`)}},
 	}

 	testCases := []struct {
@@ -50,8 +48,8 @@ func TestMatrixGenerate(t *testing.T) {
 				},
 			},
 			expected: []map[string]interface{}{
-				{"path": "app1", "path.basename": "app1", "path.basenameNormalized": "app1", "cluster": "Cluster", "url": "Url", "templated": "test-app1"},
-				{"path": "app2", "path.basename": "app2", "path.basenameNormalized": "app2", "cluster": "Cluster", "url": "Url", "templated": "test-app2"},
+				{"path": "app1", "path.basename": "app1", "path.basenameNormalized": "app1", "cluster": "Cluster", "url": "Url"},
+				{"path": "app2", "path.basename": "app2", "path.basenameNormalized": "app2", "cluster": "Cluster", "url": "Url"},
 			},
 		},
 		{
@@ -859,72 +857,3 @@ func (g *generatorMock) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Appl
 	return args.Get(0).(time.Duration)

 }
-
-func TestGitGenerator_GenerateParams_list_x_git_matrix_generator(t *testing.T) {
-	// Given a matrix generator over a list generator and a git files generator, the nested git files generator should
-	// be treated as a files generator, and it should produce parameters.
-
-	// This tests for a specific bug where a nested git files generator was being treated as a directory generator. This
-	// happened because, when the matrix generator was being processed, the nested git files generator was being
-	// interpolated by the deeplyReplace function. That function cannot differentiate between a nil slice and an empty
-	// slice. So it was replacing the `Directories` field with an empty slice, which the ApplicationSet controller
-	// interpreted as meaning this was a directory generator, not a files generator.
-
-	// Now instead of checking for nil, we check whether the field is a non-empty slice. This test prevents a regression
-	// of that bug.
-
-	listGeneratorMock := &generatorMock{}
-	listGeneratorMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), mock.AnythingOfType("*v1alpha1.ApplicationSet")).Return([]map[string]interface{}{
-		{"some": "value"},
-	}, nil)
-	listGeneratorMock.On("GetTemplate", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator")).Return(&argoprojiov1alpha1.ApplicationSetTemplate{})
-
-	gitGeneratorSpec := &argoprojiov1alpha1.GitGenerator{
-		RepoURL: "https://git.example.com",
-		Files: []argoprojiov1alpha1.GitFileGeneratorItem{
-			{Path: "some/path.json"},
-		},
-	}
-
-	repoServiceMock := testutils.ArgoCDServiceMock{Mock: &mock.Mock{}}
-	repoServiceMock.Mock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(map[string][]byte{
-		"some/path.json": []byte("test: content"),
-	}, nil)
-	gitGenerator := NewGitGenerator(repoServiceMock)
-
-	matrixGenerator := NewMatrixGenerator(map[string]Generator{
-		"List": listGeneratorMock,
-		"Git":  gitGenerator,
-	})
-
-	matrixGeneratorSpec := &argoprojiov1alpha1.MatrixGenerator{
-		Generators: []argoprojiov1alpha1.ApplicationSetNestedGenerator{
-			{
-				List: &argoprojiov1alpha1.ListGenerator{
-					Elements: []apiextensionsv1.JSON{
-						{
-							Raw: []byte(`{"some": "value"}`),
-						},
-					},
-				},
-			},
-			{
-				Git: gitGeneratorSpec,
-			},
-		},
-	}
-	params, err := matrixGenerator.GenerateParams(&argoprojiov1alpha1.ApplicationSetGenerator{
-		Matrix: matrixGeneratorSpec,
-	}, &argoprojiov1alpha1.ApplicationSet{})
-	require.NoError(t, err)
-	assert.Equal(t, []map[string]interface{}{{
-		"path":                    "some",
-		"path.basename":           "some",
-		"path.basenameNormalized": "some",
-		"path.filename":           "path.json",
-		"path.filenameNormalized": "path.json",
-		"path[0]":                 "some",
-		"some":                    "value",
-		"test":                    "content",
-	}}, params)
-}
--- a/applicationset/generators/merge.go
+++ b/applicationset/generators/merge.go
@@ -137,13 +137,27 @@ func getParamSetsByMergeKey(mergeKeys []string, paramSets []map[string]interface

 // getParams get the parameters generated by this generator.
 func (m *MergeGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
-	matrixGen, err := getMatrixGenerator(appSetBaseGenerator)
-	if err != nil {
-		return nil, err
+
+	var matrix *argoprojiov1alpha1.MatrixGenerator
+	if appSetBaseGenerator.Matrix != nil {
+		nestedMatrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(appSetBaseGenerator.Matrix)
+		if err != nil {
+			return nil, err
+		}
+		if nestedMatrix != nil {
+			matrix = nestedMatrix.ToMatrixGenerator()
+		}
 	}
-	mergeGen, err := getMergeGenerator(appSetBaseGenerator)
-	if err != nil {
-		return nil, err
+
+	var mergeGenerator *argoprojiov1alpha1.MergeGenerator
+	if appSetBaseGenerator.Merge != nil {
+		nestedMerge, err := argoprojiov1alpha1.ToNestedMergeGenerator(appSetBaseGenerator.Merge)
+		if err != nil {
+			return nil, err
+		}
+		if nestedMerge != nil {
+			mergeGenerator = nestedMerge.ToMergeGenerator()
+		}
 	}

 	t, err := Transform(
@@ -154,8 +168,8 @@ func (m *MergeGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.Applic
 			SCMProvider:             appSetBaseGenerator.SCMProvider,
 			ClusterDecisionResource: appSetBaseGenerator.ClusterDecisionResource,
 			PullRequest:             appSetBaseGenerator.PullRequest,
-			Matrix:                  matrixGen,
-			Merge:                   mergeGen,
+			Matrix:                  matrix,
+			Merge:                   mergeGenerator,
 			Selector:                appSetBaseGenerator.Selector,
 		},
 		m.supportedGenerators,
@@ -183,15 +197,10 @@ func (m *MergeGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.App
 	var found bool

 	for _, r := range appSetGenerator.Merge.Generators {
-		matrixGen, _ := getMatrixGenerator(r)
-		mergeGen, _ := getMergeGenerator(r)
 		base := &argoprojiov1alpha1.ApplicationSetGenerator{
-			List:        r.List,
-			Clusters:    r.Clusters,
-			Git:         r.Git,
-			PullRequest: r.PullRequest,
-			Matrix:      matrixGen,
-			Merge:       mergeGen,
+			List:     r.List,
+			Clusters: r.Clusters,
+			Git:      r.Git,
 		}
 		generators := GetRelevantGenerators(base, m.supportedGenerators)

@@ -212,17 +221,6 @@ func (m *MergeGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.App

 }

-func getMergeGenerator(r argoprojiov1alpha1.ApplicationSetNestedGenerator) (*argoprojiov1alpha1.MergeGenerator, error) {
-	if r.Merge == nil {
-		return nil, nil
-	}
-	merge, err := argoprojiov1alpha1.ToNestedMergeGenerator(r.Merge)
-	if err != nil {
-		return nil, err
-	}
-	return merge.ToMergeGenerator(), nil
-}
-
 // GetTemplate gets the Template field for the MergeGenerator.
 func (m *MergeGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) *argoprojiov1alpha1.ApplicationSetTemplate {
 	return &appSetGenerator.Merge.Template
--- a/applicationset/services/scm_provider/gitlab.go
+++ b/applicationset/services/scm_provider/gitlab.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"net/http"
 	pathpkg "path"

 	gitlab "github.com/xanzy/go-gitlab"
@@ -145,11 +144,7 @@ func (g *GitlabProvider) listBranches(_ context.Context, repo *Repository) ([]gi
 	branches := []gitlab.Branch{}
 	// If we don't specifically want to query for all branches, just use the default branch and call it a day.
 	if !g.allBranches {
-		gitlabBranch, resp, err := g.client.Branches.GetBranch(repo.RepositoryId, repo.Branch, nil)
-		// 404s are not an error here, just a normal false.
-		if resp != nil && resp.StatusCode == http.StatusNotFound {
-			return []gitlab.Branch{}, nil
-		}
+		gitlabBranch, _, err := g.client.Branches.GetBranch(repo.RepositoryId, repo.Branch, nil)
 		if err != nil {
 			return nil, err
 		}
@@ -162,10 +157,6 @@ func (g *GitlabProvider) listBranches(_ context.Context, repo *Repository) ([]gi
 	}
 	for {
 		gitlabBranches, resp, err := g.client.Branches.ListBranches(repo.RepositoryId, opt)
-		// 404s are not an error here, just a normal false.
-		if resp != nil && resp.StatusCode == http.StatusNotFound {
-			return []gitlab.Branch{}, nil
-		}
 		if err != nil {
 			return nil, err
 		}
--- a/applicationset/services/scm_provider/gitlab_test.go
+++ b/applicationset/services/scm_provider/gitlab_test.go
@@ -274,8 +274,6 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 			if err != nil {
 				t.Fail()
 			}
-		case "/api/v4/projects/27084533/repository/branches/foo":
-			w.WriteHeader(http.StatusNotFound)
 		default:
 			_, err := io.WriteString(w, `[]`)
 			if err != nil {
@@ -393,29 +391,3 @@ func TestGitlabHasPath(t *testing.T) {
 		})
 	}
 }
-
-func TestGitlabGetBranches(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		gitlabMockHandler(t)(w, r)
-	}))
-	host, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", ts.URL, false, true)
-
-	repo := &Repository{
-		RepositoryId: 27084533,
-		Branch:       "master",
-	}
-	t.Run("branch exists", func(t *testing.T) {
-		repos, err := host.GetBranches(context.Background(), repo)
-		assert.Nil(t, err)
-		assert.Equal(t, repos[0].Branch, "master")
-	})
-
-	repo2 := &Repository{
-		RepositoryId: 27084533,
-		Branch:       "foo",
-	}
-	t.Run("unknown branch", func(t *testing.T) {
-		_, err := host.GetBranches(context.Background(), repo2)
-		assert.NoError(t, err)
-	})
-}
--- a/applicationset/utils/selector.go
+++ b/applicationset/utils/selector.go
@@ -1,261 +0,0 @@
-package utils
-
-import (
-	"fmt"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/apimachinery/pkg/selection"
-	"k8s.io/apimachinery/pkg/util/validation"
-	"k8s.io/apimachinery/pkg/util/validation/field"
-	"k8s.io/klog/v2"
-	"sort"
-	"strconv"
-	"strings"
-)
-
-var (
-	unaryOperators = []string{
-		string(selection.Exists), string(selection.DoesNotExist),
-	}
-	binaryOperators = []string{
-		string(selection.In), string(selection.NotIn),
-		string(selection.Equals), string(selection.DoubleEquals), string(selection.NotEquals),
-		string(selection.GreaterThan), string(selection.LessThan),
-	}
-	validRequirementOperators = append(binaryOperators, unaryOperators...)
-)
-
-// Selector represents a label selector.
-type Selector interface {
-	// Matches returns true if this selector matches the given set of labels.
-	Matches(labels.Labels) bool
-
-	// Add adds requirements to the Selector
-	Add(r ...Requirement) Selector
-}
-
-type internalSelector []Requirement
-
-// ByKey sorts requirements by key to obtain deterministic parser
-type ByKey []Requirement
-
-func (a ByKey) Len() int { return len(a) }
-
-func (a ByKey) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
-
-func (a ByKey) Less(i, j int) bool { return a[i].key < a[j].key }
-
-// Matches for a internalSelector returns true if all
-// its Requirements match the input Labels. If any
-// Requirement does not match, false is returned.
-func (s internalSelector) Matches(l labels.Labels) bool {
-	for ix := range s {
-		if matches := s[ix].Matches(l); !matches {
-			return false
-		}
-	}
-	return true
-}
-
-// Add adds requirements to the selector. It copies the current selector returning a new one
-func (s internalSelector) Add(reqs ...Requirement) Selector {
-	ret := make(internalSelector, 0, len(s)+len(reqs))
-	ret = append(ret, s...)
-	ret = append(ret, reqs...)
-	sort.Sort(ByKey(ret))
-	return ret
-}
-
-type nothingSelector struct{}
-
-func (n nothingSelector) Matches(l labels.Labels) bool {
-	return false
-}
-
-func (n nothingSelector) Add(r ...Requirement) Selector {
-	return n
-}
-
-// Nothing returns a selector that matches no labels
-func nothing() Selector {
-	return nothingSelector{}
-}
-
-// Everything returns a selector that matches all labels.
-func everything() Selector {
-	return internalSelector{}
-}
-
-// LabelSelectorAsSelector converts the LabelSelector api type into a struct that implements
-// labels.Selector
-// Note: This function should be kept in sync with the selector methods in pkg/labels/selector.go
-func LabelSelectorAsSelector(ps *v1.LabelSelector) (Selector, error) {
-	if ps == nil {
-		return nothing(), nil
-	}
-	if len(ps.MatchLabels)+len(ps.MatchExpressions) == 0 {
-		return everything(), nil
-	}
-	requirements := make([]Requirement, 0, len(ps.MatchLabels)+len(ps.MatchExpressions))
-	for k, v := range ps.MatchLabels {
-		r, err := newRequirement(k, selection.Equals, []string{v})
-		if err != nil {
-			return nil, err
-		}
-		requirements = append(requirements, *r)
-	}
-	for _, expr := range ps.MatchExpressions {
-		var op selection.Operator
-		switch expr.Operator {
-		case v1.LabelSelectorOpIn:
-			op = selection.In
-		case v1.LabelSelectorOpNotIn:
-			op = selection.NotIn
-		case v1.LabelSelectorOpExists:
-			op = selection.Exists
-		case v1.LabelSelectorOpDoesNotExist:
-			op = selection.DoesNotExist
-		default:
-			return nil, fmt.Errorf("%q is not a valid pod selector operator", expr.Operator)
-		}
-		r, err := newRequirement(expr.Key, op, append([]string(nil), expr.Values...))
-		if err != nil {
-			return nil, err
-		}
-		requirements = append(requirements, *r)
-	}
-	selector := newSelector()
-	selector = selector.Add(requirements...)
-	return selector, nil
-}
-
-// NewSelector returns a nil selector
-func newSelector() Selector {
-	return internalSelector(nil)
-}
-
-func validateLabelKey(k string, path *field.Path) *field.Error {
-	if errs := validation.IsQualifiedName(k); len(errs) != 0 {
-		return field.Invalid(path, k, strings.Join(errs, "; "))
-	}
-	return nil
-}
-
-// NewRequirement is the constructor for a Requirement.
-// If any of these rules is violated, an error is returned:
-// (1) The operator can only be In, NotIn, Equals, DoubleEquals, Gt, Lt, NotEquals, Exists, or DoesNotExist.
-// (2) If the operator is In or NotIn, the values set must be non-empty.
-// (3) If the operator is Equals, DoubleEquals, or NotEquals, the values set must contain one value.
-// (4) If the operator is Exists or DoesNotExist, the value set must be empty.
-// (5) If the operator is Gt or Lt, the values set must contain only one value, which will be interpreted as an integer.
-// (6) The key is invalid due to its length, or sequence
-//
-//	of characters. See validateLabelKey for more details.
-//
-// The empty string is a valid value in the input values set.
-// Returned error, if not nil, is guaranteed to be an aggregated field.ErrorList
-func newRequirement(key string, op selection.Operator, vals []string, opts ...field.PathOption) (*Requirement, error) {
-	var allErrs field.ErrorList
-	path := field.ToPath(opts...)
-	if err := validateLabelKey(key, path.Child("key")); err != nil {
-		allErrs = append(allErrs, err)
-	}
-
-	valuePath := path.Child("values")
-	switch op {
-	case selection.In, selection.NotIn:
-		if len(vals) == 0 {
-			allErrs = append(allErrs, field.Invalid(valuePath, vals, "for 'in', 'notin' operators, values set can't be empty"))
-		}
-	case selection.Equals, selection.DoubleEquals, selection.NotEquals:
-		if len(vals) != 1 {
-			allErrs = append(allErrs, field.Invalid(valuePath, vals, "exact-match compatibility requires one single value"))
-		}
-	case selection.Exists, selection.DoesNotExist:
-		if len(vals) != 0 {
-			allErrs = append(allErrs, field.Invalid(valuePath, vals, "values set must be empty for exists and does not exist"))
-		}
-	case selection.GreaterThan, selection.LessThan:
-		if len(vals) != 1 {
-			allErrs = append(allErrs, field.Invalid(valuePath, vals, "for 'Gt', 'Lt' operators, exactly one value is required"))
-		}
-		for i := range vals {
-			if _, err := strconv.ParseInt(vals[i], 10, 64); err != nil {
-				allErrs = append(allErrs, field.Invalid(valuePath.Index(i), vals[i], "for 'Gt', 'Lt' operators, the value must be an integer"))
-			}
-		}
-	default:
-		allErrs = append(allErrs, field.NotSupported(path.Child("operator"), op, validRequirementOperators))
-	}
-
-	return &Requirement{key: key, operator: op, strValues: vals}, allErrs.ToAggregate()
-}
-
-// Requirement contains values, a key, and an operator that relates the key and values.
-// The zero value of Requirement is invalid.
-// Requirement implements both set based match and exact match
-// Requirement should be initialized via NewRequirement constructor for creating a valid Requirement.
-// +k8s:deepcopy-gen=true
-type Requirement struct {
-	key      string
-	operator selection.Operator
-	// In the majority of cases we have at most one value here.
-	// It is generally faster to operate on a single-element slice
-	// than on a single-element map, so we have a slice here.
-	strValues []string
-}
-
-func (r *Requirement) hasValue(value string) bool {
-	for i := range r.strValues {
-		if r.strValues[i] == value {
-			return true
-		}
-	}
-	return false
-}
-
-func (r *Requirement) Matches(ls labels.Labels) bool {
-	switch r.operator {
-	case selection.In, selection.Equals, selection.DoubleEquals:
-		if !ls.Has(r.key) {
-			return false
-		}
-		return r.hasValue(ls.Get(r.key))
-	case selection.NotIn, selection.NotEquals:
-		if !ls.Has(r.key) {
-			return true
-		}
-		return !r.hasValue(ls.Get(r.key))
-	case selection.Exists:
-		return ls.Has(r.key)
-	case selection.DoesNotExist:
-		return !ls.Has(r.key)
-	case selection.GreaterThan, selection.LessThan:
-		if !ls.Has(r.key) {
-			return false
-		}
-		lsValue, err := strconv.ParseInt(ls.Get(r.key), 10, 64)
-		if err != nil {
-			klog.V(10).Infof("ParseInt failed for value %+v in label %+v, %+v", ls.Get(r.key), ls, err)
-			return false
-		}
-
-		// There should be only one strValue in r.strValues, and can be converted to an integer.
-		if len(r.strValues) != 1 {
-			klog.V(10).Infof("Invalid values count %+v of requirement %#v, for 'Gt', 'Lt' operators, exactly one value is required", len(r.strValues), r)
-			return false
-		}
-
-		var rValue int64
-		for i := range r.strValues {
-			rValue, err = strconv.ParseInt(r.strValues[i], 10, 64)
-			if err != nil {
-				klog.V(10).Infof("ParseInt failed for value %+v in requirement %#v, for 'Gt', 'Lt' operators, the value must be an integer", r.strValues[i], r)
-				return false
-			}
-		}
-		return (r.operator == selection.GreaterThan && lsValue > rValue) || (r.operator == selection.LessThan && lsValue < rValue)
-	default:
-		return false
-	}
-}
--- a/applicationset/utils/test/testutils.go
+++ b/applicationset/utils/test/testutils.go
@@ -1,34 +0,0 @@
-package test
-
-import (
-	"context"
-
-	"github.com/stretchr/testify/mock"
-)
-
-type ArgoCDServiceMock struct {
-	Mock *mock.Mock
-}
-
-func (a ArgoCDServiceMock) GetApps(ctx context.Context, repoURL string, revision string) ([]string, error) {
-	args := a.Mock.Called(ctx, repoURL, revision)
-
-	return args.Get(0).([]string), args.Error(1)
-}
-
-func (a ArgoCDServiceMock) GetFiles(ctx context.Context, repoURL string, revision string, pattern string) (map[string][]byte, error) {
-	args := a.Mock.Called(ctx, repoURL, revision, pattern)
-
-	return args.Get(0).(map[string][]byte), args.Error(1)
-}
-
-func (a ArgoCDServiceMock) GetFileContent(ctx context.Context, repoURL string, revision string, path string) ([]byte, error) {
-	args := a.Mock.Called(ctx, repoURL, revision, path)
-
-	return args.Get(0).([]byte), args.Error(1)
-}
-
-func (a ArgoCDServiceMock) GetDirectories(ctx context.Context, repoURL string, revision string) ([]string, error) {
-	args := a.Mock.Called(ctx, repoURL, revision)
-	return args.Get(0).([]string), args.Error(1)
-}
--- a/applicationset/utils/utils.go
+++ b/applicationset/utils/utils.go
@@ -96,25 +96,6 @@ func (r *Render) deeplyReplace(copy, original reflect.Value, replaceMap map[stri
 			// specific case time
 			if currentType == "time.Time" {
 				copy.Field(i).Set(original.Field(i))
-			} else if currentType == "Raw.k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" {
-				var unmarshaled interface{}
-				originalBytes := original.Field(i).Bytes()
-				err := json.Unmarshal(originalBytes, &unmarshaled)
-				if err != nil {
-					return fmt.Errorf("failed to unmarshal JSON field: %w", err)
-				}
-				jsonOriginal := reflect.ValueOf(&unmarshaled)
-				jsonCopy := reflect.New(jsonOriginal.Type()).Elem()
-				err = r.deeplyReplace(jsonCopy, jsonOriginal, replaceMap, useGoTemplate)
-				if err != nil {
-					return fmt.Errorf("failed to deeply replace JSON field contents: %w", err)
-				}
-				jsonCopyInterface := jsonCopy.Interface().(*interface{})
-				data, err := json.Marshal(jsonCopyInterface)
-				if err != nil {
-					return fmt.Errorf("failed to marshal templated JSON field: %w", err)
-				}
-				copy.Field(i).Set(reflect.ValueOf(data))
 			} else if err := r.deeplyReplace(copy.Field(i), original.Field(i), replaceMap, useGoTemplate); err != nil {
 				return err
 			}
@@ -193,7 +174,7 @@ func (r *Render) deeplyReplace(copy, original reflect.Value, replaceMap map[stri

 func (r *Render) RenderTemplateParams(tmpl *argoappsv1.Application, syncPolicy *argoappsv1.ApplicationSetSyncPolicy, params map[string]interface{}, useGoTemplate bool) (*argoappsv1.Application, error) {
 	if tmpl == nil {
-		return nil, fmt.Errorf("application template is empty")
+		return nil, fmt.Errorf("application template is empty ")
 	}

 	if len(params) == 0 {
@@ -223,27 +204,6 @@ func (r *Render) RenderTemplateParams(tmpl *argoappsv1.Application, syncPolicy *
 	return replacedTmpl, nil
 }

-func (r *Render) RenderGeneratorParams(gen *argoappsv1.ApplicationSetGenerator, params map[string]interface{}, useGoTemplate bool) (*argoappsv1.ApplicationSetGenerator, error) {
-	if gen == nil {
-		return nil, fmt.Errorf("generator is empty")
-	}
-
-	if len(params) == 0 {
-		return gen, nil
-	}
-
-	original := reflect.ValueOf(gen)
-	copy := reflect.New(original.Type()).Elem()
-
-	if err := r.deeplyReplace(copy, original, params, useGoTemplate); err != nil {
-		return nil, fmt.Errorf("failed to replace parameters in generator: %w", err)
-	}
-
-	replacedGen := copy.Interface().(*argoappsv1.ApplicationSetGenerator)
-
-	return replacedGen, nil
-}
-
 var isTemplatedRegex = regexp.MustCompile(".*{{.*}}.*")

 // Replace executes basic string substitution of a template with replacement values.
--- a/assets/swagger.json
+++ b/assets/swagger.json
@@ -271,16 +271,6 @@
            "description": "the application's namespace.",
            "name": "appNamespace",
            "in": "query"
-          },
-          {
-            "type": "array",
-            "items": {
-              "type": "string"
-            },
-            "collectionFormat": "multi",
-            "description": "the project names to restrict returned list applications (legacy name for backwards-compatibility).",
-            "name": "project",
-            "in": "query"
          }
        ],
        "responses": {
@@ -595,16 +585,6 @@
            "description": "the application's namespace.",
            "name": "appNamespace",
            "in": "query"
-          },
-          {
-            "type": "array",
-            "items": {
-              "type": "string"
-            },
-            "collectionFormat": "multi",
-            "description": "the project names to restrict returned list applications (legacy name for backwards-compatibility).",
-            "name": "project",
-            "in": "query"
          }
        ],
        "responses": {
@@ -3690,16 +3670,6 @@
            "description": "the application's namespace.",
            "name": "appNamespace",
            "in": "query"
-          },
-          {
-            "type": "array",
-            "items": {
-              "type": "string"
-            },
-            "collectionFormat": "multi",
-            "description": "the project names to restrict returned list applications (legacy name for backwards-compatibility).",
-            "name": "project",
-            "in": "query"
          }
        ],
        "responses": {
--- a/cmd/argocd-notification/commands/controller.go
+++ b/cmd/argocd-notification/commands/controller.go
@@ -156,7 +156,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
 	command.Flags().StringVar(&logFormat, "logformat", "text", "Set the logging format. One of: text|json")
 	command.Flags().IntVar(&metricsPort, "metrics-port", defaultMetricsPort, "Metrics port")
-	command.Flags().StringVar(&argocdRepoServer, "argocd-repo-server", "argocd-repo-server:8081", "Argo CD repo server address")
+	command.Flags().StringVar(&argocdRepoServer, "argocd-repo-server", common.DefaultRepoServerAddr, "Argo CD repo server address")
 	command.Flags().BoolVar(&argocdRepoServerPlaintext, "argocd-repo-server-plaintext", false, "Use a plaintext client (non-TLS) to connect to repository server")
 	command.Flags().BoolVar(&argocdRepoServerStrictTLS, "argocd-repo-server-strict-tls", false, "Perform strict validation of TLS certificates when connecting to repo server")
 	command.Flags().StringVar(&configMapName, "config-map-name", "argocd-notifications-cm", "Set notifications ConfigMap name")
--- a/cmd/argocd/commands/admin/cluster.go
+++ b/cmd/argocd/commands/admin/cluster.go
@@ -265,9 +265,7 @@ func runClusterNamespacesCommand(ctx context.Context, clientConfig clientcmd.Cli
 					}
 				}
 			} else {
-				if app.Spec.Destination.Server == cluster.Server {
-					nsSet[app.Spec.Destination.Namespace] = true
-				}
+				nsSet[app.Spec.Destination.Namespace] = true
 			}
 		}
 		var namespaces []string
--- a/cmd/argocd/commands/admin/dashboard.go
+++ b/cmd/argocd/commands/admin/dashboard.go
@@ -9,16 +9,13 @@ import (
 	"github.com/argoproj/argo-cd/v2/cmd/argocd/commands/initialize"
 	"github.com/argoproj/argo-cd/v2/common"
 	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
-	"github.com/argoproj/argo-cd/v2/util/cache"
-	"github.com/argoproj/argo-cd/v2/util/env"
 	"github.com/argoproj/argo-cd/v2/util/errors"
 )

 func NewDashboardCommand() *cobra.Command {
 	var (
-		port           int
-		address        string
-		compressionStr string
+		port    int
+		address string
 	)
 	cmd := &cobra.Command{
 		Use:   "dashboard",
@@ -26,9 +23,7 @@ func NewDashboardCommand() *cobra.Command {
 		Run: func(cmd *cobra.Command, args []string) {
 			ctx := cmd.Context()

-			compression, err := cache.CompressionTypeFromString(compressionStr)
-			errors.CheckError(err)
-			errors.CheckError(headless.StartLocalServer(ctx, &argocdclient.ClientOptions{Core: true}, initialize.RetrieveContextIfChanged(cmd.Flag("context")), &port, &address, compression))
+			errors.CheckError(headless.StartLocalServer(ctx, &argocdclient.ClientOptions{Core: true}, initialize.RetrieveContextIfChanged(cmd.Flag("context")), &port, &address))
 			println(fmt.Sprintf("Argo CD UI is available at http://%s:%d", address, port))
 			<-ctx.Done()
 		},
@@ -36,6 +31,5 @@ func NewDashboardCommand() *cobra.Command {
 	initialize.InitCommand(cmd)
 	cmd.Flags().IntVar(&port, "port", common.DefaultPortAPIServer, "Listen on given port")
 	cmd.Flags().StringVar(&address, "address", common.DefaultAddressAPIServer, "Listen on given address")
-	cmd.Flags().StringVar(&compressionStr, "redis-compress", env.StringFromEnv("REDIS_COMPRESSION", string(cache.RedisCompressionNone)), "Enable this if the application controller is configured with redis compression enabled. (possible values: none, gzip)")
 	return cmd
 }
--- a/cmd/argocd/commands/admin/notifications.go
+++ b/cmd/argocd/commands/admin/notifications.go
@@ -64,7 +64,7 @@ func NewNotificationsCommand() *cobra.Command {
 				log.Fatalf("Failed to initialize Argo CD service: %v", err)
 			}
 		})
-	toolsCommand.PersistentFlags().StringVar(&argocdRepoServer, "argocd-repo-server", "argocd-repo-server:8081", "Argo CD repo server address")
+	toolsCommand.PersistentFlags().StringVar(&argocdRepoServer, "argocd-repo-server", common.DefaultRepoServerAddr, "Argo CD repo server address")
 	toolsCommand.PersistentFlags().BoolVar(&argocdRepoServerPlaintext, "argocd-repo-server-plaintext", false, "Use a plaintext client (non-TLS) to connect to repository server")
 	toolsCommand.PersistentFlags().BoolVar(&argocdRepoServerStrictTLS, "argocd-repo-server-strict-tls", false, "Perform strict validation of TLS certificates when connecting to repo server")
 	return toolsCommand
--- a/cmd/argocd/commands/app.go
+++ b/cmd/argocd/commands/app.go
@@ -33,6 +33,7 @@ import (

 	"github.com/argoproj/argo-cd/v2/cmd/argocd/commands/headless"
 	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
+	argocommon "github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/controller"
 	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
 	"github.com/argoproj/argo-cd/v2/pkg/apiclient/application"
@@ -149,6 +150,9 @@ func NewApplicationCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 					c.HelpFunc()(c, args)
 					os.Exit(1)
 				}
+				if app.Spec.GetSource().Plugin != nil && app.Spec.GetSource().Plugin.Name != "" {
+					log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
+				}
 				if appNamespace != "" {
 					app.Namespace = appNamespace
 				}
@@ -165,9 +169,7 @@ func NewApplicationCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.

 				// Get app before creating to see if it is being updated or no change
 				existing, err := appIf.Get(ctx, &applicationpkg.ApplicationQuery{Name: &app.Name})
-				unwrappedError := grpc.UnwrapGRPCStatus(err).Code()
-				// As part of the fix for CVE-2022-41354, the API will return Permission Denied when an app does not exist.
-				if unwrappedError != codes.NotFound && unwrappedError != codes.PermissionDenied {
+				if grpc.UnwrapGRPCStatus(err).Code() != codes.NotFound {
 					errors.CheckError(err)
 				}

@@ -292,6 +294,10 @@ func NewApplicationGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Com
 			})
 			errors.CheckError(err)

+			if app.Spec.GetSource().Plugin != nil && app.Spec.GetSource().Plugin.Name != "" {
+				log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
+			}
+
 			pConn, projIf := headless.NewClientOrDie(clientOpts, c).NewProjectClientOrDie()
 			defer argoio.Close(pConn)
 			proj, err := projIf.Get(ctx, &projectpkg.ProjectQuery{Name: app.Spec.Project})
@@ -619,6 +625,10 @@ func NewApplicationSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Com
 			app, err := appIf.Get(ctx, &applicationpkg.ApplicationQuery{Name: &appName, AppNamespace: &appNs})
 			errors.CheckError(err)

+			if app.Spec.GetSource().Plugin != nil && app.Spec.GetSource().Plugin.Name != "" {
+				log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
+			}
+
 			visited := cmdutil.SetAppSpecOptions(c.Flags(), &app.Spec, &appOpts)
 			if visited == 0 {
 				log.Error("Please set at least one option to update")
@@ -683,6 +693,10 @@ func NewApplicationUnsetCommand(clientOpts *argocdclient.ClientOptions) *cobra.C
 			app, err := appIf.Get(ctx, &applicationpkg.ApplicationQuery{Name: &appName, AppNamespace: &appNs})
 			errors.CheckError(err)

+			if app.Spec.GetSource().Plugin != nil && app.Spec.GetSource().Plugin.Name != "" {
+				log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
+			}
+
 			source := app.Spec.GetSource()
 			updated, nothingToUnset := unset(&source, opts)
 			if nothingToUnset {
@@ -919,6 +933,10 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			})
 			errors.CheckError(err)

+			if app.Spec.GetSource().Plugin != nil && app.Spec.GetSource().Plugin.Name != "" {
+				log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
+			}
+
 			resources, err := appIf.ManagedResources(ctx, &applicationpkg.ResourcesQuery{ApplicationName: &appName, AppNamespace: &appNs})
 			errors.CheckError(err)
 			conn, settingsIf := clientset.NewSettingsClientOrDie()
@@ -1003,7 +1021,7 @@ func findandPrintDiff(ctx context.Context, app *argoappv1.Application, resources
 			unstructureds = append(unstructureds, obj)
 		}
 		groupedObjs := groupObjsByKey(unstructureds, liveObjs, app.Spec.Destination.Namespace)
-		items = groupObjsForDiff(resources, groupedObjs, items, argoSettings, app.InstanceName(argoSettings.ControllerNamespace))
+		items = groupObjsForDiff(resources, groupedObjs, items, argoSettings, app.Name)
 	} else if diffOptions.serversideRes != nil {
 		var unstructureds []*unstructured.Unstructured
 		for _, mfst := range diffOptions.serversideRes.Manifests {
@@ -1012,7 +1030,7 @@ func findandPrintDiff(ctx context.Context, app *argoappv1.Application, resources
 			unstructureds = append(unstructureds, obj)
 		}
 		groupedObjs := groupObjsByKey(unstructureds, liveObjs, app.Spec.Destination.Namespace)
-		items = groupObjsForDiff(resources, groupedObjs, items, argoSettings, app.InstanceName(argoSettings.ControllerNamespace))
+		items = groupObjsForDiff(resources, groupedObjs, items, argoSettings, app.Name)
 	} else {
 		for i := range resources.Items {
 			res := resources.Items[i]
@@ -1283,6 +1301,17 @@ func NewApplicationListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			if cluster != "" {
 				appList = argo.FilterByCluster(appList, cluster)
 			}
+			var appsWithDeprecatedPlugins []string
+			for _, app := range appList {
+				if app.Spec.GetSource().Plugin != nil && app.Spec.GetSource().Plugin.Name != "" {
+					appsWithDeprecatedPlugins = append(appsWithDeprecatedPlugins, app.Name)
+				}
+			}
+
+			if len(appsWithDeprecatedPlugins) > 0 {
+				log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
+				log.Warnf("The following Applications use deprecated plugins: %s", strings.Join(appsWithDeprecatedPlugins, ", "))
+			}

 			switch output {
 			case "yaml", "json":
@@ -1347,6 +1376,7 @@ const (
 	resourceFieldCount                  = 3
 	resourceFieldNamespaceDelimiter     = "/"
 	resourceFieldNameWithNamespaceCount = 2
+	resourceExcludeIndicator            = "!"
 )

 // resource is GROUP:KIND:NAMESPACE/NAME or GROUP:KIND:NAME
@@ -1371,6 +1401,12 @@ func parseSelectedResources(resources []string) ([]*argoappv1.SyncOperationResou
 	}

 	for _, resource := range resources {
+		isExcluded := false
+		// check if the resource flag starts with a '!'
+		if strings.HasPrefix(resource, resourceExcludeIndicator) {
+			resource = strings.TrimPrefix(resource, resourceExcludeIndicator)
+			isExcluded = true
+		}
 		fields := strings.Split(resource, resourceFieldDelimiter)
 		if len(fields) != resourceFieldCount {
 			return nil, fmt.Errorf("Resource should have GROUP%sKIND%sNAME, but instead got: %s", resourceFieldDelimiter, resourceFieldDelimiter, resource)
@@ -1384,6 +1420,7 @@ func parseSelectedResources(resources []string) ([]*argoappv1.SyncOperationResou
 			Kind:      fields[1],
 			Name:      name,
 			Namespace: namespace,
+			Exclude:   isExcluded,
 		})
 	}
 	return selectedResources, nil
@@ -1418,6 +1455,16 @@ func NewApplicationWaitCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
  # Wait for multiple apps
  argocd app wait my-app other-app

+  # Wait for apps by resource
+  # Resource should be formatted as GROUP:KIND:NAME. If no GROUP is specified then :KIND:NAME.
+  argocd app wait my-app --resource :Service:my-service
+  argocd app wait my-app --resource argoproj.io:Rollout:my-rollout
+  argocd app wait my-app --resource '!apps:Deployment:my-service'
+  argocd app wait my-app --resource apps:Deployment:my-service --resource :Service:my-service
+  argocd app wait my-app --resource '!*:Service:*'
+  # Specify namespace if the application has resources with the same name in different namespaces
+  argocd app wait my-app --resource argoproj.io:Rollout:my-namespace/my-rollout
+
  # Wait for apps by label, in this example we waiting for apps that are children of another app (aka app-of-apps)
  argocd app wait -l app.kubernetes.io/instance=my-app
  argocd app wait -l app.kubernetes.io/instance!=my-app
@@ -1446,7 +1493,7 @@ func NewApplicationWaitCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 				}
 			}
 			for _, appName := range appNames {
-				_, _, err := waitOnApplicationStatus(ctx, acdClient, appName, timeout, watch, selectedResources)
+				_, err := waitOnApplicationStatus(ctx, acdClient, appName, timeout, watch, selectedResources)
 				errors.CheckError(err)
 			}
 		},
@@ -1456,7 +1503,7 @@ func NewApplicationWaitCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	command.Flags().BoolVar(&watch.suspended, "suspended", false, "Wait for suspended")
 	command.Flags().BoolVar(&watch.degraded, "degraded", false, "Wait for degraded")
 	command.Flags().StringVarP(&selector, "selector", "l", "", "Wait for apps by label. Supports '=', '==', '!=', in, notin, exists & not exists. Matching apps must satisfy all of the specified label constraints.")
-	command.Flags().StringArrayVar(&resources, "resource", []string{}, fmt.Sprintf("Sync only specific resources as GROUP%sKIND%sNAME. Fields may be blank. This option may be specified repeatedly", resourceFieldDelimiter, resourceFieldDelimiter))
+	command.Flags().StringArrayVar(&resources, "resource", []string{}, fmt.Sprintf("Sync only specific resources as GROUP%[1]sKIND%[1]sNAME or %[2]sGROUP%[1]sKIND%[1]sNAME. Fields may be blank and '*' can be used. This option may be specified repeatedly", resourceFieldDelimiter, resourceExcludeIndicator))
 	command.Flags().BoolVar(&watch.operation, "operation", false, "Wait for pending operations")
 	command.Flags().UintVar(&timeout, "timeout", defaultCheckTimeoutSeconds, "Time out after this many seconds")
 	return command
@@ -1516,6 +1563,9 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
  # Resource should be formatted as GROUP:KIND:NAME. If no GROUP is specified then :KIND:NAME
  argocd app sync my-app --resource :Service:my-service
  argocd app sync my-app --resource argoproj.io:Rollout:my-rollout
+  argocd app sync my-app --resource '!apps:Deployment:my-service'
+  argocd app sync my-app --resource apps:Deployment:my-service --resource :Service:my-service
+  argocd app sync my-app --resource '!*:Service:*'
  # Specify namespace if the application has resources with the same name in different namespaces
  argocd app sync my-app --resource argoproj.io:Rollout:my-namespace/my-rollout`,
 		Run: func(c *cobra.Command, args []string) {
@@ -1611,7 +1661,19 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 					return
 				}

+				// filters out only those resources that needs to be synced
+				filteredResources := filterAppResources(app, selectedResources)
+
+				// if resources are provided and no app resources match, then return error
+				if len(resources) > 0 && len(filteredResources) == 0 {
+					log.Fatalf("No matching app resources found for resource filter: %v", strings.Join(resources, ", "))
+				}
+
 				if local != "" {
+					if app.Spec.GetSource().Plugin != nil && app.Spec.GetSource().Plugin.Name != "" {
+						log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
+					}
+
 					if app.Spec.SyncPolicy != nil && app.Spec.SyncPolicy.Automated != nil && !dryRun {
 						log.Fatal("Cannot use local sync when Automatic Sync Policy is enabled except with --dry-run")
 					}
@@ -1657,7 +1719,7 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 					AppNamespace: &appNs,
 					DryRun:       &dryRun,
 					Revision:     &revision,
-					Resources:    selectedResources,
+					Resources:    filteredResources,
 					Prune:        &prune,
 					Manifests:    localObjsStrings,
 					Infos:        getInfos(infos),
@@ -1685,6 +1747,10 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 					}
 				}
 				if diffChanges {
+					if app.Spec.GetSource().Plugin != nil && app.Spec.GetSource().Plugin.Name != "" {
+						log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
+					}
+
 					resources, err := appIf.ManagedResources(ctx, &applicationpkg.ResourcesQuery{
 						ApplicationName: &appName,
 						AppNamespace:    &appNs,
@@ -1712,15 +1778,15 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 				errors.CheckError(err)

 				if !async {
-					app, opState, err := waitOnApplicationStatus(ctx, acdClient, appQualifiedName, timeout, watchOpts{operation: true}, selectedResources)
+					app, err := waitOnApplicationStatus(ctx, acdClient, appQualifiedName, timeout, watchOpts{operation: true}, selectedResources)
 					errors.CheckError(err)

 					if !dryRun {
-						if !opState.Phase.Successful() {
-							log.Fatalf("Operation has completed with phase: %s", opState.Phase)
+						if !app.Status.OperationState.Phase.Successful() {
+							log.Fatalf("Operation has completed with phase: %s", app.Status.OperationState.Phase)
 						} else if len(selectedResources) == 0 && app.Status.Sync.Status != argoappv1.SyncStatusCodeSynced {
 							// Only get resources to be pruned if sync was application-wide and final status is not synced
-							pruningRequired := opState.SyncResult.Resources.PruningRequired()
+							pruningRequired := app.Status.OperationState.SyncResult.Resources.PruningRequired()
 							if pruningRequired > 0 {
 								log.Fatalf("%d resources require pruning", pruningRequired)
 							}
@@ -1733,7 +1799,7 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	command.Flags().BoolVar(&dryRun, "dry-run", false, "Preview apply without affecting cluster")
 	command.Flags().BoolVar(&prune, "prune", false, "Allow deleting unexpected resources")
 	command.Flags().StringVar(&revision, "revision", "", "Sync to a specific revision. Preserves parameter overrides")
-	command.Flags().StringArrayVar(&resources, "resource", []string{}, fmt.Sprintf("Sync only specific resources as GROUP%sKIND%sNAME. Fields may be blank. This option may be specified repeatedly", resourceFieldDelimiter, resourceFieldDelimiter))
+	command.Flags().StringArrayVar(&resources, "resource", []string{}, fmt.Sprintf("Sync only specific resources as GROUP%[1]sKIND%[1]sNAME or %[2]sGROUP%[1]sKIND%[1]sNAME. Fields may be blank and '*' can be used. This option may be specified repeatedly", resourceFieldDelimiter, resourceExcludeIndicator))
 	command.Flags().StringVarP(&selector, "selector", "l", "", "Sync apps that match this label. Supports '=', '==', '!=', in, notin, exists & not exists. Matching apps must satisfy all of the specified label constraints.")
 	command.Flags().StringArrayVar(&labels, "label", []string{}, "Sync only specific resources with a label. This option may be specified repeatedly.")
 	command.Flags().UintVar(&timeout, "timeout", defaultCheckTimeoutSeconds, "Time out after this many seconds")
@@ -1858,15 +1924,9 @@ func getResourceStates(app *argoappv1.Application, selectedResources []*argoappv
 	}
 	// filter out not selected resources
 	if len(selectedResources) > 0 {
-		r := []argoappv1.SyncOperationResource{}
-		for _, res := range selectedResources {
-			if res != nil {
-				r = append(r, *res)
-			}
-		}
 		for i := len(states) - 1; i >= 0; i-- {
 			res := states[i]
-			if !argo.ContainsSyncResource(res.Name, res.Namespace, schema.GroupVersionKind{Group: res.Group, Kind: res.Kind}, r) {
+			if !argo.IncludeResource(res.Name, res.Namespace, schema.GroupVersionKind{Group: res.Group, Kind: res.Kind}, selectedResources) {
 				states = append(states[:i], states[i+1:]...)
 			}
 		}
@@ -1874,6 +1934,26 @@ func getResourceStates(app *argoappv1.Application, selectedResources []*argoappv
 	return states
 }

+// filterAppResources selects the app resources that match atleast one of the resource filters.
+func filterAppResources(app *argoappv1.Application, selectedResources []*argoappv1.SyncOperationResource) []*argoappv1.SyncOperationResource {
+	var filteredResources []*argoappv1.SyncOperationResource
+	if app != nil && len(selectedResources) > 0 {
+		for i := range app.Status.Resources {
+			appResource := app.Status.Resources[i]
+			if (argo.IncludeResource(appResource.Name, appResource.Namespace,
+				schema.GroupVersionKind{Group: appResource.Group, Kind: appResource.Kind}, selectedResources)) {
+				filteredResources = append(filteredResources, &argoappv1.SyncOperationResource{
+					Group:     appResource.Group,
+					Kind:      appResource.Kind,
+					Name:      appResource.Name,
+					Namespace: appResource.Namespace,
+				})
+			}
+		}
+	}
+	return filteredResources
+}
+
 func groupResourceStates(app *argoappv1.Application, selectedResources []*argoappv1.SyncOperationResource) map[string]*resourceState {
 	resStates := make(map[string]*resourceState)
 	for _, result := range getResourceStates(app, selectedResources) {
@@ -1920,10 +2000,7 @@ func checkResourceStatus(watch watchOpts, healthStatus string, syncStatus string

 const waitFormatString = "%s\t%5s\t%10s\t%10s\t%20s\t%8s\t%7s\t%10s\t%s\n"

-// waitOnApplicationStatus watches an application and blocks until either the desired watch conditions
-// are fulfiled or we reach the timeout. Returns the app once desired conditions have been filled.
-// Additionally return the operationState at time of fulfilment (which may be different than returned app).
-func waitOnApplicationStatus(ctx context.Context, acdClient argocdclient.Client, appName string, timeout uint, watch watchOpts, selectedResources []*argoappv1.SyncOperationResource) (*argoappv1.Application, *argoappv1.OperationState, error) {
+func waitOnApplicationStatus(ctx context.Context, acdClient argocdclient.Client, appName string, timeout uint, watch watchOpts, selectedResources []*argoappv1.SyncOperationResource) (*argoappv1.Application, error) {
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()

@@ -1981,20 +2058,10 @@ func waitOnApplicationStatus(ctx context.Context, acdClient argocdclient.Client,
 		AppNamespace: &appNs,
 	})
 	errors.CheckError(err)
-
-	// printFinalStatus() will refresh and update the app object, potentially causing the app's
-	// status.operationState to be different than the version when we break out of the event loop.
-	// This means the app.status is unreliable for determining the final state of the operation.
-	// finalOperationState captures the operationState as it was seen when we met the conditions of
-	// the wait, so the caller can rely on it to determine the outcome of the operation.
-	// See: https://github.com/argoproj/argo-cd/issues/5592
-	finalOperationState := app.Status.OperationState
-
 	appEventCh := acdClient.WatchApplicationWithRetry(ctx, appName, app.ResourceVersion)
 	for appEvent := range appEventCh {
 		app = &appEvent.Application

-		finalOperationState = app.Status.OperationState
 		operationInProgress := false
 		// consider the operation is in progress
 		if app.Operation != nil {
@@ -2032,7 +2099,7 @@ func waitOnApplicationStatus(ctx context.Context, acdClient argocdclient.Client,

 		if selectedResourcesAreReady && (!operationInProgress || !watch.operation) {
 			app = printFinalStatus(app)
-			return app, finalOperationState, nil
+			return app, nil
 		}

 		newStates := groupResourceStates(app, selectedResources)
@@ -2042,7 +2109,7 @@ func waitOnApplicationStatus(ctx context.Context, acdClient argocdclient.Client,
 			if prevState, found := prevStates[stateKey]; found {
 				if watch.health && prevState.Health != string(health.HealthStatusUnknown) && prevState.Health != string(health.HealthStatusDegraded) && newState.Health == string(health.HealthStatusDegraded) {
 					_ = printFinalStatus(app)
-					return nil, finalOperationState, fmt.Errorf("application '%s' health state has transitioned from %s to %s", appName, prevState.Health, newState.Health)
+					return nil, fmt.Errorf("application '%s' health state has transitioned from %s to %s", appName, prevState.Health, newState.Health)
 				}
 				doPrint = prevState.Merge(newState)
 			} else {
@@ -2056,7 +2123,7 @@ func waitOnApplicationStatus(ctx context.Context, acdClient argocdclient.Client,
 		_ = w.Flush()
 	}
 	_ = printFinalStatus(app)
-	return nil, finalOperationState, fmt.Errorf("timed out (%ds) waiting for app %q match desired state", timeout, appName)
+	return nil, fmt.Errorf("timed out (%ds) waiting for app %q match desired state", timeout, appName)
 }

 // setParameterOverrides updates an existing or appends a new parameter override in the application
@@ -2141,6 +2208,10 @@ func NewApplicationHistoryCommand(clientOpts *argocdclient.ClientOptions) *cobra
 			})
 			errors.CheckError(err)

+			if app.Spec.GetSource().Plugin != nil && app.Spec.GetSource().Plugin.Name != "" {
+				log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
+			}
+
 			if output == "id" {
 				printApplicationHistoryIds(app.Status.History)
 			} else {
@@ -2201,6 +2272,10 @@ func NewApplicationRollbackCommand(clientOpts *argocdclient.ClientOptions) *cobr
 			})
 			errors.CheckError(err)

+			if app.Spec.GetSource().Plugin != nil && app.Spec.GetSource().Plugin.Name != "" {
+				log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
+			}
+
 			depInfo, err := findRevisionHistory(app, int64(depID))
 			errors.CheckError(err)

@@ -2212,7 +2287,7 @@ func NewApplicationRollbackCommand(clientOpts *argocdclient.ClientOptions) *cobr
 			})
 			errors.CheckError(err)

-			_, _, err = waitOnApplicationStatus(ctx, acdClient, app.QualifiedName(), timeout, watchOpts{
+			_, err = waitOnApplicationStatus(ctx, acdClient, app.QualifiedName(), timeout, watchOpts{
 				operation: true,
 			}, nil)
 			errors.CheckError(err)
@@ -2284,6 +2359,10 @@ func NewApplicationManifestsCommand(clientOpts *argocdclient.ClientOptions) *cob
 					app, err := appIf.Get(context.Background(), &applicationpkg.ApplicationQuery{Name: &appName})
 					errors.CheckError(err)

+					if app.Spec.GetSource().Plugin != nil && app.Spec.GetSource().Plugin.Name != "" {
+						log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
+					}
+
 					settingsConn, settingsIf := clientset.NewSettingsClientOrDie()
 					defer argoio.Close(settingsConn)
 					argoSettings, err := settingsIf.Get(context.Background(), &settingspkg.SettingsQuery{})
@@ -2383,6 +2462,10 @@ func NewApplicationEditCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			})
 			errors.CheckError(err)

+			if app.Spec.GetSource().Plugin != nil && app.Spec.GetSource().Plugin.Name != "" {
+				log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
+			}
+
 			appData, err := json.Marshal(app.Spec)
 			errors.CheckError(err)
 			appData, err = yaml.JSONToYAML(appData)
--- a/cmd/argocd/commands/app_test.go
+++ b/cmd/argocd/commands/app_test.go
@@ -904,11 +904,220 @@ func Test_unset_nothingToUnset(t *testing.T) {
 	}
 }

+func TestFilterAppResources(t *testing.T) {
+	// App resources
+	var (
+		appReplicaSet1 = v1alpha1.ResourceStatus{
+			Group:     "apps",
+			Kind:      "ReplicaSet",
+			Namespace: "default",
+			Name:      "replicaSet-name1",
+		}
+		appReplicaSet2 = v1alpha1.ResourceStatus{
+			Group:     "apps",
+			Kind:      "ReplicaSet",
+			Namespace: "default",
+			Name:      "replicaSet-name2",
+		}
+		appJob = v1alpha1.ResourceStatus{
+			Group:     "batch",
+			Kind:      "Job",
+			Namespace: "default",
+			Name:      "job-name",
+		}
+		appService1 = v1alpha1.ResourceStatus{
+			Group:     "",
+			Kind:      "Service",
+			Namespace: "default",
+			Name:      "service-name1",
+		}
+		appService2 = v1alpha1.ResourceStatus{
+			Group:     "",
+			Kind:      "Service",
+			Namespace: "default",
+			Name:      "service-name2",
+		}
+		appDeployment = v1alpha1.ResourceStatus{
+			Group:     "apps",
+			Kind:      "Deployment",
+			Namespace: "default",
+			Name:      "deployment-name",
+		}
+	)
+	app := v1alpha1.Application{
+		Status: v1alpha1.ApplicationStatus{
+			Resources: []v1alpha1.ResourceStatus{
+				appReplicaSet1, appReplicaSet2, appJob, appService1, appService2, appDeployment},
+		},
+	}
+	// Resource filters
+	var (
+		blankValues = argoappv1.SyncOperationResource{
+			Group:     "",
+			Kind:      "",
+			Name:      "",
+			Namespace: "",
+			Exclude:   false}
+		// *:*:*
+		includeAllResources = argoappv1.SyncOperationResource{
+			Group:     "*",
+			Kind:      "*",
+			Name:      "*",
+			Namespace: "",
+			Exclude:   false}
+		// !*:*:*
+		excludeAllResources = argoappv1.SyncOperationResource{
+			Group:     "*",
+			Kind:      "*",
+			Name:      "*",
+			Namespace: "",
+			Exclude:   true}
+		// *:Service:*
+		includeAllServiceResources = argoappv1.SyncOperationResource{
+			Group:     "*",
+			Kind:      "Service",
+			Name:      "*",
+			Namespace: "",
+			Exclude:   false}
+		// !*:Service:*
+		excludeAllServiceResources = argoappv1.SyncOperationResource{
+			Group:     "*",
+			Kind:      "Service",
+			Name:      "*",
+			Namespace: "",
+			Exclude:   true}
+		// apps:ReplicaSet:replicaSet-name1
+		includeReplicaSet1Resource = argoappv1.SyncOperationResource{
+			Group:     "apps",
+			Kind:      "ReplicaSet",
+			Name:      "replicaSet-name1",
+			Namespace: "",
+			Exclude:   false}
+		// !apps:ReplicaSet:replicaSet-name2
+		excludeReplicaSet2Resource = argoappv1.SyncOperationResource{
+			Group:     "apps",
+			Kind:      "ReplicaSet",
+			Name:      "replicaSet-name2",
+			Namespace: "",
+			Exclude:   true}
+	)
+
+	// Filtered resources
+	var (
+		replicaSet1 = v1alpha1.SyncOperationResource{
+			Group:     "apps",
+			Kind:      "ReplicaSet",
+			Namespace: "default",
+			Name:      "replicaSet-name1",
+		}
+		replicaSet2 = v1alpha1.SyncOperationResource{
+			Group:     "apps",
+			Kind:      "ReplicaSet",
+			Namespace: "default",
+			Name:      "replicaSet-name2",
+		}
+		job = v1alpha1.SyncOperationResource{
+			Group:     "batch",
+			Kind:      "Job",
+			Namespace: "default",
+			Name:      "job-name",
+		}
+		service1 = v1alpha1.SyncOperationResource{
+			Group:     "",
+			Kind:      "Service",
+			Namespace: "default",
+			Name:      "service-name1",
+		}
+		service2 = v1alpha1.SyncOperationResource{
+			Group:     "",
+			Kind:      "Service",
+			Namespace: "default",
+			Name:      "service-name2",
+		}
+		deployment = v1alpha1.SyncOperationResource{
+			Group:     "apps",
+			Kind:      "Deployment",
+			Namespace: "default",
+			Name:      "deployment-name",
+		}
+	)
+	tests := []struct {
+		testName          string
+		selectedResources []*argoappv1.SyncOperationResource
+		expectedResult    []*argoappv1.SyncOperationResource
+	}{
+		//--resource apps:ReplicaSet:replicaSet-name1 --resource *:Service:*
+		{testName: "Include ReplicaSet replicaSet-name1 resouce and all service resources",
+			selectedResources: []*argoappv1.SyncOperationResource{&includeAllServiceResources, &includeReplicaSet1Resource},
+			expectedResult:    []*argoappv1.SyncOperationResource{&replicaSet1, &service1, &service2},
+		},
+		//--resource apps:ReplicaSet:replicaSet-name1 --resource !*:Service:*
+		{testName: "Include ReplicaSet replicaSet-name1 resouce and exclude all service resources",
+			selectedResources: []*argoappv1.SyncOperationResource{&excludeAllServiceResources, &includeReplicaSet1Resource},
+			expectedResult:    []*argoappv1.SyncOperationResource{&replicaSet1, &replicaSet2, &job, &deployment},
+		},
+		// --resource !apps:ReplicaSet:replicaSet-name2 --resource !*:Service:*
+		{testName: "Exclude ReplicaSet replicaSet-name2 resouce and all service resources",
+			selectedResources: []*argoappv1.SyncOperationResource{&excludeReplicaSet2Resource, &excludeAllServiceResources},
+			expectedResult:    []*argoappv1.SyncOperationResource{&replicaSet1, &replicaSet2, &job, &service1, &service2, &deployment},
+		},
+		// --resource !apps:ReplicaSet:replicaSet-name2
+		{testName: "Exclude ReplicaSet replicaSet-name2 resouce",
+			selectedResources: []*argoappv1.SyncOperationResource{&excludeReplicaSet2Resource},
+			expectedResult:    []*argoappv1.SyncOperationResource{&replicaSet1, &job, &service1, &service2, &deployment},
+		},
+		// --resource apps:ReplicaSet:replicaSet-name1
+		{testName: "Include ReplicaSet replicaSet-name1 resouce",
+			selectedResources: []*argoappv1.SyncOperationResource{&includeReplicaSet1Resource},
+			expectedResult:    []*argoappv1.SyncOperationResource{&replicaSet1},
+		},
+		// --resource !*:Service:*
+		{testName: "Exclude Service resouces",
+			selectedResources: []*argoappv1.SyncOperationResource{&excludeAllServiceResources},
+			expectedResult:    []*argoappv1.SyncOperationResource{&replicaSet1, &replicaSet2, &job, &deployment},
+		},
+		// --resource *:Service:*
+		{testName: "Include Service resouces",
+			selectedResources: []*argoappv1.SyncOperationResource{&includeAllServiceResources},
+			expectedResult:    []*argoappv1.SyncOperationResource{&service1, &service2},
+		},
+		// --resource !*:*:*
+		{testName: "Exclude all resouces",
+			selectedResources: []*argoappv1.SyncOperationResource{&excludeAllResources},
+			expectedResult:    nil,
+		},
+		// --resource *:*:*
+		{testName: "Include all resouces",
+			selectedResources: []*argoappv1.SyncOperationResource{&includeAllResources},
+			expectedResult:    []*argoappv1.SyncOperationResource{&replicaSet1, &replicaSet2, &job, &service1, &service2, &deployment},
+		},
+		{testName: "No Filters",
+			selectedResources: []*argoappv1.SyncOperationResource{&blankValues},
+			expectedResult:    nil,
+		},
+		{testName: "Empty Filter",
+			selectedResources: []*argoappv1.SyncOperationResource{},
+			expectedResult:    nil,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.testName, func(t *testing.T) {
+			filteredResources := filterAppResources(&app, test.selectedResources)
+			assert.Equal(t, test.expectedResult, filteredResources)
+		})
+	}
+}
+
 func TestParseSelectedResources(t *testing.T) {
-	resources := []string{"v1alpha:Application:test", "v1alpha:Application:namespace/test"}
+	resources := []string{"v1alpha:Application:test",
+		"v1alpha:Application:namespace/test",
+		"!v1alpha:Application:test",
+		"apps:Deployment:default/test",
+		"!*:*:*"}
 	operationResources, err := parseSelectedResources(resources)
 	assert.NoError(t, err)
-	assert.Len(t, operationResources, 2)
+	assert.Len(t, operationResources, 5)
 	assert.Equal(t, *operationResources[0], v1alpha1.SyncOperationResource{
 		Namespace: "",
 		Name:      "test",
@@ -921,6 +1130,27 @@ func TestParseSelectedResources(t *testing.T) {
 		Kind:      "Application",
 		Group:     "v1alpha",
 	})
+	assert.Equal(t, *operationResources[2], v1alpha1.SyncOperationResource{
+		Namespace: "",
+		Name:      "test",
+		Kind:      "Application",
+		Group:     "v1alpha",
+		Exclude:   true,
+	})
+	assert.Equal(t, *operationResources[3], v1alpha1.SyncOperationResource{
+		Namespace: "default",
+		Name:      "test",
+		Kind:      "Deployment",
+		Group:     "apps",
+		Exclude:   false,
+	})
+	assert.Equal(t, *operationResources[4], v1alpha1.SyncOperationResource{
+		Namespace: "",
+		Name:      "*",
+		Kind:      "*",
+		Group:     "*",
+		Exclude:   true,
+	})
 }

 func TestParseSelectedResourcesIncorrect(t *testing.T) {
--- a/cmd/argocd/commands/applicationset.go
+++ b/cmd/argocd/commands/applicationset.go
@@ -343,19 +343,16 @@ func printAppSetSummaryTable(appSet *arogappsetv1.ApplicationSet) {
 	fmt.Printf(printOpFmtStr, "Path:", source.Path)
 	printAppSourceDetails(&source)

-	var (
-		syncPolicyStr string
-		syncPolicy = appSet.Spec.Template.Spec.SyncPolicy
-	)
-	if syncPolicy != nil && syncPolicy.Automated != nil {
-		syncPolicyStr = "Automated"
-		if syncPolicy.Automated.Prune {
-			syncPolicyStr += " (Prune)"
+	var syncPolicy string
+	if appSet.Spec.SyncPolicy != nil && appSet.Spec.Template.Spec.SyncPolicy.Automated != nil {
+		syncPolicy = "Automated"
+		if appSet.Spec.Template.Spec.SyncPolicy.Automated.Prune {
+			syncPolicy += " (Prune)"
 		}
 	} else {
-		syncPolicyStr = "<none>"
+		syncPolicy = "<none>"
 	}
-	fmt.Printf(printOpFmtStr, "SyncPolicy:", syncPolicyStr)
+	fmt.Printf(printOpFmtStr, "SyncPolicy:", syncPolicy)

 }

--- a/cmd/argocd/commands/applicationset_test.go
+++ b/cmd/argocd/commands/applicationset_test.go
@@ -1,8 +1,6 @@
 package commands

 import (
-	"io/ioutil"
-	"os"
 	"testing"

 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
@@ -70,124 +68,3 @@ func TestPrintApplicationSetTable(t *testing.T) {
 	expectation := "NAME      NAMESPACE  PROJECT  SYNCPOLICY  CONDITIONS\napp-name             default  nil         [{ResourcesUpToDate  <nil> True }]\napp-name             default  nil         [{ResourcesUpToDate  <nil> True }]\n"
 	assert.Equal(t, expectation, output)
 }
-
-func TestPrintAppSetSummaryTable(t *testing.T) {
-	baseAppSet := &arogappsetv1.ApplicationSet{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "app-name",
-		},
-		Spec: arogappsetv1.ApplicationSetSpec{
-			Generators: []arogappsetv1.ApplicationSetGenerator{
-				arogappsetv1.ApplicationSetGenerator{
-					Git: &arogappsetv1.GitGenerator{
-						RepoURL:  "https://github.com/argoproj/argo-cd.git",
-						Revision: "head",
-						Directories: []arogappsetv1.GitDirectoryGeneratorItem{
-							arogappsetv1.GitDirectoryGeneratorItem{
-								Path: "applicationset/examples/git-generator-directory/cluster-addons/*",
-							},
-						},
-					},
-				},
-			},
-			Template: arogappsetv1.ApplicationSetTemplate{
-				Spec: v1alpha1.ApplicationSpec{
-					Project: "default",
-				},
-			},
-		},
-		Status: arogappsetv1.ApplicationSetStatus{
-			Conditions: []arogappsetv1.ApplicationSetCondition{
-				arogappsetv1.ApplicationSetCondition{
-					Status: v1alpha1.ApplicationSetConditionStatusTrue,
-					Type:   arogappsetv1.ApplicationSetConditionResourcesUpToDate,
-				},
-			},
-		},
-	}
-
-	appsetSpecSyncPolicy := baseAppSet.DeepCopy()
-	appsetSpecSyncPolicy.Spec.SyncPolicy = &arogappsetv1.ApplicationSetSyncPolicy{
-		PreserveResourcesOnDeletion: true,
-	}
-
-	appSetTemplateSpecSyncPolicy := baseAppSet.DeepCopy()
-	appSetTemplateSpecSyncPolicy.Spec.Template.Spec.SyncPolicy = &arogappsetv1.SyncPolicy{
-		Automated: &arogappsetv1.SyncPolicyAutomated{
-			SelfHeal: true,
-		},
-	}
-
-	appSetBothSyncPolicies := baseAppSet.DeepCopy()
-	appSetBothSyncPolicies.Spec.SyncPolicy = &arogappsetv1.ApplicationSetSyncPolicy{
-		PreserveResourcesOnDeletion: true,
-	}
-	appSetBothSyncPolicies.Spec.Template.Spec.SyncPolicy = &arogappsetv1.SyncPolicy{
-		Automated: &arogappsetv1.SyncPolicyAutomated{
-			SelfHeal: true,
-		},
-	}
-
-	for _, tt := range []struct {
-		name           string
-		appSet         *arogappsetv1.ApplicationSet
-		expectedOutput string
-	}{
-		{
-			name:   "appset with only spec.syncPolicy set",
-			appSet: appsetSpecSyncPolicy,
-			expectedOutput: `Name:               app-name
-Project:            default
-Server:             
-Namespace:          
-Repo:               
-Target:             
-Path:               
-SyncPolicy:         <none>
-`,
-		},
-		{
-			name:   "appset with only spec.template.spec.syncPolicy set",
-			appSet: appSetTemplateSpecSyncPolicy,
-			expectedOutput: `Name:               app-name
-Project:            default
-Server:             
-Namespace:          
-Repo:               
-Target:             
-Path:               
-SyncPolicy:         Automated
-`,
-		},
-		{
-			name:   "appset with both spec.SyncPolicy and spec.template.spec.syncPolicy set",
-			appSet: appSetBothSyncPolicies,
-			expectedOutput: `Name:               app-name
-Project:            default
-Server:             
-Namespace:          
-Repo:               
-Target:             
-Path:               
-SyncPolicy:         Automated
-`,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			oldStdout := os.Stdout
-			defer func() {
-				os.Stdout = oldStdout
-			}()
-
-			r, w, _ := os.Pipe()
-			os.Stdout = w
-
-			printAppSetSummaryTable(tt.appSet)
-			w.Close()
-
-			out, err := ioutil.ReadAll(r)
-			assert.NoError(t, err)
-			assert.Equal(t, tt.expectedOutput, string(out))
-		})
-	}
-}
--- a/cmd/argocd/commands/cluster.go
+++ b/cmd/argocd/commands/cluster.go
@@ -27,6 +27,17 @@ import (
 	"github.com/argoproj/argo-cd/v2/util/text/label"
 )

+const (
+	// type of the cluster ID is 'name'
+	clusterIdTypeName = "name"
+	// cluster field is 'name'
+	clusterFieldName = "name"
+	// cluster field is 'namespaces'
+	clusterFieldNamespaces = "namespaces"
+	// indicates managing all namespaces
+	allNamespaces = "*"
+)
+
 // NewClusterCommand returns a new instance of an `argocd cluster` command
 func NewClusterCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clientcmd.PathOptions) *cobra.Command {
 	var command = &cobra.Command{
@@ -47,7 +58,10 @@ func NewClusterCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clientc

  # Remove a target cluster context from ArgoCD
  argocd cluster rm example-cluster
-`,
+
+  # Set a target cluster context from ArgoCD
+  argocd cluster set CLUSTER_NAME --name new-cluster-name --namespace '*'
+  argocd cluster set CLUSTER_NAME --name new-cluster-name --namespace namespace-one --namespace namespace-two`,
 	}

 	command.AddCommand(NewClusterAddCommand(clientOpts, pathOpts))
@@ -55,6 +69,7 @@ func NewClusterCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clientc
 	command.AddCommand(NewClusterListCommand(clientOpts))
 	command.AddCommand(NewClusterRemoveCommand(clientOpts, pathOpts))
 	command.AddCommand(NewClusterRotateAuthCommand(clientOpts))
+	command.AddCommand(NewClusterSetCommand(clientOpts))
 	return command
 }

@@ -185,6 +200,72 @@ func getRestConfig(pathOpts *clientcmd.PathOptions, ctxName string) (*rest.Confi
 	return conf, nil
 }

+// NewClusterSetCommand returns a new instance of an `argocd cluster set` command
+func NewClusterSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		clusterOptions cmdutil.ClusterOptions
+		clusterName    string
+	)
+	var command = &cobra.Command{
+		Use:   "set NAME",
+		Short: "Set cluster information",
+		Example: `  # Set cluster information
+  argocd cluster set CLUSTER_NAME --name new-cluster-name --namespace '*'
+  argocd cluster set CLUSTER_NAME --name new-cluster-name --namespace namespace-one --namespace namespace-two`,
+		Run: func(c *cobra.Command, args []string) {
+			ctx := c.Context()
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			// name of the cluster whose fields have to be updated.
+			clusterName = args[0]
+			conn, clusterIf := headless.NewClientOrDie(clientOpts, c).NewClusterClientOrDie()
+			defer io.Close(conn)
+			// checks the fields that needs to be updated
+			updatedFields := checkFieldsToUpdate(clusterOptions)
+			namespaces := clusterOptions.Namespaces
+			// check if all namespaces have to be considered
+			if len(namespaces) == 1 && strings.EqualFold(namespaces[0], allNamespaces) {
+				namespaces[0] = ""
+			}
+			if updatedFields != nil {
+				clusterUpdateRequest := clusterpkg.ClusterUpdateRequest{
+					Cluster: &argoappv1.Cluster{
+						Name:       clusterOptions.Name,
+						Namespaces: namespaces,
+					},
+					UpdatedFields: updatedFields,
+					Id: &clusterpkg.ClusterID{
+						Type:  clusterIdTypeName,
+						Value: clusterName,
+					},
+				}
+				_, err := clusterIf.Update(ctx, &clusterUpdateRequest)
+				errors.CheckError(err)
+				fmt.Printf("Cluster '%s' updated.\n", clusterName)
+			} else {
+				fmt.Print("Specify the cluster field to be updated.\n")
+			}
+		},
+	}
+	command.Flags().StringVar(&clusterOptions.Name, "name", "", "Overwrite the cluster name")
+	command.Flags().StringArrayVar(&clusterOptions.Namespaces, "namespace", nil, "List of namespaces which are allowed to manage. Specify '*' to manage all namespaces")
+	return command
+}
+
+// checkFieldsToUpdate returns the fields that needs to be updated
+func checkFieldsToUpdate(clusterOptions cmdutil.ClusterOptions) []string {
+	var updatedFields []string
+	if clusterOptions.Name != "" {
+		updatedFields = append(updatedFields, clusterFieldName)
+	}
+	if clusterOptions.Namespaces != nil {
+		updatedFields = append(updatedFields, clusterFieldNamespaces)
+	}
+	return updatedFields
+}
+
 // NewClusterGetCommand returns a new instance of an `argocd cluster get` command
 func NewClusterGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
--- a/cmd/argocd/commands/completion.go
+++ b/cmd/argocd/commands/completion.go
@@ -146,6 +146,7 @@ __argocd_custom_func() {
 			;;
 		argocd_cluster_get | \
 		argocd_cluster_rm | \
+		argocd_cluster_set | \
 		argocd_login | \
 		argocd_cluster_add)
 			__argocd_list_servers
--- a/cmd/argocd/commands/headless/headless.go
+++ b/cmd/argocd/commands/headless/headless.go
@@ -38,12 +38,11 @@ import (
 )

 type forwardCacheClient struct {
-	namespace   string
-	context     string
-	init        sync.Once
-	client      cache.CacheClient
-	compression cache.RedisCompressionType
-	err         error
+	namespace string
+	context   string
+	init      sync.Once
+	client    cache.CacheClient
+	err       error
 }

 func (c *forwardCacheClient) doLazy(action func(client cache.CacheClient) error) error {
@@ -59,7 +58,7 @@ func (c *forwardCacheClient) doLazy(action func(client cache.CacheClient) error)
 		}

 		redisClient := redis.NewClient(&redis.Options{Addr: fmt.Sprintf("localhost:%d", redisPort)})
-		c.client = cache.NewRedisCache(redisClient, time.Hour, c.compression)
+		c.client = cache.NewRedisCache(redisClient, time.Hour, cache.RedisCompressionNone)
 	})
 	if c.err != nil {
 		return c.err
@@ -140,7 +139,7 @@ func testAPI(ctx context.Context, clientOpts *apiclient.ClientOptions) error {

 // StartLocalServer allows executing command in a headless mode: on the fly starts Argo CD API server and
 // changes provided client options to use started API server port
-func StartLocalServer(ctx context.Context, clientOpts *apiclient.ClientOptions, ctxStr string, port *int, address *string, compression cache.RedisCompressionType) error {
+func StartLocalServer(ctx context.Context, clientOpts *apiclient.ClientOptions, ctxStr string, port *int, address *string) error {
 	flags := pflag.NewFlagSet("tmp", pflag.ContinueOnError)
 	clientConfig := cli.AddKubectlFlagsToSet(flags)
 	startInProcessAPI := clientOpts.Core
@@ -201,7 +200,7 @@ func StartLocalServer(ctx context.Context, clientOpts *apiclient.ClientOptions,
 	if err != nil {
 		return err
 	}
-	appstateCache := appstatecache.NewCache(cache.NewCache(&forwardCacheClient{namespace: namespace, context: ctxStr, compression: compression}), time.Hour)
+	appstateCache := appstatecache.NewCache(cache.NewCache(&forwardCacheClient{namespace: namespace, context: ctxStr}), time.Hour)
 	srv := server.NewServer(ctx, server.ArgoCDServerOpts{
 		EnableGZip:           false,
 		Namespace:            namespace,
@@ -244,7 +243,7 @@ func NewClientOrDie(opts *apiclient.ClientOptions, c *cobra.Command) apiclient.C
 	ctx := c.Context()

 	ctxStr := initialize.RetrieveContextIfChanged(c.Flag("context"))
-	err := StartLocalServer(ctx, opts, ctxStr, nil, nil, cache.RedisCompressionNone)
+	err := StartLocalServer(ctx, opts, ctxStr, nil, nil)
 	if err != nil {
 		log.Fatal(err)
 	}
--- a/cmd/argocd/commands/login.go
+++ b/cmd/argocd/commands/login.go
@@ -12,7 +12,7 @@ import (
 	"strings"
 	"time"

-	"github.com/coreos/go-oidc"
+	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/golang-jwt/jwt/v4"
 	log "github.com/sirupsen/logrus"
 	"github.com/skratchdot/open-golang/open"
--- a/cmd/argocd/commands/relogin.go
+++ b/cmd/argocd/commands/relogin.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"os"

-	"github.com/coreos/go-oidc"
+	"github.com/coreos/go-oidc/v3/oidc"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"

--- a/cmd/argocd/commands/repo.go
+++ b/cmd/argocd/commands/repo.go
@@ -3,7 +3,6 @@ package commands
 import (
 	"fmt"
 	"os"
-	"strconv"
 	"text/tabwriter"

 	log "github.com/sirupsen/logrus"
@@ -251,12 +250,15 @@ func printRepoTable(repos appsv1.Repositories) {
 	_, _ = fmt.Fprintf(w, "TYPE\tNAME\tREPO\tINSECURE\tOCI\tLFS\tCREDS\tSTATUS\tMESSAGE\tPROJECT\n")
 	for _, r := range repos {
 		var hasCreds string
-		if r.InheritedCreds {
-			hasCreds = "inherited"
+		if !r.HasCredentials() {
+			hasCreds = "false"
 		} else {
-			hasCreds = strconv.FormatBool(r.HasCredentials())
+			if r.InheritedCreds {
+				hasCreds = "inherited"
+			} else {
+				hasCreds = "true"
+			}
 		}
-
 		_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%v\t%v\t%v\t%s\t%s\t%s\t%s\n", r.Type, r.Name, r.Repo, r.IsInsecure(), r.EnableOCI, r.EnableLFS, hasCreds, r.ConnectionState.Status, r.ConnectionState.Message, r.Project)
 	}
 	_ = w.Flush()
@@ -309,7 +311,7 @@ func NewRepoListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 		},
 	}
 	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide|url")
-	command.Flags().StringVar(&refresh, "refresh", "", "Force a cache refresh on connection status")
+	command.Flags().StringVar(&refresh, "refresh", "", "Force a cache refresh on connection status , must be one of: 'hard'")
 	return command
 }

@@ -360,6 +362,6 @@ func NewRepoGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 		},
 	}
 	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide|url")
-	command.Flags().StringVar(&refresh, "refresh", "", "Force a cache refresh on connection status")
+	command.Flags().StringVar(&refresh, "refresh", "", "Force a cache refresh on connection status , must be one of: 'hard'")
 	return command
 }
--- a/cmd/util/project.go
+++ b/cmd/util/project.go
@@ -138,10 +138,7 @@ func readProjFromURI(fileURL string, proj *v1alpha1.AppProject) error {
 	} else {
 		err = config.UnmarshalRemoteFile(fileURL, &proj)
 	}
-	if err != nil {
-		return fmt.Errorf("error reading proj from uri: %w", err)
-	}
-	return nil
+	return fmt.Errorf("error reading proj from uri: %w", err)
 }

 func SetProjSpecOptions(flags *pflag.FlagSet, spec *v1alpha1.AppProjectSpec, projOpts *ProjectOpts) int {
--- a/cmpserver/plugin/plugin.go
+++ b/cmpserver/plugin/plugin.go
@@ -9,10 +9,8 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
-	"strconv"
 	"strings"
 	"time"
-	"unicode"

 	"github.com/argoproj/pkg/rand"

@@ -24,7 +22,6 @@ import (
 	"github.com/argoproj/argo-cd/v2/util/io/files"

 	"github.com/argoproj/gitops-engine/pkg/utils/kube"
-	"github.com/cyphar/filepath-securejoin"
 	"github.com/mattn/go-zglob"
 	log "github.com/sirupsen/logrus"
 )
@@ -76,8 +73,9 @@ func runCommand(ctx context.Context, command Command, path string, env []string)
 	}
 	logCtx := log.WithFields(log.Fields{"execID": execId})

-	argsToLog := getCommandArgsToLog(cmd)
-	logCtx.WithFields(log.Fields{"dir": cmd.Dir}).Info(argsToLog)
+	// log in a way we can copy-and-paste into a terminal
+	args := strings.Join(cmd.Args, " ")
+	logCtx.WithFields(log.Fields{"dir": cmd.Dir}).Info(args)

 	var stdout bytes.Buffer
 	var stderr bytes.Buffer
@@ -108,7 +106,7 @@ func runCommand(ctx context.Context, command Command, path string, env []string)
 	logCtx.WithFields(log.Fields{"duration": duration}).Debug(output)

 	if err != nil {
-		err := newCmdError(argsToLog, errors.New(err.Error()), strings.TrimSpace(stderr.String()))
+		err := newCmdError(args, errors.New(err.Error()), strings.TrimSpace(stderr.String()))
 		logCtx.Error(err.Error())
 		return strings.TrimSuffix(output, "\n"), err
 	}
@@ -116,28 +114,6 @@ func runCommand(ctx context.Context, command Command, path string, env []string)
 	return strings.TrimSuffix(output, "\n"), nil
 }

-// getCommandArgsToLog represents the given command in a way that we can copy-and-paste into a terminal
-func getCommandArgsToLog(cmd *exec.Cmd) string {
-	var argsToLog []string
-	for _, arg := range cmd.Args {
-		containsSpace := false
-		for _, r := range arg {
-			if unicode.IsSpace(r) {
-				containsSpace = true
-				break
-			}
-		}
-		if containsSpace {
-			// add quotes and escape any internal quotes
-			argsToLog = append(argsToLog, strconv.Quote(arg))
-		} else {
-			argsToLog = append(argsToLog, arg)
-		}
-	}
-	args := strings.Join(argsToLog, " ")
-	return args
-}
-
 type CmdError struct {
 	Args   string
 	Stderr string
@@ -177,7 +153,7 @@ func getTempDirMustCleanup(baseDir string) (workDir string, cleanup func(), err
 		if err := os.RemoveAll(workDir); err != nil {
 			log.WithFields(map[string]interface{}{
 				common.SecurityField:    common.SecurityHigh,
-				common.SecurityCWEField: common.SecurityCWEIncompleteCleanup,
+				common.SecurityCWEField: 459,
 			}).Errorf("Failed to clean up temp directory: %s", err)
 		}
 	}
@@ -297,7 +273,7 @@ func (s *Service) matchRepositoryGeneric(stream MatchRepositoryStream) error {
 		return fmt.Errorf("match repository error receiving stream: %w", err)
 	}

-	isSupported, isDiscoveryEnabled, err := s.matchRepository(bufferedCtx, workDir, metadata.GetEnv(), metadata.GetAppRelPath())
+	isSupported, isDiscoveryEnabled, err := s.matchRepository(bufferedCtx, workDir, metadata.GetEnv())
 	if err != nil {
 		return fmt.Errorf("match repository error: %w", err)
 	}
@@ -310,20 +286,12 @@ func (s *Service) matchRepositoryGeneric(stream MatchRepositoryStream) error {
 	return nil
 }

-func (s *Service) matchRepository(ctx context.Context, workdir string, envEntries []*apiclient.EnvEntry, appRelPath string) (isSupported bool, isDiscoveryEnabled bool, err error) {
+func (s *Service) matchRepository(ctx context.Context, workdir string, envEntries []*apiclient.EnvEntry) (isSupported bool, isDiscoveryEnabled bool, err error) {
 	config := s.initConstants.PluginConfig

-	appPath, err := securejoin.SecureJoin(workdir, appRelPath)
-	if err != nil {
-		log.WithFields(map[string]interface{}{
-			common.SecurityField:    common.SecurityHigh,
-			common.SecurityCWEField: common.SecurityCWEIncompleteCleanup,
-		}).Errorf("error joining workdir %q and appRelPath %q: %v", workdir, appRelPath, err)
-	}
-
 	if config.Spec.Discover.FileName != "" {
 		log.Debugf("config.Spec.Discover.FileName is provided")
-		pattern := filepath.Join(appPath, config.Spec.Discover.FileName)
+		pattern := filepath.Join(workdir, config.Spec.Discover.FileName)
 		matches, err := filepath.Glob(pattern)
 		if err != nil {
 			e := fmt.Errorf("error finding filename match for pattern %q: %w", pattern, err)
@@ -335,7 +303,7 @@ func (s *Service) matchRepository(ctx context.Context, workdir string, envEntrie

 	if config.Spec.Discover.Find.Glob != "" {
 		log.Debugf("config.Spec.Discover.Find.Glob is provided")
-		pattern := filepath.Join(appPath, config.Spec.Discover.Find.Glob)
+		pattern := filepath.Join(workdir, config.Spec.Discover.Find.Glob)
 		// filepath.Glob doesn't have '**' support hence selecting third-party lib
 		// https://github.com/golang/go/issues/11862
 		matches, err := zglob.Glob(pattern)
@@ -351,7 +319,7 @@ func (s *Service) matchRepository(ctx context.Context, workdir string, envEntrie
 	if len(config.Spec.Discover.Find.Command.Command) > 0 {
 		log.Debugf("Going to try runCommand.")
 		env := append(os.Environ(), environ(envEntries)...)
-		find, err := runCommand(ctx, config.Spec.Discover.Find.Command, appPath, env)
+		find, err := runCommand(ctx, config.Spec.Discover.Find.Command, workdir, env)
 		if err != nil {
 			return false, true, fmt.Errorf("error running find command: %w", err)
 		}
@@ -387,7 +355,7 @@ func (s *Service) GetParametersAnnouncement(stream apiclient.ConfigManagementPlu
 		return fmt.Errorf("illegal appPath: out of workDir bound")
 	}

-	repoResponse, err := getParametersAnnouncement(bufferedCtx, appPath, s.initConstants.PluginConfig.Spec.Parameters.Static, s.initConstants.PluginConfig.Spec.Parameters.Dynamic, metadata.GetEnv())
+	repoResponse, err := getParametersAnnouncement(bufferedCtx, appPath, s.initConstants.PluginConfig.Spec.Parameters.Static, s.initConstants.PluginConfig.Spec.Parameters.Dynamic)
 	if err != nil {
 		return fmt.Errorf("get parameters announcement error: %w", err)
 	}
@@ -399,12 +367,11 @@ func (s *Service) GetParametersAnnouncement(stream apiclient.ConfigManagementPlu
 	return nil
 }

-func getParametersAnnouncement(ctx context.Context, appDir string, announcements []*repoclient.ParameterAnnouncement, command Command, envEntries []*apiclient.EnvEntry) (*apiclient.ParametersAnnouncementResponse, error) {
+func getParametersAnnouncement(ctx context.Context, appDir string, announcements []*repoclient.ParameterAnnouncement, command Command) (*apiclient.ParametersAnnouncementResponse, error) {
 	augmentedAnnouncements := announcements

 	if len(command.Command) > 0 {
-		env := append(os.Environ(), environ(envEntries)...)
-		stdout, err := runCommand(ctx, command, appDir, env)
+		stdout, err := runCommand(ctx, command, appDir, os.Environ())
 		if err != nil {
 			return nil, fmt.Errorf("error executing dynamic parameter output command: %w", err)
 		}
--- a/cmpserver/plugin/plugin_test.go
+++ b/cmpserver/plugin/plugin_test.go
@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"io"
 	"os"
-	"os/exec"
 	"path"
 	"path/filepath"
 	"testing"
@@ -100,7 +99,7 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))

 		// when
-		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env, ".")
+		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env)

 		// then
 		assert.NoError(t, err)
@@ -115,7 +114,7 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))

 		// when
-		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env, ".")
+		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env)

 		// then
 		assert.NoError(t, err)
@@ -130,7 +129,7 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))

 		// when
-		_, _, err := f.service.matchRepository(context.Background(), f.path, f.env, ".")
+		_, _, err := f.service.matchRepository(context.Background(), f.path, f.env)

 		// then
 		assert.ErrorContains(t, err, "syntax error")
@@ -145,7 +144,7 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))

 		// when
-		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env, ".")
+		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env)

 		// then
 		assert.NoError(t, err)
@@ -162,7 +161,7 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))

 		// when
-		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env, ".")
+		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env)

 		// then
 		assert.NoError(t, err)
@@ -179,7 +178,7 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))

 		// when
-		_, _, err := f.service.matchRepository(context.Background(), f.path, f.env, ".")
+		_, _, err := f.service.matchRepository(context.Background(), f.path, f.env)

 		// then
 		assert.ErrorContains(t, err, "error finding glob match for pattern")
@@ -196,7 +195,7 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))

 		// when
-		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env, ".")
+		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env)

 		// then
 		assert.NoError(t, err)
@@ -215,7 +214,7 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))

 		// when
-		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env, ".")
+		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env)
 		// then
 		assert.NoError(t, err)
 		assert.False(t, match)
@@ -233,7 +232,7 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))

 		// when
-		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env, ".")
+		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env)

 		// then
 		assert.NoError(t, err)
@@ -253,7 +252,7 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))

 		// when
-		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env, ".")
+		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env)

 		// then
 		assert.NoError(t, err)
@@ -272,7 +271,7 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))

 		// when
-		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env, ".")
+		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env)

 		// then
 		assert.Error(t, err)
@@ -285,7 +284,7 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))

 		// when
-		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env, ".")
+		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env)

 		// then
 		assert.NoError(t, err)
@@ -381,7 +380,7 @@ func Test_getParametersAnnouncement_empty_command(t *testing.T) {
 		Command: []string{"echo"},
 		Args:    []string{`[]`},
 	}
-	res, err := getParametersAnnouncement(context.Background(), "", *static, command, []*apiclient.EnvEntry{})
+	res, err := getParametersAnnouncement(context.Background(), "", *static, command)
 	require.NoError(t, err)
 	assert.Equal(t, []*repoclient.ParameterAnnouncement{{Name: "static-a"}, {Name: "static-b"}}, res.ParameterAnnouncements)
 }
@@ -395,7 +394,7 @@ func Test_getParametersAnnouncement_no_command(t *testing.T) {
 	err := yaml.Unmarshal([]byte(staticYAML), static)
 	require.NoError(t, err)
 	command := Command{}
-	res, err := getParametersAnnouncement(context.Background(), "", *static, command, []*apiclient.EnvEntry{})
+	res, err := getParametersAnnouncement(context.Background(), "", *static, command)
 	require.NoError(t, err)
 	assert.Equal(t, []*repoclient.ParameterAnnouncement{{Name: "static-a"}, {Name: "static-b"}}, res.ParameterAnnouncements)
 }
@@ -412,7 +411,7 @@ func Test_getParametersAnnouncement_static_and_dynamic(t *testing.T) {
 		Command: []string{"echo"},
 		Args:    []string{`[{"name": "dynamic-a"}, {"name": "dynamic-b"}]`},
 	}
-	res, err := getParametersAnnouncement(context.Background(), "", *static, command, []*apiclient.EnvEntry{})
+	res, err := getParametersAnnouncement(context.Background(), "", *static, command)
 	require.NoError(t, err)
 	expected := []*repoclient.ParameterAnnouncement{
 		{Name: "dynamic-a"},
@@ -428,7 +427,7 @@ func Test_getParametersAnnouncement_invalid_json(t *testing.T) {
 		Command: []string{"echo"},
 		Args:    []string{`[`},
 	}
-	_, err := getParametersAnnouncement(context.Background(), "", []*repoclient.ParameterAnnouncement{}, command, []*apiclient.EnvEntry{})
+	_, err := getParametersAnnouncement(context.Background(), "", []*repoclient.ParameterAnnouncement{}, command)
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "unexpected end of JSON input")
 }
@@ -438,7 +437,7 @@ func Test_getParametersAnnouncement_bad_command(t *testing.T) {
 		Command: []string{"exit"},
 		Args:    []string{"1"},
 	}
-	_, err := getParametersAnnouncement(context.Background(), "", []*repoclient.ParameterAnnouncement{}, command, []*apiclient.EnvEntry{})
+	_, err := getParametersAnnouncement(context.Background(), "", []*repoclient.ParameterAnnouncement{}, command)
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "error executing dynamic parameter output command")
 }
@@ -730,17 +729,16 @@ func TestService_GetParametersAnnouncement(t *testing.T) {
 	require.NoError(t, err)

 	t.Run("successful response", func(t *testing.T) {
-		s, err := NewMockParametersAnnouncementStream("./testdata/kustomize", "./testdata/kustomize", []string{"MUST_BE_SET=yep"})
+		s, err := NewMockParametersAnnouncementStream("./testdata/kustomize", "./testdata/kustomize", nil)
 		require.NoError(t, err)
 		err = service.GetParametersAnnouncement(s)
 		require.NoError(t, err)
 		require.NotNil(t, s.response)
-		require.Len(t, s.response.ParameterAnnouncements, 2)
-		assert.Equal(t, repoclient.ParameterAnnouncement{Name: "dynamic-test-param", String_: "yep"}, *s.response.ParameterAnnouncements[0])
-		assert.Equal(t, repoclient.ParameterAnnouncement{Name: "test-param", String_: "test-value"}, *s.response.ParameterAnnouncements[1])
+		require.Len(t, s.response.ParameterAnnouncements, 1)
+		assert.Equal(t, repoclient.ParameterAnnouncement{Name: "test-param", String_: "test-value"}, *s.response.ParameterAnnouncements[0])
 	})
 	t.Run("out of bounds app", func(t *testing.T) {
-		s, err := NewMockParametersAnnouncementStream("./testdata/kustomize", "./testdata/kustomize", []string{"MUST_BE_SET=yep"})
+		s, err := NewMockParametersAnnouncementStream("./testdata/kustomize", "./testdata/kustomize", nil)
 		require.NoError(t, err)
 		// set a malicious app path on the metadata
 		s.metadataRequest.Request.(*apiclient.AppStreamRequest_Metadata).Metadata.AppRelPath = "../out-of-bounds"
@@ -748,38 +746,4 @@ func TestService_GetParametersAnnouncement(t *testing.T) {
 		require.ErrorContains(t, err, "illegal appPath")
 		require.Nil(t, s.response)
 	})
-	t.Run("fails when script fails", func(t *testing.T) {
-		s, err := NewMockParametersAnnouncementStream("./testdata/kustomize", "./testdata/kustomize", []string{"WRONG_ENV_VAR=oops"})
-		require.NoError(t, err)
-		err = service.GetParametersAnnouncement(s)
-		require.ErrorContains(t, err, "error executing dynamic parameter output command")
-		require.Nil(t, s.response)
-	})
-}
-
-func Test_getCommandArgsToLog(t *testing.T) {
-	testCases := []struct {
-		name     string
-		args     []string
-		expected string
-	}{
-		{
-			name:     "no spaces",
-			args:     []string{"sh", "-c", "cat"},
-			expected: "sh -c cat",
-		},
-		{
-			name:     "spaces",
-			args:     []string{"sh", "-c", `echo "hello world"`},
-			expected: `sh -c "echo \"hello world\""`,
-		},
-	}
-
-	for _, tc := range testCases {
-		tcc := tc
-		t.Run(tcc.name, func(t *testing.T) {
-			t.Parallel()
-			assert.Equal(t, tcc.expected, getCommandArgsToLog(exec.Command(tcc.args[0], tcc.args[1:]...)))
-		})
-	}
 }
--- a/cmpserver/plugin/testdata/kustomize/config/plugin.yaml
+++ b/cmpserver/plugin/testdata/kustomize/config/plugin.yaml
@@ -5,15 +5,9 @@ metadata:
 spec:
  version: v1.0
  init:
-    command: [sh, -c]
-    args:
-    - |
-      kustomize version
+    command: [kustomize, version]
  generate:
-    command: [sh, -c]
-    args:
-    - |
-      kustomize build
+    command: [sh, -c, "kustomize build"]
  discover:
    find:
      command: [sh, -c, find . -name kustomization.yaml]
@@ -22,12 +16,3 @@ spec:
    static:
      - name: test-param
        string: test-value
-    dynamic:
-      command: [sh, -c]
-      args:
-        - |
-          # Make sure env vars are making it to the plugin.
-          if [ -z "$MUST_BE_SET" ]; then
-            exit 1
-          fi
-          echo "[{\"name\": \"dynamic-test-param\", \"string\": \"$MUST_BE_SET\"}]"
--- a/common/common.go
+++ b/common/common.go
@@ -8,8 +8,6 @@ import (
 	"time"

 	"github.com/sirupsen/logrus"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
 )

 // Default service addresses and URLS of Argo CD internal services
@@ -225,7 +223,13 @@ const (
 	// DefaultCMPWorkDirName defines the work directory name used by the cmp-server
 	DefaultCMPWorkDirName = "_cmp_server"

-	ConfigMapPluginDeprecationWarning = "argocd-cm plugins are deprecated, and support will be removed in v2.7. Upgrade your plugin to be installed via sidecar. https://argo-cd.readthedocs.io/en/stable/user-guide/config-management-plugins/"
+	ConfigMapPluginDeprecationWarning = "argocd-cm plugins are deprecated, and support will be removed in v2.6. Upgrade your plugin to be installed via sidecar. https://argo-cd.readthedocs.io/en/stable/user-guide/config-management-plugins/"
+
+	ConfigMapPluginCLIDeprecationWarning = "spec.plugin.name is set, which means this Application uses a plugin installed in the " +
+		"argocd-cm ConfigMap. Installing plugins via that ConfigMap is deprecated in Argo CD v2.5. " +
+		"Starting in Argo CD v2.6, this Application will fail to sync. Contact your Argo CD admin " +
+		"to make sure an upgrade plan is in place. More info: " +
+		"https://argo-cd.readthedocs.io/en/latest/operator-manual/upgrading/2.4-2.5/"
 )

 const (
@@ -305,21 +309,16 @@ const (

 // Security severity logging
 const (
-	SecurityField = "security"
-	// SecurityCWEField is the logs field for the CWE associated with a log line. CWE stands for Common Weakness Enumeration. See https://cwe.mitre.org/
-	SecurityCWEField                          = "CWE"
-	SecurityCWEIncompleteCleanup              = 459
-	SecurityCWEMissingReleaseOfFileDescriptor = 775
-	SecurityEmergency                         = 5 // Indicates unmistakably malicious events that should NEVER occur accidentally and indicates an active attack (i.e. brute forcing, DoS)
-	SecurityCritical                          = 4 // Indicates any malicious or exploitable event that had a side effect (i.e. secrets being left behind on the filesystem)
-	SecurityHigh                              = 3 // Indicates likely malicious events but one that had no side effects or was blocked (i.e. out of bounds symlinks in repos)
-	SecurityMedium                            = 2 // Could indicate malicious events, but has a high likelihood of being user/system error (i.e. access denied)
-	SecurityLow                               = 1 // Unexceptional entries (i.e. successful access logs)
+	SecurityField     = "security"
+	SecurityCWEField  = "CWE"
+	SecurityEmergency = 5 // Indicates unmistakably malicious events that should NEVER occur accidentally and indicates an active attack (i.e. brute forcing, DoS)
+	SecurityCritical  = 4 // Indicates any malicious or exploitable event that had a side effect (i.e. secrets being left behind on the filesystem)
+	SecurityHigh      = 3 // Indicates likely malicious events but one that had no side effects or was blocked (i.e. out of bounds symlinks in repos)
+	SecurityMedium    = 2 // Could indicate malicious events, but has a high likelihood of being user/system error (i.e. access denied)
+	SecurityLow       = 1 // Unexceptional entries (i.e. successful access logs)
 )

 // Common error messages
 const TokenVerificationError = "failed to verify the token"

 var TokenVerificationErr = errors.New(TokenVerificationError)
-
-var PermissionDeniedAPIError = status.Error(codes.PermissionDenied, "permission denied")
--- a/controller/appcontroller.go
+++ b/controller/appcontroller.go
@@ -417,7 +417,7 @@ func (ctrl *ApplicationController) getResourceTree(a *appv1.Application, managed
 	nodes := make([]appv1.ResourceNode, 0)
 	proj, err := ctrl.getAppProj(a)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to get project: %w", err)
 	}

 	orphanedNodesMap := make(map[kube.ResourceKey]appv1.ResourceNode)
@@ -425,7 +425,7 @@ func (ctrl *ApplicationController) getResourceTree(a *appv1.Application, managed
 	if proj.Spec.OrphanedResources != nil {
 		orphanedNodesMap, err = ctrl.stateCache.GetNamespaceTopLevelResources(a.Spec.Destination.Server, a.Spec.Destination.Namespace)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("failed to get namespace top-level resources: %w", err)
 		}
 		warnOrphaned = proj.Spec.OrphanedResources.IsWarn()
 	}
@@ -435,12 +435,12 @@ func (ctrl *ApplicationController) getResourceTree(a *appv1.Application, managed
 		var live = &unstructured.Unstructured{}
 		err := json.Unmarshal([]byte(managedResource.LiveState), &live)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("failed to unmarshal live state of managed resources: %w", err)
 		}
 		var target = &unstructured.Unstructured{}
 		err = json.Unmarshal([]byte(managedResource.TargetState), &target)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("failed to unmarshal target state of managed resources: %w", err)
 		}

 		if live == nil {
@@ -456,7 +456,11 @@ func (ctrl *ApplicationController) getResourceTree(a *appv1.Application, managed
 		} else {
 			err := ctrl.stateCache.IterateHierarchy(a.Spec.Destination.Server, kube.GetResourceKey(live), func(child appv1.ResourceNode, appName string) bool {
 				permitted, _ := proj.IsResourcePermitted(schema.GroupKind{Group: child.ResourceRef.Group, Kind: child.ResourceRef.Kind}, child.Namespace, a.Spec.Destination, func(project string) ([]*appv1.Cluster, error) {
-					return ctrl.db.GetProjectClusters(context.TODO(), project)
+					clusters, err := ctrl.db.GetProjectClusters(context.TODO(), project)
+					if err != nil {
+						return nil, fmt.Errorf("failed to get project clusters: %w", err)
+					}
+					return clusters, nil
 				})
 				if !permitted {
 					return false
@@ -465,7 +469,7 @@ func (ctrl *ApplicationController) getResourceTree(a *appv1.Application, managed
 				return true
 			})
 			if err != nil {
-				return nil, err
+				return nil, fmt.Errorf("failed to iterate resource hierarchy: %w", err)
 			}
 		}
 	}
@@ -514,7 +518,7 @@ func (ctrl *ApplicationController) getResourceTree(a *appv1.Application, managed

 	hosts, err := ctrl.getAppHosts(a, nodes)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to get app hosts: %w", err)
 	}
 	return &appv1.ApplicationTree{Nodes: nodes, OrphanedNodes: orphanedNodes, Hosts: hosts}, nil
 }
@@ -1356,7 +1360,7 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 		} else {
 			var tree *appv1.ApplicationTree
 			if tree, err = ctrl.getResourceTree(app, managedResources); err == nil {
-				app.Status.Summary = tree.GetSummary()
+				app.Status.Summary = tree.GetSummary(app)
 				if err := ctrl.cache.SetAppResourcesTree(app.InstanceName(ctrl.namespace), tree); err != nil {
 					logCtx.Errorf("Failed to cache resources tree: %v", err)
 					return
@@ -1430,7 +1434,7 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 	if err != nil {
 		logCtx.Errorf("Failed to cache app resources: %v", err)
 	} else {
-		app.Status.Summary = tree.GetSummary()
+		app.Status.Summary = tree.GetSummary(app)
 	}

 	if project.Spec.SyncWindows.Matches(app).CanSync(false) {
@@ -1469,13 +1473,6 @@ func resourceStatusKey(res appv1.ResourceStatus) string {
 	return strings.Join([]string{res.Group, res.Kind, res.Namespace, res.Name}, "/")
 }

-func currentSourceEqualsSyncedSource(app *appv1.Application) bool {
-	if app.Spec.HasMultipleSources() {
-		return app.Spec.Sources.Equals(app.Status.Sync.ComparedTo.Sources)
-	}
-	return app.Spec.Source.Equals(app.Status.Sync.ComparedTo.Source)
-}
-
 // needRefreshAppStatus answers if application status needs to be refreshed.
 // Returns true if application never been compared, has changed or comparison result has expired.
 // Additionally returns whether full refresh was requested or not.
@@ -1494,12 +1491,14 @@ func (ctrl *ApplicationController) needRefreshAppStatus(app *appv1.Application,
 		refreshType = requestedType
 		reason = fmt.Sprintf("%s refresh requested", refreshType)
 	} else {
-		if !currentSourceEqualsSyncedSource(app) {
+		if app.Spec.HasMultipleSources() {
+			if (len(app.Spec.Sources) != len(app.Status.Sync.ComparedTo.Sources)) || !reflect.DeepEqual(app.Spec.Sources, app.Status.Sync.ComparedTo.Sources) {
+				reason = "atleast one of the spec.sources differs"
+				compareWith = CompareWithLatestForceResolve
+			}
+		} else if !app.Spec.Source.Equals(app.Status.Sync.ComparedTo.Source) {
 			reason = "spec.source differs"
 			compareWith = CompareWithLatestForceResolve
-			if app.Spec.HasMultipleSources() {
-				reason = "at least one of the spec.sources differs"
-			}
 		} else if hardExpired || softExpired {
 			// The commented line below mysteriously crashes if app.Status.ReconciledAt is nil
 			// reason = fmt.Sprintf("comparison expired. reconciledAt: %v, expiry: %v", app.Status.ReconciledAt, statusRefreshTimeout)
--- a/controller/appcontroller_test.go
+++ b/controller/appcontroller_test.go
@@ -50,7 +50,6 @@ type namespacedResource struct {
 type fakeData struct {
 	apps                   []runtime.Object
 	manifestResponse       *apiclient.ManifestResponse
-	manifestResponses      []*apiclient.ManifestResponse
 	managedLiveObjs        map[kube.ResourceKey]*unstructured.Unstructured
 	namespacedResources    map[kube.ResourceKey]namespacedResource
 	configMapData          map[string]string
@@ -66,15 +65,7 @@ func newFakeController(data *fakeData) *ApplicationController {

 	// Mock out call to GenerateManifest
 	mockRepoClient := mockrepoclient.RepoServerServiceClient{}
-
-	if len(data.manifestResponses) > 0 {
-		for _, response := range data.manifestResponses {
-			mockRepoClient.On("GenerateManifest", mock.Anything, mock.Anything).Return(response, nil).Once()
-		}
-	} else {
-		mockRepoClient.On("GenerateManifest", mock.Anything, mock.Anything).Return(data.manifestResponse, nil)
-	}
-
+	mockRepoClient.On("GenerateManifest", mock.Anything, mock.Anything).Return(data.manifestResponse, nil)
 	mockRepoClientset := mockrepoclient.Clientset{RepoServerServiceClient: &mockRepoClient}

 	secret := corev1.Secret{
@@ -218,64 +209,6 @@ status:
        repoURL: https://github.com/argoproj/argocd-example-apps.git
 `

-var fakeMultiSourceApp = `
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  uid: "123"
-  name: my-app
-  namespace: ` + test.FakeArgoCDNamespace + `
-spec:
-  destination:
-    namespace: ` + test.FakeDestNamespace + `
-    server: https://localhost:6443
-  project: default
-  sources:
-  - path: some/path
-    helm:
-      valueFiles:
-      - $values_test/values.yaml
-    repoURL: https://github.com/argoproj/argocd-example-apps.git
-  - path: some/other/path
-    repoURL: https://github.com/argoproj/argocd-example-apps-fake.git
-  - ref: values_test
-    repoURL: https://github.com/argoproj/argocd-example-apps-fake-ref.git
-  syncPolicy:
-    automated: {}
-status:
-  operationState:
-    finishedAt: 2018-09-21T23:50:29Z
-    message: successfully synced
-    operation:
-      sync:
-        revisions:
-        - HEAD
-        - HEAD
-        - HEAD
-    phase: Succeeded
-    startedAt: 2018-09-21T23:50:25Z
-    syncResult:
-      resources:
-      - kind: RoleBinding
-        message: |-
-          rolebinding.rbac.authorization.k8s.io/always-outofsync reconciled
-          rolebinding.rbac.authorization.k8s.io/always-outofsync configured
-        name: always-outofsync
-        namespace: default
-        status: Synced
-      revisions: 
-      - aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
-      - bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
-      - cccccccccccccccccccccccccccccccccccccccc
-      sources:
-      - path: some/path
-        repoURL: https://github.com/argoproj/argocd-example-apps.git
-      - path: some/other/path
-        repoURL: https://github.com/argoproj/argocd-example-apps-fake.git
-      - path: some/other/path
-        repoURL: https://github.com/argoproj/argocd-example-apps-fake-ref.git
-`
-
 var fakeAppWithDestName = `
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -330,10 +263,6 @@ func newFakeApp() *argoappv1.Application {
 	return createFakeApp(fakeApp)
 }

-func newFakeMultiSourceApp() *argoappv1.Application {
-	return createFakeApp(fakeMultiSourceApp)
-}
-
 func newFakeAppWithDestMismatch() *argoappv1.Application {
 	return createFakeApp(fakeAppWithDestMismatch)
 }
@@ -928,133 +857,101 @@ func TestSetOperationStateOnDeletedApp(t *testing.T) {
 }

 func TestNeedRefreshAppStatus(t *testing.T) {
-	testCases := []struct {
-		name string
-		app  *argoappv1.Application
-	}{
-		{
-			name: "single-source app",
-			app:  newFakeApp(),
-		},
-		{
-			name: "multi-source app",
-			app:  newFakeMultiSourceApp(),
+	ctrl := newFakeController(&fakeData{apps: []runtime.Object{}})
+
+	app := newFakeApp()
+	now := metav1.Now()
+	app.Status.ReconciledAt = &now
+	app.Status.Sync = argoappv1.SyncStatus{
+		Status: argoappv1.SyncStatusCodeSynced,
+		ComparedTo: argoappv1.ComparedTo{
+			Source:      app.Spec.GetSource(),
+			Destination: app.Spec.Destination,
 		},
 	}

-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			ctrl := newFakeController(&fakeData{apps: []runtime.Object{}})
-			app := tc.app
-			now := metav1.Now()
-			app.Status.ReconciledAt = &now
+	// no need to refresh just reconciled application
+	needRefresh, _, _ := ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
+	assert.False(t, needRefresh)

-			app.Status.Sync = argoappv1.SyncStatus{
-				Status: argoappv1.SyncStatusCodeSynced,
-				ComparedTo: argoappv1.ComparedTo{
-					Destination: app.Spec.Destination,
-				},
-			}
+	// refresh app using the 'deepest' requested comparison level
+	ctrl.requestAppRefresh(app.Name, CompareWithRecent.Pointer(), nil)
+	ctrl.requestAppRefresh(app.Name, ComparisonWithNothing.Pointer(), nil)

-			if app.Spec.HasMultipleSources() {
-				app.Status.Sync.ComparedTo.Sources = app.Spec.Sources
-			} else {
-				app.Status.Sync.ComparedTo.Source = app.Spec.GetSource()
-			}
+	needRefresh, refreshType, compareWith := ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
+	assert.True(t, needRefresh)
+	assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
+	assert.Equal(t, CompareWithRecent, compareWith)

-			// no need to refresh just reconciled application
-			needRefresh, _, _ := ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
-			assert.False(t, needRefresh)
+	// refresh application which status is not reconciled using latest commit
+	app.Status.Sync = argoappv1.SyncStatus{Status: argoappv1.SyncStatusCodeUnknown}

-			// refresh app using the 'deepest' requested comparison level
-			ctrl.requestAppRefresh(app.Name, CompareWithRecent.Pointer(), nil)
-			ctrl.requestAppRefresh(app.Name, ComparisonWithNothing.Pointer(), nil)
+	needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
+	assert.True(t, needRefresh)
+	assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
+	assert.Equal(t, CompareWithLatestForceResolve, compareWith)

-			needRefresh, refreshType, compareWith := ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
-			assert.True(t, needRefresh)
-			assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
-			assert.Equal(t, CompareWithRecent, compareWith)
+	{
+		// refresh app using the 'latest' level if comparison expired
+		app := app.DeepCopy()
+		ctrl.requestAppRefresh(app.Name, CompareWithRecent.Pointer(), nil)
+		reconciledAt := metav1.NewTime(time.Now().UTC().Add(-1 * time.Hour))
+		app.Status.ReconciledAt = &reconciledAt
+		needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Minute, 2*time.Hour)
+		assert.True(t, needRefresh)
+		assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
+		assert.Equal(t, CompareWithLatestForceResolve, compareWith)
+	}

-			// refresh application which status is not reconciled using latest commit
-			app.Status.Sync = argoappv1.SyncStatus{Status: argoappv1.SyncStatusCodeUnknown}
+	{
+		// refresh app using the 'latest' level if comparison expired for hard refresh
+		app := app.DeepCopy()
+		app.Status.Sync = argoappv1.SyncStatus{
+			Status: argoappv1.SyncStatusCodeSynced,
+			ComparedTo: argoappv1.ComparedTo{
+				Source:      app.Spec.GetSource(),
+				Destination: app.Spec.Destination,
+			},
+		}
+		ctrl.requestAppRefresh(app.Name, CompareWithRecent.Pointer(), nil)
+		reconciledAt := metav1.NewTime(time.Now().UTC().Add(-1 * time.Hour))
+		app.Status.ReconciledAt = &reconciledAt
+		needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 2*time.Hour, 1*time.Minute)
+		assert.True(t, needRefresh)
+		assert.Equal(t, argoappv1.RefreshTypeHard, refreshType)
+		assert.Equal(t, CompareWithLatest, compareWith)
+	}

-			needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
-			assert.True(t, needRefresh)
-			assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
-			assert.Equal(t, CompareWithLatestForceResolve, compareWith)
+	{
+		app := app.DeepCopy()
+		// execute hard refresh if app has refresh annotation
+		reconciledAt := metav1.NewTime(time.Now().UTC().Add(-1 * time.Hour))
+		app.Status.ReconciledAt = &reconciledAt
+		app.Annotations = map[string]string{
+			v1alpha1.AnnotationKeyRefresh: string(argoappv1.RefreshTypeHard),
+		}
+		needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
+		assert.True(t, needRefresh)
+		assert.Equal(t, argoappv1.RefreshTypeHard, refreshType)
+		assert.Equal(t, CompareWithLatestForceResolve, compareWith)
+	}

-			t.Run("refresh app using the 'latest' level if comparison expired", func(t *testing.T) {
-				app := app.DeepCopy()
-				ctrl.requestAppRefresh(app.Name, CompareWithRecent.Pointer(), nil)
-				reconciledAt := metav1.NewTime(time.Now().UTC().Add(-1 * time.Hour))
-				app.Status.ReconciledAt = &reconciledAt
-				needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Minute, 2*time.Hour)
-				assert.True(t, needRefresh)
-				assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
-				assert.Equal(t, CompareWithLatestForceResolve, compareWith)
-			})
+	{
+		app := app.DeepCopy()
+		// ensure that CompareWithLatest level is used if application source has changed
+		ctrl.requestAppRefresh(app.Name, ComparisonWithNothing.Pointer(), nil)
+		// sample app source change
+		app.Spec.Source.Helm = &argoappv1.ApplicationSourceHelm{
+			Parameters: []argoappv1.HelmParameter{{
+				Name:  "foo",
+				Value: "bar",
+			}},
+		}

-			t.Run("refresh app using the 'latest' level if comparison expired for hard refresh", func(t *testing.T) {
-				app := app.DeepCopy()
-				app.Status.Sync = argoappv1.SyncStatus{
-					Status: argoappv1.SyncStatusCodeSynced,
-					ComparedTo: argoappv1.ComparedTo{
-						Destination: app.Spec.Destination,
-					},
-				}
-				if app.Spec.HasMultipleSources() {
-					app.Status.Sync.ComparedTo.Sources = app.Spec.Sources
-				} else {
-					app.Status.Sync.ComparedTo.Source = app.Spec.GetSource()
-				}
-				ctrl.requestAppRefresh(app.Name, CompareWithRecent.Pointer(), nil)
-				reconciledAt := metav1.NewTime(time.Now().UTC().Add(-1 * time.Hour))
-				app.Status.ReconciledAt = &reconciledAt
-				needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 2*time.Hour, 1*time.Minute)
-				assert.True(t, needRefresh)
-				assert.Equal(t, argoappv1.RefreshTypeHard, refreshType)
-				assert.Equal(t, CompareWithLatest, compareWith)
-			})
-
-			t.Run("execute hard refresh if app has refresh annotation", func(t *testing.T) {
-				app := app.DeepCopy()
-				reconciledAt := metav1.NewTime(time.Now().UTC().Add(-1 * time.Hour))
-				app.Status.ReconciledAt = &reconciledAt
-				app.Annotations = map[string]string{
-					v1alpha1.AnnotationKeyRefresh: string(argoappv1.RefreshTypeHard),
-				}
-				needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
-				assert.True(t, needRefresh)
-				assert.Equal(t, argoappv1.RefreshTypeHard, refreshType)
-				assert.Equal(t, CompareWithLatestForceResolve, compareWith)
-			})
-
-			t.Run("ensure that CompareWithLatest level is used if application source has changed", func(t *testing.T) {
-				app := app.DeepCopy()
-				ctrl.requestAppRefresh(app.Name, ComparisonWithNothing.Pointer(), nil)
-				// sample app source change
-				if app.Spec.HasMultipleSources() {
-					app.Spec.Sources[0].Helm = &argoappv1.ApplicationSourceHelm{
-						Parameters: []argoappv1.HelmParameter{{
-							Name:  "foo",
-							Value: "bar",
-						}},
-					}
-				} else {
-					app.Spec.Source.Helm = &argoappv1.ApplicationSourceHelm{
-						Parameters: []argoappv1.HelmParameter{{
-							Name:  "foo",
-							Value: "bar",
-						}},
-					}
-				}
-
-				needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
-				assert.True(t, needRefresh)
-				assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
-				assert.Equal(t, CompareWithLatestForceResolve, compareWith)
-			})
-		})
+		needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
+		assert.True(t, needRefresh)
+		assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
+		assert.Equal(t, CompareWithLatestForceResolve, compareWith)
 	}
 }

--- a/controller/cache/cache.go
+++ b/controller/cache/cache.go
@@ -25,7 +25,6 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/watch"
-	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"

 	"github.com/argoproj/argo-cd/v2/controller/metrics"
@@ -221,10 +220,10 @@ func asResourceNode(r *clustercache.Resource) appv1.ResourceNode {
 		gv = schema.GroupVersion{}
 	}
 	parentRefs := make([]appv1.ResourceRef, len(r.OwnerRefs))
-	for _, ownerRef := range r.OwnerRefs {
+	for i, ownerRef := range r.OwnerRefs {
 		ownerGvk := schema.FromAPIVersionAndKind(ownerRef.APIVersion, ownerRef.Kind)
 		ownerKey := kube.NewResourceKey(ownerGvk.Group, ownerRef.Kind, r.Ref.Namespace, ownerRef.Name)
-		parentRefs[0] = appv1.ResourceRef{Name: ownerRef.Name, Kind: ownerKey.Kind, Namespace: r.Ref.Namespace, Group: ownerKey.Group, UID: string(ownerRef.UID)}
+		parentRefs[i] = appv1.ResourceRef{Name: ownerRef.Name, Kind: ownerKey.Kind, Namespace: r.Ref.Namespace, Group: ownerKey.Group, UID: string(ownerRef.UID)}
 	}
 	var resHealth *appv1.HealthStatus
 	resourceInfo := resInfo(r)
@@ -395,20 +394,6 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 		return nil, fmt.Errorf("error getting custom label: %w", err)
 	}

-	clusterCacheConfig := cluster.RESTConfig()
-	// Controller dynamically fetches all resource types available on the cluster
-	// using a discovery API that may contain deprecated APIs.
-	// This causes log flooding when managing a large number of clusters.
-	// https://github.com/argoproj/argo-cd/issues/11973
-	// However, we can safely suppress deprecation warnings
-	// because we do not rely on resources with a particular API group or version.
-	// https://kubernetes.io/blog/2020/09/03/warnings/#customize-client-handling
-	//
-	// Completely suppress warning logs only for log levels that are less than Debug.
-	if log.GetLevel() < log.DebugLevel {
-		clusterCacheConfig.WarningHandler = rest.NoWarnings{}
-	}
-
 	clusterCacheOpts := []clustercache.UpdateSettingsFunc{
 		clustercache.SetListSemaphore(semaphore.NewWeighted(clusterCacheListSemaphoreSize)),
 		clustercache.SetListPageSize(clusterCacheListPageSize),
@@ -440,7 +425,7 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 		clustercache.SetRetryOptions(clusterCacheAttemptLimit, clusterCacheRetryUseBackoff, isRetryableError),
 	}

-	clusterCache = clustercache.NewClusterCache(clusterCacheConfig, clusterCacheOpts...)
+	clusterCache = clustercache.NewClusterCache(cluster.RESTConfig(), clusterCacheOpts...)

 	_ = clusterCache.OnResourceUpdated(func(newRes *clustercache.Resource, oldRes *clustercache.Resource, namespaceResources map[kube.ResourceKey]*clustercache.Resource) {
 		toNotify := make(map[string]bool)
@@ -488,11 +473,10 @@ func (c *liveStateCache) getSyncedCluster(server string) (clustercache.ClusterCa
 func (c *liveStateCache) invalidate(cacheSettings cacheSettings) {
 	log.Info("invalidating live state cache")
 	c.lock.Lock()
-	c.cacheSettings = cacheSettings
-	clusters := c.clusters
-	c.lock.Unlock()
+	defer c.lock.Unlock()

-	for _, clust := range clusters {
+	c.cacheSettings = cacheSettings
+	for _, clust := range c.clusters {
 		clust.Invalidate(clustercache.SetSettings(cacheSettings.clusterSettings))
 	}
 	log.Info("live state cache invalidated")
--- a/controller/cache/cache_test.go
+++ b/controller/cache/cache_test.go
@@ -6,10 +6,11 @@ import (
 	"net/url"
 	"testing"

-	apierr "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-
 	"github.com/stretchr/testify/assert"
+	"k8s.io/api/core/v1"
+	apierr "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"

 	"github.com/argoproj/gitops-engine/pkg/cache"
 	"github.com/argoproj/gitops-engine/pkg/cache/mocks"
@@ -153,3 +154,51 @@ func TestIsRetryableError(t *testing.T) {
 		assert.True(t, isRetryableError(connectionReset))
 	})
 }
+
+func Test_asResourceNode_owner_refs(t *testing.T) {
+	resNode := asResourceNode(&cache.Resource{
+		ResourceVersion: "",
+		Ref: v1.ObjectReference{
+			APIVersion: "v1",
+		},
+		OwnerRefs: []metav1.OwnerReference{
+			{
+				APIVersion: "v1",
+				Kind:       "ConfigMap",
+				Name:       "cm-1",
+			},
+			{
+				APIVersion: "v1",
+				Kind:       "ConfigMap",
+				Name:       "cm-2",
+			},
+		},
+		CreationTimestamp: nil,
+		Info:              nil,
+		Resource:          nil,
+	})
+	expected := appv1.ResourceNode{
+		ResourceRef: appv1.ResourceRef{
+			Version: "v1",
+		},
+		ParentRefs: []appv1.ResourceRef{
+			{
+				Group: "",
+				Kind:  "ConfigMap",
+				Name:  "cm-1",
+			},
+			{
+				Group: "",
+				Kind:  "ConfigMap",
+				Name:  "cm-2",
+			},
+		},
+		Info:            nil,
+		NetworkingInfo:  nil,
+		ResourceVersion: "",
+		Images:          nil,
+		Health:          nil,
+		CreatedAt:       nil,
+	}
+	assert.Equal(t, expected, resNode)
+}
--- a/controller/state.go
+++ b/controller/state.go
@@ -107,7 +107,7 @@ type appStateManager struct {
 	persistResourceHealth bool
 }

-func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, sources []v1alpha1.ApplicationSource, appLabelKey string, revisions []string, noCache, noRevisionCache, verifySignature bool, proj *v1alpha1.AppProject) ([]*unstructured.Unstructured, []*apiclient.ManifestResponse, error) {
+func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, sources []v1alpha1.ApplicationSource, appLabelKey string, revisions []string, noCache, noRevisionCache, verifySignature bool, proj *v1alpha1.AppProject) ([]*unstructured.Unstructured, map[*v1alpha1.ApplicationSource]*apiclient.ManifestResponse, error) {

 	ts := stats.NewTimingStats()
 	helmRepos, err := m.db.ListHelmRepositories(context.Background())
@@ -164,7 +164,7 @@ func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, sources []v1alp
 	}
 	defer io.Close(conn)

-	manifestInfos := make([]*apiclient.ManifestResponse, 0)
+	manifestInfoMap := make(map[*v1alpha1.ApplicationSource]*apiclient.ManifestResponse)
 	targetObjs := make([]*unstructured.Unstructured, 0)

 	// Store the map of all sources having ref field into a map for applications with sources field
@@ -215,14 +215,20 @@ func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, sources []v1alp
 			return nil, nil, err
 		}

+		// GenerateManifest can return empty ManifestResponse without error if app has multiple sources
+		// and if any of the source does not have path and chart field not specified.
+		// In that scenario, we continue to the next source
+		if app.Spec.HasMultipleSources() && len(manifestInfo.Manifests) == 0 {
+			continue
+		}
+
 		targetObj, err := unmarshalManifests(manifestInfo.Manifests)

 		if err != nil {
 			return nil, nil, err
 		}
 		targetObjs = append(targetObjs, targetObj...)
-
-		manifestInfos = append(manifestInfos, manifestInfo)
+		manifestInfoMap[&source] = manifestInfo
 	}

 	ts.AddCheckpoint("unmarshal_ms")
@@ -232,7 +238,7 @@ func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, sources []v1alp
 	}
 	logCtx = logCtx.WithField("time_ms", time.Since(ts.StartTime).Milliseconds())
 	logCtx.Info("getRepoObjs stats")
-	return targetObjs, manifestInfos, nil
+	return targetObjs, manifestInfoMap, nil
 }

 func unmarshalManifests(manifests []string) ([]*unstructured.Unstructured, error) {
@@ -393,7 +399,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 	var targetObjs []*unstructured.Unstructured
 	now := metav1.Now()

-	var manifestInfos []*apiclient.ManifestResponse
+	var manifestInfoMap map[*v1alpha1.ApplicationSource]*apiclient.ManifestResponse

 	if len(localManifests) == 0 {
 		// If the length of revisions is not same as the length of sources,
@@ -405,7 +411,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 			}
 		}

-		targetObjs, manifestInfos, err = m.getRepoObjs(app, sources, appLabelKey, revisions, noCache, noRevisionCache, verifySignature, project)
+		targetObjs, manifestInfoMap, err = m.getRepoObjs(app, sources, appLabelKey, revisions, noCache, noRevisionCache, verifySignature, project)
 		if err != nil {
 			targetObjs = make([]*unstructured.Unstructured, 0)
 			conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error(), LastTransitionTime: &now})
@@ -428,7 +434,9 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 			}
 		}
 		// empty out manifestInfoMap
-		manifestInfos = make([]*apiclient.ManifestResponse, 0)
+		for as := range manifestInfoMap {
+			delete(manifestInfoMap, as)
+		}
 	}
 	ts.AddCheckpoint("git_ms")

@@ -463,7 +471,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 		failedToLoadObjs = true
 	}

-	logCtx.Debugf("Retrieved live manifests")
+	logCtx.Debugf("Retrieved lived manifests")

 	// filter out all resources which are not permitted in the application project
 	for k, v := range liveObjByKey {
@@ -508,12 +516,12 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 	}
 	manifestRevisions := make([]string, 0)

-	for _, manifestInfo := range manifestInfos {
+	for _, manifestInfo := range manifestInfoMap {
 		manifestRevisions = append(manifestRevisions, manifestInfo.Revision)
 	}

 	// restore comparison using cached diff result if previous comparison was performed for the same revision
-	revisionChanged := len(manifestInfos) != len(sources) || !reflect.DeepEqual(app.Status.Sync.Revisions, manifestRevisions)
+	revisionChanged := len(manifestInfoMap) != len(sources) || !reflect.DeepEqual(app.Status.Sync.Revisions, manifestRevisions)
 	specChanged := !reflect.DeepEqual(app.Status.Sync.ComparedTo, appv1.ComparedTo{Source: app.Spec.GetSource(), Destination: app.Spec.Destination, Sources: sources})

 	_, refreshRequested := app.IsRefreshRequested()
@@ -680,7 +688,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 	// Git has already performed the signature verification via its GPG interface, and the result is available
 	// in the manifest info received from the repository server. We now need to form our opinion about the result
 	// and stop processing if we do not agree about the outcome.
-	for _, manifestInfo := range manifestInfos {
+	for _, manifestInfo := range manifestInfoMap {
 		if gpg.IsGPGEnabled() && verifySignature && manifestInfo != nil {
 			conditions = append(conditions, verifyGnuPGSignature(manifestInfo.Revision, project, manifestInfo)...)
 		}
@@ -697,11 +705,11 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 	}

 	if hasMultipleSources {
-		for _, manifestInfo := range manifestInfos {
+		for _, manifestInfo := range manifestInfoMap {
 			compRes.appSourceTypes = append(compRes.appSourceTypes, appv1.ApplicationSourceType(manifestInfo.SourceType))
 		}
 	} else {
-		for _, manifestInfo := range manifestInfos {
+		for _, manifestInfo := range manifestInfoMap {
 			compRes.appSourceType = v1alpha1.ApplicationSourceType(manifestInfo.SourceType)
 			break
 		}
--- a/controller/state_test.go
+++ b/controller/state_test.go
@@ -233,74 +233,6 @@ func TestCompareAppStateExtraHook(t *testing.T) {
 	assert.Equal(t, 0, len(app.Status.Conditions))
 }

-// TestAppRevisions tests that revisions are properly propagated for a single source app
-func TestAppRevisionsSingleSource(t *testing.T) {
-	obj1 := NewPod()
-	obj1.SetNamespace(test.FakeDestNamespace)
-	data := fakeData{
-		manifestResponse: &apiclient.ManifestResponse{
-			Manifests: []string{toJSON(t, obj1)},
-			Namespace: test.FakeDestNamespace,
-			Server:    test.FakeClusterURL,
-			Revision:  "abc123",
-		},
-		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
-	}
-	ctrl := newFakeController(&data)
-
-	app := newFakeApp()
-	revisions := make([]string, 0)
-	revisions = append(revisions, "")
-	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, revisions, app.Spec.GetSources(), false, false, nil, app.Spec.HasMultipleSources())
-	assert.NotNil(t, compRes)
-	assert.NotNil(t, compRes.syncStatus)
-	assert.NotEmpty(t, compRes.syncStatus.Revision)
-	assert.Len(t, compRes.syncStatus.Revisions, 0)
-
-}
-
-// TestAppRevisions tests that revisions are properly propagated for a multi source app
-func TestAppRevisionsMultiSource(t *testing.T) {
-	obj1 := NewPod()
-	obj1.SetNamespace(test.FakeDestNamespace)
-	data := fakeData{
-		manifestResponses: []*apiclient.ManifestResponse{
-			{
-				Manifests: []string{toJSON(t, obj1)},
-				Namespace: test.FakeDestNamespace,
-				Server:    test.FakeClusterURL,
-				Revision:  "abc123",
-			},
-			{
-				Manifests: []string{toJSON(t, obj1)},
-				Namespace: test.FakeDestNamespace,
-				Server:    test.FakeClusterURL,
-				Revision:  "def456",
-			},
-			{
-				Manifests: []string{},
-				Namespace: test.FakeDestNamespace,
-				Server:    test.FakeClusterURL,
-				Revision:  "ghi789",
-			},
-		},
-		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
-	}
-	ctrl := newFakeController(&data)
-
-	app := newFakeMultiSourceApp()
-	revisions := make([]string, 0)
-	revisions = append(revisions, "")
-	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, revisions, app.Spec.GetSources(), false, false, nil, app.Spec.HasMultipleSources())
-	assert.NotNil(t, compRes)
-	assert.NotNil(t, compRes.syncStatus)
-	assert.Empty(t, compRes.syncStatus.Revision)
-	assert.Len(t, compRes.syncStatus.Revisions, 3)
-	assert.Equal(t, "abc123", compRes.syncStatus.Revisions[0])
-	assert.Equal(t, "def456", compRes.syncStatus.Revisions[1])
-	assert.Equal(t, "ghi789", compRes.syncStatus.Revisions[2])
-}
-
 func toJSON(t *testing.T, obj *unstructured.Unstructured) string {
 	data, err := json.Marshal(obj)
 	assert.NoError(t, err)
--- a/docs/assets/argocd-arch-authn-authz.jpg
+++ b/docs/assets/argocd-arch-authn-authz.jpg
--- a/docs/assets/extra_info-1.png
+++ b/docs/assets/extra_info-1.png
--- a/docs/assets/extra_info-2.png
+++ b/docs/assets/extra_info-2.png
--- a/docs/assets/extra_info.png
+++ b/docs/assets/extra_info.png
--- a/docs/assets/versions.js
+++ b/docs/assets/versions.js
@@ -9,6 +9,16 @@ setTimeout(function() {
  caret.innerHTML = "<i class='fa fa-caret-down dropdown-caret'></i>"
  caret.classList.add('dropdown-caret')
  div.querySelector('.rst-current-version').appendChild(caret);
+  div.querySelector('.rst-current-version').addEventListener('click', function() {
+      const classes = container.className.split(' ');
+      const index = classes.indexOf('shift-up');
+      if (index === -1) {
+          classes.push('shift-up');
+      } else {
+          classes.splice(index, 1);
+      }
+      container.className = classes.join(' ');
+  });
  }

  var CSSLink = document.createElement('link');
--- a/docs/cli_installation.md
+++ b/docs/cli_installation.md
@@ -39,6 +39,31 @@ rm argocd-linux-amd64

 You should now be able to run `argocd` commands.

+
+## Mac (M1)
+
+### Download With Curl
+
+You can view the latest version of Argo CD at the link above or run the following command to grab the version:
+
+```bash
+VERSION=$(curl --silent "https://api.github.com/repos/argoproj/argo-cd/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/')
+```
+
+Replace `VERSION` in the command below with the version of Argo CD you would like to download:
+
+```bash
+curl -sSL -o argocd-darwin-arm64 https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-darwin-arm64
+```
+
+Install the Argo CD CLI binary:
+
+```bash
+sudo install -m 555 argocd-darwin-arm64 /usr/local/bin/argocd
+rm argocd-darwin-arm64
+```
+
+
 ## Mac

 ### Homebrew
--- a/docs/developer-guide/architecture/authz-authn.md
+++ b/docs/developer-guide/architecture/authz-authn.md
@@ -0,0 +1,109 @@
+# Authentication and Authorization
+
+This document describes how authentication (authn) and authorization
+(authz) are implemented in Argo CD. There is a clear distinction in
+the code base of when and how these two security concepts are
+enforced.
+
+## Logical layers
+
+The diagram bellow suggests 4 different logical layers (represented by
+4 boxes: HTTP, gRPC, AuthN and AuthZ) inside Argo CD API server that
+collaborate to provide authentication and authorization. 
+
+- **HTTP**: The HTTP layer groups the *logical elements* that
+  collaborate to handle HTTP requests. Every incoming request reaches
+  the same HTTP server at the same port (8080). This server will
+  analyze the request headers and dispatch to the proper internal
+  server: gRPC or standard HTTP.
+
+- **gRPC**: The [gRPC][4] layer groups the logical elements responsible for
+  the gRPC implementation.
+
+- **AuthN**: The AuthN represents the layer responsible for
+  authentication.
+
+- **AuthZ**: The AuthZ represents the layer responsible for
+  authorization.
+
+![Argo CD Architecture](../../assets/argocd-arch-authn-authz.jpg)
+
+## Logical elements
+
+The logical elements (identified by numbers) can represent an object,
+a function or a component in the code base. Note that this particular
+distinction is not represented in the diagram.
+
+Incoming requests can reach Argo CD API server from the web UI as well
+as from the `argocd` CLI. The responsibility of the represented
+elements are described below with their respective numbers:
+
+1. **Cmux**: Uses the [cmux][1] library to provide a connection
+   multiplexer capability making it possible to use the same port to
+   handle standard HTTP as well as gRPC requests. It is responsible
+   for inspecting incoming requests and dispatch to appropriate
+   internal servers. If the request version is `http1.x` it will
+   delegate to the *http mux*. If the request version is `http2` and
+   has the header `content-type: application/grpc`, it will delegate
+   to the *gRPC Server*.
+
+1. **HTTP mux**: A [standard HTTP multiplexer][8] that will handle non
+   gRPC requests. It is responsible for serving a unified [REST
+   API][3] to the web UI exposing all gRPC and non-gRPC services.
+
+1. **gRPC-gateway**: Uses the [grpc-gateway][2] library to translate
+   internal gRPC services and expose them as a [REST API][3]. The
+   great majority of API services in Argo CD are implemented in gRPC.
+   The grpc-gateway makes it possible to access gRPC services from the
+   web UI.
+
+1. **Server**: The internal gRPC Server responsible for handling gRPC
+   requests.
+
+1. **AuthN**: Is responsible for invoking the authentication logic. It
+   is registered as a gRPC interceptor which will automatically
+   trigger for every gRPC request.
+
+1. **Session Manager**: Is the object responsible for managing Argo CD
+   API server session. It provides the functionality to verify the
+   validity of the authentication token provided in the request.
+   Depending on how Argo CD is configured it may or may not delegate
+   to an external AuthN provider to verify the token.
+
+1. **AuthN Provider**: Describes the component that can be plugged in
+   Argo CD API server to provide the authentication functionality such
+   as the login and the token verification process.
+
+1. **Service Method**: represents the method implementing the business
+   logic (core functionality) requested. An example of business logic
+   is: `List Applications`. Service methods are also responsible for
+   invoking the [RBAC][7] enforcement function to validate if the
+   authenticated user has permission to execute this method.
+
+1. **RBAC**: Is a collection of functions to provide the capability to
+   verify if the user has permission to execute a specific action in
+   Argo CD. It does so by validating the incoming request action
+   against predefined [RBAC][7] rules that can be configured in Argo CD
+   API server as well as in Argo CD `Project` CRD.
+
+1. **Casbin**: Uses the [Casbin][5] library to enforce [RBAC][7] rules.
+
+1. **AuthN Middleware**: Is an [HTTP Middleware][6] configured to
+   invoke the logic to verify the token for HTTP services that are not
+   implemented as gRPC and requires authentication.
+
+1. **HTTP Handler**: represents the http handlers responsible for
+   invoking the business logic (core functionality) requested. An
+   example of business logic is: `List Applications`. Http handlers
+   are also responsible for invoking the [RBAC][7] enforcement function to
+   validate if the authenticated user has permission to execute this
+   business logic.
+
+[1]: https://github.com/soheilhy/cmux
+[2]: https://github.com/grpc-ecosystem/grpc-gateway
+[3]: https://en.wikipedia.org/wiki/Representational_state_transfer
+[4]: https://grpc.io/
+[5]: https://casbin.org/
+[6]: https://github.com/golang/go/wiki/LearnServerProgramming#middleware
+[7]: https://en.wikipedia.org/wiki/Role-based_access_control
+[8]: https://pkg.go.dev/net/http#ServeMux
--- a/docs/developer-guide/debugging-remote-environment.md
+++ b/docs/developer-guide/debugging-remote-environment.md
@@ -28,7 +28,7 @@ telepresence intercept argocd-server --port 8080:http --env-file .envrc.remote #
 * `--port` forwards traffic of remote port http to 8080 locally (use `--port 8080:https` if argocd-server terminates TLS)
 * `--env-file` writes all the environment variables of the remote pod into a local file, the variables are also set on the subprocess of the `--run` command

-With this, any traffic that hits your argocd-server service in the cluster (e.g. through a LB / ingress) will be forwarded to your laptop on port 8080. So that you can now start argocd-server locally to debug or test new code. If you launch argocd-server using the environment variables in `.envrc.remote`, it is able to fetch all the configmaps, secrets and so on from the cluster and transparently connect to the other microservices so that no further configuration should be necessary, and it behaves exactly the same as in the cluster.
+With this, any traffic that hits your argocd-server service in the cluster (e.g through a LB / ingress) will be forwarded to your laptop on port 8080. So that you can now start argocd-server locally to debug or test new code. If you launch argocd-server using the environment variables in `.envrc.remote`, he is able to fetch all the configmaps, secrets and so one from the cluster and transparently connect to the other microservices so that no further configuration should be neccesary and he behaves exactly the same as in the cluster.

 List current status of Telepresence using:
 ```shell
--- a/docs/developer-guide/site.md
+++ b/docs/developer-guide/site.md
@@ -9,7 +9,12 @@ To test:
 ```bash
 make serve-docs
 ```
-Once running, you can view your locally built documentation at [http://0.0.0.0:8000/](http://0.0.0.0:8000/). 
+
+Check for broken external links:
+
+```bash
+make lint-docs
+```

 ## Deploying

--- a/docs/developer-guide/toolchain-guide.md
+++ b/docs/developer-guide/toolchain-guide.md
@@ -117,6 +117,27 @@ The Docker container for the virtualized toolchain will use the following local

 The following steps are required no matter whether you chose to use a virtualized or a local toolchain.

+!!!note "Docker privileges"
+    If you opt in to use the virtualized toolchain, you will need to have the
+    appropriate privileges to interact with the Docker daemon. It is not
+    recommended to work as the root user, and if your user does not have the
+    permissions to talk to the Docker user, but you have `sudo` setup on your
+    system, you can set the environment variable `SUDO` to `sudo` in order to
+    have the build scripts make any calls to the `docker` CLI using sudo,
+    without affecting the other parts of the build scripts (which should be
+    executed with your normal user privileges).
+
+    You can either set this before calling `make`, like so for example:
+
+    ```
+    SUDO=sudo make sometarget
+    ```
+
+    Or you can opt to export this permanently to your environment, for example
+    ```
+    export SUDO=sudo
+    ```
+
 ### Clone the Argo CD repository from your personal fork on GitHub

 * `mkdir -p ~/go/src/github.com/argoproj`
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -122,9 +122,9 @@ To terminate the sync, click on the "synchronisation" then "terminate":

 ![Synchronization](assets/synchronization-button.png) ![Terminate](assets/terminate-button.png)

-## Why Is My App `Out Of Sync` Even After Syncing?
+## Why Is My App Out Of Sync Even After Syncing?

-In some cases, the tool you use may conflict with Argo CD by adding the `app.kubernetes.io/instance` label. E.g. using
+Is some cases, the tool you use may conflict with Argo CD by adding the `app.kubernetes.io/instance` label. E.g. using
 Kustomize common labels feature.

 Argo CD automatically sets the `app.kubernetes.io/instance` label and uses it to determine which resources form the app.
@@ -142,7 +142,7 @@ The default polling interval is 3 minutes (180 seconds).
 You can change the setting by updating the `timeout.reconciliation` value in the [argocd-cm](https://github.com/argoproj/argo-cd/blob/2d6ce088acd4fb29271ffb6f6023dbb27594d59b/docs/operator-manual/argocd-cm.yaml#L279-L282) config map. If there are any Git changes, ArgoCD will only update applications with the [auto-sync setting](user-guide/auto_sync.md) enabled. If you set it to `0` then Argo CD will stop polling Git repositories automatically and you can only use alternative methods such as [webhooks](operator-manual/webhook.md) and/or manual syncs for deploying applications.


-## Why Are My Resource Limits `Out Of Sync`?
+## Why Are My Resource Limits Out Of Sync?

 Kubernetes has normalized your resource limits when they are applied, and then Argo CD has then compared the version in
 your generated manifests to the normalized one is Kubernetes - they won't match.
@@ -157,7 +157,7 @@ E.g.
 To fix this use diffing
 customizations [settings](./user-guide/diffing.md#known-kubernetes-types-in-crds-resource-limits-volume-mounts-etc).

-## How Do I Fix `invalid cookie, longer than max length 4093`?
+## How Do I Fix "invalid cookie, longer than max length 4093"?

 Argo CD uses a JWT as the auth token. You likely are part of many groups and have gone over the 4KB limit which is set
 for cookies. You can get the list of groups by opening "developer tools -> network"
@@ -224,38 +224,4 @@ resource.customizations.health.bitnami.com_SealedSecret: |
  hs.status = "Healthy"
  hs.message = "Controller doesn't report resource status"
  return hs
-```
-
-## How do I fix `The order in patch list … doesn't match $setElementOrder list: …`?
-
-An application may trigger a sync error labeled a `ComparisonError` with a message like:
-
-> The order in patch list: [map[name:**KEY_BC** value:150] map[name:**KEY_BC** value:500] map[name:**KEY_BD** value:250] map[name:**KEY_BD** value:500] map[name:KEY_BI value:something]] doesn't match $setElementOrder list: [map[name:KEY_AA] map[name:KEY_AB] map[name:KEY_AC] map[name:KEY_AD] map[name:KEY_AE] map[name:KEY_AF] map[name:KEY_AG] map[name:KEY_AH] map[name:KEY_AI] map[name:KEY_AJ] map[name:KEY_AK] map[name:KEY_AL] map[name:KEY_AM] map[name:KEY_AN] map[name:KEY_AO] map[name:KEY_AP] map[name:KEY_AQ] map[name:KEY_AR] map[name:KEY_AS] map[name:KEY_AT] map[name:KEY_AU] map[name:KEY_AV] map[name:KEY_AW] map[name:KEY_AX] map[name:KEY_AY] map[name:KEY_AZ] map[name:KEY_BA] map[name:KEY_BB] map[name:**KEY_BC**] map[name:**KEY_BD**] map[name:KEY_BE] map[name:KEY_BF] map[name:KEY_BG] map[name:KEY_BH] map[name:KEY_BI] map[name:**KEY_BC**] map[name:**KEY_BD**]]
-
-
-There are two parts to the message:
-
-1. `The order in patch list: [`
-
-    This identifies values for items, especially items that appear multiple times:
-
-    > map[name:**KEY_BC** value:150] map[name:**KEY_BC** value:500] map[name:**KEY_BD** value:250] map[name:**KEY_BD** value:500] map[name:KEY_BI value:something]
-
-    You'll want to identify the keys that are duplicated -- you can focus on the first part, as each duplicated key will appear, once for each of its value with its value in the first list. The second list is really just 
-
-   `]`
-
-2. `doesn't match $setElementOrder list: [`
-
-    This includes all of the keys. It's included for debugging purposes -- you don't need to pay much attention to it. It will give you a hint about the precise location in the list for the duplicated keys:
-
-    > map[name:KEY_AA] map[name:KEY_AB] map[name:KEY_AC] map[name:KEY_AD] map[name:KEY_AE] map[name:KEY_AF] map[name:KEY_AG] map[name:KEY_AH] map[name:KEY_AI] map[name:KEY_AJ] map[name:KEY_AK] map[name:KEY_AL] map[name:KEY_AM] map[name:KEY_AN] map[name:KEY_AO] map[name:KEY_AP] map[name:KEY_AQ] map[name:KEY_AR] map[name:KEY_AS] map[name:KEY_AT] map[name:KEY_AU] map[name:KEY_AV] map[name:KEY_AW] map[name:KEY_AX] map[name:KEY_AY] map[name:KEY_AZ] map[name:KEY_BA] map[name:KEY_BB] map[name:**KEY_BC**] map[name:**KEY_BD**] map[name:KEY_BE] map[name:KEY_BF] map[name:KEY_BG] map[name:KEY_BH] map[name:KEY_BI] map[name:**KEY_BC**] map[name:**KEY_BD**]
-   
-   `]`
-
-In this case, the duplicated keys have been **emphasized** to help you identify the problematic keys. Many editors have the ability to highlight all instances of a string, using such an editor can help with such problems.
-
-The most common instance of this error is with `env:` fields for `containers`.
-
-!!! note "Dynamic applications"
-    It's possible that your application is being generated by a tool in which case the duplication might not be evident within the scope of a single file. If you have trouble debugging this problem, consider filing a ticket to the owner of the generator tool asking them to improve its validation and error reporting.
+```
--- a/docs/getting_started.md
+++ b/docs/getting_started.md
@@ -81,7 +81,7 @@ in your Argo CD installation namespace. You can simply retrieve this password
 using the `argocd` CLI:

 ```bash
-argocd admin initial-password -n argocd
+argocd admin initial-password
 ```

 !!! warning
--- a/docs/operator-manual/app-any-namespace.md
+++ b/docs/operator-manual/app-any-namespace.md
@@ -24,7 +24,7 @@ This feature can only be enabled and used when your Argo CD is installed as a cl

 ### Switch resource tracking method

-Also, while technically not necessary, it is strongly suggested that you switch the application tracking method from the default `label` setting to either `annotation` or `annotation+label`. The reasoning for this is, that application names will be a composite of the namespace's name and the name of the `Application`, and this can easily exceed the 63 characters length limit imposed on label values. Annotations have a notably greater length limit.
+Also, while technically not necessary, it is strongly suggested that you switch the application tracking method from the default `label` setting to either `annotation` or `annotation+label`. The reasonsing for this is, that application names will be a composite of the namespace's name and the name of the `Application`, and this can easily exceed the 63 characters length limit imposed on label values. Annotations have a notably greater length limit.

 To enable annotation based resource tracking, refer to the documentation about [resource tracking methods](../../user-guide/resource_tracking/)

--- a/docs/operator-manual/application.yaml
+++ b/docs/operator-manual/application.yaml
@@ -6,10 +6,7 @@ metadata:
  namespace: argocd
  # Add this finalizer ONLY if you want these to cascade delete.
  finalizers:
-    # The default behaviour is foreground cascading deletion
    - resources-finalizer.argocd.argoproj.io
-    # Alternatively, you can use background cascading deletion
-    # - resources-finalizer.argocd.argoproj.io/background
  # Add labels to your application object.
  labels:
    name: guestbook
@@ -117,7 +114,9 @@ spec:

    # plugin specific config
    plugin:
-      # If the plugin is defined as a sidecar and name is not passed, the plugin will be automatically matched with the
+      # NOTE: this field is deprecated in v2.5 and must be removed to use sidecar-based plugins.
+      # Only set the plugin name if the plugin is defined in argocd-cm.
+      # If the plugin is defined as a sidecar, omit the name. The plugin will be automatically matched with the
      # Application according to the plugin's discovery rules.
      name: mypluginname
      # environment variables passed to the plugin
@@ -149,12 +148,7 @@ spec:
    # name: in-cluster
    # The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace
    namespace: guestbook
-    
-  # Extra information to show in the Argo CD Application details tab
-  info:
-    - name: 'Example:'
-      value: 'https://example.com'
-      
+
  # Sync policy
  syncPolicy:
    automated: # automated sync by default retries failed attempts 5 times with following delays between attempts ( 5s, 10s, 20s, 40s, 80s ); retry controlled using `retry` field.
--- a/docs/operator-manual/applicationset.yaml
+++ b/docs/operator-manual/applicationset.yaml
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: test-hello-world-appset
+  namespace: argocd
+spec:
+  # See docs for available generators and their specs.
+  generators:
+  - list:
+      elements:
+      - cluster: https://kubernetes.default.svc
+  # Determines whether go templating will be used in the `template` field below.
+  goTemplate: false
+  # These fields are identical to the Application spec.
+  template:
+    metadata:
+      name: test-hello-world-app
+    spec:
+      project: my-project
+  # This sync policy pertains to the ApplicationSet, not to the Applications it creates.
+  syncPolicy:
+    # Determines whether the controller will delete Applications when an ApplicationSet is deleted.
+    preserveResourcesOnDeletion: false
+  # Alpha feature to determine the order in which ApplicationSet applies changes.
+  strategy:
--- a/docs/operator-manual/applicationset/Generators-Git.md
+++ b/docs/operator-manual/applicationset/Generators-Git.md
@@ -110,7 +110,7 @@ spec:
        server: https://kubernetes.default.svc
        namespace: '{{path.basename}}'
 ```
-(*The full example can be found [here](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/git-generator-directory/excludes).*)
+(*The full example can be found [here](https://github.com/argoproj/argo-cd/tree/master/examples/applicationset/git-generator-directory/excludes).*)

 This example excludes the `exclude-helm-guestbook` directory from the list of directories scanned for this `ApplicationSet` resource.

--- a/docs/operator-manual/applicationset/Generators-Post-Selector.md
+++ b/docs/operator-manual/applicationset/Generators-Post-Selector.md
@@ -1,43 +0,0 @@
-# Post Selector all generators
-
-The Selector allows to post-filter based on generated values using the kubernetes common labelSelector format. In the example, the list generator generates a set of two application which then filter by the key value to only select the `env` with value `staging`:
-
-## Example: List generator + Post Selector
-```yaml
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: guestbook
-spec:
-  generators:
-  - list:
-      elements:
-        - cluster: engineering-dev
-          url: https://kubernetes.default.svc
-          env: staging
-        - cluster: engineering-prod
-          url: https://kubernetes.default.svc
-          env: prod
-    selector:
-      matchLabels:
-        env: staging
-  template:
-    metadata:
-      name: '{{cluster}}-guestbook'
-    spec:
-      project: default
-      source:
-        repoURL: https://github.com/argoproj-labs/applicationset.git
-        targetRevision: HEAD
-        path: examples/list-generator/guestbook/{{cluster}}
-      destination:
-        server: '{{url}}'
-        namespace: guestbook
-```
-
-The List generator + Post Selector generates a single set of parameters:
-```yaml
- cluster: engineering-dev
-  url: https://kubernetes.default.svc
-  env: staging
-```
--- a/docs/operator-manual/applicationset/Generators.md
+++ b/docs/operator-manual/applicationset/Generators.md
@@ -15,6 +15,4 @@ As of this writing there are eight generators:
 - [Pull Request generator](Generators-Pull-Request.md): The Pull Request generator uses the API of an SCMaaS provider (eg GitHub) to automatically discover open pull requests within an repository.
 - [Cluster Decision Resource generator](Generators-Cluster-Decision-Resource.md): The Cluster Decision Resource generator is used to interface with Kubernetes custom resources that use custom resource-specific logic to decide which set of Argo CD clusters to deploy to.

-All generators can be filtered by using the [Post Selector](Generators-Post-Selector.md)
-
 If you are new to generators, begin with the **List** and **Cluster** generators. For more advanced use cases, see the documentation for the remaining generators above.
--- a/docs/operator-manual/applicationset/GoTemplate.md
+++ b/docs/operator-manual/applicationset/GoTemplate.md
@@ -87,10 +87,6 @@ By activating Go Templating, `{{ .path }}` becomes an object. Therefore, some ch
 generators' templating:

 - `{{ path }}` becomes `{{ .path.path }}`
- `{{ path.basename }}` becomes `{{ .path.basename }}`
- `{{ path.basenameNormalized }}` becomes `{{ .path.basenameNormalized }}`
- `{{ path.filename }}` becomes `{{ .path.filename }}`
- `{{ path.filenameNormalized }}` becomes `{{ .path.filenameNormalized }}`
 - `{{ path[n] }}` becomes `{{ index .path.segments n }}`

 Here is an example:
--- a/docs/operator-manual/applicationset/Progressive-Syncs.md
+++ b/docs/operator-manual/applicationset/Progressive-Syncs.md
@@ -34,7 +34,7 @@ When the ApplicationSet changes, the changes will be applied to each group of Ap
 * Application groups are selected using their labels and `matchExpressions`.
 * All `matchExpressions` must be true for an Application to be selected (multiple expressions match with AND behavior).
 * The `In` and `NotIn` operators must match at least one value to be considered true (OR behavior).
-* The `NotIn` operator has priority in the event that both a `NotIn` and `In` operator produce a match.
+* The `NotIn` operatorn has priority in the event that both a `NotIn` and `In` operator produce a match.
 * All Applications in each group must become Healthy before the ApplicationSet controller will proceed to update the next group of Applications.
 * The number of simultaneous Application updates in a group will not exceed its `maxUpdate` parameter (default is 100%, unbounded).
 * RollingSync will capture external changes outside the ApplicationSet resource, since it relies on watching the OutOfSync status of the managed Applications.
--- a/docs/operator-manual/config-management-plugins.md
+++ b/docs/operator-manual/config-management-plugins.md
@@ -20,21 +20,51 @@ The following sections will describe how to create, install, and use plugins. Ch

 There are two ways to install a Config Management Plugin:

- * **Sidecar plugin**
-   
-    This is a good option for a more complex plugin that would clutter the Argo CD ConfigMap. A copy of the repository is
-    sent to the sidecar container as a tarball and processed individually per application.
+1. Add the plugin config to the Argo CD ConfigMap (**this method is deprecated and will be removed in a future 
+   version**). The repo-server container will run your plugin's commands. This is a good option for a simple plugin that
+   requires only a few lines of code that fit nicely in the Argo CD ConfigMap.
+2. Add the plugin as a sidecar to the repo-server Pod.
+   This is a good option for a more complex plugin that would clutter the Argo CD ConfigMap. A copy of the repository is 
+   sent to the sidecar container as a tarball and processed individually per application, which makes it a good option 
+   for [concurrent processing of monorepos](high_availability.md#enable-concurrent-processing).

- * **ConfigMap plugin** (**this method is deprecated and will be removed in a future 
-   version**)
-   
-    The repo-server container will run your plugin's commands.
+### Option 1: Configure plugins via Argo CD configmap (deprecated)

-### Sidecar plugin
+The following changes are required to configure a new plugin:
+
+1. Make sure required binaries are available in `argocd-repo-server` pod. The binaries can be added via volume mounts or 
+   using a custom image (see [custom_tools](custom_tools.md) for examples of both).
+2. Register a new plugin in `argocd-cm` ConfigMap:
+
+        :::yaml
+        data:
+          configManagementPlugins: |
+            - name: pluginName
+              init:                          # Optional command to initialize application source directory
+                command: ["sample command"]
+                args: ["sample args"]
+              generate:                      # Command to generate manifests YAML
+                command: ["sample command"]
+                args: ["sample args"]
+              lockRepo: true                 # Defaults to false. See below.
+    
+    The `generate` command must print a valid YAML or JSON stream to stdout. Both `init` and `generate` commands are executed inside the application source directory or in `path` when specified for the app.
+
+3. [Create an Application which uses your new CMP](#using-a-cmp).
+
+More CMP examples are available in [argocd-example-apps](https://github.com/argoproj/argocd-example-apps/tree/master/plugins).
+
+!!!note "Repository locking"
+    If your plugin makes use of `git` (e.g. `git crypt`), it is advised to set
+    `lockRepo` to `true` so that your plugin will have exclusive access to the
+    repository at the time it is executed. Otherwise, two applications synced
+    at the same time may result in a race condition and sync failure.
+
+### Option 2: Configure plugin via sidecar

 An operator can configure a plugin tool via a sidecar to repo-server. The following changes are required to configure a new plugin:

-#### Write the plugin configuration file
+#### 1. Write the plugin configuration file

 Plugins will be configured via a ConfigManagementPlugin manifest located inside the plugin container.

@@ -54,7 +84,7 @@ spec:
    command: [sh]
    args: [-c, 'echo "Initializing..."']
  # The generate command runs in the Application source directory each time manifests are generated. Standard output
-  # must be ONLY valid Kubernetes Objects in either YAML or JSON. A non-zero exit code will fail manifest generation.
+  # must be ONLY valid YAML manifests. A non-zero exit code will fail manifest generation.
  # Error output will be sent to the UI, so avoid printing sensitive information (such as secrets).
  generate:
    command: [sh, -c]
@@ -67,8 +97,8 @@ spec:
  # Only one of fileName, find.glob, or find.command should be specified. If multiple are specified then only the 
  # first (in that order) is evaluated.
  discover:
-    # fileName is a glob pattern (https://pkg.go.dev/path/filepath#Glob) that is applied to the Application's source 
-    # directory. If there is a match, this plugin may be used for the Application.
+    # fileName is a glob pattern (https://pkg.go.dev/path/filepath#Glob) that is applied to the repository's root 
+    # directory (not the Application source directory). If there is a match, this plugin may be used for the repository.
    fileName: "./subdir/s*.yaml"
    find:
      # This does the same thing as fileName, but it supports double-start (nested directory) glob patterns.
@@ -123,7 +153,7 @@ spec:
    While the ConfigManagementPlugin _looks like_ a Kubernetes object, it is not actually a custom resource. 
    It only follows kubernetes-style spec conventions.

-The `generate` command must print a valid Kubernetes YAML or JSON object stream to stdout. Both `init` and `generate` commands are executed inside the application source directory.
+The `generate` command must print a valid YAML stream to stdout. Both `init` and `generate` commands are executed inside the application source directory.

 The `discover.fileName` is used as [glob](https://pkg.go.dev/path/filepath#Glob) pattern to determine whether an
 application repository is supported by the plugin or not. 
@@ -138,7 +168,7 @@ If `discover.fileName` is not provided, the `discover.find.command` is executed
 application repository is supported by the plugin or not. The `find` command should return a non-error exit code
 and produce output to stdout when the application source type is supported.

-#### Place the plugin configuration file in the sidecar
+#### 2. Place the plugin configuration file in the sidecar

 Argo CD expects the plugin configuration file to be located at `/home/argocd/cmp-server/config/plugin.yaml` in the sidecar.

@@ -173,7 +203,7 @@ data:
        fileName: "./subdir/s*.yaml"
 ```

-#### Register the plugin sidecar
+#### 3. Register the plugin sidecar

 To install a plugin, patch argocd-repo-server to run the plugin container as a sidecar, with argocd-cmp-server as its 
 entrypoint. You can use either off-the-shelf or custom-built plugin image as sidecar image. For example:
@@ -212,40 +242,6 @@ volumes:
    2. Make sure that sidecar container is running as user 999.
    3. Make sure that plugin configuration file is present at `/home/argocd/cmp-server/config/plugin.yaml`. It can either be volume mapped via configmap or baked into image.

-### ConfigMap plugin
-
-!!! warning "Deprecated"
-    ConfigMap plugins are deprecated and will no longer be supported in 2.7.
-
-The following changes are required to configure a new plugin:
-
-1. Make sure required binaries are available in `argocd-repo-server` pod. The binaries can be added via volume mounts or
-   using a custom image (see [custom_tools](../operator-manual/custom_tools.md) for examples of both).
-2. Register a new plugin in `argocd-cm` ConfigMap:
-
-        data:
-          configManagementPlugins: |
-            - name: pluginName
-              init:                          # Optional command to initialize application source directory
-                command: ["sample command"]
-                args: ["sample args"]
-              generate:                      # Command to generate manifests YAML
-                command: ["sample command"]
-                args: ["sample args"]
-              lockRepo: true                 # Defaults to false. See below.
-   
-    The `generate` command must print a valid YAML or JSON stream to stdout. Both `init` and `generate` commands are executed inside the application source directory or in `path` when specified for the app.
-
-3. [Create an Application which uses your new CMP](#using-a-cmp).
-
-More CMP examples are available in [argocd-example-apps](https://github.com/argoproj/argocd-example-apps/tree/master/plugins).
-
-!!!note "Repository locking"
-    If your plugin makes use of `git` (e.g. `git crypt`), it is advised to set
-    `lockRepo` to `true` so that your plugin will have exclusive access to the
-    repository at the time it is executed. Otherwise, two applications synced
-    at the same time may result in a race condition and sync failure.
-
 ### Using environment variables in your plugin

 Plugin commands have access to
@@ -254,73 +250,82 @@ Plugin commands have access to
 2. [Standard build environment variables](../user-guide/build-environment.md)
 3. Variables in the Application spec (References to system and build variables will get interpolated in the variables' values):

-        apiVersion: argoproj.io/v1alpha1
-        kind: Application
-        spec:
-          source:
-            plugin:
-              env:
-                - name: FOO
-                  value: bar
-                - name: REV
-                  value: test-$ARGOCD_APP_REVISION
-   
-    !!! note
-        The `discover.find.command` command only has access to the above environment starting with v2.4.
-    
-    Before reaching the `init.command`, `generate.command`, and `discover.find.command` commands, Argo CD prefixes all 
-    user-supplied environment variables (#3 above) with `ARGOCD_ENV_`. This prevents users from directly setting 
-    potentially-sensitive environment variables.
-    
-    If your plugin was written before 2.4 and depends on user-supplied environment variables, then you will need to update
-    your plugin's behavior to work with 2.4. If you use a third-party plugin, make sure they explicitly advertise support
-    for 2.4.
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+spec:
+  source:
+    plugin:
+      env:
+        - name: FOO
+          value: bar
+        - name: REV
+          value: test-$ARGOCD_APP_REVISION
+```

-4. (Starting in v2.6) Parameters in the Application spec:
+!!! note
+    The `discover.command` command only has access to the above environment starting with v2.4.

-        apiVersion: argoproj.io/v1alpha1
-        kind: Application
-        spec:
-         source:
-           plugin:
-             parameters:
-               - name: values-files
-                 array: [values-dev.yaml]
-               - name: helm-parameters
-                 map:
-                   image.tag: v1.2.3
+Before reaching the `init.command`, `generate.command`, and `discover.command` commands, Argo CD prefixes all 
+user-supplied environment variables (#3 above) with `ARGOCD_ENV_`. This prevents users from directly setting 
+potentially-sensitive environment variables.
+
+If your plugin was written before 2.4 and depends on user-supplied environment variables, then you will need to update
+your plugin's behavior to work with 2.4. If you use a third-party plugin, make sure they explicitly advertise support
+for 2.4.
+
+4. (Starting in v2.4) Parameters in the Application spec:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+spec:
+ source:
+   plugin:
+     parameters:
+       - name: values-files
+         array: [values-dev.yaml]
+       - name: helm-parameters
+         map:
+           image.tag: v1.2.3
+```
+
+The parameters are available as JSON in the `ARGOCD_APP_PARAMETERS` environment variable. The example above would
+produce this JSON:
+
+```json
+[{"name": "values-files", "array": ["values-dev.yaml"]}, {"name": "helm-parameters", "map": {"image.tag": "v1.2.3"}}]
+```
+
+!!! note
+    Parameter announcements, even if they specify defaults, are _not_ sent to the plugin in `ARGOCD_APP_PARAMETERS`.
+    Only parameters explicitly set in the Application spec are sent to the plugin. It is up to the plugin to apply
+    the same defaults as the ones announced to the UI.
+
+The same parameters are also available as individual environment variables. The names of the environment variables
+follows this convention:
+
+```yaml
+   - name: some-string-param
+     string: some-string-value
+   # PARAM_SOME_STRING_PARAM=some-string-value
   
-    The parameters are available as JSON in the `ARGOCD_APP_PARAMETERS` environment variable. The example above would
-    produce this JSON:
+   - name: some-array-param
+     value: [item1, item2]
+   # PARAM_SOME_ARRAY_PARAM_0=item1
+   # PARAM_SOME_ARRAY_PARAM_1=item2
   
-        [{"name": "values-files", "array": ["values-dev.yaml"]}, {"name": "helm-parameters", "map": {"image.tag": "v1.2.3"}}]
-   
-    !!! note
-        Parameter announcements, even if they specify defaults, are _not_ sent to the plugin in `ARGOCD_APP_PARAMETERS`.
-        Only parameters explicitly set in the Application spec are sent to the plugin. It is up to the plugin to apply
-        the same defaults as the ones announced to the UI.
-   
-    The same parameters are also available as individual environment variables. The names of the environment variables
-    follows this convention:
-   
-           - name: some-string-param
-             string: some-string-value
-           # PARAM_SOME_STRING_PARAM=some-string-value
-           
-           - name: some-array-param
-             value: [item1, item2]
-           # PARAM_SOME_ARRAY_PARAM_0=item1
-           # PARAM_SOME_ARRAY_PARAM_1=item2
-           
-           - name: some-map-param
-             map:
-               image.tag: v1.2.3
-           # PARAM_SOME_MAP_PARAM_IMAGE_TAG=v1.2.3
-   
-!!! warning "Sanitize/escape user input" 
-    As part of Argo CD's manifest generation system, config management plugins are treated with a level of trust. Be
+   - name: some-map-param
+     map:
+       image.tag: v1.2.3
+   # PARAM_SOME_MAP_PARAM_IMAGE_TAG=v1.2.3
+```
+
+!!! warning 
+    Sanitize/escape user input. As part of Argo CD's manifest generation system, config management plugins are treated with a level of trust. Be
    sure to escape user input in your plugin to prevent malicious input from causing unwanted behavior.

+
 ## Using a config management plugin with an Application

 If your CMP is defined in the `argocd-cm` ConfigMap, you can create a new Application using the CLI. Replace 
@@ -409,7 +414,7 @@ a future release.

 The following will show how to convert an argocd-cm plugin to a sidecar plugin.

-### Convert the ConfigMap entry into a config file
+### 1. Convert the ConfigMap entry into a config file

 First, copy the plugin's configuration into its own YAML file. Take for example the following ConfigMap entry:

@@ -420,7 +425,7 @@ data:
      init:                          # Optional command to initialize application source directory
        command: ["sample command"]
        args: ["sample args"]
-      generate:                      # Command to generate Kubernetes Objects in either YAML or JSON
+      generate:                      # Command to generate manifests YAML
        command: ["sample command"]
        args: ["sample args"]
      lockRepo: true                 # Defaults to false. See below.
@@ -437,7 +442,7 @@ spec:
  init:                          # Optional command to initialize application source directory
    command: ["sample command"]
    args: ["sample args"]
-  generate:                      # Command to generate Kubernetes Objects in either YAML or JSON
+  generate:                      # Command to generate manifests YAML
    command: ["sample command"]
    args: ["sample args"]
 ```
@@ -446,17 +451,18 @@ spec:
    The `lockRepo` key is not relevant for sidecar plugins, because sidecar plugins do not share a single source repo
    directory when generating manifests.

-### Write discovery rules for your plugin
+### 2. Write discovery rules for your plugin

 Sidecar plugins can use either discovery rules or a plugin name to match Applications to plugins. If the discovery rule is omitted 
 then you have to explicitly specify the plugin by name in the app spec or else that particular plugin will not match any app.

-If you want to use discovery instead of the plugin name to match applications to your plugin, write rules applicable to 
-your plugin [using the instructions above](#1-write-the-plugin-configuration-file) and add them to your configuration 
-file.
+Write rules applicable to your plugin [using the instructions above](#1-write-the-plugin-configuration-file) and add
+them to your configuration file.

-To use the name instead of discovery, update the name in your application manifest to `<metadata.name>-<spec.version>` 
-if version was mentioned in the `ConfigManagementPlugin` spec or else just use `<metadata.name>`. For example:
+!!! note
+    After installing your sidecar plugin, you may remove the `name` field from the plugin config in your
+    Application specs for auto-discovery or update the name to `<metadata.name>-<spec.version>`
+    if version was mentioned in the `ConfigManagementPlugin` spec or else just use `<metadata.name>`. For example:

 ```yaml
 apiVersion: argoproj.io/v1alpha1
@@ -469,7 +475,7 @@ spec:
      name: pluginName  # Delete this for auto-discovery (and set `plugin: {}` if `name` was the only value) or use proper sidecar plugin name
 ```

-### Make sure the plugin has access to the tools it needs
+### 3. Make sure the plugin has access to the tools it needs

 Plugins configured with argocd-cm ran on the Argo CD image. This gave it access to all the tools installed on that
 image by default (see the [Dockerfile](https://github.com/argoproj/argo-cd/blob/master/Dockerfile) for base image and
@@ -478,7 +484,7 @@ installed tools).
 You can either use a stock image (like busybox) or design your own base image with the tools your plugin needs. For
 security, avoid using image with more binaries installed than what your plugin actually needs.

-### Test the plugin
+### 4. Test the plugin

 After installing the plugin as a sidecar [according to the directions above](#installing-a-config-management-plugin),
 test it out on a few Applications before migrating all of them to the sidecar plugin.
--- a/docs/operator-manual/custom_tools.md
+++ b/docs/operator-manual/custom_tools.md
@@ -69,5 +69,5 @@ RUN apt-get update && \
    chmod +x /usr/local/bin/sops

 # Switch back to non-root user
-USER 999
+USER $ARGOCD_USER_ID
 ```
--- a/docs/operator-manual/declarative-setup.md
+++ b/docs/operator-manual/declarative-setup.md
@@ -77,7 +77,7 @@ spec:
 ```

 !!! warning
-    Without the `resources-finalizer.argocd.argoproj.io` finalizer, deleting an application will not delete the resources it manages. To perform a cascading delete, you must add the finalizer. See [App Deletion](../user-guide/app_deletion.md#about-the-deletion-finalizer).
+    By default, deleting an application will not perform a cascade delete, which would delete its resources. You must add the finalizer if you want this behaviour - which you may well not want.

 ```yaml
 metadata:
@@ -416,25 +416,9 @@ data:

 ### SSH known host public keys

-If you are configuring repositories to use SSH, Argo CD will need to know their SSH public keys. In order for Argo CD to connect via SSH the public key(s) for each repository server must be pre-configured in Argo CD (unlike TLS configuration), otherwise the connections to the repository will fail.
+If you are connecting repositories via SSH, Argo CD will need to know the SSH known hosts public key of the repository servers. You can manage the SSH known hosts data in the ConfigMap named `argocd-ssh-known-hosts-cm`. This ConfigMap contains a single key/value pair, with `ssh_known_hosts` as the key and the actual public keys of the SSH servers as data. As opposed to TLS configuration, the public key(s) of each single repository server Argo CD will connect via SSH must be configured, otherwise the connections to the repository will fail. There is no fallback. The data can be copied from any existing `ssh_known_hosts` file, or from the output of the `ssh-keyscan` utility. The basic format is `<servername> <keydata>`, one entry per line.

-You can manage the SSH known hosts data in the `argocd-ssh-known-hosts-cm` ConfigMap. This ConfigMap contains a single entry, `ssh_known_hosts`, with the public keys of the SSH servers as its value. The value can be filled in from any existing `ssh_known_hosts` file, or from the output of the `ssh-keyscan` utility (which is part of OpenSSH's client package). The basic format is `<server_name> <keytype> <base64-encoded_key>`, one entry per line.
-
-Here is an example of running `ssh-keyscan`:
-```bash
-$ for host in bitbucket.org github.com gitlab.com ssh.dev.azure.com vs-ssh.visualstudio.com ; do ssh-keyscan $host 2> /dev/null ; done
-bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
-github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
-github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
-github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
-gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
-gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
-gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
-ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
-vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
-```
-
-Here is an example `ConfigMap` object using the output from `ssh-keyscan` above:
+An example ConfigMap object:

 ```yaml
 apiVersion: v1
--- a/docs/operator-manual/deep_links.md
+++ b/docs/operator-manual/deep_links.md
@@ -19,7 +19,7 @@ The configuration for Deep Links is present in `argocd-cm` as `<location>.links`
 Each link in the list has five subfields :
 1. `title` : title/tag that will be displayed in the UI corresponding to that link
 2. `url` : the actual URL where the deep link will redirect to, this field can be templated to use data from the
-   corresponding application, project or resource objects (depending on where it is located). This uses [text/template](pkg.go.dev/text/template) pkg for templating
+   corresponing application, project or resource objects (depending on where it is located). This uses [text/template](pkg.go.dev/text/template) pkg for templating
 3. `description` (optional) : a description for what the deep link is about
 4. `icon.class` (optional) : a font-awesome icon class to be used when displaying the links in dropdown menus
 5. `if` (optional) : a conditional statement that results in either `true` or `false`, it also has access to the same
@@ -60,4 +60,4 @@ An example `argocd-cm.yaml` file with deep links and their variations :
    - url: https://mycompany.splunk.com?search={{.metadata.namespace}}
      title: Splunk
      if: kind == "Pod" || kind == "Deployment"
-```
+```
--- a/docs/operator-manual/disaster_recovery.md
+++ b/docs/operator-manual/disaster_recovery.md
@@ -15,13 +15,13 @@ export VERSION=v1.0.1
 Export to a backup:

 ```bash
-docker run -v ~/.kube:/home/argocd/.kube --rm quay.io/argoproj/argocd:$VERSION argocd admin export > backup.yaml
+docker run -v ~/.kube:/home/argocd/.kube --rm argoproj/argocd:$VERSION argocd admin export > backup.yaml
 ```

 Import from a backup:

 ```bash
-docker run -i -v ~/.kube:/home/argocd/.kube --rm quay.io/argoproj/argocd:$VERSION argocd admin import - < backup.yaml
+docker run -i -v ~/.kube:/home/argocd/.kube --rm argoproj/argocd:$VERSION argocd admin import - < backup.yaml
 ```

 !!! note
--- a/docs/operator-manual/health.md
+++ b/docs/operator-manual/health.md
@@ -5,7 +5,7 @@ Argo CD provides built-in health assessment for several standard Kubernetes type
 surfaced to the overall Application health status as a whole. The following checks are made for
 specific types of kubernetes resources:

-### Deployment, ReplicaSet, StatefulSet, DaemonSet
+### Deployment, ReplicaSet, StatefulSet DaemonSet
 * Observed generation is equal to desired generation.
 * Number of **updated** replicas equals the number of desired replicas.

@@ -114,13 +114,12 @@ In order to prevent duplication of the custom health check for potentially multi

 ```yaml
  resource.customizations: |
-    "*.aws.crossplane.io/*":
+    *.aws.crossplane.io/*:
      health.lua: | 
        ...
 ```

-!!!important
-    Please note the required quotes in the resource customization health section, if the wildcard starts with `*`.
+

 The `obj` is a global variable which contains the resource. The script must return an object with status and optional message field.
 The custom health check might return one of the following health statuses:
--- a/docs/operator-manual/high_availability.md
+++ b/docs/operator-manual/high_availability.md
@@ -1,8 +1,10 @@
 # High Availability

-Argo CD is largely stateless. All data is persisted as Kubernetes objects, which in turn is stored in Kubernetes' etcd. Redis is only used as a throw-away cache and can be lost. When lost, it will be rebuilt without loss of service.
+Argo CD is largely stateless, all data is persisted as Kubernetes objects, which in turn is stored in Kubernetes' etcd. Redis is only used as a throw-away cache and can be lost. When lost, it will be rebuilt without loss of service.

-A set of [HA manifests](https://github.com/argoproj/argo-cd/tree/master/manifests/ha) are provided for users who wish to run Argo CD in a highly available manner. This runs more containers, and runs Redis in HA mode.
+A set of HA manifests are provided for users who wish to run Argo CD in a highly available manner. This runs more containers, and runs Redis in HA mode.
+
+[Manifests ⧉](https://github.com/argoproj/argo-cd/tree/master/manifests) 

 > **NOTE:** The HA installation will require at least three different nodes due to pod anti-affinity roles in the
 > specs. Additionally, IPv6 only clusters are not supported.
@@ -15,57 +17,53 @@ A set of [HA manifests](https://github.com/argoproj/argo-cd/tree/master/manifest

 The `argocd-repo-server` is responsible for cloning Git repository, keeping it up to date and generating manifests using the appropriate tool.

-* `argocd-repo-server` fork/exec config management tool to generate manifests. The fork can fail due to lack of memory or limit on the number of OS threads.
-The `--parallelismlimit` flag controls how many manifests generations are running concurrently and helps avoid OOM kills.
+* `argocd-repo-server` fork/exec config management tool to generate manifests. The fork can fail due to lack of memory and limit on the number of OS threads.
+The `--parallelismlimit` flag controls how many manifests generations are running concurrently and allows avoiding OOM kills.

 * the `argocd-repo-server` ensures that repository is in the clean state during the manifest generation using config management tools such as Kustomize, Helm
-or custom plugin. As a result Git repositories with multiple applications might affect repository server performance.
+or custom plugin. As a result Git repositories with multiple applications might be affect repository server performance.
 Read [Monorepo Scaling Considerations](#monorepo-scaling-considerations) for more information.

-* `argocd-repo-server` clones repository into `/tmp` ( of path specified in `TMPDIR` env variable ). Pod might run out of disk space if have too many repository
-or repositories has a lot of files. To avoid this problem mount persistent volume.
+* `argocd-repo-server` clones the repository into `/tmp` (or the path specified in the `TMPDIR` env variable). The Pod might run out of disk space if it has too many repositories
+or if the repositories have a lot of files. To avoid this problem mount a persistent volume.

-* `argocd-repo-server` `git ls-remote` to resolve ambiguous revision such as `HEAD`, branch or tag name. This operation is happening pretty frequently
-and might fail. To avoid failed syncs use `ARGOCD_GIT_ATTEMPTS_COUNT` environment variable to retry failed requests.
+* `argocd-repo-server` uses `git ls-remote` to resolve ambiguous revisions such as `HEAD`, a branch or a tag name. This operation happens frequently
+and might fail. To avoid failed syncs use the `ARGOCD_GIT_ATTEMPTS_COUNT` environment variable to retry failed requests.

-* `argocd-repo-server` Every 3m (by default) Argo CD checks for changes to the app manifests. Argo CD assumes by default that manifests only change when the repo changes, so it caches the generated manifests (for 24h by default). With Kustomize remote bases, or Helm patch releases, the manifests can change even though the repo has not changed. By reducing the cache time, you can get the changes without waiting for 24h. Use `--repo-cache-expiration duration`, and we'd suggest in low volume environments you try '1h'. Bear in mind that this will negate the benefits of caching if set too low. 
+* `argocd-repo-server` Every 3m (by default) Argo CD checks for changes to the app manifests. Argo CD assumes by default that manifests only change when the repo changes, so it caches generated manifests (for 24h by default). With Kustomize remote bases, or Helm patch releases, the manifests can change even though the repo has not changed. By reducing the cache time, you can get the changes without waiting for 24h. Use `--repo-cache-expiration duration`, and we'd suggest in low volume environments you try '1h'. Bear in mind this will negate the benefit of caching if set too low. 

-* `argocd-repo-server` fork exec config management tools such as `helm` or `kustomize` and enforces 90 seconds timeout. The timeout can be increased using `ARGOCD_EXEC_TIMEOUT` env variable. The value should be in Go time duration string format, for example, `2m30s`.
+* `argocd-repo-server` executes config management tools such as `helm` or `kustomize` and enforces a 90 second timeout. This timeout can be changed by using the `ARGOCD_EXEC_TIMEOUT` env variable. The value should be in the Go time duration string format, for example, `2m30s`.

 **metrics:**

-* `argocd_git_request_total` - Number of git requests. The metric provides two tags: `repo` - Git repo URL; `request_type` - `ls-remote` or `fetch`.
+* `argocd_git_request_total` - Number of git requests. This metric provides two tags: `repo` - Git repo URL; `request_type` - `ls-remote` or `fetch`.

-* `ARGOCD_ENABLE_GRPC_TIME_HISTOGRAM` - environment variable that enables collecting RPC performance metrics. Enable it if you need to troubleshoot performance issue. Note: metric is expensive to both query and store!
+* `ARGOCD_ENABLE_GRPC_TIME_HISTOGRAM` - Is an environment variable that enables collecting RPC performance metrics. Enable it if you need to troubleshoot performance issues. Note: This metric is expensive to both query and store!

 ### argocd-application-controller

 **settings:**

-The `argocd-application-controller` uses `argocd-repo-server` to get generated manifests and Kubernetes API server to get actual cluster state.
+The `argocd-application-controller` uses `argocd-repo-server` to get generated manifests and Kubernetes API server to get the actual cluster state.

-* each controller replica uses two separate queues to process application reconciliation (milliseconds) and app syncing (seconds). Number of queue processors for each queue is controlled by
-`--status-processors` (20 by default) and `--operation-processors` (10 by default) flags. Increase number of processors if your Argo CD instance manages too many applications.
+* each controller replica uses two separate queues to process application reconciliation (milliseconds) and app syncing (seconds). The number of queue processors for each queue is controlled by
+`--status-processors` (20 by default) and `--operation-processors` (10 by default) flags. Increase the number of processors if your Argo CD instance manages too many applications.
 For 1000 application we use 50 for `--status-processors` and 25 for `--operation-processors`

-* The manifest generation typically takes the most time during reconciliation. The duration of manifest generation is limited to make sure controller refresh queue does not overflow.
-The app reconciliation fails with `Context deadline exceeded` error if manifest generating taking too much time. As workaround increase value of `--repo-server-timeout-seconds` and
-consider scaling up `argocd-repo-server` deployment.
+* The manifest generation typically takes the most time during reconciliation. The duration of manifest generation is limited to make sure the controller refresh queue does not overflow.
+The app reconciliation fails with `Context deadline exceeded` error if the manifest generation is taking too much time. As a workaround increase the value of `--repo-server-timeout-seconds` and
+consider scaling up the `argocd-repo-server` deployment.

-* The controller uses `kubectl` fork/exec to push changes into the cluster and to convert resource from preferred version into user specified version
-(e.g. Deployment `apps/v1` into `extensions/v1beta1`). Same as config management tool `kubectl` fork/exec might cause pod OOM kill. Use `--kubectl-parallelism-limit` flag to limit
-number of allowed concurrent kubectl fork/execs.
+* The controller uses Kubernetes watch APIs to maintain a lightweight Kubernetes cluster cache. This allows avoiding querying Kubernetes during app reconciliation and significantly improves
+performance. For performance reasons the controller monitors and caches only the preferred versions of a resource. During reconciliation, the controller might have to convert cached resources from the
+preferred version into a version of the resource stored in Git. If `kubectl convert` fails because the conversion is not supported then the controller falls back to Kubernetes API query which slows down
+reconciliation. In this case, we advise to use the preferred resource version in Git.

-* The controller uses Kubernetes watch APIs to maintain lightweight Kubernetes cluster cache. This allows to avoid querying Kubernetes during app reconciliation and significantly improve
-performance. For performance reasons controller monitors and caches only preferred the version of a resource. During reconciliation, the controller might have to convert cached resource from
-preferred version into a version of the resource stored in Git. If `kubectl convert` fails because conversion is not supported then controller falls back to Kubernetes API query which slows down
-reconciliation. In this case, we advise you to use the preferred resource version in Git.
-
-* The controller polls Git every 3m by default. You can increase this duration using `timeout.reconciliation` setting in the `argocd-cm` ConfigMap. The value of `timeout.reconciliation` is a duration string e.g `60s`, `1m`, `1h` or `1d`.
+* The controller polls Git every 3m by default. You can change this duration using the `timeout.reconciliation` setting in the `argocd-cm` ConfigMap. The value of `timeout.reconciliation` is a duration string e.g `60s`, `1m`, `1h` or `1d`.

 * If the controller is managing too many clusters and uses too much memory then you can shard clusters across multiple
 controller replicas. To enable sharding increase the number of replicas in `argocd-application-controller` `StatefulSet`
-and repeat number of replicas in `ARGOCD_CONTROLLER_REPLICAS` environment variable. The strategic merge patch below
+and repeat the number of replicas in the `ARGOCD_CONTROLLER_REPLICAS` environment variable. The strategic merge patch below
 demonstrates changes required to configure two controller replicas.

 ```yaml
@@ -84,22 +82,22 @@ spec:
          value: "2"
 ```

-* `ARGOCD_ENABLE_GRPC_TIME_HISTOGRAM` - environment variable that enables collecting RPC performance metrics. Enable it if you need to troubleshoot performance issue. Note: metric is expensive to both query and store!
+* `ARGOCD_ENABLE_GRPC_TIME_HISTOGRAM` - environment variable that enables collecting RPC performance metrics. Enable it if you need to troubleshoot performance issues. Note: This metric is expensive to both query and store!

 **metrics**

-* `argocd_app_reconcile` - reports application reconciliation duration. Can be used to build reconciliation duration heat map to get high-level reconciliation performance picture.
+* `argocd_app_reconcile` - reports application reconciliation duration. Can be used to build reconciliation duration heat map to get a high-level reconciliation performance picture.
 * `argocd_app_k8s_request_total` - number of k8s requests per application. The number of fallback Kubernetes API queries - useful to identify which application has a resource with
 non-preferred version and causes performance issues.

 ### argocd-server

-The `argocd-server` is stateless and probably least likely to cause issues. You might consider increasing number of replicas to 3 or more to ensure there is no downtime during upgrades.
+The `argocd-server` is stateless and probably least likely to cause issues. You might consider increasing the number of replicas to 3 or more to ensure there is no downtime during upgrades.

 **settings:**

 * The `ARGOCD_GRPC_MAX_SIZE_MB` environment variable allows specifying the max size of the server response message in megabytes.
-The default value is 200. You might need to increase for an Argo CD instance that manages 3000+ applications.    
+The default value is 200. You might need to increase this for an Argo CD instance that manages 3000+ applications.    

 ### argocd-dex-server, argocd-redis

@@ -107,17 +105,17 @@ The `argocd-dex-server` uses an in-memory database, and two or more instances wo

 ## Monorepo Scaling Considerations

-Argo CD repo server maintains one repository clone locally and use it for application manifest generation. If the manifest generation requires to change a file in the local repository clone then only one concurrent manifest generation per server instance is allowed. This limitation might significantly slowdown Argo CD if you have a mono repository with multiple applications (50+).
+Argo CD repo server maintains one repository clone locally and uses it for application manifest generation. If the manifest generation requires to change a file in the local repository clone then only one concurrent manifest generation per server instance is allowed. This limitation might significantly slowdown Argo CD if you have a mono repository with multiple applications (50+).

 ### Enable Concurrent Processing

-Argo CD determines if manifest generation might change local files in the local repository clone based on config management tool and application settings.
-If the manifest generation has no side effects then requests are processed in parallel without the performance penalty. Following are known cases that might cause slowness and workarounds:
+Argo CD determines if manifest generation might change local files in the local repository clone based on the config management tool and application settings.
+If the manifest generation has no side effects then requests are processed in parallel without a performance penalty. The following are known cases that might cause slowness and their workarounds:

-  * **Multiple Helm based applications pointing to the same directory in one Git repository:** ensure that your Helm chart don't have conditional
-[dependencies](https://helm.sh/docs/chart_best_practices/dependencies/#conditions-and-tags) and create `.argocd-allow-concurrency` file in chart directory.
+  * **Multiple Helm based applications pointing to the same directory in one Git repository:** ensure that your Helm chart doesn't have conditional
+[dependencies](https://helm.sh/docs/chart_best_practices/dependencies/#conditions-and-tags) and create `.argocd-allow-concurrency` file in the chart directory.

-  * **Multiple Custom plugin based applications:** avoid creating temporal files during manifest generation and create `.argocd-allow-concurrency` file in app directory, or use the sidecar plugin option, which processes each application using a temporary copy of the repository.
+  * **Multiple Custom plugin based applications:** avoid creating temporal files during manifest generation and create `.argocd-allow-concurrency` file in the app directory, or use the sidecar plugin option, which processes each application using a temporary copy of the repository.

  * **Multiple Kustomize applications in same repository with [parameter overrides](../user-guide/parameters.md):** sorry, no workaround for now.

@@ -186,4 +184,4 @@ spec:
    targetRevision: HEAD
    path: my-application
 # ...
-```
+```
--- a/docs/operator-manual/ingress.md
+++ b/docs/operator-manual/ingress.md
@@ -538,15 +538,15 @@ spec:
    - secretName: secret-yourdomain-com
  rules:
    - host: argocd.yourdomain.com
-      http:
-        paths:
-        - pathType: ImplementationSpecific
-          path: "/*"   # "*" is needed. Without this, the UI Javascript and CSS will not load properly
-          backend:
-            service:
-              name: argocd-server
-              port:
-                number: 80
+    http:
+      paths:
+      - pathType: ImplementationSpecific
+        path: "/*"   # "*" is needed. Without this, the UI Javascript and CSS will not load properly
+        backend:
+          service:
+            name: argocd-server
+            port:
+              number: 80
 ```

 If you use the version `1.21.3-gke.1600` or later, you should use the following Ingress resource:
@@ -563,15 +563,15 @@ spec:
    - secretName: secret-yourdomain-com
  rules:
    - host: argocd.yourdomain.com
-      http:
-        paths:
-        - pathType: Prefix
-          path: "/"
-          backend:
-            service:
-              name: argocd-server
-              port:
-                number: 80
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: argocd-server
+            port:
+              number: 80
 ```

 As you may know already, it can take some minutes to deploy the load balancer and become ready to accept connections. Once it's ready, get the public IP address for your Load Balancer, go to your DNS server (Google or third party) and point your domain or subdomain (i.e. argocd.yourdomain.com) to that IP address.
--- a/docs/operator-manual/installation.md
+++ b/docs/operator-manual/installation.md
@@ -74,7 +74,7 @@ kind: Kustomization

 namespace: argocd
 resources:
- github.com/argoproj/argo-cd/manifests/ha/base?ref=v2.6.2
+- https://raw.githubusercontent.com/argoproj/argo-cd/v2.0.4/manifests/ha/install.yaml
 ```

 ## Helm
--- a/docs/operator-manual/rbac.md
+++ b/docs/operator-manual/rbac.md
@@ -64,7 +64,7 @@ See [Web-based Terminal](web_based_terminal.md) for more info.

 #### The `applicationsets` resource

-[ApplicationSets](applicationset/index.md) provide a declarative way to automatically create/update/delete Applications.
+[ApplicationSets](applicationset) provide a declarative way to automatically create/update/delete Applications.

 Granting `applicationsets, create` effectively grants the ability to create Applications. While it doesn't allow the 
 user to create Applications directly, they can create Applications via an ApplicationSet.
--- a/docs/operator-manual/ui-customization.md
+++ b/docs/operator-manual/ui-customization.md
@@ -0,0 +1,9 @@
+# UI Customization
+
+## Default Application Details View
+
+By default, the Application Details will show the `Tree` view.
+
+This can be configured on an Application basis, by setting the `pref.argocd.argoproj.io/default-view` annotation, accepting one of: `tree`, `pods`, `network`, `list` as values.
+
+For the Pods view, the default grouping mechanism can be configured using the `pref.argocd.argoproj.io/default-pod-sort` annotation, accepting one of: `node`, `parentResource`, `topLevelResource` as values.
--- a/docs/operator-manual/upgrading/2.3-2.4.md
+++ b/docs/operator-manual/upgrading/2.3-2.4.md
@@ -1,26 +1,5 @@
 # v2.3 to 2.4

-## Known Issues
-
-### Broken `project` filter before 2.4.27
-
-Argo CD 2.4.0 introduced a breaking API change, renaming the `project` filter to `projects`.
-
-#### Impact to API clients
-
-A similar issue applies to other API clients which communicate with the Argo CD API server via its REST API. If the
-client uses the `project` field to filter projects, the filter will not be applied. **The failing project filter could 
-have detrimental consequences if, for example, you rely on it to list Applications to be deleted.**
-
-#### Impact to CLI clients
-
-CLI clients older that v2.4.0 rely on client-side filtering and are not impacted by this bug.
-
-#### How to fix the problem
-
-Upgrade to Argo CD >=2.4.27, >=2.5.15, or >=2.6.6. This version of Argo CD will accept both `project` and `projects` as
-valid filters.
-
 ## KSonnet support is removed

 Ksonnet was deprecated in [2019](https://github.com/ksonnet/ksonnet/pull/914/files) and is no longer maintained.
--- a/docs/operator-manual/upgrading/2.4-2.5.md
+++ b/docs/operator-manual/upgrading/2.4-2.5.md
@@ -1,57 +1,5 @@
 # v2.4 to 2.5

-## Known Issues
-
-### Broken `project` filter before 2.5.15
-
-Argo CD 2.4.0 introduced a breaking API change, renaming the `project` filter to `projects`.
-
-#### Impact to API clients
-
-A similar issue applies to other API clients which communicate with the Argo CD API server via its REST API. If the
-client uses the `project` field to filter projects, the filter will not be applied. **The failing project filter could
-have detrimental consequences if, for example, you rely on it to list Applications to be deleted.**
-
-#### Impact to CLI clients
-
-CLI clients older that v2.4.0 rely on client-side filtering and are not impacted by this bug.
-
-#### How to fix the problem
-
-Upgrade to Argo CD >=2.4.27, >=2.5.15, or >=2.6.6. This version of Argo CD will accept both `project` and `projects` as
-valid filters.
-
-### Broken matrix-nested git files generator in 2.5.14
-
-Argo CD 2.5.14 introduced a bug in the matrix-nested git files generator. The bug only applies when the git files
-generator is the second generator nested under a matrix. For example:
-
-```yaml
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: guestbook
-spec:
-  generators:
-  - matrix:
-      generators:
-        - clusters: {}
-        - git:
-            repoURL: https://git.example.com/org/repo.git
-            revision: HEAD
-            files:
-              - path: "defaults/*.yaml"
-  template:
-    # ...
-```
-
-The nested git files generator will produce no parameters, causing the matrix generator to also produce no parameters.
-This will cause the ApplicationSet to produce no Applications. If the ApplicationSet controller is
-[configured with the ability to delete applications](https://argo-cd.readthedocs.io/en/latest/operator-manual/applicationset/Controlling-Resource-Modification/),
-it will delete all Applications which were previously created by the ApplicationSet.
-
-To avoid this issue, upgrade directly to >=2.5.15 or >= 2.6.6.
-
 ## Configure RBAC to account for new `applicationsets` resource

 2.5 introduces a new `applicationsets` [RBAC resource](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#rbac-resources-and-actions).
@@ -86,7 +34,7 @@ p, role:org-admin, exec,         create, *, allow
 ## argocd-cm plugins (CMPs) are deprecated

 Starting with Argo CD v2.5, installing config management plugins (CMPs) via the `argocd-cm` ConfigMap is deprecated.
-~~Support will be removed in v2.6.~~ Support will be removed in v2.7.
+Support will be removed in v2.6.

 You can continue to use the plugins by [installing them as sidecars](https://argo-cd.readthedocs.io/en/stable/user-guide/config-management-plugins/)
 on the repo-server Deployment.
@@ -99,8 +47,6 @@ following message:

 > argocd-cm plugins are deprecated, and support will be removed in v2.6. Upgrade your plugin to be installed via sidecar. https://argo-cd.readthedocs.io/en/stable/user-guide/config-management-plugins/

-**NOTE:** removal of argocd-cm plugin support was delayed to v2.7. Update your logs scan to use `v2.7` instead of `v2.6`.
-
 If you run `argocd app list` as admin, the list of Applications using deprecated plugins will be logged as a warning.

 ## Dex server TLS configuration
@@ -151,14 +97,14 @@ When using `argocd app diff --local`, code from the repo server is run on the us

 In order to support CMPs and reduce local requirements, we have implemented *server-side generation* of local manifests via the `--server-side-generate` argument. For example, `argocd app diff --local repoDir --server-side-generate` will upload the contents of `repoDir` to the repo server and run your manifest generation pipeline against it, the same as it would for a Git repo.

-In ~~v2.6~~ v2.7, the `--server-side-generate` argument will become the default, ~~and client-side generation will be removed~~ and client-side generation will be supported as an alternative.
+In v2.7, the `--server-side-generate` argument will become the default and client-side generation will be removed.

 !!! warning
    The semantics of *where* Argo will start generating manifests within a repo has changed between client-side and server-side generation. With client-side generation, the application's path (`spec.source.path`) was ignored and the value of `--local-repo-root` was effectively used (by default `/` relative to `--local`).
    
    For example, given an application that has an application path of `/manifests`, you would have had to run `argocd app diff --local yourRepo/manifests`. This behavior did not match the repo server's process of downloading the full repo/chart and then beginning generation in the path specified in the application manifest.

-    When switching to server-side generation, `--local` should point to the root of your repo *without* including your `spec.source.path`. This is especially important to keep in mind when `--server-side-generate` becomes the default in v2.7. Existing scripts utilizing `diff --local` may break in v2.7 if `spec.source.path` was not `/`.
+    When switching to server-side generation, `--local` should point to the root of your repo *without* including your `spec.source.path`. This is especially important to keep in mind when `--server-side-generate` becomes the default in v2.6. Existing scripts utilizing `diff --local` may break in v2.6 if `spec.source.path` was not `/`.
    
 ## Upgraded Kustomize Version

@@ -184,21 +130,3 @@ This note is just for clarity. No action is required.

 We [expected](../upgrading/2.3-2.4.md#enable-logs-rbac-enforcement) to enable logs RBAC enforcement by default in 2.5.
 We have decided not to do that in the 2.x series due to disruption for users of [Project Roles](../../user-guide/projects.md#project-roles).
-
-## `argocd app create` for old CLI versions fails with API version >=2.5.16
-
-Starting with Argo CD 2.5.16, the API returns `PermissionDenied` instead of `NotFound` for Application `GET` requests if
-the Application does not exist.
-
-The Argo CD CLI before versions starting with version 2.5.0-rc1 and before versions 2.5.16 and 2.6.7 does a `GET` 
-request before the `POST` request in `argocd app create`. The command does not gracefully handle the `PermissionDenied` 
-response and will therefore fail to create/update the Application.
-
-To solve the issue, upgrade the CLI to at least 2.5.16, or 2.6.7.
-
-CLIs older than 2.5.0-rc1 are unaffected.
-
-## Golang upgrade in 2.5.20
-
-In 2.5.20, we upgrade the Golang version used to build Argo CD from 1.18 to 1.19. If you use Argo CD as a library, you
-may need to upgrade your Go version.
--- a/docs/operator-manual/upgrading/2.5-2.6.md
+++ b/docs/operator-manual/upgrading/2.5-2.6.md
@@ -1,57 +1,5 @@
 # v2.5 to 2.6

-## Known Issues
-
-### Broken `project` filter before 2.6.6
-
-Argo CD 2.4.0 introduced a breaking API change, renaming the `project` filter to `projects`.
-
-#### Impact to API clients
-
-A similar issue applies to other API clients which communicate with the Argo CD API server via its REST API. If the
-client uses the `project` field to filter projects, the filter will not be applied. **The failing project filter could
-have detrimental consequences if, for example, you rely on it to list Applications to be deleted.**
-
-#### Impact to CLI clients
-
-CLI clients older that v2.4.0 rely on client-side filtering and are not impacted by this bug.
-
-#### How to fix the problem
-
-Upgrade to Argo CD >=2.4.27, >=2.5.15, or >=2.6.6. This version of Argo CD will accept both `project` and `projects` as
-valid filters.
-
-### Broken matrix-nested git files generator in 2.6.5
-
-Argo CD 2.6.5 introduced a bug in the matrix-nested git files generator. The bug only applies when the git files 
-generator is the second generator nested under a matrix. For example:
-
-```yaml
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: guestbook
-spec:
-  generators:
-  - matrix:
-      generators:
-        - clusters: {}
-        - git:
-            repoURL: https://git.example.com/org/repo.git
-            revision: HEAD
-            files:
-              - path: "defaults/*.yaml"
-  template:
-    # ...
-```
-
-The nested git files generator will produce no parameters, causing the matrix generator to also produce no parameters.
-This will cause the ApplicationSet to produce no Applications. If the ApplicationSet controller is 
-[configured with the ability to delete applications](https://argo-cd.readthedocs.io/en/latest/operator-manual/applicationset/Controlling-Resource-Modification/), 
-it will delete all Applications which were previously created by the ApplicationSet.
-
-To avoid this issue, upgrade directly to >=2.5.15 or >= 2.6.6.
-
 ## ApplicationSets: `^` behavior change in Sprig's semver functions
 Argo CD 2.5 introduced [Go templating in ApplicationSets](https://argo-cd.readthedocs.io/en/stable/operator-manual/applicationset/GoTemplate/). Go templates have access to the Sprig function library.

@@ -73,25 +21,3 @@ If you rely on an OIDC provider which does not provide a `aud` claim, you can di
 `skipAudienceCheckWhenTokenHasNoAudience` flag to `true` in your Argo CD OIDC configuration. (See the 
 [OIDC configuration documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#existing-oidc-provider)
 for an example.)
-
-## Removal of argocd-cm plugin support delayed until 2.7
-
-Support for argocd-cm plugins was previously scheduled for 2.6. At the time, sidecar plugins could not be specified by
-name. Argo CD v2.6 introduces support for specifying sidecar plugins by name. 
-
-Removal of argocd-cm plugin support has been delayed until 2.7 to provide a transition time for users who need to 
-specify plugins by name. 
-
-## `argocd app create` for old CLI versions fails with API version >=2.6.7
-
-Starting with Argo CD 2.6.7, the API returns `PermissionDenied` instead of `NotFound` for Application `GET` requests if
-the Application does not exist.
-
-The Argo CD CLI before versions starting with version 2.5.0-rc1 and before versions 2.5.16 and 2.6.7 does a `GET`
-request before the `POST` request in `argocd app create`. The command does not gracefully handle the `PermissionDenied`
-response and will therefore fail to create/update the Application.
-
-To solve the issue, upgrade the CLI to at least 2.5.16, or 2.6.7.
-
-CLIs older than 2.5.0-rc1 are unaffected.
-
--- a/docs/operator-manual/user-management/index.md
+++ b/docs/operator-manual/user-management/index.md
@@ -303,7 +303,7 @@ data:
    clientSecret: $oidc.okta.clientSecret
    
    # Optional list of allowed aud claims. If omitted or empty, defaults to the clientID value above (and the 
-    # cliClientID, if that is also specified). If you specify a list and want the clientID to be allowed, you must 
+    # cliCientID, if that is also specified). If you specify a list and want the clientID to be allowed, you must 
    # explicitly include it in the list.
    # Token verification will pass if any of the token's audiences matches any of the audiences in this list.
    allowedAudiences:
--- a/docs/operator-manual/user-management/keycloak.md
+++ b/docs/operator-manual/user-management/keycloak.md
@@ -94,9 +94,8 @@ data:
 ```

 Make sure that:
-
 - __issuer__ ends with the correct realm (in this example _master_)
- __issuer__ on Keycloak releases older than version 17 the URL must include /auth (in this example /auth/realms/master)
+- __issuer__ on Keycloak releases older than version 17 the URL must include /auth (in this expample /auth/realms/master)
 - __clientID__ is set to the Client ID you configured in Keycloak
 - __clientSecret__ points to the right key you created in the _argocd-secret_ Secret
 - __requestedScopes__ contains the _groups_ claim if you didn't add it to the Default scopes
--- a/docs/operator-manual/user-management/openunison.md
+++ b/docs/operator-manual/user-management/openunison.md
@@ -19,7 +19,7 @@ metadata:
 spec:
  accessTokenSkewMillis: 120000
  accessTokenTimeToLive: 1200000
-  authChainName: login-service
+  authChainName: LoginService
  clientId: argocd
  codeLastMileKeyName: lastmile-oidc
  codeTokenSkewMilis: 60000
--- a/docs/snyk/index.md
+++ b/docs/snyk/index.md
@@ -13,51 +13,64 @@ recent minor releases.

 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](master/argocd-test.html) | 0 | 0 | 1 | 0 |
-| [ui/yarn.lock](master/argocd-test.html) | 0 | 1 | 3 | 0 |
+| [go.mod](master/argocd-test.html) | 0 | 0 | 0 | 0 |
+| [ui/yarn.lock](master/argocd-test.html) | 0 | 0 | 0 | 0 |
 | [dex:v2.35.3](master/ghcr.io_dexidp_dex_v2.35.3.html) | 0 | 0 | 0 | 0 |
 | [haproxy:2.6.2-alpine](master/haproxy_2.6.2-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 2 | 13 |
-| [redis:7.0.5-alpine](master/redis_7.0.5-alpine.html) | 0 | 0 | 0 | 0 |
+| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 1 | 14 |
+| [redis:7.0.7-alpine](master/redis_7.0.7-alpine.html) | 0 | 0 | 0 | 0 |
 | [install.yaml](master/argocd-iac-install.html) | - | - | - | - |
 | [namespace-install.yaml](master/argocd-iac-namespace-install.html) | - | - | - | - |

-### v2.5.5
+### v2.6.0-rc7

 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v2.5.5/argocd-test.html) | 0 | 0 | 4 | 0 |
-| [ui/yarn.lock](v2.5.5/argocd-test.html) | 0 | 1 | 3 | 0 |
-| [dex:v2.35.3](v2.5.5/ghcr.io_dexidp_dex_v2.35.3.html) | 0 | 0 | 0 | 0 |
-| [haproxy:2.6.2-alpine](v2.5.5/haproxy_2.6.2-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd:v2.5.5](v2.5.5/quay.io_argoproj_argocd_v2.5.5.html) | 0 | 0 | 2 | 13 |
-| [redis:7.0.5-alpine](v2.5.5/redis_7.0.5-alpine.html) | 0 | 0 | 0 | 0 |
-| [install.yaml](v2.5.5/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v2.5.5/argocd-iac-namespace-install.html) | - | - | - | - |
+| [go.mod](v2.6.0-rc7/argocd-test.html) | 0 | 0 | 0 | 0 |
+| [ui/yarn.lock](v2.6.0-rc7/argocd-test.html) | 0 | 0 | 1 | 0 |
+| [dex:v2.35.3](v2.6.0-rc7/ghcr.io_dexidp_dex_v2.35.3.html) | 0 | 0 | 0 | 0 |
+| [haproxy:2.6.2-alpine](v2.6.0-rc7/haproxy_2.6.2-alpine.html) | 0 | 0 | 0 | 0 |
+| [argocd:v2.6.0-rc7](v2.6.0-rc7/quay.io_argoproj_argocd_v2.6.0-rc7.html) | 0 | 0 | 1 | 14 |
+| [redis:7.0.7-alpine](v2.6.0-rc7/redis_7.0.7-alpine.html) | 0 | 0 | 0 | 0 |
+| [install.yaml](v2.6.0-rc7/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v2.6.0-rc7/argocd-iac-namespace-install.html) | - | - | - | - |

-### v2.4.18
+### v2.5.10

 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v2.4.18/argocd-test.html) | 0 | 1 | 4 | 0 |
-| [ui/yarn.lock](v2.4.18/argocd-test.html) | 0 | 1 | 3 | 0 |
-| [dex:v2.35.3](v2.4.18/ghcr.io_dexidp_dex_v2.35.3.html) | 0 | 0 | 0 | 0 |
-| [haproxy:2.0.29-alpine](v2.4.18/haproxy_2.0.29-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd:v2.4.18](v2.4.18/quay.io_argoproj_argocd_v2.4.18.html) | 0 | 0 | 2 | 13 |
-| [redis:7.0.4-alpine](v2.4.18/redis_7.0.4-alpine.html) | 0 | 0 | 0 | 0 |
-| [install.yaml](v2.4.18/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v2.4.18/argocd-iac-namespace-install.html) | - | - | - | - |
+| [go.mod](v2.5.10/argocd-test.html) | 0 | 0 | 3 | 0 |
+| [ui/yarn.lock](v2.5.10/argocd-test.html) | 0 | 0 | 4 | 0 |
+| [dex:v2.35.3](v2.5.10/ghcr.io_dexidp_dex_v2.35.3.html) | 0 | 0 | 0 | 0 |
+| [haproxy:2.6.2-alpine](v2.5.10/haproxy_2.6.2-alpine.html) | 0 | 0 | 0 | 0 |
+| [argocd:v2.5.10](v2.5.10/quay.io_argoproj_argocd_v2.5.10.html) | 0 | 0 | 1 | 14 |
+| [redis:7.0.7-alpine](v2.5.10/redis_7.0.7-alpine.html) | 0 | 0 | 0 | 0 |
+| [install.yaml](v2.5.10/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v2.5.10/argocd-iac-namespace-install.html) | - | - | - | - |

-### v2.3.12
+### v2.4.22

 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v2.3.12/argocd-test.html) | 0 | 1 | 4 | 0 |
-| [ui/yarn.lock](v2.3.12/argocd-test.html) | 0 | 2 | 5 | 0 |
-| [dex:v2.35.3](v2.3.12/ghcr.io_dexidp_dex_v2.35.3.html) | 0 | 0 | 0 | 0 |
-| [haproxy:2.0.29-alpine](v2.3.12/haproxy_2.0.29-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd-applicationset:v0.4.1](v2.3.12/quay.io_argoproj_argocd-applicationset_v0.4.1.html) | 0 | 4 | 38 | 29 |
-| [argocd:v2.3.12](v2.3.12/quay.io_argoproj_argocd_v2.3.12.html) | 0 | 0 | 2 | 13 |
-| [redis:6.2.7-alpine](v2.3.12/redis_6.2.7-alpine.html) | 0 | 0 | 0 | 0 |
-| [install.yaml](v2.3.12/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v2.3.12/argocd-iac-namespace-install.html) | - | - | - | - |
+| [go.mod](v2.4.22/argocd-test.html) | 0 | 0 | 3 | 0 |
+| [ui/yarn.lock](v2.4.22/argocd-test.html) | 0 | 0 | 4 | 0 |
+| [dex:v2.35.3](v2.4.22/ghcr.io_dexidp_dex_v2.35.3.html) | 0 | 0 | 0 | 0 |
+| [haproxy:2.0.29-alpine](v2.4.22/haproxy_2.0.29-alpine.html) | 0 | 0 | 0 | 0 |
+| [argocd:v2.4.22](v2.4.22/quay.io_argoproj_argocd_v2.4.22.html) | 0 | 0 | 1 | 14 |
+| [redis:7.0.7-alpine](v2.4.22/redis_7.0.7-alpine.html) | 0 | 0 | 0 | 0 |
+| [install.yaml](v2.4.22/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v2.4.22/argocd-iac-namespace-install.html) | - | - | - | - |
+
+### v2.3.16
+
+|    | Critical | High | Medium | Low |
+|---:|:--------:|:----:|:------:|:---:|
+| [go.mod](v2.3.16/argocd-test.html) | 0 | 0 | 3 | 0 |
+| [ui/yarn.lock](v2.3.16/argocd-test.html) | 0 | 2 | 6 | 0 |
+| [dex:v2.35.3](v2.3.16/ghcr.io_dexidp_dex_v2.35.3.html) | 0 | 0 | 0 | 0 |
+| [haproxy:2.0.29-alpine](v2.3.16/haproxy_2.0.29-alpine.html) | 0 | 0 | 0 | 0 |
+| [argocd-applicationset:v0.4.1](v2.3.16/quay.io_argoproj_argocd-applicationset_v0.4.1.html) | 0 | 4 | 38 | 29 |
+| [argocd:v2.3.16](v2.3.16/quay.io_argoproj_argocd_v2.3.16.html) | 0 | 0 | 1 | 14 |
+| [redis:6.2.8-alpine](v2.3.16/redis_6.2.8-alpine.html) | 0 | 0 | 0 | 0 |
+| [install.yaml](v2.3.16/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v2.3.16/argocd-iac-namespace-install.html) | - | - | - | - |
--- a/docs/snyk/master/argocd-iac-install.html
+++ b/docs/snyk/master/argocd-iac-install.html
@@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">December 18th 2022, 12:16:18 am</p>
+                <p class="timestamp">February 5th 2023, 12:17:50 am</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
@@ -789,7 +789,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 16343
+                              Line number: 16349
                          </li>
                      </ul>
              
@@ -905,7 +905,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 15979
+                              Line number: 15985
                          </li>
                      </ul>
              
@@ -963,7 +963,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 15945
+                              Line number: 15951
                          </li>
                      </ul>
              
@@ -1021,7 +1021,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 16035
+                              Line number: 16041
                          </li>
                      </ul>
              
@@ -1079,7 +1079,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 16109
+                              Line number: 16115
                          </li>
                      </ul>
              
@@ -1137,7 +1137,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 16343
+                              Line number: 16349
                          </li>
                      </ul>
              
@@ -1195,7 +1195,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 16165
+                              Line number: 16171
                          </li>
                      </ul>
              
@@ -1253,7 +1253,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 16428
+                              Line number: 16434
                          </li>
                      </ul>
              
@@ -1311,7 +1311,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 16732
+                              Line number: 16738
                          </li>
                      </ul>
              
@@ -1363,7 +1363,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 15959
+                              Line number: 15965
                          </li>
                      </ul>
              
@@ -1419,7 +1419,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 16119
+                              Line number: 16125
                          </li>
                      </ul>
              
@@ -1523,7 +1523,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 15945
+                              Line number: 15951
                          </li>
                      </ul>
              
@@ -1575,7 +1575,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 15979
+                              Line number: 15985
                          </li>
                      </ul>
              
@@ -1627,7 +1627,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 16109
+                              Line number: 16115
                          </li>
                      </ul>
              
@@ -1679,7 +1679,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 16343
+                              Line number: 16349
                          </li>
                      </ul>
              
@@ -1795,7 +1795,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 15945
+                              Line number: 15951
                          </li>
                      </ul>
              
@@ -1853,7 +1853,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 15979
+                              Line number: 15985
                          </li>
                      </ul>
              
@@ -1911,7 +1911,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 16035
+                              Line number: 16041
                          </li>
                      </ul>
              
@@ -1969,7 +1969,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 16109
+                              Line number: 16115
                          </li>
                      </ul>
              
@@ -2027,7 +2027,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 16343
+                              Line number: 16349
                          </li>
                      </ul>
              
@@ -2085,7 +2085,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 16165
+                              Line number: 16171
                          </li>
                      </ul>
              
@@ -2143,7 +2143,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 16428
+                              Line number: 16434
                          </li>
                      </ul>
              
@@ -2201,7 +2201,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 16732
+                              Line number: 16738
                          </li>
                      </ul>
              
--- a/docs/snyk/master/argocd-iac-namespace-install.html
+++ b/docs/snyk/master/argocd-iac-namespace-install.html
@@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">December 18th 2022, 12:16:27 am</p>
+                <p class="timestamp">February 5th 2023, 12:17:58 am</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
@@ -789,7 +789,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1147
+                              Line number: 1153
                          </li>
                      </ul>
              
@@ -905,7 +905,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 783
+                              Line number: 789
                          </li>
                      </ul>
              
@@ -963,7 +963,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 749
+                              Line number: 755
                          </li>
                      </ul>
              
@@ -1021,7 +1021,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 839
+                              Line number: 845
                          </li>
                      </ul>
              
@@ -1079,7 +1079,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 913
+                              Line number: 919
                          </li>
                      </ul>
              
@@ -1137,7 +1137,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1147
+                              Line number: 1153
                          </li>
                      </ul>
              
@@ -1195,7 +1195,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 969
+                              Line number: 975
                          </li>
                      </ul>
              
@@ -1253,7 +1253,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1232
+                              Line number: 1238
                          </li>
                      </ul>
              
@@ -1311,7 +1311,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1536
+                              Line number: 1542
                          </li>
                      </ul>
              
@@ -1363,7 +1363,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 763
+                              Line number: 769
                          </li>
                      </ul>
              
@@ -1419,7 +1419,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 923
+                              Line number: 929
                          </li>
                      </ul>
              
@@ -1523,7 +1523,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 749
+                              Line number: 755
                          </li>
                      </ul>
              
@@ -1575,7 +1575,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 783
+                              Line number: 789
                          </li>
                      </ul>
              
@@ -1627,7 +1627,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 913
+                              Line number: 919
                          </li>
                      </ul>
              
@@ -1679,7 +1679,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1147
+                              Line number: 1153
                          </li>
                      </ul>
              
@@ -1795,7 +1795,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 749
+                              Line number: 755
                          </li>
                      </ul>
              
@@ -1853,7 +1853,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 783
+                              Line number: 789
                          </li>
                      </ul>
              
@@ -1911,7 +1911,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 839
+                              Line number: 845
                          </li>
                      </ul>
              
@@ -1969,7 +1969,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 913
+                              Line number: 919
                          </li>
                      </ul>
              
@@ -2027,7 +2027,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1147
+                              Line number: 1153
                          </li>
                      </ul>
              
@@ -2085,7 +2085,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 969
+                              Line number: 975
                          </li>
                      </ul>
              
@@ -2143,7 +2143,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1232
+                              Line number: 1238
                          </li>
                      </ul>
              
@@ -2201,7 +2201,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1536
+                              Line number: 1542
                          </li>
                      </ul>
              
--- a/docs/snyk/master/argocd-test.html
+++ b/docs/snyk/master/argocd-test.html
--- a/docs/snyk/master/ghcr.io_dexidp_dex_v2.35.3.html
+++ b/docs/snyk/master/ghcr.io_dexidp_dex_v2.35.3.html
@@ -7,7 +7,7 @@
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
-  <meta name="description" content="0 known vulnerabilities found in 0 vulnerable dependency paths.">
+  <meta name="description" content="3 known vulnerabilities found in 5 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
@@ -456,35 +456,258 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">December 18th 2022, 12:14:17 am</p>
+                <p class="timestamp">February 5th 2023, 12:15:59 am</p>
              </div>
              <div class="source-panel">
-                <span>Scanned the following path:</span>
+                <span>Scanned the following paths:</span>
                <ul>
-                  <li class="paths">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex (apk)</li>
+                  <li class="paths">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex (apk)</li><li class="paths">ghcr.io/dexidp/dex:v2.35.3/hairyhenderson/gomplate/v3 (gomodules)</li><li class="paths">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex (gomodules)</li><li class="paths">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex (gomodules)</li>
                </ul>
              </div>
    
              <div class="meta-counts">
-                <div class="meta-count"><span>0</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>0 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>14</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>3</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>5 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>756</span> <span>dependencies</span></div>
              </div><!-- .meta-counts -->
            </div><!-- .layout-container--short -->
          </header><!-- .project__header -->
        </div><!-- .layout-stacked__header -->
-      <section class="layout-container">
-          <table class="metatable">
-              <tbody>
-              <tr class="meta-row"><th class="meta-row-label">Project</th> <td class="meta-row-value">docker-image|ghcr.io/dexidp/dex</td></tr>
-              <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex</td></tr>
-              <tr class="meta-row"><th class="meta-row-label">Package Manager</th> <td class="meta-row-value">apk</td></tr>
-              
-              </tbody>
-          </table>
-      </section>
+
    <div class="layout-container" style="padding-top: 35px;">
-      No known vulnerabilities detected.
+      <div class="cards--vuln filter--patch filter--ignore">
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Improper Input Validation</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/text/language
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v3@* and golang.org/x/text/language@v0.3.7
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/text/language@v0.3.7
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Improper Input Validation due to the parser being, by design, exposed to untrusted user input, which can be leveraged to force a program to consume significant time parsing <code>Accept-Language</code> headers.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/text/language</code> to version 0.3.8 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/56152">GitHub Issue</a></li>
+        <li><a href="https://github.com/golang/text/releases/tag/v0.3.8">GitHub Release</a></li>
+        <li><a href="https://groups.google.com/g/golang-dev/c/qfPIly0X7aU">Google Groups Forum</a></li>
+        <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2134010">RedHat Bugzilla Bug</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Incorrect Privilege Assignment</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/sys/unix
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v3@* and golang.org/x/sys/unix@v0.0.0-20220728004956-3c1f35247d10
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/sys/unix@v0.0.0-20220728004956-3c1f35247d10
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/dexidp/dex@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/sys/unix@v0.0.0-20220728004956-3c1f35247d10
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Incorrect Privilege Assignment such that when called with a non-zero flags parameter, the <code>Faccessat</code> function can incorrectly report that a file is accessible.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/sys/unix</code> to version 0.1.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/sys/commit/33da011f77ade50ff5b6a6fb4a9a1e6d6b285809">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/sys/releases/tag/v0.1.0">GitHub Release</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXSYSUNIX-3310442">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Denial of Service (DoS)</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/net/http2
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v3@* and golang.org/x/net/http2@v0.0.0-20220909164309-bea034e7d591
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/net/http2@v0.0.0-20220909164309-bea034e7d591
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/dexidp/dex@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/net/http2@v0.0.0-20220927171203-f486391704dc
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme">golang.org/x/net/http2</a> is a work-in-progress HTTP/2 implementation for Go.</p>
+        <p>Affected versions of this package are vulnerable to Denial of Service (DoS) due to improper checks and limitations for the number of entries in the cache, which can allow an attacker to consume unbounded amounts of memory by sending a small number of very large keys.</p>
+        <h2 id="details">Details</h2>
+        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
+        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
+        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
+        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
+        <p>Two common types of DoS vulnerabilities:</p>
+        <ul>
+        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
+        </li>
+        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
+        </li>
+        </ul>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/net/http2</code> to version 0.4.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://cs.opensource.google/go/x/net/+/1e63c2f08a10a150fa02c50ece89b340ae64efe4">Fix Commit</a></li>
+        <li><a href="https://go-review.googlesource.com/c/net/+/455635">Fix Commit</a></li>
+        <li><a href="https://github.com/golang/net/commit/1e63c2f08a10a150fa02c50ece89b340ae64efe4">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/56350">GitHub Issue</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+      </div><!-- cards -->
    </div>
  </main><!-- .layout-stacked__content -->
 </body>
--- a/docs/snyk/master/haproxy_2.6.2-alpine.html
+++ b/docs/snyk/master/haproxy_2.6.2-alpine.html
@@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">December 18th 2022, 12:14:22 am</p>
+                <p class="timestamp">February 5th 2023, 12:16:03 am</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following path:</span>
--- a/docs/snyk/master/quay.io_argoproj_argocd_latest.html
+++ b/docs/snyk/master/quay.io_argoproj_argocd_latest.html
@@ -7,7 +7,7 @@
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
-  <meta name="description" content="15 known vulnerabilities found in 91 vulnerable dependency paths.">
+  <meta name="description" content="21 known vulnerabilities found in 98 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
@@ -456,35 +456,260 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">December 18th 2022, 12:14:47 am</p>
+                <p class="timestamp">February 5th 2023, 12:16:27 am</p>
              </div>
              <div class="source-panel">
-                <span>Scanned the following path:</span>
+                <span>Scanned the following paths:</span>
                <ul>
-                  <li class="paths">quay.io/argoproj/argocd:latest/argoproj/argocd (deb)</li>
+                  <li class="paths">quay.io/argoproj/argocd:latest/argoproj/argocd (deb)</li><li class="paths">quay.io/argoproj/argocd:latest/argoproj/argo-cd/v2 (gomodules)</li><li class="paths">quay.io/argoproj/argocd:latest/kustomize/kustomize/v4 (gomodules)</li><li class="paths">quay.io/argoproj/argocd:latest/helm/v3 (gomodules)</li>
                </ul>
              </div>
    
              <div class="meta-counts">
-                <div class="meta-count"><span>15</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>91 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>162</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>21</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>98 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>2061</span> <span>dependencies</span></div>
              </div><!-- .meta-counts -->
            </div><!-- .layout-container--short -->
          </header><!-- .project__header -->
        </div><!-- .layout-stacked__header -->
-      <section class="layout-container">
-          <table class="metatable">
-              <tbody>
-              <tr class="meta-row"><th class="meta-row-label">Project</th> <td class="meta-row-value">docker-image|quay.io/argoproj/argocd</td></tr>
-              <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">quay.io/argoproj/argocd:latest/argoproj/argocd</td></tr>
-              <tr class="meta-row"><th class="meta-row-label">Package Manager</th> <td class="meta-row-value">deb</td></tr>
-              <tr class="meta-row"><th class="meta-row-label">Manifest</th> <td class="meta-row-value">Dockerfile</td></tr>
-              </tbody>
-          </table>
-      </section>
+
    <div class="layout-container" style="padding-top: 35px;">
      <div class="cards--vuln filter--patch filter--ignore">
+        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
+            <h2 class="card__title">Denial of Service (DoS)</h2>
+            <div class="card__section">
+        
+                <div class="label label--high">
+                    <span class="label__text">high severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            gopkg.in/yaml.v3
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                sigs.k8s.io/kustomize/kustomize/v4@* and gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        sigs.k8s.io/kustomize/kustomize/v4@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://github.com/go-yaml/yaml">gopkg.in/yaml.v3</a> is a YAML support package for the Go language.</p>
+        <p>Affected versions of this package are vulnerable to Denial of Service (DoS) via the <code>Unmarshal</code> function, which causes the program to crash when attempting to deserialize invalid input.</p>
+        <h2 id="poc">PoC</h2>
+        <pre><code class="language-golang">package main
+        
+        import (
+            &quot;gopkg.in/yaml.v3&quot;
+        )
+        
+        func main() {
+            var t interface{}
+            yaml.Unmarshal([]byte(&quot;0: [:!00 \xef&quot;), &amp;t)
+        }
+        </code></pre>
+        <h2 id="details">Details</h2>
+        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
+        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
+        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
+        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
+        <p>Two common types of DoS vulnerabilities:</p>
+        <ul>
+        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
+        </li>
+        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
+        </li>
+        </ul>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>gopkg.in/yaml.v3</code> to version 3.0.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/go-yaml/yaml/commit/8f96da9f5d5eff988554c1aae1784627c4bf6754">GitHub Commit</a></li>
+        <li><a href="https://github.com/go-yaml/yaml/issues/666">GitHub Issue</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
+            <h2 class="card__title">NULL Pointer Dereference</h2>
+            <div class="card__section">
+        
+                <div class="label label--high">
+                    <span class="label__text">high severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            gopkg.in/yaml.v3
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                sigs.k8s.io/kustomize/kustomize/v4@* and gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        sigs.k8s.io/kustomize/kustomize/v4@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://github.com/go-yaml/yaml">gopkg.in/yaml.v3</a> is a YAML support package for the Go language.</p>
+        <p>Affected versions of this package are vulnerable to NULL Pointer Dereference when parsing <code>#\n-\n-\n0</code> via the <code>parserc.go</code> parser.</p>
+        <h2 id="poc">PoC</h2>
+        <pre><code class="language-golang">package main
+        
+        import (
+            &quot;gopkg.in/yaml.v3&quot;
+        )
+        
+        func main() {
+            var t interface{}
+            yaml.Unmarshal([]byte(&quot;#\n-\n-\n0&quot;), &amp;t)
+        }
+        </code></pre>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>gopkg.in/yaml.v3</code> to version 3.0.1 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/go-yaml/yaml/commit/f6f7691b1fdeb513f56608cd2c32c51f8194bf51">GitHub Commit</a></li>
+        <li><a href="https://github.com/go-yaml/yaml/issues/665">GitHub Issue</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
+            <h2 class="card__title">Denial of Service</h2>
+            <div class="card__section">
+        
+                <div class="label label--high">
+                    <span class="label__text">high severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/net/http2
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                helm.sh/helm/v3@* and golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        helm.sh/helm/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme">golang.org/x/net/http2</a> is a work-in-progress HTTP/2 implementation for Go.</p>
+        <p>Affected versions of this package are vulnerable to Denial of Service as an <code>HTTP/2</code> connection can hang during closing if a shutdown was preempted by a fatal error.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/net/http2</code> to version 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/net/commit/f3363e06e74cdc304618bf31d898b78590103527">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/54658">GitHub Issues</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">Off-by-one Error</h2>
            <div class="card__section">
@@ -635,7 +860,8 @@
              <hr/>
              <!-- Overview -->
              <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>systemd</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>systemd</code> package and not the <code>systemd</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
        <p>An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.</p>
        <h2 id="remediation">Remediation</h2>
        <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>systemd</code>.</p>
@@ -657,7 +883,7 @@
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
-            <h2 class="card__title">CVE-2022-46908</h2>
+            <h2 class="card__title">Improper Input Validation</h2>
            <div class="card__section">
        
                <div class="label label--medium">
@@ -666,6 +892,228 @@
        
                <hr/>
        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/text/language
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                sigs.k8s.io/kustomize/kustomize/v4@* and golang.org/x/text/language@v0.3.7
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        sigs.k8s.io/kustomize/kustomize/v4@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/text/language@v0.3.7
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        helm.sh/helm/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/text/language@v0.3.7
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Improper Input Validation due to the parser being, by design, exposed to untrusted user input, which can be leveraged to force a program to consume significant time parsing <code>Accept-Language</code> headers.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/text/language</code> to version 0.3.8 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/56152">GitHub Issue</a></li>
+        <li><a href="https://github.com/golang/text/releases/tag/v0.3.8">GitHub Release</a></li>
+        <li><a href="https://groups.google.com/g/golang-dev/c/qfPIly0X7aU">Google Groups Forum</a></li>
+        <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2134010">RedHat Bugzilla Bug</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Incorrect Privilege Assignment</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/sys/unix
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                helm.sh/helm/v3@* and golang.org/x/sys/unix@v0.0.0-20220722155257-8c9f86f7a55f
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        helm.sh/helm/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/sys/unix@v0.0.0-20220722155257-8c9f86f7a55f
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Incorrect Privilege Assignment such that when called with a non-zero flags parameter, the <code>Faccessat</code> function can incorrectly report that a file is accessible.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/sys/unix</code> to version 0.1.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/sys/commit/33da011f77ade50ff5b6a6fb4a9a1e6d6b285809">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/sys/releases/tag/v0.1.0">GitHub Release</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXSYSUNIX-3310442">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Denial of Service (DoS)</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/net/http2
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                helm.sh/helm/v3@* and golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        helm.sh/helm/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme">golang.org/x/net/http2</a> is a work-in-progress HTTP/2 implementation for Go.</p>
+        <p>Affected versions of this package are vulnerable to Denial of Service (DoS) due to improper checks and limitations for the number of entries in the cache, which can allow an attacker to consume unbounded amounts of memory by sending a small number of very large keys.</p>
+        <h2 id="details">Details</h2>
+        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
+        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
+        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
+        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
+        <p>Two common types of DoS vulnerabilities:</p>
+        <ul>
+        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
+        </li>
+        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
+        </li>
+        </ul>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/net/http2</code> to version 0.4.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://cs.opensource.google/go/x/net/+/1e63c2f08a10a150fa02c50ece89b340ae64efe4">Fix Commit</a></li>
+        <li><a href="https://go-review.googlesource.com/c/net/+/455635">Fix Commit</a></li>
+        <li><a href="https://github.com/golang/net/commit/1e63c2f08a10a150fa02c50ece89b340ae64efe4">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/56350">GitHub Issue</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--low" data-snyk-test="low">
+            <h2 class="card__title">CVE-2022-46908</h2>
+            <div class="card__section">
+        
+                <div class="label label--low">
+                    <span class="label__text">low severity</span>
+                </div>
+        
+                <hr/>
+        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Package Manager: ubuntu:22.04
@@ -707,7 +1155,8 @@
              <hr/>
              <!-- Overview -->
              <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>sqlite3</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>sqlite3</code> package and not the <code>sqlite3</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
        <p>SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.</p>
        <h2 id="remediation">Remediation</h2>
        <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>sqlite3</code>.</p>
@@ -786,7 +1235,8 @@
              <hr/>
              <!-- Overview -->
              <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>pcre3</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>pcre3</code> package and not the <code>pcre3</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
        <p>In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.</p>
        <h2 id="remediation">Remediation</h2>
        <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>pcre3</code>.</p>
@@ -856,7 +1306,8 @@
              <hr/>
              <!-- Overview -->
              <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>patch</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>patch</code> package and not the <code>patch</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
        <p>An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.</p>
        <h2 id="remediation">Remediation</h2>
        <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>patch</code>.</p>
@@ -922,7 +1373,8 @@
              <hr/>
              <!-- Overview -->
              <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>patch</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>patch</code> package and not the <code>patch</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
        <p>A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.</p>
        <h2 id="remediation">Remediation</h2>
        <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>patch</code>.</p>
@@ -990,7 +1442,7 @@
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|quay.io/argoproj/argocd@latest
                                         <span class="list-paths__item__arrow">›</span> 
-                                        cyrus-sasl2/libsasl2-modules@2.1.27+dfsg2-3ubuntu1
+                                        cyrus-sasl2/libsasl2-modules@2.1.27+dfsg2-3ubuntu1.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3@3.0.2-0ubuntu1.7
                                        
@@ -1012,7 +1464,7 @@
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|quay.io/argoproj/argocd@latest
                                         <span class="list-paths__item__arrow">›</span> 
-                                        openssh/openssh-client@1:8.9p1-3
+                                        openssh/openssh-client@1:8.9p1-3ubuntu0.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3@3.0.2-0ubuntu1.7
                                        
@@ -1036,9 +1488,9 @@
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|quay.io/argoproj/argocd@latest
                                         <span class="list-paths__item__arrow">›</span> 
-                                        git@1:2.34.1-1ubuntu1.5
+                                        git@1:2.34.1-1ubuntu1.6
                                         <span class="list-paths__item__arrow">›</span> 
-                                        curl/libcurl3-gnutls@7.81.0-1ubuntu1.6
+                                        curl/libcurl3-gnutls@7.81.0-1ubuntu1.7
                                         <span class="list-paths__item__arrow">›</span> 
                                        libssh/libssh-4@0.9.6-2build1
                                         <span class="list-paths__item__arrow">›</span> 
@@ -1055,15 +1507,15 @@
                                         <span class="list-paths__item__arrow">›</span> 
                                        shadow/passwd@1:4.8.1-2ubuntu2.1
                                         <span class="list-paths__item__arrow">›</span> 
-                                        pam/libpam-modules@1.4.0-11ubuntu2
+                                        pam/libpam-modules@1.4.0-11ubuntu2.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        libnsl/libnsl2@1.3.0-2build2
                                         <span class="list-paths__item__arrow">›</span> 
                                        libtirpc/libtirpc3@1.3.2-2ubuntu0.1
                                         <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libgssapi-krb5-2@1.19.2-2
+                                        krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.1
                                         <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libkrb5-3@1.19.2-2
+                                        krb5/libkrb5-3@1.19.2-2ubuntu0.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3@3.0.2-0ubuntu1.7
                                        
@@ -1097,7 +1549,8 @@
              <hr/>
              <!-- Overview -->
              <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>openssl</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
        <p>If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the <code>-policy&amp;#39; argument to the command line utilities or by calling either </code>X509_VERIFY_PARAM_add0_policy()&#39; or `X509_VERIFY_PARAM_set1_policies()&#39; functions.</p>
        <h2 id="remediation">Remediation</h2>
        <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>openssl</code>.</p>
@@ -1116,7 +1569,7 @@
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--low" data-snyk-test="low">
-            <h2 class="card__title">CVE-2021-41617</h2>
+            <h2 class="card__title">Improper Privilege Management</h2>
            <div class="card__section">
        
                <div class="label label--low">
@@ -1137,7 +1590,7 @@
        
                    <li class="card__meta__item">Introduced through:
        
-                                docker-image|quay.io/argoproj/argocd@latest and openssh/openssh-client@1:8.9p1-3
+                                docker-image|quay.io/argoproj/argocd@latest and openssh/openssh-client@1:8.9p1-3ubuntu0.1
        
                    </li>
                </ul>
@@ -1152,7 +1605,7 @@
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|quay.io/argoproj/argocd@latest
                                         <span class="list-paths__item__arrow">›</span> 
-                                        openssh/openssh-client@1:8.9p1-3
+                                        openssh/openssh-client@1:8.9p1-3ubuntu0.1
                                        
                                </span>
        
@@ -1164,7 +1617,8 @@
              <hr/>
              <!-- Overview -->
              <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>openssh</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssh</code> package and not the <code>openssh</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
        <p>sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.</p>
        <h2 id="remediation">Remediation</h2>
        <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>openssh</code>.</p>
@@ -1213,7 +1667,7 @@
        
                    <li class="card__meta__item">Introduced through:
        
-                                docker-image|quay.io/argoproj/argocd@latest and openssh/openssh-client@1:8.9p1-3
+                                docker-image|quay.io/argoproj/argocd@latest and openssh/openssh-client@1:8.9p1-3ubuntu0.1
        
                    </li>
                </ul>
@@ -1228,7 +1682,7 @@
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|quay.io/argoproj/argocd@latest
                                         <span class="list-paths__item__arrow">›</span> 
-                                        openssh/openssh-client@1:8.9p1-3
+                                        openssh/openssh-client@1:8.9p1-3ubuntu0.1
                                        
                                </span>
        
@@ -1240,7 +1694,8 @@
              <hr/>
              <!-- Overview -->
              <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>openssh</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssh</code> package and not the <code>openssh</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
        <p>The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.</p>
        <h2 id="remediation">Remediation</h2>
        <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>openssh</code>.</p>
@@ -1504,7 +1959,8 @@
              <hr/>
              <!-- Overview -->
              <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>ncurses</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>ncurses</code> package and not the <code>ncurses</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
        <p>ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.</p>
        <h2 id="remediation">Remediation</h2>
        <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>ncurses</code>.</p>
@@ -1547,7 +2003,7 @@
        
                    <li class="card__meta__item">Introduced through:
        
-                                docker-image|quay.io/argoproj/argocd@latest and krb5/libk5crypto3@1.19.2-2
+                                docker-image|quay.io/argoproj/argocd@latest and krb5/libk5crypto3@1.19.2-2ubuntu0.1
        
                    </li>
                </ul>
@@ -1562,7 +2018,7 @@
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|quay.io/argoproj/argocd@latest
                                         <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libk5crypto3@1.19.2-2
+                                        krb5/libk5crypto3@1.19.2-2ubuntu0.1
                                        
                                </span>
        
@@ -1575,15 +2031,15 @@
                                         <span class="list-paths__item__arrow">›</span> 
                                        shadow/passwd@1:4.8.1-2ubuntu2.1
                                         <span class="list-paths__item__arrow">›</span> 
-                                        pam/libpam-modules@1.4.0-11ubuntu2
+                                        pam/libpam-modules@1.4.0-11ubuntu2.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        libnsl/libnsl2@1.3.0-2build2
                                         <span class="list-paths__item__arrow">›</span> 
                                        libtirpc/libtirpc3@1.3.2-2ubuntu0.1
                                         <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libgssapi-krb5-2@1.19.2-2
+                                        krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.1
                                         <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libk5crypto3@1.19.2-2
+                                        krb5/libk5crypto3@1.19.2-2ubuntu0.1
                                        
                                </span>
        
@@ -1596,17 +2052,17 @@
                                         <span class="list-paths__item__arrow">›</span> 
                                        shadow/passwd@1:4.8.1-2ubuntu2.1
                                         <span class="list-paths__item__arrow">›</span> 
-                                        pam/libpam-modules@1.4.0-11ubuntu2
+                                        pam/libpam-modules@1.4.0-11ubuntu2.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        libnsl/libnsl2@1.3.0-2build2
                                         <span class="list-paths__item__arrow">›</span> 
                                        libtirpc/libtirpc3@1.3.2-2ubuntu0.1
                                         <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libgssapi-krb5-2@1.19.2-2
+                                        krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.1
                                         <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libkrb5-3@1.19.2-2
+                                        krb5/libkrb5-3@1.19.2-2ubuntu0.1
                                         <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libk5crypto3@1.19.2-2
+                                        krb5/libk5crypto3@1.19.2-2ubuntu0.1
                                        
                                </span>
        
@@ -1615,7 +2071,7 @@
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|quay.io/argoproj/argocd@latest
                                         <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libkrb5-3@1.19.2-2
+                                        krb5/libkrb5-3@1.19.2-2ubuntu0.1
                                        
                                </span>
        
@@ -1628,15 +2084,15 @@
                                         <span class="list-paths__item__arrow">›</span> 
                                        shadow/passwd@1:4.8.1-2ubuntu2.1
                                         <span class="list-paths__item__arrow">›</span> 
-                                        pam/libpam-modules@1.4.0-11ubuntu2
+                                        pam/libpam-modules@1.4.0-11ubuntu2.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        libnsl/libnsl2@1.3.0-2build2
                                         <span class="list-paths__item__arrow">›</span> 
                                        libtirpc/libtirpc3@1.3.2-2ubuntu0.1
                                         <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libgssapi-krb5-2@1.19.2-2
+                                        krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.1
                                         <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libkrb5-3@1.19.2-2
+                                        krb5/libkrb5-3@1.19.2-2ubuntu0.1
                                        
                                </span>
        
@@ -1645,7 +2101,7 @@
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|quay.io/argoproj/argocd@latest
                                         <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libgssapi-krb5-2@1.19.2-2
+                                        krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.1
                                        
                                </span>
        
@@ -1654,9 +2110,9 @@
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|quay.io/argoproj/argocd@latest
                                         <span class="list-paths__item__arrow">›</span> 
-                                        openssh/openssh-client@1:8.9p1-3
+                                        openssh/openssh-client@1:8.9p1-3ubuntu0.1
                                         <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libgssapi-krb5-2@1.19.2-2
+                                        krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.1
                                        
                                </span>
        
@@ -1665,11 +2121,11 @@
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|quay.io/argoproj/argocd@latest
                                         <span class="list-paths__item__arrow">›</span> 
-                                        git@1:2.34.1-1ubuntu1.5
+                                        git@1:2.34.1-1ubuntu1.6
                                         <span class="list-paths__item__arrow">›</span> 
-                                        curl/libcurl3-gnutls@7.81.0-1ubuntu1.6
+                                        curl/libcurl3-gnutls@7.81.0-1ubuntu1.7
                                         <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libgssapi-krb5-2@1.19.2-2
+                                        krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.1
                                        
                                </span>
        
@@ -1678,13 +2134,13 @@
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|quay.io/argoproj/argocd@latest
                                         <span class="list-paths__item__arrow">›</span> 
-                                        git@1:2.34.1-1ubuntu1.5
+                                        git@1:2.34.1-1ubuntu1.6
                                         <span class="list-paths__item__arrow">›</span> 
-                                        curl/libcurl3-gnutls@7.81.0-1ubuntu1.6
+                                        curl/libcurl3-gnutls@7.81.0-1ubuntu1.7
                                         <span class="list-paths__item__arrow">›</span> 
                                        libssh/libssh-4@0.9.6-2build1
                                         <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libgssapi-krb5-2@1.19.2-2
+                                        krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.1
                                        
                                </span>
        
@@ -1697,13 +2153,13 @@
                                         <span class="list-paths__item__arrow">›</span> 
                                        shadow/passwd@1:4.8.1-2ubuntu2.1
                                         <span class="list-paths__item__arrow">›</span> 
-                                        pam/libpam-modules@1.4.0-11ubuntu2
+                                        pam/libpam-modules@1.4.0-11ubuntu2.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        libnsl/libnsl2@1.3.0-2build2
                                         <span class="list-paths__item__arrow">›</span> 
                                        libtirpc/libtirpc3@1.3.2-2ubuntu0.1
                                         <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libgssapi-krb5-2@1.19.2-2
+                                        krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.1
                                        
                                </span>
        
@@ -1714,7 +2170,7 @@
                                         <span class="list-paths__item__arrow">›</span> 
                                        meta-common-packages@meta
                                         <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libkrb5support0@1.19.2-2
+                                        krb5/libkrb5support0@1.19.2-2ubuntu0.1
                                        
                                </span>
        
@@ -1726,7 +2182,8 @@
              <hr/>
              <!-- Overview -->
              <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>krb5</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>krb5</code> package and not the <code>krb5</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
        <p>An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable &#34;dbentry-&gt;n_key_data&#34; in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a &#34;u4&#34; variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.</p>
        <h2 id="remediation">Remediation</h2>
        <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>krb5</code>.</p>
@@ -2174,7 +2631,8 @@
              <hr/>
              <!-- Overview -->
              <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>glibc</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>glibc</code> package and not the <code>glibc</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
        <p>sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm&#39;s runtime is proportional to the square of the length of the password.</p>
        <h2 id="remediation">Remediation</h2>
        <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>glibc</code>.</p>
@@ -2216,7 +2674,7 @@
                    <li class="card__meta__item">Introduced through:
        
        
-                                    docker-image|quay.io/argoproj/argocd@latest, git@1:2.34.1-1ubuntu1.5 and others
+                                    docker-image|quay.io/argoproj/argocd@latest, git@1:2.34.1-1ubuntu1.6 and others
                    </li>
                </ul>
        
@@ -2230,9 +2688,9 @@
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|quay.io/argoproj/argocd@latest
                                         <span class="list-paths__item__arrow">›</span> 
-                                        git@1:2.34.1-1ubuntu1.5
+                                        git@1:2.34.1-1ubuntu1.6
                                         <span class="list-paths__item__arrow">›</span> 
-                                        git/git-man@1:2.34.1-1ubuntu1.5
+                                        git/git-man@1:2.34.1-1ubuntu1.6
                                        
                                </span>
        
@@ -2241,7 +2699,7 @@
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|quay.io/argoproj/argocd@latest
                                         <span class="list-paths__item__arrow">›</span> 
-                                        git@1:2.34.1-1ubuntu1.5
+                                        git@1:2.34.1-1ubuntu1.6
                                        
                                </span>
        
@@ -2252,7 +2710,7 @@
                                         <span class="list-paths__item__arrow">›</span> 
                                        git-lfs@3.0.2-1
                                         <span class="list-paths__item__arrow">›</span> 
-                                        git@1:2.34.1-1ubuntu1.5
+                                        git@1:2.34.1-1ubuntu1.6
                                        
                                </span>
        
@@ -2264,7 +2722,8 @@
              <hr/>
              <!-- Overview -->
              <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>git</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>git</code> package and not the <code>git</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
        <p>GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack).</p>
        <h2 id="remediation">Remediation</h2>
        <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>git</code>.</p>
@@ -2331,7 +2790,8 @@
              <hr/>
              <!-- Overview -->
              <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>coreutils</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>coreutils</code> package and not the <code>coreutils</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
        <p>chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal&#39;s input buffer.</p>
        <h2 id="remediation">Remediation</h2>
        <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>coreutils</code>.</p>
@@ -2352,7 +2812,7 @@
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--low" data-snyk-test="low">
-            <h2 class="card__title">CVE-2022-3715</h2>
+            <h2 class="card__title">Out-of-bounds Write</h2>
            <div class="card__section">
        
                <div class="label label--low">
@@ -2400,12 +2860,15 @@
              <hr/>
              <!-- Overview -->
              <h2 id="nvd-description">NVD Description</h2>
-        <p><em>This vulnerability has not been analyzed by NVD yet.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>bash</code> package and not the <code>bash</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
+        <p>A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.</p>
        <h2 id="remediation">Remediation</h2>
        <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>bash</code>.</p>
        <h2 id="references">References</h2>
        <ul>
        <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3715">ADVISORY</a></li>
+        <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2126720">MISC</a></li>
        </ul>
        
              <hr/>
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .6.12
 .6.0