Skip to content

deps: bump github.com/cert-manager/cert-manager from 1.19.3 to 1.20.3#100

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/cert-manager/cert-manager-1.20.3
Closed

deps: bump github.com/cert-manager/cert-manager from 1.19.3 to 1.20.3#100
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/cert-manager/cert-manager-1.20.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/cert-manager/cert-manager from 1.19.3 to 1.20.3.

Release notes

Sourced from github.com/cert-manager/cert-manager's releases.

v1.20.3

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This patch release fixes a security issue (GHSA-8rvj-mm4h-c258, HIGH) where the default cert-manager-edit aggregate ClusterRole granted namespace users permission to create ACME Challenge and Order resources directly. A user who could create a Challenge referencing a ClusterIssuer could supply attacker-controlled solver configuration while cert-manager loaded credentials from the ClusterIssuer's namespace, bypassing Issuer solver selectors (dnsZones, dnsNames, matchLabels). With the acme-dns provider specifically, this could disclose DNS credentials to an attacker-controlled endpoint.

This release also removes the issuer owner reference from Challenges which was blocking Challenge garbage collection, and updates Go to fix reported CVEs.

All users should upgrade.

[!WARNING] Potentially breaking change: The cert-manager-edit aggregate ClusterRole no longer grants create for challenges.acme.cert-manager.io or create, patch, update for orders.acme.cert-manager.io. These resources are internal to cert-manager's ACME workflow and are not intended to be created or modified directly by users. If you have tooling or workflows that create Challenge or Order resources directly (outside of the normal Certificate → CertificateRequest → Order → Challenge flow), you will need to grant those permissions explicitly.

Changes by Kind

Bug or Regression

Other (Cleanup or Flake)

v1.20.2

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.20.2 fixes invalid YAML generated in the Helm chart when both webhook.config and webhook.volumes are defined, and bumps Go to 1.26.2 along with dependencies to address reported vulnerabilities.

Changes by Kind

Bug or Regression

Other (Cleanup or Flake)

v1.20.1

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.20.1 fixes an issue for OpenShift users that has to do with the finalizer RBAC, bumps gRPC to address a reported non-affecting vulnerability, and fixes a duplicate parentRef bug when both issuer config and annotations are present (Gateway API).

Bug or Regression

  • Fixed duplicate parentRef bug when both issuer config and annotations are present. (#8658, @​hjoshi123)

... (truncated)

Commits
  • 1e1d16d Merge pull request #8940 from wallrj-cyberark/restrict-edit-clusterrole-rbac-...
  • 6bda472 Restrict Challenge and Order verbs in aggregate edit ClusterRole
  • 3428d65 Merge pull request #8926 from wallrj-cyberark/update-go-1.26.4-release-1.20
  • b352e55 [release-1.20] Update Go to v1.26.4
  • 725a401 Merge pull request #8899 from cert-manager/renovate/release-1.20-base-images
  • 29ae077 chore(deps): update base images
  • 0bca8fd Merge pull request #8817 from cert-manager/renovate/release-1.20-go-golang.or...
  • 15988af chore(deps): update module golang.org/x/net to v0.55.0 [security]
  • 27414f9 Merge pull request #8818 from cert-manager/renovate/release-1.20-go-golang.or...
  • 136b418 fix(deps): update module golang.org/x/crypto to v0.52.0 [security]
  • Additional commits viewable in compare view

Bumps [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) from 1.19.3 to 1.20.3.
- [Release notes](https://github.com/cert-manager/cert-manager/releases)
- [Changelog](https://github.com/cert-manager/cert-manager/blob/master/RELEASE.md)
- [Commits](cert-manager/cert-manager@v1.19.3...v1.20.3)

---
updated-dependencies:
- dependency-name: github.com/cert-manager/cert-manager
  dependency-version: 1.20.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/cert-manager/cert-manager-1.20.3 branch from e88b927 to 3aa8e04 Compare July 4, 2026 08:20
@dependabot @github

dependabot Bot commented on behalf of github Jul 4, 2026

Copy link
Copy Markdown
Contributor Author

Dependabot can't resolve your Go dependency files. Because of this, Dependabot cannot update this pull request.

@dependabot @github

dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #109.

@dependabot dependabot Bot closed this Jul 13, 2026
@dependabot dependabot Bot deleted the dependabot/go_modules/github.com/cert-manager/cert-manager-1.20.3 branch July 13, 2026 08:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants