helm/pkg/registry
Terry Howe 702529f90a fix(registry): keep credentials on plain-HTTP fallback with oras-go v2.6.1
oras-go v2.6.1 hardens the auth client to drop the Authorization header
when a request's origin changes mid-flight (GHSA-vh4v-2xq2-g5cg). Helm's
fallbackTransport reaches plain-HTTP registries by downgrading the
connection from https to http inside a single round trip, which oras now
treats as a credential-leaking origin change and refuses to authenticate.

On login, detect when the transport has fallen back to plain HTTP and, in
that case, set PlainHTTP explicitly and re-ping so requests are built as
http from the start. The scheme no longer changes mid-request, credentials
flow as before, and the new cross-origin protection is preserved for real
https registries (forcedHTTP stays false, so the retry never triggers).

Signed-off-by: Terry Howe <terrylhowe@gmail.com>
(cherry picked from commit 2fb05f8a35)
2026-06-11 23:49:32 -04:00