GHSA-RQGV-292V-5QGR Renovate vulnerable to arbitrary command injection via helmv3 manager and registryAliases
Summary

Attackers with commit access to the default branch of a repo using Renovate could manipulate helmv3 registryAliases to execute arbitrary commands.

Details

Since 26848, registryAliases has become mergeable. This means that the helmv3 manager started honoring its value and uses a helm repo...
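
A defender-side review check for the setting this advisory concerns, as an added example that is not part of the advisory or of Renovate's code: it walks a parsed Renovate config and flags any registryAliases entry, at any nesting level, whose alias or target falls outside a conservative character allowlist. The allowlists, the function names, the sample config and its hosts are assumptions made for illustration, and the config is assumed to be plain JSON.

```python
import json
import re

# Assumption: conservative allowlists picked for this example; not Renovate's validation.
SAFE_ALIAS = re.compile(r"[A-Za-z0-9@][A-Za-z0-9._/@-]*")
SAFE_TARGET = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:/@%+~-]*")


def check_entry(alias, target):
    """Return a reason string if the alias/target pair needs review, else None."""
    if not SAFE_ALIAS.fullmatch(alias):
        return "alias has unexpected characters"
    if not isinstance(target, str):
        return "target is not a string"
    if not SAFE_TARGET.fullmatch(target):
        return "target has unexpected characters"
    return None


def find_suspicious_aliases(node, path="$"):
    """Walk parsed config at any nesting depth; return (path, alias, reason) tuples."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key == "registryAliases" and isinstance(value, dict):
                for alias, target in value.items():
                    reason = check_entry(alias, target)
                    if reason:
                        findings.append((here, alias, reason))
            else:
                findings.extend(find_suspicious_aliases(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_suspicious_aliases(item, f"{path}[{i}]"))
    return findings


# Constructed sample config (hosts and values are made up for this example).
SAMPLE = json.loads("""{
  "registryAliases": {"stable": "https://charts.example.com/stable"},
  "helmv3": {"registryAliases": {
    "internal": "https://charts.example.com/internal ;constructed",
    "bad alias": "https://charts.example.com/other"}}
}""")

if __name__ == "__main__":
    for finding in find_suspicious_aliases(SAMPLE):
        print(finding)
```

Findings are prompts for review rather than proof of abuse; legitimate aliases that use characters outside the allowlist will also be flagged.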