Last checked and updated on 12 Jun 2026
What Is New in Helm 3.21
| Category | Highlights |
|---|---|
| Improvements |
Kubernetes client libraries bumped to v1.36; OpenTelemetry packages upgraded to patch CVEs
|
| Bug Fixes |
Fixed pulling charts from OCI image indices; fixed chart dot-name path bug; fixed nil value preservation when chart default is an empty map (values.yaml)
|
| Deprecations | Helm v3 is approaching end-of-life -- migration to Helm v4 is strongly recommended |
What Kubernetes version does Helm 3.21 target?
Helm 3.21 aligns its client libraries with Kubernetes v1.36, keeping API compatibility current for clusters running the latest upstream releases. In practice, this means the k8s.io dependency group -- including k8s.io/client-go, k8s.io/api, and related packages -- has been bumped in lockstep via the k8s-io group update.
Most teams will not need to change anything in their charts or workflows. Watch out for any third-party Helm SDK integrations in your own Go code: if you import Helm packages directly, a go get update will pull in the new k8s.io transitive dependencies, which may require minor import adjustments.
Does Helm 3.21 fix OCI chart pulling issues?
Yes -- Helm 3.21 fixes a regression where charts stored inside OCI image indices (multi-arch manifests) could not be pulled correctly. This matters if you are distributing charts via container registries that use OCI image index manifests, a pattern increasingly common with tools like ORAS or when co-locating chart and container image artifacts in the same registry namespace.
Before this fix, a helm pull oci://registry/repo/chart:tag targeting an index manifest could silently fail or return unexpected content. After the fix, Helm correctly traverses the index to locate the chart layer. No configuration change is needed -- upgrading to 3.21 is sufficient.
# Pulling a chart from an OCI registry (now works correctly with image indices)
helm pull oci://registry.example.com/charts/my-app:1.0.0
What chart templating bugs were fixed in Helm 3.21?
Two notable templating bugs were resolved. First, the dot-name path bug: chart names containing dots (e.g. my.chart) could cause incorrect path resolution during rendering, leading to subtle failures in template lookups. This is fixed in 3.21.
Second, nil value preservation has been corrected. Previously, when a subchart's values.yaml defined a key with an explicit null (nil) value and the parent chart passed an empty map for the same key, the nil was silently dropped. In practice this caused unexpected defaults to reappear after a helm upgrade. The fix ensures nil values are preserved through the coalescing logic.
# values.yaml (subchart) -- nil is now preserved correctly
database:
password: null
# Parent override (empty map no longer overwrites nil)
database: {}
Are there any security fixes in Helm 3.21?
Helm 3.21 upgrades its OpenTelemetry dependency packages to address known CVEs. If your environment scans container images or binaries for vulnerabilities, upgrading to 3.21 will resolve findings related to the affected go.opentelemetry.io packages. No changes to Helm's observability behavior or configuration are required.
This matters if you operate in environments with strict CVE SLA policies -- keeping the Helm binary current avoids compliance flags on the OpenTelemetry transitive dependencies.
Is Helm v3 reaching end-of-life -- should teams migrate to Helm v4?
Helm v3 is approaching end-of-life, and the project is now actively directing users toward Helm v4. Helm 3.21 itself includes an official warning banner in its release notes to this effect. The 3.21.x branch will continue to receive bug-fix patches (3.21.1 is already planned), but new features are being developed in the v4 line.
Most teams should begin evaluating Helm v4 compatibility for their charts and CI pipelines. The next feature release after 3.21 in the v3 line (3.22.0) targets Kubernetes v1.37, but the long-term investment should shift toward v4. Watch out for breaking changes in Helm v4 around OCI, chart API versions, and Go SDK surface -- a migration guide from the Helm project should be consulted before upgrading production tooling.
Frequently Asked Questions about Helm 3.21
Is Helm 3.21 backward compatible with charts written for Helm 3.x?
Yes, Helm 3.21 is fully backward compatible with existing Helm 3 charts. No changes to Chart.yaml apiVersion or templates are required to upgrade.
Does Helm 3.21 require a specific version of Kubernetes?
Helm 3.21 ships with Kubernetes client libraries for v1.36, but it remains compatible with older supported Kubernetes clusters. You do not need to upgrade your cluster to use Helm 3.21.
How do I pull a chart from an OCI image index registry after upgrading to Helm 3.21?
No configuration change is needed. Simply run helm pull oci://your-registry/your-chart:tag as usual -- the OCI index traversal fix is applied automatically after upgrading to 3.21.
Will nil values in my subchart values.yaml be handled correctly after the Helm 3.21 fix?
Yes. After upgrading to Helm 3.21, nil (null) values defined in a subchart values.yaml are preserved correctly even when the parent chart passes an empty map for the same key, so unexpected defaults will no longer reappear on helm upgrade.
Should I upgrade to Helm v4 instead of Helm 3.21?
If you are starting a new project or have capacity to evaluate migration, planning a move to Helm v4 is advisable since Helm v3 is approaching end-of-life. For existing production workloads, upgrading to 3.21 is safe and recommended while you plan the v4 migration.
What CVEs are patched by the OpenTelemetry upgrade in Helm 3.21?
The release notes do not enumerate specific CVE identifiers, but the fix upgrades go.opentelemetry.io packages to their latest patched versions. Running a vulnerability scanner against the Helm 3.21 binary will confirm resolution of any previously flagged OpenTelemetry findings.