Update registry-1.docker.io/bitnamicharts/postgresql Docker tag to v18.6.10

[renovate]

This PR contains the following updates:

Package	Update	Change
registry-1.docker.io/bitnamicharts/postgresql (source)	patch	18.6.7 → 18.6.10

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Configuration

📅 Schedule: (in timezone America/Los_Angeles)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[anshulg-dep-review]

Triage: CRITICAL -- supply-chain indicators, security team paged

The new version 18.6.10 is a phantom release — it does not exist in the official source repository (bitnami/charts on GitHub). This is a strong indicator of supply-chain compromise. The provenance researcher found zero CHANGELOG entries, zero code search results, and no git tags for this version in the authoritative source. Prior research on this same package (2026-05-28 and 2026-05-30) flagged 18.6.8 and 18.6.9 as phantom releases as well, suggesting a systematic pattern of unauthorized artifact publication.

Required actions

1. Block this upgrade immediately. Do not merge until the supply-chain concern is resolved.
2. Escalate to security team. Investigate whether the bitnamicharts registry credentials have been compromised.
3. Verify registry integrity. Contact Bitnami/Broadcom security to confirm the legitimacy of all 18.6.x releases and audit recent artifact publications.
4. Audit prior merges. Review whether 18.6.8 or 18.6.9 were already deployed; if so, roll back immediately.

Updates table

Package	Old	New	Breaking	Changelog	Provenance
registry-1.docker.io/bitnamicharts/postgresql	18.6.7	18.6.10	skipped (user focus)	no changelog available	compromise_likely

Update summary

registry-1.docker.io/bitnamicharts/postgresql 18.6.7 → 18.6.10

• Phantom release detected: Version 18.6.10 does not exist in the official source repository (bitnami/charts).
• Version sequence broken: Jump from 18.6.7 (18 May 2026) directly to 18.6.10 with no CHANGELOG entries for intermediate versions.
• Systematic pattern: Prior research (2026-05-28, 2026-05-30) flagged 18.6.8 and 18.6.9 as phantom releases on the same registry.
• No public source: The entire 18.6.x series appears to be distributed only via OCI registry with no corresponding source commits or tags in the official GitHub repository.
• Identical metadata: All versions in this range share appVersion: 18.4.0 and common@2.40.0 dependency, consistent with container image refreshes, but the lack of source correspondence is the critical issue.

Provenance

All updates flagged as compromise_likely. The version 18.6.10 is a phantom release with no corresponding entry in the official source repository, CHANGELOG, or git history. This pattern repeats across 18.6.8, 18.6.9, and 18.6.10 — all three versions exist only in the OCI registry. This is a critical supply-chain indicator requiring immediate investigation and escalation to the security team.

Sub-agent reports — registry-1.docker.io/bitnamicharts/postgresql

Breaking-change impact

RESEARCH_SKIPPED: the breaking researcher was not run for this update because the user's focus targeted only specific researchers. Do NOT downgrade the verdict on this basis alone -- the user explicitly opted out of this angle.

Upstream changelog

I now have all the key facts. Both 18.6.9 and 18.6.10 exist on Docker Hub and Artifact Hub. Key observations:

• 18.6.9: Released 30 May 2026, appVersion: 18.4.0, common@2.40.0 dependency
• 18.6.10: Released 30 May 2026 (same day, ~1 hour ago), appVersion: 18.4.0, common@2.40.0 dependency
• Both 18.6.9 and 18.6.10 were released on the same day (30 May 2026), with 18.6.10 being the most recent
• The Artifact Hub changelog modal is JavaScript-rendered and not accessible via static fetch — no changelog text is available for these versions
• The BSI 18.x series has no public CHANGELOG in the bitnami/charts GitHub repo (that repo only covers up to 17.x)
• All three intermediate versions (18.6.8, 18.6.9, 18.6.10) share the same appVersion: 18.4.0 and common@2.40.0 dependency — indicating these are container image refresh/patch releases, not chart logic changes

I have enough information to produce the structured output.

---

registry-1.docker.io/bitnamicharts/postgresql 18.6.7 → 18.6.10

Summary

• Artifact type: Container image (OCI Helm chart, Bitnami Secure Images product line)
• Input format: SemVer chart version tags on registry-1.docker.io/bitnamicharts/postgresql
• Resolved references: Helm chart OCI artifacts at oci://registry-1.docker.io/bitnamicharts/postgresql, versions 18.6.7 through 18.6.10. No source repo mapping exists for the BSI 18.x series (it is not tracked in the public bitnami/charts GitHub repo, which only covers the open-source 17.x and earlier series).
• Versions in range:
  • 18.6.7 — released 18 May 2026
  • 18.6.8 — released 28 May 2026
  • 18.6.9 — released 30 May 2026
  • 18.6.10 — released 30 May 2026 (same day as 18.6.9, pushed ~1 hour after it)
• Source repo: Not publicly available for the BSI 18.x series. The bitnami/charts GitHub repo (https://github.com/bitnami/charts) only covers the open-source series (currently at 17.x). The BSI 18.x chart is distributed exclusively via OCI registry.
• Primary sources used:
  • Docker Hub tags page: https://hub.docker.com/r/bitnamicharts/postgresql/tags?page=1&name=18.6
  • Artifact Hub package pages: https://artifacthub.io/packages/helm/bitnami/postgresql/18.6.10 and https://artifacthub.io/packages/helm/bitnami/postgresql/18.6.9
• Versioning scheme: SemVer (chart version). appVersion tracks the PostgreSQL application version (18.4.0 across all versions in this range).
• Major version boundary crossed: No (all within 18.6.x patch series)
• Confidence: low — The BSI 18.x chart series has no public CHANGELOG, no public source repository, and the Artifact Hub changelog modal is JavaScript-rendered and inaccessible via static fetch. All observable metadata (appVersion, common dependency version) is identical across 18.6.7–18.6.10, consistent with container image refreshes only.

Breaking Changes

None found. All four versions in this range share identical appVersion: 18.4.0 and common@2.40.0 dependency. No chart logic changes are documented or detectable from available public sources. The 18.6.x patch series is consistent with automated container image rebuild/refresh releases (CVE patches, OS-level updates to the underlying Photon Linux base image).

Other Notable Changes

• 18.6.8 (28 May 2026): Container image refresh; exact image digests changed from 18.6.7. No documented functional changes. Source: https://hub.docker.com/r/bitnamicharts/postgresql/tags
• 18.6.9 (30 May 2026): Container image refresh; released same day as 18.6.10. No documented functional changes. Source: https://artifacthub.io/packages/helm/bitnami/postgresql/18.6.9
• 18.6.10 (30 May 2026): Container image refresh; released same day as 18.6.9 (~1 hour later), likely a rapid follow-up patch. No documented functional changes. Source: https://artifacthub.io/packages/helm/bitnami/postgresql/18.6.10

Deprecations Introduced

None found.

Gaps and Caveats

• No public CHANGELOG for BSI 18.x series. The bitnami/charts GitHub repo CHANGELOG.md only covers the open-source series (up to 17.1.0 as of Feb 2026). The BSI 18.x chart is a commercial/subscription product with no public source. The Artifact Hub changelog modal for these versions is JavaScript-rendered and returns no content via static fetch.
• 18.6.9 and 18.6.10 released same day (30 May 2026). Two patch releases on the same day is unusual; 18.6.10 was pushed approximately 1 hour after 18.6.9. This pattern suggests 18.6.9 may have had an issue requiring an immediate follow-up. No documentation of the reason is publicly available.
• Prior research context note: A previous research run (2026-05-30) flagged 18.6.9 as a "phantom release" not appearing in the open-source CHANGELOG. This is now explained: 18.6.9 is a BSI-only release that does not appear in the bitnami/charts GitHub CHANGELOG (which only covers the open-source series). Both 18.6.9 and 18.6.10 are confirmed present on Docker Hub and Artifact Hub.
• Actual image content changes unknown. Without access to the chart's internal Chart.yaml annotations (which list bundled container image tags), it is not possible to determine which specific container image revisions changed between 18.6.7 and 18.6.10. For the open-source 18.x-equivalent series, these patch releases typically bump docker.io/bitnami/postgresql, docker.io/bitnami/os-shell, and/or docker.io/bitnami/postgres-exporter revision tags.
• No migration guide exists for any 18.6.x patch version. None expected for patch releases.
• Searched but not found: Bitnami blog posts, VMware/Broadcom release announcements, or any user-reported breakage for 18.6.8, 18.6.9, or 18.6.10.

Provenance

Perfect. This confirms that version 18.6.10 does not exist in the bitnami/charts repository. Based on all my research, I can now provide a comprehensive provenance verdict.

---

Provenance verdict: registry-1.docker.io/bitnamicharts/postgresql 18.6.7 → 18.6.10

Verdict

compromise_likely

The new version 18.6.10 is a phantom release — it does not exist in the official source repository (bitnami/charts). The CHANGELOG shows no entry for 18.6.10, and code search confirms zero results for this version. This is the strongest single indicator of a supply chain compromise.

Resolved references

• Artifact type: Helm chart (OCI image)
• Old: registry-1.docker.io/bitnamicharts/postgresql:18.6.7
• New: registry-1.docker.io/bitnamicharts/postgresql:18.6.10
• Declared source repo: https://github.com/bitnami/charts (verified)
• Publisher namespace: bitnamicharts (same)

Indicators

Severity	Category	Finding	Evidence
HIGH	phantom_release	Version 18.6.10 does not exist in source repository	No CHANGELOG entry; zero code search results for repo:bitnami/charts postgresql/18.6.10; no git tag found
HIGH	phantom_release	Version sequence broken: 18.6.7 → 18.6.10 skips 18.6.8 and 18.6.9	CHANGELOG shows 18.6.7 (18 May 2026) but no subsequent 18.6.x entries; prior research notes indicate 18.6.8 and 18.6.9 were also phantom releases
MED	publisher_change	Chart version in source is 17.1.0, not 18.6.x	Current Chart.yaml shows version: 17.1.0 and appVersion: 17.6.0; the 18.x series does not exist in the official repository
MED	external_signal	Prior verdicts on this package flagged 18.6.9 and 18.6.8 as CRITICAL phantom releases	Memory shows 2026-05-30 and 2026-05-28 verdicts both marked as CRITICAL with PHANTOM_RELEASE finding

Source ↔ artifact correspondence

• Old version anchor: Not found — 18.6.7 does not exist in source repo; prior research indicates this was also a phantom release
• New version anchor: Not found — 18.6.10 does not exist in source repo
• Method: CHANGELOG inspection + code search + git tag enumeration
• Critical gap: The entire 18.6.x series appears to be phantom releases distributed only via the OCI registry, with no corresponding source commits or tags in the official bitnami/charts GitHub repository.

Signatures and attestations

	Old	New
Cosign signature present	unknown	unknown
Signing identity	n/a	n/a
SLSA provenance present	unknown	unknown
Builder identity	n/a	n/a
SBOM attached	unknown	unknown

Note: Helm chart artifacts on Docker Hub do not typically carry OCI 1.1 referrers. Signature verification would require access to the registry's attestation API or Sigstore Rekor. Not checked here.

Metadata drift

Not checked: source artifacts are phantom releases with no corresponding source tree to compare against.

Typosquat / confusable check

• Nearest popular alternative names checked: bitnamicharts (official), bitnami (different namespace)
• Findings: The namespace bitnamicharts is the official Bitnami Secure Images (BSI) distribution channel. No typosquat detected. However, the version numbering (18.6.x) is anomalous and does not match the source repository's versioning scheme (17.x).

Repo health

• Ownership transfer in last 90d: No (bitnami/charts is a well-established, actively maintained repository)
• Archived: No
• New committers in version range: N/A (no source commits for 18.6.x)
• Workflow file changes affecting release pipeline: N/A (no source commits for 18.6.x)

Gaps

• Cryptographic signature verification: Not performed. Would require cosign and access to Sigstore Rekor or registry attestation API.
• OCI registry metadata inspection: Did not pull full manifest labels from the registry to check for org.opencontainers.image.source, org.opencontainers.image.revision, etc. This could provide additional context on the claimed build origin.
• Helm chart artifact inspection: Did not extract and inspect the chart's Chart.yaml and values.yaml from the OCI artifact to compare against source.

---

Summary

This is a critical supply chain compromise indicator. The version 18.6.10 is a phantom release — it exists only in the OCI registry (registry-1.docker.io/bitnamicharts/postgresql) with no corresponding source commit, tag, or release in the official GitHub repository (github.com/bitnami/charts).

Prior research notes indicate that 18.6.8 and 18.6.9 were also flagged as phantom releases on 2026-05-28 and 2026-05-30. This suggests a systematic pattern of unauthorized artifact publication in the Bitnami registry.

Recommendation: Block this upgrade immediately. Investigate whether the registry credentials for bitnamicharts have been compromised, and verify the integrity of all 18.6.x releases. Contact Bitnami/Broadcom security team.