A chart was published to our Artifactory helm repository with `version: y` as the version.
This chart entry was then added exactly as it is to the helm repository's index.yaml.
Something like so:
Every helm command that tried to use this repository was now broken (users, automation, across the company), because the index.yaml was invalid according to the following error:
The following GitHub issue was created in the helm/helm repo on the assumption that it was a helm bug.
This in fact seems not to be a helm bug, but appears to be specific to Artifactory's helm repository implementation.
Downloading that broken chart tar file and running `helm repo index` locally, the generated index.yaml implicitly casts `version: y` to be `version: "true"`. While this could be considered an issue, at least the resulting index.yaml does not break the helm repository.
Until this bug is fixed in Artifactory's helm repository, a user publishing `version: y` or `version: n` or `version: 555e2` (a git hash that gets cast as a float due to the scientific notation `e2`) will globally break that helm repository for all users.
This is a huge risk, whether the publishing user's intentions were accidental or malicious.
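
A pre-publish check for the failure described above, as an added example (not Helm's or Artifactory's code): it flags an unquoted `version:` value in a Chart.yaml that a YAML parser may resolve to a bool, number or null instead of a string. The pattern set is an assumed, deliberately conservative union of YAML 1.1 and YAML 1.2 core-schema rules, and the function names and sample input are constructed for illustration.

```python
import re

# Plain (unquoted) scalars that YAML 1.1 or the YAML 1.2 core schema resolve
# to a non-string type. Assumed conservative union; matching is
# case-insensitive, so it flags slightly more than any single parser would.
_RESOLVERS = [
    ("bool", re.compile(r"(?:y|n|yes|no|true|false|on|off)", re.I)),
    ("null", re.compile(r"(?:~|null)?", re.I)),  # an empty value is null too
    ("int", re.compile(r"[-+]?(?:0x[0-9a-f_]+|0o?[0-7_]+|0b[01_]+|[0-9][0-9_]*)", re.I)),
    ("float", re.compile(r"[-+]?(?:\.[0-9]+|[0-9][0-9_]*(?:\.[0-9_]*)?)(?:e[-+]?[0-9]+)?", re.I)),
    ("float", re.compile(r"[-+]?\.(?:inf|nan)", re.I)),
]

# Matches a `version:` key at any indentation, optionally as a list item.
_KEY = re.compile(r"^\s*(?:-\s+)?version\s*:\s*(.*?)\s*$")


def resolved_type(scalar):
    """Return the non-string type a plain scalar may resolve to, else None."""
    for name, rx in _RESOLVERS:
        if rx.fullmatch(scalar):
            return name
    return None


def lint_versions(yaml_text):
    """Return (line_number, value, type) for each risky unquoted version."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = _KEY.match(line)
        if not m:
            continue
        raw = m.group(1)
        if raw[:1] in ("'", '"'):  # quoted scalars always stay strings
            continue
        value = raw.split(" #", 1)[0].strip()  # drop a trailing comment
        kind = resolved_type(value)
        if kind:
            findings.append((lineno, value, kind))
    return findings


# Constructed sample Chart.yaml contents, not taken from the report.
BAD_BOOL = "apiVersion: v2\nname: demo\nversion: y\n"
BAD_FLOAT = "apiVersion: v2\nname: demo\nversion: 555e2  # short git hash\n"
GOOD = 'apiVersion: v2\nname: demo\nversion: "0.1.0"\n'

if __name__ == "__main__":
    for text in (BAD_BOOL, BAD_FLOAT, GOOD):
        print(lint_versions(text))
```

Run as a CI gate before upload, a non-empty result means the chart should be rejected or its version quoted.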