chore(deps): bump github.com/argoproj/argo-cd/v2 from 2.2.7 to 2.2.10

[dependabot[bot]]

Bumps github.com/argoproj/argo-cd/v2 from 2.2.7 to 2.2.10.

Release notes

Sourced from github.com/argoproj/argo-cd/v2's releases.

v2.2.10

Quick Start

Non-HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.2.10/manifests/install.yaml

HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.2.10/manifests/ha/install.yaml

Security fixes

• CRITICAL: External URLs for Deployments can include javascript (GHSA-h4w9-6x78-8vrj)
• HIGH: Insecure entropy in PKCE/Oauth2/OIDC params (GHSA-2m7h-86qq-fp4v)
• MODERATE: DoS through large directory app manifest files (GHSA-jhqp-vf4w-rpwq)
• MODERATE: Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server (GHSA-q4w5-4gq2-98vm)

Potentially-breaking changes

From the GHSA-2m7h-86qq-fp4v description:

The patch introduces a new reposerver.max.combined.directory.manifests.size config parameter, which you should tune before upgrading in production. It caps the maximum total file size of .yaml/.yml/.json files in directory-type (raw manifest) Applications. The default max is 10M per Application. This max is designed to keep any single app from consuming more than 3G of memory in the repo-server (manifests consume more space in memory than on disk). The 300x ratio assumes a maliciously-crafted manifest file. If you only want to protect against accidental excessive memory use, it is probably safe to use a smaller ratio.

If your organization uses directory-type Applications with very many manifests or very large manifests then check the size of those manifests and tune the config parameter before deploying this change to production. When testing, make sure to do a "hard refresh" in either the CLI or UI to test your directory-type App. That will make sure you're using the new max logic instead of relying on cached manifest responses from Redis.

Bug fixes

• fix: missing Helm params (#9565) (#9566)

Other

• test: directory app manifest generation (#9503)
• test: fix erroneous test change
• chore: eliminate go-mpatch dependency (#9045)
• chore: Make unit tests run on platforms other than amd64 (#8995)
• chore: remove obsolete repo-server unit test (#9559)
• chore: upgrade golangci-lint to v1.46.2 (#9448)
• chore: update golangci-lint (#8988)

v2.2.9

Quick Start

Non-HA:

... (truncated)

Commits

• 8db0e57 Bump version to 2.2.10
• 80a10d4 Bump version to 2.2.10
• 29521a9 chore: fix docs gen
• 58cccd5 Merge pull request from GHSA-jhqp-vf4w-rpwq
• 265a644 Merge pull request from GHSA-q4w5-4gq2-98vm
• 1fe9574 Merge pull request from GHSA-2m7h-86qq-fp4v
• 05e9079 Merge pull request from GHSA-h4w9-6x78-8vrj
• fd42ba7 fix: missing Helm params (#9565) (#9566)
• 4040dee test: directory app manifest generation (#9503)
• 845cfde test: fix erroneous test change
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

[codecov-commenter]

Codecov Report

Merging #450 (0016ac1) into master (98e5e9d) will not change coverage. The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #450   +/-   ##
=======================================
  Coverage   65.70%   65.70%           
=======================================
  Files          21       21           
  Lines        2041     2041           
=======================================
  Hits         1341     1341           
  Misses        571      571           
  Partials      129      129           

:mega: We’re building smart automated test selection to slash your CI/CD build times. Learn more

[dependabot[bot]]

Superseded by #545.