(In reply to John Paul Adrian Glaubitz from comment #7)
> I do not know the helmfile source code well enough to be able to rule out
> they use any of the vulnerable code. There is a reason, they're shipping an
> embedded source code copy of helm, isn't there?

I do not know either, I'm just packaging it. What I do know, though, is that helmfile complains that it doesn't find a working helm program if it is not installed as a separate binary. In my last job we were using helm and helmfile to deploy and maintain a large set of applications in our cloud.

Anyway, they have released version 0.151.0 over the weekend which has this:

Support helm 3.11.1 (#695)

Looking at that commit (https://github.com/helmfile/helmfile/pull/695/commits/9449164921819b1a32c5c99bf610adee2345c9ab) does not show any helm code, just references to the new version.

I have submitted the updated package to Factory now:
https://build.opensuse.org/request/show/1066782

Please take a look and close this issue if you think this is appropriate.