Comment # 8 on bug 1208089 from
(In reply to John Paul Adrian Glaubitz from comment #7)
> I do not know the helmfile source code well enough to be able to rule out
> they use any of the vulnerable code. There is a reason, they're shipping an
> embedded source code copy of helm, isn't there?

I do not know either, I'm just packaging it. What I do know, though, is that
helmfile complains that it doesn't find a working helm program if it is not
installed as a separate binary. In my last job we were using helm and helmfile
to deploy and maintain a large set of applications in our cloud.

Anyway, they have released version 0.151.0 over the weekend which has this:

  Support helm 3.11.1 (#695)

Looking at that commit
(https://github.com/helmfile/helmfile/pull/695/commits/9449164921819b1a32c5c99bf610adee2345c9ab)
does not show any helm code, just references to the new version.

I have submitted the updated package to Factory now:
https://build.opensuse.org/request/show/1066782

Please take a look and close this issue if you think this is appropriate.

