@octo-sts octo-sts bot commented Nov 3, 2025

@octo-sts octo-sts bot added request-version-update request for a newer version of a package automated pr grafana-image-renderer P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Nov 3, 2025
octo-sts bot commented Nov 3, 2025

🩹 Build Failed: Patch Application Failed

Failed to run command "/bin/sh -c 'set -e \n[ -d '''/home/build''' ] || mkdir -p '''/home/build'''
cd '''/home/build'''
series=''''
if [ -z $series ]; then
if [ -n '''bump-axios-CVE-2025-58754.patch\n''' ]; then
series=$(mktemp)
echo '''bump-axios-CVE-2025-58754.patch\n''' | awk '''{ for(i = 1; i <= NF; i++) { print $i; } }''' >$series
else
echo "ERROR: Neither patches or series was set."
exit 1
fi
fi
grep -v -E '''^(#|$)''' $series | (while read patchfile; do
patch '''-p1''' --fuzz=2 --verbose <$patchfile
done)

exit 0'": Process exited with status 1

Build Details

Category Details
Build System melange
Failure Point patch step - applying bump-axios-CVE-2025-58754.patch

Root Cause Analysis 🔍

The patch file 'bump-axios-CVE-2025-58754.patch' failed to apply because it cannot find the target file 'package.json' to patch. The patch appears to be looking for a file at a path that doesn't exist in the current directory structure, likely due to incorrect patch strip level (-p1) or the patch being created against a different directory structure than what exists in the build environment.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: grafana-image-renderer.yaml

  • remove at line 33-36 (pipeline section)
    Original:
  - uses: patch
    with:
      patches: |
        bump-axios-CVE-2025-58754.patch

Content:

Remove the entire patch step since the patch file cannot find its target and may be obsolete

Analysis

Based on the similar fixed build failures, I can identify several key patterns: 1) Version updates often make patches incompatible with the new codebase structure, 2) Patches fail when the target files have different content or line numbers than expected, 3) The common solution is to either update the patch content to match the new file structure or remove patches that are no longer needed, 4) In some cases, patches become obsolete when upstream changes make them unnecessary. All three examples show that patch failures are typically resolved by either updating the patch file itself or removing it entirely when it's no longer applicable.


Explanation

The patch failure occurs because 'bump-axios-CVE-2025-58754.patch' cannot find the target file 'package.json' to apply changes to. This suggests either: 1) The patch was created against a different directory structure, 2) The patch is no longer needed in version 5.0.3, or 3) The upstream changes in this version already include the CVE fix. Given that this is a CVE patch for axios and the version update from 5.0.2 to 5.0.3 mentions updating Chromium, it's likely that the axios dependency was also updated upstream, making this patch obsolete. Following the pattern from similar fixes where patches became incompatible after version updates, the safest approach is to remove the patch step entirely and verify that the CVE is resolved through the upstream dependency updates.


Alternative Approaches

  • Update the patch file to match the current directory structure and file content in version 5.0.3
  • Change the patch strip level from -p1 to -p0 if the patch was created from the root directory
  • Investigate if the CVE fix is already included in the updated dependencies and document why the patch is no longer needed

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
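
An added example, not part of the bot's comment or of the Wolfi build tooling: a POSIX sh check for the strip-level hypothesis in the comment above. It reads the `+++` targets from a patch and reports which `-pN`, if any, resolves all of them inside a source tree; the function names, the sample patch and both directory layouts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): which -pN, if any, makes every file named
# in a patch resolve inside a source tree? Paths with spaces are not handled.

# Target paths from the "+++ " headers of a unified diff (skips /dev/null).
patch_targets() {
    awk '/^\+\+\+ / && $2 != "/dev/null" { print $2 }' "$1"
}

# Remove N leading path components, as patch -pN does.
strip_components() {
    path=$1; n=$2
    while [ "$n" -gt 0 ]; do
        case $path in
            */*) path=${path#*/} ;;
            *)   return 1 ;;  # fewer components than N
        esac
        n=$((n - 1))
    done
    printf '%s\n' "$path"
}

# Print the lowest strip level (0..3) at which all targets exist under srcdir.
# Returns 1 when none fits: the patch was made against a different layout.
find_strip_level() {
    patchfile=$1; srcdir=$2
    targets=$(patch_targets "$patchfile")
    [ -n "$targets" ] || return 1
    for level in 0 1 2 3; do
        ok=1
        for t in $targets; do
            rel=$(strip_components "$t" "$level") && [ -f "$srcdir/$rel" ] || { ok=0; break; }
        done
        if [ "$ok" -eq 1 ]; then echo "$level"; return 0; fi
    done
    return 1
}

# Constructed sample: a git-style patch and two hypothetical source layouts.
demo() {
    work=$(mktemp -d)
    printf '%s\n' '--- a/package.json' '+++ b/package.json' > "$work/sample.patch"
    mkdir -p "$work/flat" "$work/moved/subdir"
    : > "$work/flat/package.json"
    : > "$work/moved/subdir/package.json"
    echo "flat:  $(find_strip_level "$work/sample.patch" "$work/flat" || echo none)"
    echo "moved: $(find_strip_level "$work/sample.patch" "$work/moved" || echo none)"
    rm -rf "$work"
}
demo
```

A result of `none` against the real source tree means no strip level will help and the patch has to be regenerated or retired; retiring a CVE patch should follow a check that the resolved dependency version in the new source already carries the fix.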

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Nov 3, 2025
@octo-sts octo-sts bot closed this Nov 4, 2025
octo-sts bot commented Nov 4, 2025

superseded by #70996

@octo-sts octo-sts bot deleted the wolfictl-98f2f77c-e3a5-4e60-8108-b2813a5e7fa4 branch November 5, 2025 00:03