Conversation

@octo-sts octo-sts bot commented Nov 4, 2025

@octo-sts octo-sts bot added request-version-update request for a newer version of a package automated pr grafana-image-renderer P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Nov 4, 2025
octo-sts bot commented Nov 4, 2025

🩹 Build Failed: Patch Application Failed

can't find file to patch at input line 5
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:


|diff --git a/package.json b/package.json
|index 8579230..5c5e282 100644
|--- a/package.json
|+++ b/package.json

File to patch:

Build Details

Build System: melange
Failure Point: patch step attempting to apply bump-axios-CVE-2025-58754.patch

Root Cause Analysis 🔍

The patch file 'bump-axios-CVE-2025-58754.patch' cannot locate the target file 'package.json' to apply changes. This suggests either the patch was created with incorrect path structure, the working directory is wrong, or the file structure in the source differs from what the patch expects. The patch is trying to modify package.json but the file cannot be found at the expected location.
🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: grafana-image-renderer.yaml

  • Remove at lines 32-35 (pipeline section)
    Original:
      - uses: patch
        with:
          patches: |
            bump-axios-CVE-2025-58754.patch
    Content:
      Remove the patch step that is failing to apply

  • Add at line 37 (before yarn install)
    Original:
      - runs: |
          npm pkg set resolutions.on-headers=1.1.0
    Replacement:
      - runs: |
          npm pkg set resolutions.axios=1.7.9
          npm pkg set resolutions.on-headers=1.1.0
    Content:
      Add axios version resolution to address CVE-2025-58754 directly via package.json resolutions

Analysis

The similar fix shows a pattern where patch application fails due to incorrect path resolution or outdated patches. In the protobuf-c example, the fix involved removing the problematic patch entirely and updating to a newer version where the patch was no longer needed. This suggests that when patches can't find their target files, it's often because the upstream code has changed structure or the patch is targeting files that no longer exist or have moved.

Explanation

The patch is failing because it cannot locate the package.json file, likely due to the patch being created with incorrect path structure or the file structure changing in the newer version (5.0.4). Instead of applying a patch, we can achieve the same security fix by using npm's resolutions feature to force a specific version of axios that addresses CVE-2025-58754. This approach is more reliable because it works regardless of the file structure and is a standard way to handle dependency version pinning in Node.js projects. The resolutions field in package.json allows us to override transitive dependency versions, which is exactly what the patch was trying to accomplish.

Alternative Approaches

  • Create a new patch file with the correct path structure by examining the actual repository structure at the checkout location
  • Use the patch step with a different strip level (e.g., -p0 or -p2) by adding strip parameter to the patch configuration
  • Apply the axios version update using a sed command or similar text manipulation in the runs section instead of using patch

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Nov 4, 2025
@octo-sts octo-sts bot closed this Nov 4, 2025
octo-sts bot commented Nov 4, 2025

superseded by #71012

@octo-sts octo-sts bot deleted the wolfictl-64fb1c61-4792-46f2-8ab3-5db4960f5304 branch November 5, 2025 00:03