Conversation

@octo-sts octo-sts bot (Contributor) commented Nov 5, 2025

@octo-sts octo-sts bot added request-version-update request for a newer version of a package automated pr grafana-image-renderer P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Nov 5, 2025
@octo-sts octo-sts bot (Contributor, Author) commented Nov 5, 2025

🩹 Build Failed: Patch Application Failed

can't find file to patch at input line 5
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:


|diff --git a/package.json b/package.json
|index 8579230..5c5e282 100644
|--- a/package.json
|+++ b/package.json

File to patch:
Skip this patch? [y]
Skipping patch.
Hunk #1 ignored at 75.
1 out of 1 hunk ignored

Build Details

Category        Details
Build System    melange
Failure Point   patch step - applying bump-axios-CVE-2025-58754.patch

Root Cause Analysis 🔍

The patch file bump-axios-CVE-2025-58754.patch is trying to modify package.json but cannot locate the target file. This could be due to incorrect patch path options (-p flag), the file being in a different location than expected, or the patch being created against a different version of the source code. The patch was skipped and all hunks were ignored, causing the build pipeline to fail.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: grafana-image-renderer.yaml

  • remove at line 31-34 (pipeline section)
    Original:
  - uses: patch
    with:
      patches: |
        bump-axios-CVE-2025-58754.patch

Content:

Remove the patch step that is failing to apply the CVE patch

Analysis

The similar fix shows a pattern where patch application failures are resolved by removing the problematic patch entirely and updating the package version. In the protobuf-c case, the deprecated-FileDescriptorLegacy.patch was removed because it was no longer needed with the updated version (1.5.0 to 1.5.1). The patch was targeting code that had been fixed upstream in the newer version, making the patch obsolete and causing path resolution failures.


Explanation

The patch failure occurs because the bump-axios-CVE-2025-58754.patch is trying to modify package.json but cannot locate the file, indicating the patch was created for a different version or directory structure. Looking at the similar fix pattern, when patches fail due to path issues and the package has been updated (from previous versions to 5.0.7), the upstream changes likely already include the security fixes that the patch was meant to address. The CVE-2025-58754 fix for axios is likely already included in the dependencies installed by yarn/npm in version 5.0.7, making the manual patch unnecessary. Removing the patch step will allow the build to proceed with the upstream-provided security fixes.


Alternative Approaches

  • Investigate if the patch needs to be updated for the new directory structure and fix the -p flag parameter
  • Check if the axios vulnerability is already patched in the current dependency versions and confirm the patch is no longer needed
  • Move the patch file to the correct location relative to the git checkout working directory


@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Nov 5, 2025
@AmberArcadia (Member) commented:

See #71012 (comment)

@AmberArcadia (Member) commented:

This is now an outdated duplicate of #71649

@octo-sts octo-sts bot deleted the wolfictl-d72c87f8-f712-461c-bb3a-7db0ddddac85 branch November 13, 2025 00:03