@octo-sts octo-sts bot commented Aug 7, 2025

@octo-sts octo-sts bot added request-version-update request for a newer version of a package automated pr aws-cli-2 labels Aug 7, 2025

octo-sts bot commented Aug 7, 2025

🩹 Build Failed: Patch Application Failed

Hunk #1 FAILED at 14.
1 out of 1 hunk FAILED -- saving rejects to file requirements/download-deps/bootstrap-win-lock.txt.rej

Build Details

| Category | Details |
| --- | --- |
| Build System | melange |
| Failure Point | patch step - applying GHSA-5rjg-fvgr-3xxf.patch to requirements/download-deps/bootstrap-win-lock.txt |

Root Cause Analysis 🔍

The patch file GHSA-5rjg-fvgr-3xxf.patch could not be applied to the bootstrap-win-lock.txt file. The patch was expecting to find content at line 14 but the actual file content didn't match what the patch expected, causing the hunk to fail. This is likely due to the source code having changed since the patch was created, making the patch no longer compatible with the current version of the file.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: aws-cli-2.yaml

  • version_update at line 3 (package.version)
    Original:
        version: "2.28.5"
    Replacement:
        version: "2.29.0"
    Content:
        Update to version 2.29.0 which likely includes the GHSA-5rjg-fvgr-3xxf security fix

  • epoch_reset at line 4 (package.epoch)
    Original:
        epoch: 0
    Replacement:
        epoch: 0
    Content:
        Keep epoch at 0 since this is a version bump

  • commit_hash_update at line 25 (expected-commit)
    Original:
        expected-commit: 04efbdf1d52e2f13ad1e0ed3789de47dcfee6ed7
    Replacement:
        expected-commit: [new-commit-hash-for-2.29.0]
    Content:
        Update expected commit hash for the new version

  • patch_removal at line 28-30 (patch step)
    Original:
        - uses: patch
          with:
            patches: GHSA-5rjg-fvgr-3xxf.patch
    Content:
        Remove the patch step entirely since the fix should be included in the newer version

Analysis

Looking at the three similar fixes, there's a clear pattern: when patches fail to apply cleanly due to version mismatches, the most effective solution is to update to a newer version where the patch is no longer needed (because the fix is already included upstream) and remove the failing patch entirely. In Fix Example #0, they updated from 2.3.0 to 2.4.0 and regenerated requirements files. In Fix Example #1, they updated from 2.13.0 to 2.14.1 and removed the CVE patch. In Fix Example #2, they created a new package for version 4.0.0. The common thread is that newer upstream versions often include security fixes that make separate patches unnecessary.

Explanation

This fix should work because the GHSA-5rjg-fvgr-3xxf patch is failing to apply to the bootstrap-win-lock.txt file, indicating that the file content has changed since the patch was created. This is a common scenario when security patches are created for older versions but the current source code has evolved. By updating to a newer version (2.29.0), we're likely getting a version where the security vulnerability has already been fixed upstream, making the separate patch unnecessary. This approach is consistent with Wolfi's guiding principle of keeping packages up to date with upstream releases. The pattern from the similar fixes shows that removing the failing patch and updating the version is the most reliable solution, as it eliminates the patch compatibility issue entirely while still addressing the security concern through the upstream fix.

Alternative Approaches

  • Regenerate the patch file for the current version by manually applying the security fix to the bootstrap-win-lock.txt file and creating a new patch
  • Check if there's an even newer version (2.30.x or later) that might be available
  • Investigate whether the security fix can be applied through a different mechanism, such as modifying the configure step or build process
  • Create a custom patch that targets the exact line numbers and content in the current version of the file

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Aug 7, 2025
@octo-sts octo-sts bot closed this Aug 8, 2025

octo-sts bot commented Aug 8, 2025

superseded by #62060

@octo-sts octo-sts bot deleted the wolfictl-90e9afc1-d85a-4b26-96c4-efb8033d7738 branch August 9, 2025 00:02