
Conversation

@octo-sts octo-sts bot (Contributor) commented Oct 28, 2025

@octo-sts octo-sts bot added the labels request-version-update (request for a newer version of a package), automated pr, prism, and P1 (this label indicates our scanning found High, Medium or Low CVEs for these packages) on Oct 28, 2025
@octo-sts octo-sts bot (Contributor, Author) commented Oct 28, 2025

🩹 Build Failed: Patch Application Failed

Hunk #1 FAILED at 23. 1 out of 1 hunk FAILED -- saving rejects to file package.json.rej

Build Details

  Category        Details
  Build System    melange
  Failure Point   patch step - applying CVE-2025-1302.patch to package.json

Root Cause Analysis 🔍

The patch CVE-2025-1302.patch could not be applied to package.json because the target code at line 23 does not match what the patch expects. This typically occurs when the patch was created against a different version of the file, or the file has been modified since the patch was created.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: prism.yaml

  • version_update at line 3 (package.version)
    Original:
      version: "5.14.3"
    Replacement:
      version: "5.15.0"
    Content: Update package version to latest release where CVE-2025-1302 is likely already fixed

  • commit_update at line 24 (pipeline git-checkout expected-commit)
    Original:
      expected-commit: 1c36ecc5bd637d83d5f6590a0e7bcdbd3c6e52e3
    Replacement:
      expected-commit: [commit_hash_for_v5.15.0]
    Content: Update expected commit hash to match v5.15.0 tag (needs to be obtained from upstream repository)

  • patch_removal at line 27-29 (pipeline patch step)
    Original:
      - uses: patch
        with:
          patches: CVE-2025-1302.patch
    Content: Remove the patch step entirely since the CVE should be fixed in the newer version

File: CVE-2025-1302.patch

  • file_deletion (entire file)
    Original: [entire patch file]
    Content: Delete the patch file since it's no longer needed with the updated version

Analysis

The similar fixes show a consistent pattern: when patches fail to apply due to version mismatches, the solution is to update the package to a newer version where the CVE has already been fixed upstream, and remove the incompatible patch. In all three examples, the fix involved: 1) Bumping the package version to a newer release, 2) Updating the expected-commit hash to match the new version, 3) Removing the failing patch file entirely, and 4) Deleting the patch reference from the YAML configuration. This approach leverages Wolfi's principle of keeping packages up-to-date with upstream releases where security fixes are often already included.

Explanation

This fix addresses the root cause by updating to a newer version where CVE-2025-1302 has likely been resolved upstream. The patch is failing because it was created for version 5.14.3, but the package.json structure has changed. Following the established pattern from similar fixes, updating to version 5.15.0 (or the latest available) should include the security fix natively. This approach aligns with Wolfi's principle of using the latest upstream versions and eliminates the need for manual patching. The expected-commit hash must be updated to match the new version tag to ensure build reproducibility.

Alternative Approaches

  • If version 5.15.0 doesn't exist or doesn't contain the CVE fix, recreate the patch file against the current version by examining the actual package.json structure at line 23 and adjusting the patch context accordingly
  • Apply the security fix directly in the runs section using npm/yarn commands to modify package.json dependencies, similar to how other CVE fixes are handled in the existing pipeline
  • Check if the CVE can be resolved through the existing resolutions mechanism already used for other CVEs in the runs section

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
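The "Hunk #1 FAILED at 23" line in the bot's comment above is patch(1) reporting that the hunk's context and removed lines did not equal the file at the stated line. As an added example (not part of the octo-sts comment and not Wolfi's or melange's own tooling), the following unified-diff applier reproduces that failure mode on constructed inputs: a package.json stand-in, a CVE-backport-style hunk that bumps one dependency, and two drifted copies of the file, one where upstream inserted a line above the target (the hunk still applies with an offset, as patch(1) would also do) and one where upstream already bumped the dependency (no context match anywhere, so the hunk is rejected and a fresh patch or a version bump is needed). The file contents, dependency names and the hunk are all made up for illustration, and the hunk here starts at line 11 rather than the page's line 23; none of it is the real prism package.json or the real CVE-2025-1302.patch.

```python
"""Added example: a minimal unified-diff hunk applier that reproduces the
'Hunk #1 FAILED at <line>' failure mode. Every input below is constructed for
illustration; none of it is the real prism package.json or CVE-2025-1302.patch."""
import re

HUNK_HEADER = re.compile(r"^@@ -(\d+)(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def parse_hunks(patch_text):
    """Return [(old_start, [(tag, text), ...])] per @@ hunk; tag is ' ', '-' or '+'.
    The ---/+++ file headers precede the first @@ and are ignored."""
    hunks = []
    for line in patch_text.splitlines():
        m = HUNK_HEADER.match(line)
        if m:
            hunks.append((int(m.group(1)), []))
        elif hunks and line[:1] in (" ", "-", "+"):
            hunks[-1][1].append((line[0], line[1:]))
    return hunks


def apply_patch(file_text, patch_text, max_offset=0):
    """Apply hunks the way patch(1) does: the context and '-' lines must equal the
    file at the hunk's start line (adjusted for earlier hunks). With max_offset > 0
    a hunk may also land up to that many lines away, reported as '(offset N lines)'.
    Returns (new_text, report_lines, rejected_hunks)."""
    lines = file_text.splitlines()
    report, rejects, drift = [], [], 0
    for n, (old_start, hunk) in enumerate(parse_hunks(patch_text), 1):
        old = [text for tag, text in hunk if tag in (" ", "-")]
        new = [text for tag, text in hunk if tag in (" ", "+")]
        want = old_start - 1 + drift
        found = None
        for off in range(max_offset + 1):
            for cand in ([want] if off == 0 else [want - off, want + off]):
                if cand >= 0 and lines[cand:cand + len(old)] == old:
                    found = cand
                    break
            if found is not None:
                break
        if found is None:  # patch(1) saves the unapplied hunk to <file>.rej and goes on
            report.append(f"Hunk #{n} FAILED at {old_start}")
            rejects.append((old_start, hunk))
            continue
        lines[found:found + len(old)] = new
        msg = f"Hunk #{n} succeeded at {found + 1}"
        if found != want:
            unit = "line" if abs(found - want) == 1 else "lines"
            msg += f" (offset {found - want} {unit})"
        report.append(msg)
        drift += len(new) - len(old)
    return "\n".join(lines) + "\n", report, rejects


# Constructed stand-in for the package.json the patch was written against.
PACKAGE_JSON_5_14_3 = """\
{
  "name": "example-app",
  "version": "5.14.3",
  "devDependencies": {
    "jest": "29.7.0",
    "typescript": "5.4.5"
  },
  "dependencies": {
    "a-lib": "1.0.0",
    "b-lib": "2.0.0",
    "c-lib": "3.0.0",
    "d-lib": "4.0.0",
    "e-lib": "5.0.0",
    "vulnerable-lib": "1.2.3",
    "f-lib": "6.0.0"
  }
}
"""
# Same file after upstream added one devDependency: every later line moved down one.
PACKAGE_JSON_MOVED = PACKAGE_JSON_5_14_3.replace(
    '    "jest": "29.7.0",\n', '    "eslint": "9.0.0",\n    "jest": "29.7.0",\n')
# Same file after upstream already bumped the dependency: the '-' line no longer exists.
PACKAGE_JSON_ALREADY_FIXED = PACKAGE_JSON_5_14_3.replace('"1.2.3"', '"1.2.4"')

# Constructed patch in the style of a CVE backport: bump one dependency, 3 lines of context.
CVE_PATCH = """\
--- a/package.json
+++ b/package.json
@@ -11,7 +11,7 @@
     "c-lib": "3.0.0",
     "d-lib": "4.0.0",
     "e-lib": "5.0.0",
-    "vulnerable-lib": "1.2.3",
+    "vulnerable-lib": "1.2.4",
     "f-lib": "6.0.0"
   }
 }
"""

if __name__ == "__main__":
    for text in (PACKAGE_JSON_5_14_3, PACKAGE_JSON_MOVED, PACKAGE_JSON_ALREADY_FIXED):
        print(apply_patch(text, CVE_PATCH, max_offset=3)[1])
```

Running the module prints one report per file: the original applies cleanly at line 11, the moved file fails with max_offset=0 but succeeds at line 12 with an offset, and the already-fixed file fails at any offset because the '-' line is gone. That last case is the one the comment's suggested fix addresses: when upstream has already changed the target, the right move is to drop the backport rather than force it on.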

@octo-sts octo-sts bot added the ai/skip-comment (Stop AI from commenting on PR) label Oct 28, 2025
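The four-step fix the bot's comment lays out (bump the version, re-pin expected-commit, drop the patch step, delete the patch file) is mechanical, and the one value that has to come from outside the repo is the commit the new tag points at. The following is an added example, not the bot's output and not Wolfi's own tooling: it performs the YAML edits line by line on a constructed prism.yaml fragment laid out like the lines the comment quotes, refuses anything but a full SHA-1 for the pin, and returns the patch names it removed so the caller knows which files to delete. The upstream repository URL in the fragment and in resolve_tag_commit is an assumption, not something this page states, and the commit used in the demo is a placeholder.

```python
"""Added example: the bump-version / re-pin-commit / drop-patch-step edits on a
melange YAML, done line by line. The prism.yaml fragment is constructed and the
upstream repository URL is an assumption; neither is taken from the Wolfi repo."""
import re
import subprocess

# Constructed fragment laid out like the lines the bot's suggestion quotes
# (version under package:, expected-commit under the git-checkout step, one
# patch step). The repository URL is assumed, not read from the real prism.yaml.
SAMPLE_PRISM_YAML = """\
package:
  name: prism
  version: "5.14.3"
  epoch: 0
pipeline:
  - uses: git-checkout
    with:
      repository: https://github.com/stoplightio/prism
      tag: v${{package.version}}
      expected-commit: 1c36ecc5bd637d83d5f6590a0e7bcdbd3c6e52e3
  - uses: patch
    with:
      patches: CVE-2025-1302.patch
  - runs: |
      npm ci
update:
  enabled: true
"""

FULL_SHA1 = re.compile(r"[0-9a-f]{40}")


def resolve_tag_commit(repo_url, tag):
    """Ask the upstream remote which commit a tag points at (needs network, so it
    is not exercised in the offline demo). The ^{} form dereferences an annotated
    tag to its commit; prefer it over the tag object's own hash when both appear."""
    out = subprocess.run(
        ["git", "ls-remote", "--tags", repo_url, f"refs/tags/{tag}", f"refs/tags/{tag}^{{}}"],
        check=True, capture_output=True, text=True).stdout
    found = {}
    for line in out.splitlines():
        sha, ref = line.split("\t", 1)
        found["deref" if ref.endswith("^{}") else "plain"] = sha
    return found.get("deref") or found["plain"]


def bump_melange_yaml(text, new_version, commit):
    """Rewrite the first version: and expected-commit: keys, remove every
    '- uses: patch' step together with its more-indented with:/patches: block,
    and return (new_text, removed_patch_names). Only a full 40-hex SHA-1 is
    accepted so the pin is a commit, not a tag name or an abbreviated hash."""
    if not FULL_SHA1.fullmatch(commit):
        raise ValueError(f"expected-commit must be a 40-hex-digit SHA-1, got {commit!r}")
    out, removed = [], []
    skip_indent = None  # indent of the '- uses: patch' line currently being dropped
    version_done = commit_done = False
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        if skip_indent is not None and indent > skip_indent:
            m = re.match(r"\s*patches:\s*(.*)", line)  # inline 'patches: a.patch b.patch' only
            if m:
                removed.extend(m.group(1).split())
            continue  # still inside the patch step
        skip_indent = None
        if re.fullmatch(r"\s*- uses: patch\s*", line):
            skip_indent = indent
            continue
        if not version_done and re.match(r"\s*version: ", line):
            line = re.sub(r"version: .*", f'version: "{new_version}"', line)
            version_done = True
        elif not commit_done and re.match(r"\s*expected-commit: ", line):
            line = re.sub(r"expected-commit: .*", f"expected-commit: {commit}", line)
            commit_done = True
        out.append(line)
    if not (version_done and commit_done):
        raise ValueError("version: or expected-commit: key not found")
    return "\n".join(out) + "\n", removed


if __name__ == "__main__":
    # Online: commit = resolve_tag_commit("https://github.com/stoplightio/prism", "v5.15.0")
    demo_commit = "0123456789abcdef0123456789abcdef01234567"  # placeholder, not a real hash
    new_yaml, dropped = bump_melange_yaml(SAMPLE_PRISM_YAML, "5.15.0", demo_commit)
    print(new_yaml)
    print("delete after confirming the fix is in the new release:", dropped)
```

Before deleting the patch file, confirm the new release actually contains the fix the patch carried (the comment only says it is "likely" fixed); if it does not, the patch has to be regenerated against the new package.json instead of dropped.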
@debasishbsws debasishbsws self-assigned this Oct 31, 2025
@octo-sts octo-sts bot added the bincapz/pass (Bincapz, aka malcontent, scan didn't detect any CRITICALs on the scanned packages) label Oct 31, 2025
@debasishbsws debasishbsws force-pushed the wolfictl-748e68cc-169a-4153-b3fd-93071d1821e0 branch from b538abc to b1fe88e Compare October 31, 2025 09:58
@debasishbsws debasishbsws requested a review from a team November 4, 2025 07:41
@aborrero aborrero (Member) left a comment

LGTM.

@aborrero aborrero merged commit 4db21f3 into main Nov 4, 2025
25 checks passed
@aborrero aborrero deleted the wolfictl-748e68cc-169a-4153-b3fd-93071d1821e0 branch November 4, 2025 09:50

Labels

ai/skip-comment (Stop AI from commenting on PR), automated pr, bincapz/pass (Bincapz, aka malcontent, scan didn't detect any CRITICALs on the scanned packages), manual/review-needed, P1 (this label indicates our scanning found High, Medium or Low CVEs for these packages), prism, request-version-update (request for a newer version of a package)

4 participants