Skip to content

code-server/4.101.1 package update #57174

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
OddBloke merged 5 commits into from
Jun 24, 2025
Merged

code-server/4.101.1 package update #57174

OddBloke merged 5 commits into from
Jun 24, 2025

Conversation

@octo-sts
Copy link
Contributor

@octo-sts octo-sts bot commented Jun 21, 2025

@wolfi-bot
code-server/4.101.1 package update
556b5ee 
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
@octo-sts octo-sts bot added request-version-update request for a newer version of a package automated pr code-server labels Jun 21, 2025
@octo-sts octo-sts bot mentioned this pull request Jun 21, 2025
Closed
@octo-sts
Copy link
Contributor Author

octo-sts bot commented Jun 21, 2025

🩹 Build Failed: Patch Application Failed

Failed to apply patch fix-GHSA-v6h2-p8h4-qcjw.patch - Reversed (or previously applied) patch detected!

Build Details

Category Details
Build System melange
Failure Point patch '-p1' --fuzz=2 --verbose <fix-GHSA-v6h2-p8h4-qcjw.patch

Root Cause Analysis 🔍

The patch 'fix-GHSA-v6h2-p8h4-qcjw.patch' could not be applied because it appears to have been reversed or previously applied. The patch was attempting to modify package-lock.json, but the system detected a conflict and skipped applying it, resulting in a build failure.

🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: code-server.yaml

  • modify at line 47-48 (pipeline section - patch step)
    Original:
  - uses: patch
    with:
      patches: node-memory.patch GHSA-pq67-2wwv-3xjx.patch fix-CVE-2025-47279.patch fix-GHSA-v6h2-p8h4-qcjw.patch

Replacement:

  - uses: patch
    with:
      patches: node-memory.patch GHSA-pq67-2wwv-3xjx.patch fix-CVE-2025-47279.patch
Click to expand fix analysis

Analysis

Based on the similar fixed build failures, I observe that "Reversed (or previously applied) patch detected!" errors typically occur when:

  1. A patch file is trying to be applied but the changes have already been incorporated into the source code
  2. The patch doesn't match the current state of the codebase (possibly due to version upgrades)
  3. The source code has changed since the patch was created

In both example fixes, the resolution involved either:

  • Removing patch files that were no longer needed after a version upgrade (libarchive example)
  • Creating a new YAML file with updated version information and dependencies (argo-cd example)

The current error is specifically with the "fix-GHSA-v6h2-p8h4-qcjw.patch" file, which appears to be a security patch for a GitHub Security Advisory. The error indicates the patch either was already applied upstream or is no longer applicable to the current version of the code.

Click to expand fix explanation

Explanation

The suggested fix removes the problematic patch file "fix-GHSA-v6h2-p8h4-qcjw.patch" from the list of patches to be applied. This should resolve the build failure.

The error message "Reversed (or previously applied) patch detected!" indicates that the changes in this security patch have likely already been incorporated into the upstream code-server version 4.101.1. This is common when upgrading to newer versions of packages, as security fixes are often integrated into the main codebase by the upstream developers.

The fact that the error specifically mentions a conflict with package-lock.json suggests that dependency changes from the security fix are already present in the newer version. This is particularly likely given that the current version is a recent release (4.101.1) and the GitHub Security Advisory (GHSA) patch was likely created for an earlier version.

By removing the patch from the list, we're acknowledging that those security fixes are already part of the codebase and don't need to be applied again. The build should proceed normally after this change.

Click to expand alternative approaches

Alternative Approaches

  • Inspect the fix-GHSA-v6h2-p8h4-qcjw.patch file and update it to match the current state of the codebase (create a new patch that applies cleanly)
  • Apply the patch with the -R flag to reverse it (if it was applied in reverse), but this is less likely to be the correct approach
  • Look up the specific GHSA (GitHub Security Advisory) vulnerability and verify it's fixed in the current version before removing the patch
  • Add a conditional patch application step that first checks if the patch needs to be applied

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jun 21, 2025
@developer-guy
try without patches
184bfea 
Signed-off-by: Batuhan Apaydin <batuhan.apaydin@chainguard.dev>
@developer-guy
Copy link
Member

developer-guy commented Jun 22, 2025 

WARN 🔗 [19:13:49] 'vscode-reh-web-linux-x64-min' errored after 2.33 min pkg=code-server arch=amd64
WARN 🔗 [19:13:49] Error [ERR_WORKER_OUT_OF_MEMORY]: Worker terminated due to reaching memory limit: JS heap out of memory pkg=code-server arch=amd64
WARN 🔗     at [kOnExit] (node:internal/worker:320:26) pkg=code-server arch=amd64
WARN 🔗     at Worker.<computed>.onexit (node:internal/worker:230:20) pkg=code-server arch=amd64
WARN 🔗     at Worker.callbackTrampoline (node:internal/async_hooks:130:17) pkg=code-server arch=amd64

@debasishbsws debasishbsws self-assigned this Jun 23, 2025
@debasishbsws
Get Back the patches we need and use nodejs22
09da731 
ERROR: code-server currently requires node v22.
Signed-off-by: Debasish Biswas <debasishbsws.dev@gmail.com>
@debasishbsws
Yam lint
e3a57a3 
Signed-off-by: Debasish Biswas <debasishbsws.dev@gmail.com>
@octo-sts octo-sts bot added bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. manual/review-needed labels Jun 24, 2025
@debasishbsws debasishbsws requested a review from a team June 24, 2025 14:42
@OddBloke OddBloke merged commit e148151 into main Jun 24, 2025
18 checks passed
@OddBloke OddBloke deleted the wolfictl-ce18d263-3210-4500-8674-eaeae51222a2 branch June 24, 2025 17:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@OddBloke OddBloke OddBloke approved these changes

Assignees

@debasishbsws debasishbsws

Labels

ai/skip-comment Stop AI from commenting on PR automated pr bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. code-server manual/review-needed request-version-update request for a newer version of a package

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@developer-guy @OddBloke @debasishbsws @wolfi-bot @AmberArcadia