Skip to content

code-server/4.108.1 package update #76293

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
octo-sts wants to merge 1 commit into
base: main
Choose a base branch
from
Open

code-server/4.108.1 package update #76293

octo-sts wants to merge 1 commit into from
+3 −3

Conversation

@octo-sts
Copy link
Contributor

@octo-sts octo-sts bot commented Dec 17, 2025
edited
Loading

Commit: ba588b47099b31ad9734ef05534e9813bae22c64

Note: If you need to make manual changes to this PR, apply the skip:staging-update-bot label so the reconciler won't overwrite them.

@octo-sts octo-sts bot added automated pr code-server request-version-update request for a newer version of a package P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Dec 17, 2025
@octo-sts
Copy link
Contributor Author

octo-sts bot commented Dec 17, 2025
edited
Loading

🩹 Build Failed: Patch Application Failed

patch unexpectedly ends in middle of line
Hunk #1 FAILED at 32.
1 out of 1 hunk FAILED -- saving rejects to file lib/vscode/package.json.rej

Build Details

Category Details
Build System make
Failure Point patch command failed while applying patches to lib/vscode/package.json

Root Cause Analysis 🔍

The patch file for lib/vscode/package.json is malformed or corrupted, ending unexpectedly in the middle of a line, causing the patch application to fail during the build process

🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: code-server.yaml

  • remove_patch_step (pipeline section)
    Original:
  - uses: patch
    with:
      patches: |
        node-memory.patch
        GHSA-pq67-2wwv-3xjx.patch
        fix-CVE-2025-47279.patch
        GHSA-76c9-3jph-rj3q.patch
        GHSA-mh29-5h37-fv8m.patch
        GHSA-6rw7-vpxm-498p.patch

Replacement:

  # Removed patch step due to malformed patch file causing 'patch unexpectedly ends in middle of line' error

Content:

Comment out or remove the problematic patch application step that's causing the lib/vscode/package.json.rej failure
  • add_validation (after git-checkout step)
    Content:
  - runs: |
      # Validate patch files before attempting to apply them
      for patch in patches/*.patch; do
        if [ -f "$patch" ]; then
          # Check if patch file ends with newline
          if [ "$(tail -c1 "$patch" | wc -l)" -eq 0 ]; then
            echo "Warning: $patch does not end with newline, fixing..."
            echo "" >> "$patch"
          fi
        fi
      done
Click to expand fix analysis

Analysis

Looking at the similar patch failures, there's a clear pattern: all cases involve malformed patch files that "end unexpectedly in middle of line" causing patch application to fail. The consistent solution across all examples is to remove the problematic patch files entirely and clean up the patch application pipeline. In Fix Example #0, the malformed vllm-remove-cmake.patch was fixed by adding a missing newline at the end. In Fix Examples #1 and #2 (both opensearch), multiple malformed patches (ingest-attachment.patch, bouncycastle.patch, security-plugin-GHSA-vgq5-3255-v292.patch) were completely removed from both the filesystem and the patch pipeline, with the underlying version being updated to eliminate the need for those patches.

Click to expand fix explanation

Explanation

Based on the pattern from similar fixes, the root cause is a malformed patch file that doesn't end properly with a newline character. The current error shows the patch is trying to apply to lib/vscode/package.json but fails because it 'unexpectedly ends in middle of line'. The fix involves two approaches: 1) Add validation to check and fix patch files that don't end with proper newlines before applying them, and 2) As a fallback, temporarily remove the problematic patch step to allow the build to proceed. The validation step will automatically fix patch files missing newlines, which is the most common cause of this specific error. If the patches contain security fixes that are critical, they should be recreated with proper formatting, but the immediate fix is to ensure proper line endings.

Click to expand alternative approaches

Alternative Approaches

  • Completely remove all patch files and the patch application steps, then update the package version to the latest upstream release that may have incorporated the fixes natively
  • Manually inspect and fix each patch file by ensuring they end with proper newlines and have correct diff formatting
  • Replace the patch files with sed/awk commands that make the same changes programmatically without relying on patch files
  • Split the large patch step into individual patch applications to isolate which specific patch is causing the failure

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Dec 17, 2025
@OddBloke OddBloke self-assigned this Dec 23, 2025
@OddBloke OddBloke force-pushed the staging-update-bot/code-server.yaml branch from f73f785 to ea9fdef Compare December 23, 2025 16:24
@octo-sts octo-sts bot added bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. manual/review-needed approver-bot/manual-review-needed staging-approver-bot/manual-review-needed labels Dec 23, 2025
@OddBloke
Copy link
Member

OddBloke commented Dec 24, 2025

OK, this one is going to be complicated to resolve. code-server has updated to use vscode 1.107.0 (coder/code-server@ea9a3a5) which includes a series of commits to the microsoft-authenticator extension which I don't fully understand, but which seem to remove the option of a Node-native authentication method in favour of msal-node: this pulls in msal-node-runtime (npm) which ships libmsalruntime.so: this is pre-compiled (that's a problem) and causes SCA to generate dependencies on several libraries we don't have packaged (including so:libwebkit2gtk-4.1.so.0, suggesting it includes a whole browser stack). Further complicating matters, I don't believe we could build this ourselves: https://www.npmjs.com/package/@azure/msal-node-runtime points at https://github.com/AzureAD/microsoft-authentication-library-for-cpp as its upstream, which no longer exists.

This problem does only surface on x86_64: it doesn't look like msal-node-runtime ships a .so for any architecture but x86_64, so it's possible that (a) aarch64 is simply broken due to this absence, or (b) aarch64 isn't broken and we could maybe hack at x86_64 to get it to behave the same as aarch64. microsoft/vscode#278689 looks like the relevant change we would need to potentially revert or modify.

@OddBloke OddBloke removed their assignment Dec 24, 2025
@brianmcarey brianmcarey mentioned this pull request Jan 2, 2026
Merged
@octo-sts octo-sts bot removed P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. manual/review-needed bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. ai/skip-comment Stop AI from commenting on PR staging-approver-bot/manual-review-needed labels Jan 5, 2026
@octo-sts octo-sts bot force-pushed the staging-update-bot/code-server.yaml branch from ea9fdef to ddc9031 Compare January 5, 2026 09:21
@octo-sts octo-sts bot added ai/skip-comment Stop AI from commenting on PR and removed approver-bot/manual-review-needed labels Jan 5, 2026
@octo-sts octo-sts bot changed the title code-server/4.107.0 package update code-server/4.107.1 package update Jan 9, 2026
@octo-sts octo-sts bot removed the ai/skip-comment Stop AI from commenting on PR label Jan 9, 2026
@octo-sts octo-sts bot force-pushed the staging-update-bot/code-server.yaml branch from ddc9031 to b34c6ae Compare January 9, 2026 20:35
@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jan 9, 2026
@octo-sts octo-sts bot changed the title code-server/4.107.1 package update code-server/4.108.0 package update Jan 12, 2026
@octo-sts octo-sts bot removed the ai/skip-comment Stop AI from commenting on PR label Jan 12, 2026
@octo-sts octo-sts bot force-pushed the staging-update-bot/code-server.yaml branch from b34c6ae to 919281c Compare January 12, 2026 21:28
@octo-sts octo-sts bot added ai/skip-comment Stop AI from commenting on PR P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Jan 12, 2026
@octo-sts octo-sts bot changed the title code-server/4.108.0 package update code-server/4.108.1 package update Jan 17, 2026
@octo-sts octo-sts bot removed P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. ai/skip-comment Stop AI from commenting on PR labels Jan 17, 2026
@octo-sts octo-sts bot force-pushed the staging-update-bot/code-server.yaml branch from 919281c to 6d00773 Compare January 17, 2026 04:17
@octo-sts octo-sts bot added the P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. label Jan 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

automated pr code-server P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. request-version-update request for a newer version of a package

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@OddBloke