diff --git a/pkgs/tools/graphics/graphviz/base.nix b/pkgs/tools/graphics/graphviz/base.nix
index cd2302efd16..700bed237bd 100644
--- a/pkgs/tools/graphics/graphviz/base.nix
+++ b/pkgs/tools/graphics/graphviz/base.nix
@@ -7,7 +7,7 @@
 assert stdenv.isDarwin -> ApplicationServices != null;
 
 let
-  inherit (stdenv.lib) optionals optionalString;
+  inherit (stdenv.lib) optional optionals optionalString;
   raw_patch =
     # https://gitlab.com/graphviz/graphviz/issues/1367 CVE-2018-10196
     fetchpatch {
@@ -17,11 +17,13 @@ let
       excludes = ["tests/*"]; # we don't run them and they don't apply
     };
   # the patch needs a small adaption for older versions
-  patch = if stdenv.lib.versionAtLeast version "2.37" then raw_patch else
+  patchToUse = if stdenv.lib.versionAtLeast version "2.37" then raw_patch else
   stdenv.mkDerivation {
     inherit (raw_patch) name;
     buildCommand = "sed s/dot_root/agroot/g ${raw_patch} > $out";
   };
+  # 2.42 has the patch included
+  patches = optional (stdenv.lib.versionOlder version "2.42") patchToUse;
 in
 
 stdenv.mkDerivation {
@@ -52,9 +54,7 @@ stdenv.mkDerivation {
     "--with-ltdl-include=${libtool}/include"
   ] ++ stdenv.lib.optional (xorg == null) [ "--without-x" ];
 
-  patches = [
-    patch
-  ];
+  inherit patches;
 
   postPatch = ''
     for f in $(find . -name Makefile.in); do
diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix
index 7249a6cdaad..c79fe3aaf4d 100644
--- a/pkgs/tools/graphics/graphviz/default.nix
+++ b/pkgs/tools/graphics/graphviz/default.nix
@@ -1,5 +1,5 @@
 import ./base.nix rec {
-  rev = "67cd2e5121379a38e0801cc05cce5033f8a2a609";
-  version = "2.40.1";
-  sha256 = "1xjqq3g2n6jgwp5xzyvibgrxawlskkpam69fjjz9ksrrjas2qwzj";
+  rev = "da4c2ec6f24ca1b6d1752c6b5bc4389e55682147"; # use rev as tags have disappeared before
+  version = "2.42.2";
+  sha256 = "0lacl11amyvj04j78m63qifljl4c0nkyy50z4bkg8mg9j4hjdy0x";
  }