[Snyk] Security upgrade github-pages from 117 to 118#47
Conversation
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-RUBY-FARADAY-15253521
Pull request overview
This is an automated security upgrade PR created by Snyk to address an SSRF vulnerability (SNYK-RUBY-FARADAY-15253521) in the Faraday gem. The PR upgrades the github-pages gem dependency used for the Jekyll-based documentation site.
Changes:
- Updates Gemfile to specify `github-pages >= 118` instead of an unversioned dependency
- Updates Gemfile.lock with resolved dependencies, installing github-pages version 232 (not 118 as the title suggests) and upgrading numerous transitive dependencies including the vulnerable Faraday gem from 0.11.0 to 2.14.1
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| Gemfile | Adds version constraint >= 118 to github-pages gem |
| Gemfile.lock | Updates all Jekyll and related dependencies to latest versions compatible with github-pages 232, including security fix for Faraday SSRF vulnerability |
| @@ -1,3 +1,3 @@ | |||
| source "https://rubygems.org" | |||
| gem 'github-pages', group: :jekyll_plugins | |||
| gem 'github-pages', '>= 118', group: :jekyll_plugins | |||
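Review bot: the constraint `'>= 118'` on the changed line has no upper bound, so the Gemfile by itself does not express the upgrade the title describes; the version actually installed is whatever Gemfile.lock resolves (232 according to the PR overview), and the next `bundle update` will float to the newest release again. If the intent is to pin to the tested release, use the pessimistic operator, e.g. `gem 'github-pages', '~> 118.0', group: :jekyll_plugins`, keeping in mind that github-pages ships whole-number versions, so `~> 118.0` admits only 118. Whichever constraint is chosen, confirm in Gemfile.lock (not shown in this review) that it resolves to a faraday version Snyk reports as fixed for SNYK-RUBY-FARADAY-15253521, and consider running CI with `BUNDLE_FROZEN=true` so a Gemfile/lockfile mismatch fails the build instead of silently re-resolving.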
The version constraint >= 118 allows Bundler to install version 232 (the latest available), not just version 118 as the PR title suggests. This introduces major version changes across many dependencies including activesupport (4.2.7 → 7.2.3), kramdown (1.11.1 → 2.4.0), and liquid (3.0.6 → 4.0.4), which may include breaking changes. While >= 118 ensures future security updates are automatically applied, it also means the actual upgrade scope is much larger than the PR description indicates. Consider whether a more specific constraint like ~> 118.0 would be more appropriate to limit the upgrade scope while still allowing patch-level security updates, or verify that the jump to version 232 has been tested and doesn't break the Jekyll documentation site.
| gem 'github-pages', '>= 118', group: :jekyll_plugins | |
| gem 'github-pages', '~> 118.0', group: :jekyll_plugins |
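To make the constraint-scope argument above concrete, here is a small Ruby script (an added example, not code from this PR, Snyk or Copilot) that uses RubyGems' own `Gem::Requirement` to show which github-pages releases `>= 118` and `~> 118.0` admit and which one a fresh resolve would pick, then parses a Gemfile.lock fragment to check the locked faraday version. The candidate version list and the lockfile fragment are constructed samples, and the `2.14.1` minimum is the version the PR description says gets installed, not the advisory's fixed range, which should be taken from the Snyk page for SNYK-RUBY-FARADAY-15253521.

```ruby
require "rubygems"

# Constructed sample of github-pages releases; the gem uses whole-number versions.
CANDIDATES = %w[117 118 119 232].freeze

# Versions from `candidates` that a Gemfile requirement string admits.
def admitted_versions(requirement, candidates = CANDIDATES)
  req = Gem::Requirement.new(requirement)
  candidates.select { |v| req.satisfied_by?(Gem::Version.new(v)) }
end

# A fresh resolve with no lockfile takes the highest admitted version,
# which is why '>= 118' ends up installing the newest release.
def resolved_version(requirement, candidates = CANDIDATES)
  admitted_versions(requirement, candidates)
    .map { |v| Gem::Version.new(v) }
    .max&.to_s
end

# Constructed Gemfile.lock fragment (not the PR's real lockfile).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      faraday (2.14.1)
        faraday-net_http (>= 2.0, < 3.5)
        json
        logger
      github-pages (232)
LOCK

# Extract "name (version)" lines from the specs section of a lockfile.
# Spec lines are indented exactly four spaces; their dependency lines use six,
# so the anchored regex ignores dependency constraints like ">= 2.0, < 3.5".
def locked_versions(lock_text)
  lock_text.each_line.with_object({}) do |line, versions|
    if (m = line.match(/\A {4}(\S+) \((\S+)\)\s*\z/))
      versions[m[1]] = m[2]
    end
  end
end

# True when the lockfile pins faraday at or above `minimum`.
# The minimum is an assumption for this example; use the advisory's fixed range.
def faraday_at_least?(lock_text, minimum)
  locked = locked_versions(lock_text)["faraday"]
  !locked.nil? && Gem::Version.new(locked) >= Gem::Version.new(minimum)
end

if __FILE__ == $PROGRAM_NAME
  [">= 118", "~> 118.0"].each do |req|
    puts "#{req.ljust(10)} admits #{admitted_versions(req).inspect}, resolves to #{resolved_version(req)}"
  end
  puts "locked faraday >= 2.14.1: #{faraday_at_least?(SAMPLE_LOCK, '2.14.1')}"
end
```

Running the script shows `>= 118` admitting 118, 119 and 232 and resolving to 232, while `~> 118.0` admits only 118. The lockfile check is the part that actually answers the security question: the Gemfile constraint limits drift, but only the locked faraday version tells you whether the SSRF fix is installed.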
Snyk has created this PR to fix 1 vulnerability in the rubygems dependencies of this project.
Snyk changed the following file(s):
- Gemfile
- Gemfile.lock
Vulnerabilities that will be fixed with an upgrade:
SNYK-RUBY-FARADAY-15253521
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Server-side Request Forgery (SSRF)