Security

About that Github message: 'We found potential security vulnerabilities in your project' and how to fix it

You may sometimes see a message like this one in your repo on Github for a github-pages site that uses Jekyll:

We found potential security vulnerabilities in your dependencies.

If you see this, here’s what to do:

Regenerating Gemfile.lock

You may be able to resolve the problem by removing Gemfile.lock and regenerating it. Doing so may update the versions of Ruby Gems to versions that have important security updates.

  1. Clone the repo to a Mac, Windows or Linux system with rvm installed (for info on installing rvm, see: /topics/running_locally_rvm/).
  2. cd into the repo and remove the file Gemfile.lock
    rm Gemfile.lock
    
  3. Run setup.sh and jekyll.sh
    ./setup.sh
    ./jekyll.sh
    
  4. Add the newly generated Gemfile.lock and commit it.
    git add Gemfile.lock
    git commit -m "update Gemfile.lock"
    git push origin master
    
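Regenerating the lockfile only helps if the vulnerable gems actually move to patched versions, so it is worth comparing the old and new Gemfile.lock before committing. The script below is an added example, not part of the original page or the site's own setup.sh; it assumes a Gemfile.lock in the standard Bundler layout and that the repo's `setup.sh` regenerates the lock as described in step 3. The sample lockfile contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: list which gems a Gemfile.lock regeneration actually bumped.

# Print "name version" for each gem pinned in the specs section of a
# Gemfile.lock. Bundler indents top-level specs by exactly four spaces;
# their dependencies (six spaces) and the DEPENDENCIES section are skipped.
lock_versions() {
  sed -n 's/^    \([A-Za-z0-9_.-]*\) (\([^)]*\))$/\1 \2/p' "$1" | sort
}

# Print "name old -> new" for every gem whose version differs between
# the two lockfiles given as arguments (old first, new second).
lock_diff() {
  old=$(mktemp); new=$(mktemp)
  lock_versions "$1" >"$old"
  lock_versions "$2" >"$new"
  join "$old" "$new" | awk '$2 != $3 { print $1, $2, "->", $3 }'
  rm -f "$old" "$new"
}

# Follow the steps above (remove Gemfile.lock, run the repo's setup.sh),
# but keep a backup so the version changes can be reviewed before committing.
# Assumes ./setup.sh exists and rebuilds Gemfile.lock, as the page describes.
regenerate_lock() {
  cp Gemfile.lock Gemfile.lock.bak
  rm Gemfile.lock
  ./setup.sh
  lock_diff Gemfile.lock.bak Gemfile.lock
}

# Constructed sample lockfiles (not from any real repo) so this runs offline.
write_samples() {
  cat >"$1" <<'EOF'
GEM
  remote: https://rubygems.org/
  specs:
    jekyll (3.8.4)
      addressable (~> 2.4)
    nokogiri (1.8.5)
      mini_portile2 (~> 2.3.0)
    rouge (3.3.0)
EOF
  cat >"$2" <<'EOF'
GEM
  remote: https://rubygems.org/
  specs:
    jekyll (3.8.5)
      addressable (~> 2.4)
    nokogiri (1.10.4)
      mini_portile2 (~> 2.4.0)
    rouge (3.3.0)
EOF
}

# Run lock_diff over the constructed samples; unchanged gems (rouge) are omitted.
demo_diff() {
  a=$(mktemp); b=$(mktemp)
  write_samples "$a" "$b"
  lock_diff "$a" "$b"
  rm -f "$a" "$b"
}
```

Run `demo_diff` to see the two bumped gems from the samples, or `regenerate_lock` inside a cloned repo to review the real changes before `git add Gemfile.lock`.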

If that doesn’t resolve the problem:

  1. Check the site https://pages.github.com/versions/ and look for the version of Ruby, e.g.
       ruby 2.5.3
    
  2. If the version is higher than the one that is in your Gemfile, setup.sh and jekyll.sh, then edit those three files. It is a good time to check the latest versions of those files here: