[fastpages] Responding to dependabot security alerts?

@hamelsmu Whenever we get alerts from GitHub’s dependabot about fastpages, e.g.:

Your Dependabot alerts for today..

activesupport vulnerability found in [Gemfile.lock](https://github.com/drscotthawley/devblog3/blob/master/Gemfile.lock)

Remediation
Upgrade activesupport to version 6.0.3.1 or later. For example:

gem "activesupport", ">= 6.0.3.1",

Is it simply a matter of manually editing the Gemfile.lock file as indicated, or would you prefer that we do it some other way, such as pulling from upstream?

EDIT: Oh no. I tried editing by hand on GitHub and seem to have broken it. The last Action shows:

Your lockfile is unreadable. Run `rm Gemfile.lock` and then `bundle install` to
generate a new lockfile.

Lockfile is here. And commit history.

EDIT 2: Following GitHub’s instructions for Pull from upstream yields fatal: refusing to merge unrelated histories. :frowning:

You should be able to just remove the lockfile.

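To apply that advice without editing Gemfile.lock by hand, here is an added example (it is not from this thread or from the fastpages project): a POSIX shell script that reads the version Bundler has pinned for a gem in a lockfile, compares it with the fixed version quoted in the alert, and notes the Bundler commands that regenerate the lock. The lockfile text is constructed for the example and the function names are the example's own. One caveat worth keeping in mind: the `gem "activesupport", ">= 6.0.3.1"` line that Dependabot suggests belongs in the Gemfile, and Bundler then rewrites Gemfile.lock from it; the lockfile itself is generated output and is not meant to be edited directly.

```shell
#!/bin/sh
# Added example, not code from the fastpages thread. Checks whether a Gemfile.lock
# still pins a gem below the version an advisory says is fixed.

# Constructed sample of the "specs:" section Bundler writes into Gemfile.lock.
# Direct gems are indented four spaces; their dependencies six.
SAMPLE_LOCK='GEM
  remote: https://rubygems.org/
  specs:
    activesupport (6.0.2.2)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 0.7, < 2)
    jekyll (4.0.0)
'

# locked_version <lockfile-contents> <gem>: prints the version pinned for <gem>
# (empty output if the gem is not in the lock).
locked_version() {
    printf '%s\n' "$1" | sed -n "s/^    $2 (\([^)]*\))\$/\1/p" | head -n 1
}

# version_ge <a> <b>: succeeds if dotted version a >= b, comparing numeric
# components left to right. Pre-release suffixes such as ".rc1" are not handled;
# the versions in a Dependabot alert are plain releases.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# needs_upgrade <lockfile-contents> <gem> <fixed-version>: succeeds only if the
# lock pins <gem> at a version below <fixed-version>.
needs_upgrade() {
    v=$(locked_version "$1" "$2")
    [ -n "$v" ] && ! version_ge "$v" "$3"
}

# Demonstration on the constructed lock, using the versions from the alert.
if needs_upgrade "$SAMPLE_LOCK" activesupport 6.0.3.1; then
    echo "activesupport $(locked_version "$SAMPLE_LOCK" activesupport) is below 6.0.3.1"
    # In the repository (not run here), let Bundler rewrite the lock instead of editing it:
    #   bundle update activesupport --conservative   # bump only this gem
    # or, the route taken in the thread:
    #   rm Gemfile.lock && bundle install             # regenerate the whole lock
else
    echo "activesupport is at or above 6.0.3.1"
fi
```

Run it against a real lock with `needs_upgrade "$(cat Gemfile.lock)" activesupport 6.0.3.1`; a zero exit status means the pin is still vulnerable and the lock should be regenerated with Bundler.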

Thanks! That did it!

Ooo, and now Hamel’s got it so you automatically get a Pull Request, and all you have to do is click on the “Merge Pull Request” button?! Awesome.