I’ve received email from GitHub with security alerts for two of my repos that use fast_template and fastpages. As the install was done automatically I am not sure how to handle that remediation action; possibly other users are in the same situation… any help will be appreciated. Thanks!
1 nokogiri vulnerability found in Gemfile.lock 11 hours ago
Remediation
Upgrade nokogiri to version 1.10.8 or later. For example:
gem "nokogiri", ">= 1.10.8"
Always verify the validity and compatibility of suggestions with your codebase.
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
The Nokogiri RubyGem has patched its vendored copy of libxml2 in order to prevent this issue from affecting nokogiri.
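A small check for the remediation above, added here as an example (not code from the thread, nbdev, or fastpages): it parses the `specs:` section of a Gemfile.lock and reports whether the locked nokogiri version is below the fixed version 1.10.8. The lockfile contents are a constructed sample in the shape Jekyll sites produce, with the 1.10.5 version the second post reports.

```ruby
# Added example: scan a Gemfile.lock for the nokogiri range flagged by the alert.

# Constructed sample of a docs/Gemfile.lock as a Jekyll site generates it.
# The nokogiri version is the one the thread reports (1.10.5).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jekyll (3.8.5)
        kramdown (~> 1.14)
      mini_portile2 (2.4.0)
      nokogiri (1.10.5)
        mini_portile2 (~> 2.4.0)
      kramdown (1.17.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    jekyll
LOCK

# Parse the "specs:" block of a Gemfile.lock into {name => Gem::Version}.
# Resolved gems are indented by exactly 4 spaces; their sub-dependencies
# (which carry constraints, not versions) by 6, so only 4-space lines count.
def locked_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    in_specs = true if line.strip == 'specs:'
    in_specs = false if line.strip.empty?   # blank line ends the section
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)\s]+)\)/))
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
  versions
end

# Apply the alert's remediation rule: nokogiri must be >= 1.10.8.
# Returns [:vulnerable | :ok | :absent, locked version string or nil].
def nokogiri_status(lockfile_text, fixed_in: '1.10.8')
  locked = locked_versions(lockfile_text)['nokogiri']
  return [:absent, nil] if locked.nil?
  status = locked < Gem::Version.new(fixed_in) ? :vulnerable : :ok
  [status, locked.to_s]
end
```

To check a real repo, pass `File.read('docs/Gemfile.lock')` to `nokogiri_status`.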
I just got an automated PR on my nbdev-playground repo that I haven’t touched in a while, with the title ‘Bump nokogiri from 1.10.5 to 1.10.8 in /docs’, and it changes the version in docs/Gemfile.lock.
So it’s a jekyll dependency, I assume, and caused by nbdev (I assume again).
Should everyone who is getting this fix it manually (or merge the PR), or will it be fixed in an nbdev update soon? Or am I getting this wrong?
As an aside, I just noticed that the automatic PR failed in CI, with a ‘git status is not clean’ error, even though it passes on master branch. Not a big deal, as I can fix the Gemfile manually or wait for an update, but any insight would be helpful.