Github vulnerability

I have started getting this message on my nbdev github repository. Is this something nbdev needs to address?

GitHub found 1 vulnerability on xxx/pct’s default branch (1 high). To find out more, visit:

It’s already addressed in nbdev, but you’ll need to address it in your repo too.

Also there’s an option to open an automated PR to fix it :slight_smile: (it takes a few minutes to show up)

It is referring to “kramdown” which I don’t use in my repo (no idea what it is) so am assuming that comes from nbdev. Do I need to upgrade nbdev for this? I am on 02.20.

If you have a moment would you mind responding to my other query please? I’m stuck!
Importing own functions

Sorry for my ignorance, what is “PR”?

Pull Request

Do you mean do “git pull”? I did that, but no change.

The alert refers to a file “docs/Gemfile.lock”, which is a nbdev file.

How can I resolve this?

No, if you got the automatic pull request (in my case it was from dependabot on Github), you can find it at{your-username}/pct/pull. Then you should be able to click into it, accept the changes, and–assuming it doesn’t cause any conflicts–you can merge it into your main branch of the repository. This usually takes the shape of a big green button.

1 Like

I have the dependabot alert, but no pull request.

I see this message,

and these details,

But, as I say, these are from nbdev, and I have no idea what they are. So I presume it is something that needs to be resolved in nbdev. Is there anything I can do?

It seems that your version of nbdev was forked back when a necessary package, kramdown, was some version before 2.3.0. Unfortunately that means it’s got some serious vulnerability. You need to update kramdown by entering gem "kramdown", ">= 2.3.0" in your terminal while you’re in this package. Sorry I don’t know much more about this particular issue, as I don’t normally program in Ruby.

EDIT: another option is to copy the Gemfile and Gemfile.lock files from the nbdev repo docs/ folder into your docs folder. Perhaps Github Actions will upgrade your site in the latest build.

Thanks. I’d tried that but get this, even though I’d pip installed gem.

(pctdev) C:\Users\ruper\Versioning\nbdev\pct>gem “kramdown”, “>= 2.3.0”
‘gem’ is not recognized as an internal or external command,
operable program or batch file.

I’ve tried the second option, but still get the alert. Maybe it takes some time to trickle through.

I tried running cloning my site repository and the gem command with that syntax in the same directory as Gemfile.lock but got:
$ gem "kramdown", ">= 2.3.0"
ERROR: While executing gem ... (Gem::CommandLineError)
Unknown command kramdown,

so bash / gem does not function with above syntax. Reading the Gemfile and Gemfile.lock it looks like the syntax to ensure version belongs in either or both of the files, but I am not finding an original matching entry in the Gemfile for kramdown, and there are several lines in Gemfile.lock that mention the kramdown (which ones to modify? how many to modify).

I tried running
bundle update github-pages as suggested in the Gemfile itself, but I received the warning below and did not proceed:
Following files may not be writable, so sudo is needed:

Note the fix for activesupport was much more automated, and looking at the diff what the automated pull request did was modify several lines(version numbers) in Gemfile.lock.

I’m still waiting for dependabot to finish making the automated security update for kramdown but have no idea how long it might take (some google searches mention days), but I do not really care as
it seems high severity security issue is restricted to people who have edit access to the site to perform code injection (currently only me).

This is a public repository though so yeah, if you want to PWN me or assist me with a pull request to fix the issue, go right ahead!