Skip to content

fix(deps): resolve Dependabot security alerts#6

Open
bobbyg603 wants to merge 1 commit into
gh-pagesfrom
fix/dependabot-security-updates
Open

fix(deps): resolve Dependabot security alerts#6
bobbyg603 wants to merge 1 commit into
gh-pagesfrom
fix/dependabot-security-updates

Conversation

@bobbyg603

Copy link
Copy Markdown
Member

Summary

Resolves all 14 open Dependabot security alerts across the two ecosystems in this repo (Ruby/Jekyll Gemfile.lock and the npm my-javascript-crasher/package-lock.json). Minimal, security-focused diff — only lock files changed; package.json and Gemfile are untouched.

Ruby / Jekyll (Gemfile.lock)

The Gemfile uses the github-pages meta-gem. Its constraints on the vulnerable gems are loose ranges (nokogiri >= 1.16.2, < 2.0, faraday >= 1, < 3, concurrent-ruby ~> 1.0), so a targeted bundle update bumped each to its patched version without changing the pinned github-pages version (still 232):

Gem Before After Fixes alerts
concurrent-ruby 1.3.6 1.3.7 #91, #90, #89
faraday 2.14.1 2.14.3 #92, #78
nokogiri 1.19.3 1.19.4 (all platform variants) #87, #86, #85, #84, #83, #82, #81, #80

Incidental transitive bumps pulled in by the resolver: faraday-net_http 3.4.2 -> 3.4.4, json 2.19.5 -> 2.21.1.

Command used: bundle update concurrent-ruby faraday nokogiri

npm (my-javascript-crasher/package-lock.json)

qs is a transitive dev dependency (via http-server). Fixed with npm audit fix, which touched only the lock file:

Package Before After Fixes alert
qs 6.15.1 6.15.3 #79

Plus its dependency chain (side-channel 1.1.0 -> 1.1.1, object-inspect 1.13.3 -> 1.13.4, etc.).

npm audit: 1 moderate severity vulnerability -> found 0 vulnerabilities

Verification

  • bundle install — resolves cleanly (98 gems installed).
  • bundle exec jekyll build — succeeds (exit 0, Cayman remote theme).
  • npm ci + npm audit — installs cleanly, 0 vulnerabilities after fix.

Remaining alerts

None. All 14 open alerts (#78-#92) are addressed by the upgrades above. No build artifacts staged (_site and node_modules are gitignored).

🤖 Generated with Claude Code

Ruby (Gemfile.lock, github-pages meta-gem retained at v232):
- concurrent-ruby 1.3.6 -> 1.3.7
- faraday 2.14.1 -> 2.14.3 (faraday-net_http 3.4.2 -> 3.4.4)
- nokogiri 1.19.3 -> 1.19.4 (all platform variants)

npm (my-javascript-crasher/package-lock.json, transitive dev dep):
- qs 6.15.1 -> 6.15.3 (via npm audit fix); npm audit 1 moderate -> 0

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 15, 2026 17:59

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.

Files not reviewed (1)
  • my-javascript-crasher/package-lock.json: Generated file

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants