Nokogiri severe notice

[David263]

Select Topic Area

Question

Body

I received this notice for three of my least-used repos: "Nokogiri contains libxml Out-of-bounds Write vulnerability" I don't understand this and can find no further explanation as to what I'm supposed to do in response.

[ersaope]

The notice you received is likely related to a security vulnerability found in the Nokogiri library used by your three least-used repos. Specifically, the vulnerability is related to an out-of-bounds write issue in the libxml component of Nokogiri.

To address this issue, you should update your Nokogiri library to a version that includes a fix for this vulnerability. You can do this by updating the library in your codebase and redeploying the affected repos.

If you are unsure about how to update the library or how to redeploy the affected repos, you may want to consult with a developer or security expert for assistance.

[rerdavies]

I'm a developer. I have the same issue. And I have no idea how to do this. Perhaps you could point me in the right direction. If you know Ruby, your help would be appreciated.

The nokogiri dependency is brought in by github-pages, which I installed following Github's recommendation.

Jekyll is written in Ruby, which is not a technoloygy I'm familiar with, or ever intend to be familiar with. I've tried various incarnations of gem update, none of which update any files in my repository. Neither the Gemfile, nor the Gemfile.lock files get updated. I'm not a Ruby developer, but I did skim relevant Ruby docs.

On my list -- to move my githhub,io pages to a vite-based workflow. So nice. But in the meantime, I'm stuck with the severe vulnerability in the Jeckyl github page that Github made me install in the first place. Still the recommended recipe for Github.io pages in Github help, despite the fact that there are now recipes for deploying using other technologies. But in the meantime...

So in the meantime....

How do I fix it?

[seyLu]

Expanding on @ersaope answer:

Since it is a library that another dev wrote, then you don't really have any control whether it gets an update or not (unless you fork it and maintain it yourself).

However, there are tools to automate checking if a library has an update, and updating our projects' dependencies accordingly

One that I use myself is Github's dependabot

And the way you set it up is (at least for ruby):

• create .github/dependabot.yaml (or .yml depending on the project/org naming standards)

# Basic `dependabot.yml` file with
# minimum configuration for ruby bundler package manager
version: 2
updates:
  # Enable version updates for ruby gem
  - package-ecosystem: "bundler"
    directory: "/"
    # Check ruby gems for updates every week 
    schedule:
      interval: "weekly"

references:

• Configuring Dependabot Updates
• Dependabot supported repos and ecosystems
• Bundler vs RVM vs Gems vs Ruby Gems stackoverflow

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[David263]

Sorry, I have little familiarity with GitHub, so I don't know how to resolve this discussion. I don't know if the problem I described has been solved or not, or whether it needs to be solved. It might even be a bug in GitHub. I have no idea.