

I use Jekyll and GitHub Pages to host my website. Every now and then, I get the following message

Usually you can do nothing about it and the website will still work. However, it is important to fix these dependency issues to make sure the site remains secure. In this post I will explain how I do it; hopefully it will be useful for you too.
1. Understanding Jekyll
First, it is a good idea to understand how Jekyll works. The Jekyll website has a great guide about it and I recommend you go through it. In short, Jekyll is written in Ruby and uses Bundler to handle its dependencies. If you are like me and come from a Python background, the way I see it is that Bundler plays the same role as conda or poetry: it ensures that the packages (or gems, in Ruby terms) have the right version.
To do so, Bundler relies on two files: Gemfile and Gemfile.lock. So what's the difference between them? In Gemfile, you specify which gems you wish to use, as well as their corresponding version constraints, which can be, for example, >=1.0.0 (i.e., version 1.0.0 or more recent). Bundler creates Gemfile.lock and records the exact versions that were installed. This ensures that when the website is generated, it uses the versions pinned in Gemfile.lock (instead of the most recent ones allowed by Gemfile, which can potentially cause issues).
2. Solving the dependency vulnerabilities
Now that we know how Ruby (and Jekyll) deals with dependencies, we can proceed and fix the vulnerabilities. In my experience these are always caused by outdated dependencies.
This is actually quite simple:
- Open a terminal with admin rights and go to your website root directory
- Delete the Gemfile.lock file. You can do this either through the terminal (del Gemfile.lock for Windows, rm Gemfile.lock for Mac/Linux) or through the file explorer. Alternatively, you can also cut it and paste it in another location for safekeeping.
- Run the command bundle update, which will generate a new Gemfile.lock with the proper, most updated dependencies (and therefore, with no vulnerabilities)
- Commit and push the new Gemfile.lock to your GitHub repository
- Done!
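Before committing the new Gemfile.lock, it is worth checking exactly which pins moved. The Ruby script below is an added example, not part of the original post or of Bundler: it parses two constructed lockfile snippets with a small hand-written parser (not Bundler's own LockfileParser), lists the gems whose locked version changed, and shows how a Gemfile constraint such as >=1.0.0 is evaluated with RubyGems' Gem::Requirement.

```ruby
# Added example, not from the original post: compare the gem versions pinned
# in the old Gemfile.lock with those in the one `bundle update` wrote, so you
# can review what changed before committing. Both snippets are constructed.
OLD_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.8.0)
        public_suffix (>= 2.0.2, < 5.0)
      jekyll (4.2.0)
      public_suffix (4.0.6)
LOCK
NEW_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.8.6)
        public_suffix (>= 2.0.2, < 6.0)
      jekyll (4.3.3)
      public_suffix (5.0.4)
LOCK
# Parse the "specs:" block of a Gemfile.lock into { gem name => Gem::Version }.
# Top-level gems are indented by exactly four spaces; the six-space lines under
# them are that gem's own requirements and are skipped.
def locked_versions(lock_text)
  versions, in_specs = {}, false
  lock_text.each_line do |line|
    in_specs = true if line.strip == "specs:"
    in_specs = false if line.strip.empty? || line =~ /\A[A-Z]/
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    versions[m[1]] = Gem::Version.new(m[2]) if m
  end
  versions
end

# Gems whose pin changed, as { name => [old, new] }; nil marks added/removed.
def lock_changes(old_text, new_text)
  old_v, new_v = locked_versions(old_text), locked_versions(new_text)
  (old_v.keys | new_v.keys).each_with_object({}) do |name, out|
    out[name] = [old_v[name]&.to_s, new_v[name]&.to_s] if old_v[name] != new_v[name]
  end
end

# Does a locked version satisfy a Gemfile constraint such as ">= 1.0.0"?
def satisfies?(constraint, version)
  Gem::Requirement.new(constraint).satisfied_by?(Gem::Version.new(version))
end
lock_changes(OLD_LOCK, NEW_LOCK).each { |g, (a, b)| puts "#{g}: #{a} -> #{b}" }
```

Run it against the real files with the old lockfile you set aside for safekeeping and the new one bundle update produced, and read the output the way you would read a diff before pushing.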
This should allow you to solve most, if not all, of the dependency issues in your Jekyll GitHub Pages website. If you want to know more about the topic, take a look at my other posts.
If you have any comments, questions or feedback, leave them in the comments below or drop me a line on Twitter (@amoncadatorres). Moreover, if you found this useful, fun, or just want to show your appreciation, you can always buy me a cookie. Cheers!