I use Jekyll and GitHub Pages to host my website. Every now and then, I get a message like the following about a vulnerable dependency:
Usually you can ignore it and the website will keep working. However, it is important to fix these dependency issues so that the site stays secure: the alert means that one of the gems the site is built with has a known vulnerability and a patched release is available. In this post I will explain how I fix them; hopefully it will be useful for you too.
1. Understanding Jekyll
First, it is a good idea to understand how Jekyll works. Their website has a great guide about it and I recommend you go through it. In short, Jekyll is written in Ruby and uses Bundler to handle its dependencies. If you are like me and come from a Python background, the way I see it is that Bundler plays the role that poetry plays in Python: it makes sure that the packages (or gems, in Ruby terms) are installed at the right versions.
To do so, Bundler works with two files: Gemfile and Gemfile.lock. So what's the difference between them? In Gemfile, you specify which gems you wish to use, together with a version constraint for each one, for example >=1.0.0 (i.e., version 1.0.0 or more recent). When you install, Bundler resolves those constraints, creates Gemfile.lock and records the exact versions that were installed. This ensures that when the website is generated, it uses the versions recorded in Gemfile.lock (instead of whatever the most recent versions allowed by Gemfile happen to be at build time, which can change between builds and potentially cause issues). The flip side is that the lock also keeps you on old versions: a gem with a known vulnerability stays in Gemfile.lock until the lock is regenerated, and that is exactly what the alert is about.
2. Solving the dependency vulnerabilities
Now that we know how Ruby (and Jekyll) deals with dependencies, we can proceed and fix the vulnerabilities. In my experience these are always caused by outdated dependencies: a gem recorded in Gemfile.lock at a version that has since received a security fix.
This is actually quite simple:
- Open a terminal and go to your website root directory, i.e. the folder that contains Gemfile (admin rights are only needed if your Ruby installation requires them to install gems)
- Delete the Gemfile.lock file. You can do this either through the terminal
  del Gemfile.lock (for Windows)
  rm Gemfile.lock (for Mac/Linux)
  or through the file explorer. Alternatively, you can also cut it and paste it in another location for safekeeping, so that you can put it back if the new set of versions breaks the build.
- Run bundle install (or bundle update; with no lockfile present, either one makes Bundler resolve the dependencies from scratch), which will generate a new Gemfile.lock with the newest versions that Gemfile allows. This removes the vulnerable version as long as Gemfile permits the patched release: if Gemfile pins the gem to an older range (for example ~> 2.2.0 when the fix shipped in 2.3.0), relax that constraint first and run the command again. Likewise, if your site depends on the github-pages gem, that gem pins the versions of Jekyll and the plugins GitHub Pages supports, so some updates only arrive once the github-pages gem itself is updated.
- Commit and push the new Gemfile.lock to your GitHub repository
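As an added example (this is my illustration, not code from the original post), the following Ruby script carries out the steps above and adds the check that section 1 implies: a locked version can only move as far as the Gemfile constraint allows, so it is worth knowing, before you delete the lock, whether the patched version named in the alert is even reachable. It assumes Bundler is installed and that the script is run from the site root; the bundle audit step only runs if the bundler-audit gem is installed. The Gemfile and lockfile texts embedded in it are constructed samples with made-up version numbers, and the "patched version 2.3.1" it checks for kramdown is hypothetical.

```ruby
# Added example, not code from the original post. Scripts the procedure
# (back up Gemfile.lock, let Bundler resolve afresh, commit by hand afterwards)
# and checks whether the Gemfile constraint even allows the patched version.
# Assumes Bundler is installed and the script runs from the site root;
# `bundle audit` runs only if the bundler-audit gem is present. The Gemfile and
# lockfile texts below are constructed samples with made-up versions.
require "rubygems"   # Gem::Version and Gem::Requirement
require "fileutils"

# Parse `gem "name", "constraint", ...` lines of a Gemfile into
# { "name" => Gem::Requirement }. A Gemfile is Ruby, but for a plain one a
# line-based parse suffices and avoids evaluating the file.
def gemfile_requirements(text)
  text.each_line.with_object({}) do |line, reqs|
    next unless (m = line.match(/^\s*gem\s+["']([^"']+)["'](.*)$/))
    # keep quoted strings that look like version constraints, skip option values
    constraints = m[2].scan(/["']([^"']+)["']/).flatten.grep(/\A\s*(?:[<>=~!]+\s*)?\d/)
    reqs[m[1]] = Gem::Requirement.new(constraints.empty? ? ">= 0" : constraints)
  end
end

# Parse the specs: section of a Gemfile.lock into { "name" => Gem::Version }.
# Top-level gems are indented by exactly four spaces, their dependencies by six,
# so the anchored regex picks up only the pinned versions.
def lockfile_versions(text)
  text.each_line.with_object({}) do |line, versions|
    next unless (m = line.match(/^ {4}(\S+) \(([^)]+)\)$/))
    versions[m[1]] = Gem::Version.new(m[2].split("-", 2).first)  # drop "-x86_64-linux" platform suffix
  end
end

# One line per gem whose locked version differs between two lockfiles.
def version_changes(old_versions, new_versions)
  (old_versions.keys | new_versions.keys).sort.map do |name|
    before, after = old_versions[name], new_versions[name]
    next if before == after
    "#{name}: #{before || '(absent)'} -> #{after || '(absent)'}"
  end.compact
end

# Gems the Gemfile pins whose locked version violates the constraint
# (a hand-edited lock, or a Gemfile changed without re-resolving).
def unsatisfied(requirements, versions)
  requirements.select { |name, req| versions[name] && !req.satisfied_by?(versions[name]) }.keys
end

# True when the Gemfile constraint can never reach the patched version named in
# an alert, so regenerating Gemfile.lock alone will not fix it: edit the Gemfile first.
def update_blocked?(requirements, name, patched_version)
  req = requirements[name]
  return false if req.nil?   # not constrained by the Gemfile: free to move
  !req.satisfied_by?(Gem::Version.new(patched_version))
end

# The procedure from the post, scripted. Run with: ruby regen_lock.rb --run
def regenerate_lockfile!
  abort "no Gemfile here; run from the site root" unless File.file?("Gemfile")
  old_lock = File.file?("Gemfile.lock") ? File.read("Gemfile.lock") : ""
  FileUtils.mv("Gemfile.lock", "Gemfile.lock.bak", force: true) if File.file?("Gemfile.lock")
  # With no lockfile present Bundler resolves from scratch, picks the newest
  # versions the Gemfile allows and writes a fresh Gemfile.lock.
  system("bundle", "install") or abort "bundle install failed; restore Gemfile.lock.bak"
  new_lock = File.read("Gemfile.lock")
  puts "changed gems:", version_changes(lockfile_versions(old_lock), lockfile_versions(new_lock))
  # bundler-audit (separate gem) checks the new lock against the ruby-advisory-db
  audit_available = system("gem", "list", "-i", "bundler-audit", out: File::NULL)
  system("bundle", "audit", "check", "--update") if audit_available
end

SAMPLE_GEMFILE = <<~GEMFILE   # constructed sample
  source "https://rubygems.org"
  gem "jekyll", "~> 3.9"
  gem "nokogiri", ">= 1.13.0"
  gem "kramdown", "~> 2.2.0"
  gem "jekyll-feed", group: :jekyll_plugins
GEMFILE

SAMPLE_OLD_LOCK = <<~LOCK   # constructed sample, made-up versions
  GEM
    remote: https://rubygems.org/
    specs:
      jekyll (3.9.2)
        kramdown (>= 1.17, < 3)
      jekyll-feed (0.17.0)
        jekyll (>= 3.7, < 5.0)
      kramdown (2.2.1)
        rexml
      nokogiri (1.13.6-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.0)
      rexml (3.2.5)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    jekyll (~> 3.9)
    jekyll-feed
    kramdown (~> 2.2.0)
    nokogiri (>= 1.13.0)
LOCK

# The lock a fresh resolve would produce: three gems move, kramdown stays held by ~> 2.2.0.
SAMPLE_NEW_LOCK = SAMPLE_OLD_LOCK.sub("jekyll (3.9.2)", "jekyll (3.9.3)")
                                 .sub("nokogiri (1.13.6-", "nokogiri (1.13.10-")
                                 .sub("racc (1.6.0)", "racc (1.6.2)")

if ARGV.first == "--run"
  regenerate_lockfile!
else  # demo on the constructed samples
  reqs = gemfile_requirements(SAMPLE_GEMFILE)
  puts version_changes(lockfile_versions(SAMPLE_OLD_LOCK), lockfile_versions(SAMPLE_NEW_LOCK))
  puts "kramdown can reach hypothetical patched 2.3.1? #{!update_blocked?(reqs, 'kramdown', '2.3.1')}"
end
```

Without arguments the script only runs the demo on the embedded samples; with --run it performs the real regeneration in the current directory and leaves the old lock in Gemfile.lock.bak so you can diff or restore it. The hand-written lockfile parser is deliberately small; if you prefer, Bundler::LockfileParser from Bundler itself returns the same name and version pairs.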
This should allow you to solve most, if not all, of the dependency issues in your Jekyll GitHub Pages website. If you want to know more about the topic, take a look at my other posts.
If you have any comments, questions or feedback, leave them in the comments below or drop me a line on Twitter (@amoncadatorres). Moreover, if you found this useful, fun, or just want to show your appreciation, you can always buy me a cookie. Cheers!