Bioconductor / BioC2019

BioC2019: Where Software and Biology Connect

actionview-4.2.10 security vulnerability in Gemfile.lock #17

Closed omsai closed 5 years ago

omsai commented 5 years ago

Security e-mail from GitHub:

On Thu, Mar 14, 2019 at 5:07 AM GitHub notifications@github.com wrote:
--snip--
Known critical severity security vulnerability detected in actionview >= 4.0.0, < 4.2.11.1 defined in Gemfile.lock.

Gemfile.lock update suggested: actionview ~> 4.2.11.1.

We can't correct the fault in our Gemfile.lock because the actionview dependency is pulled by version pinning of GitHub pages itself.

I've submitted a pull request upstream: https://github.com/github/pages-gem/pull/630

After upstream merges the change, one should be able to resolve the issue on our end with the same procedure as #1.

omsai commented 5 years ago

Even though the patch has been merged upstream, a new release of the github-pages gem hasn't yet been cut to propagate the patch to the https://rubygems.org repository. It's still on the affected 197 version. I'll install the package from the git ref as explained in the bundler docs until it's version bumped on rubygems. I've subscribed to the rubygems RSS feed for that package to be notified when their next release happens and will remove the git ref then.
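As an added example (not code from this issue, from the BioC2019 repository, or from the pages-gem project), the following Ruby script does the two checks the comments above describe by hand: it parses a Gemfile.lock, flags a resolved gem whose version falls inside the range quoted by the GitHub alert, and reports which other gems pin it (the reason a plain bump in Gemfile.lock is not possible here); it also tells a rubygems-sourced spec apart from one taken from a git ref, which is how the workaround in the second comment appears in the lockfile. Both lockfiles are constructed samples, the `revision:` SHA is a placeholder, and the direct dependency edge from github-pages to actionview is an assumption made to model what the comments describe, not the real pages-gem gemspec.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby itself

# Affected range exactly as quoted by the GitHub alert in this issue.
ACTIONVIEW_AFFECTED = Gem::Requirement.new(">= 4.0.0", "< 4.2.11.1")

# Gemfile.lock section headers that carry resolved specs, and how bundler sourced them.
SOURCE_NAMES = { "GIT" => "git", "GEM" => "rubygems", "PATH" => "path" }.freeze

# Parse the resolved specs of a Gemfile.lock.
# Returns a hash: gem name => { version:, source:, remote:, deps: [dependency names] }
def parse_lockfile(text)
  specs = {}
  section = nil # GIT / GEM / PATH / PLATFORMS / DEPENDENCIES / BUNDLED WITH
  remote = nil  # the "remote:" of the current GIT/GEM/PATH section
  current = nil # the spec whose dependency edges we are currently reading
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line =~ /\A[A-Z]+( WITH)?\z/
      section = line
      remote = nil
      current = nil
    elsif line =~ /\A  remote: (.+)\z/
      remote = Regexp.last_match(1)
    elsif SOURCE_NAMES.key?(section) && line =~ /\A {4}(\S+) \(([^)]+)\)\z/
      # exactly four spaces of indent: a resolved spec line "name (version)"
      current = Regexp.last_match(1)
      specs[current] = { version: Regexp.last_match(2), source: SOURCE_NAMES[section],
                         remote: remote, deps: [] }
    elsif current && line =~ /\A {6}(\S+)/
      # six spaces of indent: a dependency edge belonging to the spec above it
      specs[current][:deps] << Regexp.last_match(1)
    end
  end
  specs
end

# Report every advised gem whose resolved version is inside its affected range,
# together with the gems that depend on it (who is pinning the bad version).
def audit_lockfile(text, advisories = { "actionview" => ACTIONVIEW_AFFECTED })
  specs = parse_lockfile(text)
  advisories.each_with_object([]) do |(name, range), findings|
    spec = specs[name]
    next unless spec && range.satisfied_by?(Gem::Version.new(spec[:version]))
    pulled_by = specs.select { |_, s| s[:deps].include?(name) }.keys
    findings << { gem: name, version: spec[:version], source: spec[:source], pulled_by: pulled_by }
  end
end

# Constructed sample: github-pages 197 from rubygems pinning actionview 4.2.10
# (the github-pages -> actionview edge is assumed for illustration).
BEFORE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionview (4.2.10)
        activesupport (= 4.2.10)
      activesupport (4.2.10)
      github-pages (197)
        actionview (= 4.2.10)
        jekyll (= 3.8.5)
      jekyll (3.8.5)

  PLATFORMS
    ruby

  DEPENDENCIES
    github-pages

  BUNDLED WITH
     1.17.3
LOCK

# Constructed sample: github-pages taken from a git ref after the upstream fix;
# the revision is a placeholder, not a real commit.
AFTER_LOCK = <<~LOCK
  GIT
    remote: https://github.com/github/pages-gem
    revision: 0000000000000000000000000000000000000000
    specs:
      github-pages (197)
        actionview (= 4.2.11.1)
        jekyll (= 3.8.5)

  GEM
    remote: https://rubygems.org/
    specs:
      actionview (4.2.11.1)
        activesupport (= 4.2.11.1)
      activesupport (4.2.11.1)
      jekyll (3.8.5)

  PLATFORMS
    ruby

  DEPENDENCIES
    github-pages!

  BUNDLED WITH
     1.17.3
LOCK

if $PROGRAM_NAME == __FILE__
  # Pass a real Gemfile.lock path as the first argument, or audit the samples.
  texts = ARGV.empty? ? [BEFORE_LOCK, AFTER_LOCK] : [File.read(ARGV[0])]
  texts.each do |text|
    findings = audit_lockfile(text)
    puts(findings.empty? ? "no affected gems" : findings.inspect)
  end
end
```

Run it against the repository's own Gemfile.lock (`ruby audit_lock.rb Gemfile.lock`, file name assumed) to see the same actionview finding the alert reported, with `pulled_by` showing the pinning gem; once github-pages is taken from the git ref, the spec moves to a GIT section and the finding disappears.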