Closed tkphd closed 3 years ago
Least-invasive fix of the Kramdown vulnerability is to un-track Gemfile.lock, which is built from scratch when Ruby parses the Gemfile. Let the GitHub gems define their dependency versions.
Concur that this is a good fix, well-focused and appropriate.
I'll take that as a review.
The Gemfile was required by what we use to deploy the site, but that should be fixed by bumping the Action version.