mariuszhermansdorfer / SandWorm

Augmented Reality Sandbox for Grasshopper & Rhino
MIT License

Fix old dependencies in Jekyll #106

Closed mariuszhermansdorfer closed 2 years ago

mariuszhermansdorfer commented 2 years ago

I'm getting some Dependabot alerts about security vulnerabilities which can't be automatically resolved because of old dependencies. @philipbelesky could you please check whether we can update Jekyll to get this fixed?


philipbelesky commented 2 years ago

Should be fixed now, although it's difficult to verify without seeing the alerts. Let me know if you are still getting them!

mariuszhermansdorfer commented 2 years ago

Thanks. Everything is up to date now.

mariuszhermansdorfer commented 2 years ago

It turns out that my previous reaction was a bit premature. Here are the security issues I can still see:


philipbelesky commented 2 years ago

I think these issues might be best left as a wontfix. The dependencies here are all 2nd or 3rd order, stemming from the github-pages gem and the version of Jekyll required to use GitHub Pages. So, updates are going to be constrained by how those evolve.

The 'vulnerability' here isn't really worth worrying about either, as the actual dynamic parts of Jekyll are just used during builds - what GitHub serves up is just the static HTML files. If it's too annoying I could shift things over to Cloudflare Pages, which would enable us to control dependency versions more precisely.

mariuszhermansdorfer commented 2 years ago

Thanks for looking into this. Let's leave it as is if it's too much effort to solve.