GitHub Notifying of nokogiri in Non-existent Gemfile.lock

I’m building a simple GitHub pages site with Jekyll. I received security notices from Github “Known moderate severity security vulnerability detected in nokogiri < 1.8.2 defined in Gemfile.lock”.

OK. Great. I’ll just update my Gemfile.lock – except I don’t have a Gemfile lock. In fact, I don’t have any code in my repository. I’m just pushing my Jekyll site content.

Is this maybe GitHub telling me that GitHub’s version of nokogiri, used in the Jekyll run by GitHub needs to update nokogiri?

I don’t understand how a nokogiri that I’m not pushing to my GitHub Pages repository, listed in a Gemfile.lock I don’t have, can be a security vulnerability. Could someone please educate me? RTFM is a fine, if you could point me to the right FM.


FYI - I GitHub support said it was their Jekyll with the vulnerable nokogiri, and they’ve since updated it.

1 Like