How to update Jekyll version and Kramdown on GitHub Pages?

Hello. I set up my Jekyll site on GitHub Pages a few years ago and am now revisiting it, so I’m a little rusty on how it all works!

I have a few queries…

  • Is it OK to create new posts and update layouts directly on the GitHub website?
  • I’ve got a Dependabot security vulnerability alert to update to 2.3.0, but “Dependabot cannot create a pull request as one or more other dependencies require a version that is incompatible with this update.” How do I update to the latest version of Kramdown?
  • How can I make sure my version of Jekyll is up to date?

Thanks!

Looks like you have hardcoded versions in your repo.
If you have a Gemfile and are using GitHub Pages,

  • remove or comment out any version declarations, be it for Ruby itself or for any gems
  • remove or comment out all other gem listings — everything you need on GitHub Pages is bundled by the github-pages gem, including Jekyll.

Lastly, if you have your Gemfile.lock checked into the Git repository, either:

  • update the lockfile by running bundle update, or
  • delete and then respawn the lockfile by running bundle install
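An added example, not from this reply or from the Jekyll project, to check the result of the steps above: it lists which Gemfile lines still pin a version and which gems the lockfile has resolved below a minimum (here kramdown 2.3.0, the version the Dependabot alert in the question asks for). The Gemfile and Gemfile.lock text are constructed samples; the version numbers in them are illustrative.

```ruby
require 'rubygems'

# Constructed sample Gemfile: the shape the reply above says to avoid on
# GitHub Pages (a Ruby pin and gem version pins alongside github-pages).
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  ruby "2.5.1"
  gem "github-pages", "~> 204", group: :jekyll_plugins
  gem "kramdown", "1.17.0"
  gem "jekyll-feed"
GEMFILE

# Constructed sample Gemfile.lock with an old kramdown resolved; the
# version numbers are illustrative, not taken from a real site.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      github-pages (204)
        jekyll (= 3.8.5)
        kramdown (= 1.17.0)
      jekyll (3.8.5)
        kramdown (~> 1.14)
      jekyll-feed (0.13.0)
      kramdown (1.17.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    github-pages (~> 204)
    jekyll-feed
    kramdown (= 1.17.0)

  BUNDLED WITH
     2.1.4
LOCK

# Gemfile lines that pin a version: `ruby "x.y.z"` or `gem "name", "<req>"`.
# Commented-out lines are ignored, as are gems listed without a requirement.
def pinned_lines(gemfile_text)
  gemfile_text.each_line.map(&:strip).select do |line|
    next false if line.start_with?('#')
    line.match?(/\Aruby\s+['"]/) ||
      line.match?(/\Agem\s+['"][^'"]+['"]\s*,\s*['"]/)
  end
end

# Gems resolved in the lockfile's `specs:` block, as name => Gem::Version.
# Resolved gems are indented exactly four spaces; deeper lines are their
# dependency requirements and are skipped.
def resolved_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.match?(/\A  specs:\s*\z/)
      in_specs = true
      next
    end
    in_specs = false if line.strip.empty?
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    versions[m[1]] = Gem::Version.new(m[2]) if m
  end
  versions
end

# Resolved gems that sit below the minimum we want. kramdown 2.3.0 is the
# version the Dependabot alert in the question asks for.
def outdated_gems(lockfile_text, minimums = { 'kramdown' => '2.3.0' })
  resolved = resolved_versions(lockfile_text)
  minimums.each_with_object({}) do |(name, min), out|
    version = resolved[name]
    next if version.nil? # not in the lockfile, so nothing is holding it back
    out[name] = version.to_s if version < Gem::Version.new(min)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts 'Pinned Gemfile lines:'
  pinned_lines(SAMPLE_GEMFILE).each { |l| puts "  #{l}" }
  puts 'Resolved below minimum:'
  outdated_gems(SAMPLE_LOCKFILE).each { |name, v| puts "  #{name} #{v}" }
end
```

Run it against your own files with `File.read('Gemfile')` and `File.read('Gemfile.lock')` in place of the samples; after the lockfile has been regenerated, the outdated list should be empty and the pinned list should contain nothing but the github-pages line (if you choose to keep a requirement on it at all).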

Yes, you can use GitHub or your IDE or a CMS like Forestry or Netlify to update posts, pages and layouts. There are pros and cons to each. Sometimes, if I am confident in the change, especially around content rather than code, I’ll make the change directly in GitHub. It is also particularly useful if you add an Edit with GitHub page on your site; I find this useful to jump from the GitHub.io site to editing on GitHub, even if no one else uses the button (they’d have to fork the repo too).

Regarding vulnerabilities, what I have done recently is bump to the latest Jekyll version on 3.X, which also solves the Kramdown issue, without having to lock down Kramdown in the Gemfile or the lockfile.

And to keep up with future updates, I don’t pin at Jekyll 3.9.0 but rather let it float to any 3.X (but < 4.X)

gem 'jekyll', '~> 3'

You could also do this for 3.9 and above, setting a min version. This is more verbose.

gem 'jekyll', '>=3.9', '<4'

# or

gem 'jekyll', '~> 3.9', '>= 3.9.0'

Or maybe just ~> 3.9 is sufficient - still new to this.

I also deleted the lockfiles; I’ll regenerate them eventually when I do a local install.

I did that on a bunch of my repos to resolve the vulnerability.
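To make the requirement strings in the reply above concrete, here is an added example (not from the reply or from the Jekyll project) that asks rubygems itself, through Gem::Requirement, which versions each string admits. The candidate version lists are constructed for illustration, and the kramdown pair at the end shows the shape of the "incompatible version" conflict that Dependabot reported in the question.

```ruby
require 'rubygems'

# Constructed lists of candidate version numbers, used only to show which
# ones each requirement string admits.
JEKYLL_VERSIONS   = %w[3.8.5 3.9.0 3.9.2 3.10.0 4.0.0 4.2.1].freeze
KRAMDOWN_VERSIONS = %w[1.17.0 2.2.1 2.3.0 2.3.1].freeze

# Versions from `candidates` that satisfy every requirement string given.
# Gem::Requirement is the same parser bundler applies to the strings in a
# Gemfile; several strings act as an AND, like gem 'jekyll', '>= 3.9', '< 4'.
def allowed(candidates, *requirements)
  requirement = Gem::Requirement.new(*requirements)
  candidates.select { |v| requirement.satisfied_by?(Gem::Version.new(v)) }
end

# The requirement strings discussed in the reply above, side by side.
REQUIREMENTS = [
  ['3.9.0'],               # a bare version pins exactly (implicit "=")
  ['~> 3'],                # >= 3, < 4
  ['>=3.9', '<4'],         # explicit floor and ceiling
  ['~> 3.9', '>= 3.9.0'],  # the ">= 3.9.0" adds nothing to "~> 3.9"
  ['~> 3.9'],              # >= 3.9, < 4 (last segment may grow, so 3.10 is in)
  ['~> 3.9.0']             # >= 3.9.0, < 3.10 (patch releases only)
].freeze

# Each requirement, joined as it would appear in a Gemfile, mapped to the
# Jekyll versions it would let bundler choose.
def jekyll_table
  REQUIREMENTS.map { |reqs| [reqs.join(', '), allowed(JEKYLL_VERSIONS, *reqs)] }.to_h
end

# Two requirements with no version in common is the situation behind
# "one or more other dependencies require a version that is incompatible":
# something holding kramdown at 1.17.0 cannot coexist with the >= 2.3.0
# that the Dependabot alert wants, so no pull request can be produced.
def compatible?(candidates, *requirements)
  !allowed(candidates, *requirements).empty?
end

if __FILE__ == $PROGRAM_NAME
  jekyll_table.each { |req, versions| puts "#{req.ljust(20)} -> #{versions.join(' ')}" }
  puts "kramdown '= 1.17.0' with '>= 2.3.0': " \
       "#{compatible?(KRAMDOWN_VERSIONS, '= 1.17.0', '>= 2.3.0') ? 'compatible' : 'conflict'}"
end
```

The table shows why the last two forms differ: `~> 3.9` already means >= 3.9 and < 4, so the extra `>= 3.9.0` clause is redundant, whereas `~> 3.9.0` would stop accepting updates at 3.10. The kramdown check is the same question bundler has to answer when it resolves a Gemfile and lockfile together.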

Thanks for your replies! Where do I execute either of the above commands? I tried installing the command line tool on my Mac but when I execute any of the commands I just get

ERROR: While executing gem ... (Gem::CommandLineError)
Unknown command jekyll,

Those would sit in the Gemfile.

Ah, all sorted now, thanks for your help everyone! :slight_smile: