Fixing the nokogiri vulnerability warning from the slideshow lab

Posting as other people may well have the same alert today that I got in a email notification of a vulnerability in nokogiri yesterday - 

Known high severity security vulnerability detected in nokogiri < 1.10.4 defined in Gemfile.lock.
Gemfile.lock update suggested: nokogiri ~> 1.10.4.

The link in the email goes to github but the page returns a 404 which is not very user friendly for the first time you get an alert - until I logged in and then I saw the alert show up.

Anyway, it looks like I just need to update gemfile.lock and update the nokogiri reference.

I’m assuming that all references need to updated?

Also clicking on the automated security fix gives me an error that the page is taking longer than normal to load.


After the automated security fix did not work I then tried enabling fixes on the repository and this then tried to create an automated fix PR but this also failed as there were conflicting dependencies. So I went ahead, changed all references to the file to 1.10.4 and then the alert went away.

So the fix was pretty easy, but the automated solutions had a couple of issues trying to resolve the issue.

Hi @absoblogginlutely! I can see how that would be a confusing user experience, I’m sorry about that.

I’m taking a look at your repositories, and it looks like the registrations all were from October of last year. Is this a security notification that you got due to a recent course, or from one that you had registered for in the past?

If it’s one from October, I think you’re right, many others also have probably gotten security notifications about their repositories. 

I believe automated security fixes are a relatively new feature, so I am sure that you are not the only user who experienced these hiccups. Thank you for sharing here, especially for sharing your solution! Please let me know if there’s anything we can help with.

Hey there! I also got the very same security notification for 3 of my repositories which were automatically created through Learning Lab courses. 

I could fix two of them (“reviewing a pull request” and “merge conflicts”) via the automated fixing feature from Dependabot. The third repo (slideshow), could not be automatically fixed: Dependabot cannot create a pull request as one or more other dependencies require a version that is incompatible with this update.

I could potentially go and change the versions in the gemfile.lock, but as I am not familiar with the code I am not sure if this will break anything (and I would like to keep the code in those repos on a working status for later reference).

Thanks @brianamarie , this was from a repo on a course that I did last year - probably around October when I was learning githuub. The course has actually been superceded now and I’m assuming the new one doesn’t have the vulnerability in it :wink: I didn’t upgrade to the new course as doing so removes all of the progress settings for the course.

It was just a curious process this morning and a bit confusing for the first timer and I figured others would have similar questions.

As I’ve completed that lab I figured there was no harm in upgrading the settings to the new version of nokogiri anyway.

1 Like