Posting as other people may well have the same alert today that I got in an email notification of a vulnerability in nokogiri yesterday:
|Known high severity security vulnerability detected in nokogiri < 1.10.4 defined in Gemfile.lock.|
|Gemfile.lock update suggested: nokogiri ~> 1.10.4.|
The link in the email goes to GitHub, but the page returns a 404, which is not very user friendly for the first time you get an alert - until I logged in and then I saw the alert show up.
Anyway, it looks like I just need to update Gemfile.lock and update the nokogiri reference.
I’m assuming that all references need to be updated?
Also clicking on the automated security fix gives me an error that the page is taking longer than normal to load.
After the automated security fix did not work, I then tried enabling fixes on the repository, and this then tried to create an automated fix PR, but this also failed as there were conflicting dependencies. So I went ahead, changed all references to the file to 1.10.4, and then the alert went away.
So the fix was pretty easy, but the automated solutions had a couple of issues trying to resolve the issue.
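On the question of which references matter and why an automated fix can hit conflicting dependencies, this added example (not part of the original post) parses a Gemfile.lock, separates the resolved nokogiri entries from the constraints other gems place on it, and flags any constraint that would not admit 1.10.4. The lockfile is a constructed sample, and `example_gem` and `audit_lock` are hypothetical names.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement

FIXED = Gem::Version.new("1.10.4") # first fixed version named in the alert

# Constructed sample lockfile (trimmed); "example_gem" is hypothetical.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example_gem (0.1.0)
        nokogiri (= 1.10.3)
      loofah (2.2.3)
        nokogiri (>= 1.5.9)
      nokogiri (1.10.3)
      nokogiri (1.10.3-x64-mingw32)

  DEPENDENCIES
    example_gem
    nokogiri (~> 1.10.3)
LOCK

# Returns the resolved nokogiri entries and every constraint placed on it.
def audit_lock(text, name: "nokogiri", fixed: FIXED)
  report = { locked: [], constraints: [] }
  section = parent = nil
  text.each_line(chomp: true) do |line|
    if line.match?(/\A[A-Z]/) # an unindented line starts a new section
      section = line
      next
    end
    m = line.match(/\A( +)([\w.-]+)(?: \(([^)]+)\))?!?\z/) or next
    indent, gem_name, detail = m[1].size, m[2], m[3]
    resolved = section == "GEM" && indent == 4 # 4-space entries are resolved versions
    parent = gem_name if resolved
    next unless gem_name == name
    if resolved
      # Platform builds look like "1.10.3-x64-mingw32"; compare the version part.
      version = Gem::Version.new(detail.split("-").first)
      report[:locked] << { entry: detail, vulnerable: version < fixed }
    else
      # 6-space lines are another gem's requirement; DEPENDENCIES is the Gemfile's.
      source = section == "GEM" ? parent : "Gemfile"
      req = Gem::Requirement.new(*detail.to_s.split(", "))
      report[:constraints] << { from: source, requirement: req.to_s,
                                allows_fix: req.satisfied_by?(fixed) }
    end
  end
  report
end
```

A constraint with `allows_fix: false` is the kind of entry that makes a resolver report conflicting dependencies when it tries to move the locked version to 1.10.4.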