Hi everyone,
I am sure the image above looks very familiar, so I am going to show how I fix my GitHub vulnerability alerts quickly and correctly. I always had issues fixing them and it took me a while to figure it out, so I hope it helps someone out there.
Some vulnerabilities are fairly simple to fix, while others might need a Rails version upgrade. I will be using the screenshot above for reference. It's from one of my repos using Rails 6.
We can see from the image that the severity of each vulnerability is stated, and the high-severity vulnerabilities need to be fixed as soon as possible to stop your app from being vulnerable. You can set GitHub to fix these vulnerabilities for you, but you still probably need to test the result to make sure your app still works fine.
I have 9 alerts, i.e. 9 packages to fix. Two are reported from yarn.lock and seven from Gemfile.lock.
Fixing the yarn.lock vulnerabilities
Lodash and websocket-extensions
Click on the alert to view more information about it. As you can see, GitHub's Dependabot already created a PR to fix it for me, but I will close that and fix it the manual way.
First, open the repo in your code editor and go to that file. Next, search for the package and delete its entry. Here is mine:
We need to bump websocket-extensions from 0.1.3 to 0.1.4 and Lodash from 4.17.15 to 4.17.19.
Run yarn install and this should reinstall updated versions of those packages.
Notice the versions have changed.
Fixing the Gemfile.lock vulnerabilities
We have vulnerabilities reported for actionview, activesupport, actionpack and activestorage, which can only be fixed by bumping the Rails version. Let's fix that first, as it might also bump the versions of the other vulnerable gems. Update the Rails version in the Gemfile.
source "https://rubygems.org"
git_source(:github) { |repo| "https://github.com/#{repo}.git" }
ruby "2.6.3"
gem "rails", "~> 6.0.3.2"
$ bundle update --patch rails
Run the above command in your terminal to update everything Rails-related to the next patch version. Always check that the actionview, activesupport, etc. gem versions are the same as the Rails version in your Gemfile.
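As an added example (not code from the original post), here is a small Ruby check for that step: it parses the specs block of a Gemfile.lock and reports framework gems whose version differs from rails, plus gems still below the minimum version from an alert. The lock excerpt and the puma minimum version are constructed for the demo; take real minimums from each Dependabot alert.

```ruby
# Added example (not from the original post): sanity-check a Gemfile.lock
# after `bundle update --patch`, so the Rails framework gems line up with
# the locked rails version and no known-vulnerable version is left behind.
require "rubygems"

RAILS_COMPONENTS = %w[actionview activesupport actionpack activestorage].freeze

# Parse the "specs:" block(s) of a Gemfile.lock into { gem_name => version }.
# Only top-level spec lines (4-space indent) are taken; the dependency lines
# beneath them are indented 6 spaces and are skipped.
def parse_lock_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
    elsif line.match?(/\A\S/) # new top-level section: PLATFORMS, DEPENDENCIES, ...
      in_specs = false
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      specs[m[1]] = m[2]
    end
  end
  specs
end

# Framework gems whose locked version does not match the locked rails version.
def mismatched_rails_components(specs)
  rails = specs["rails"]
  RAILS_COMPONENTS.select { |g| specs.key?(g) && specs[g] != rails }
end

# Gems still below the minimum fixed version given in an alert.
def still_vulnerable(specs, minimums)
  minimums.select do |gem_name, min_version|
    specs.key?(gem_name) &&
      Gem::Version.new(specs[gem_name]) < Gem::Version.new(min_version)
  end.keys
end

# Constructed lock excerpt: actionpack was left behind by the patch bump.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (6.0.3.1)
        actionview (= 6.0.3.1)
      actionview (6.0.3.2)
      activestorage (6.0.3.2)
      activesupport (6.0.3.2)
      puma (4.3.3)
      rails (6.0.3.2)

  PLATFORMS
    ruby
LOCK
```

Run it against your real file with `parse_lock_specs(File.read("Gemfile.lock"))`; a non-empty result from either check means the bump is not finished yet.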
P.S.: In some cases a workaround is given when a version upgrade is not feasible. For example, the actionview advisory recommended a workaround if you can't upgrade yet.
For other vulnerable gems not listed in the Gemfile, the bundle update --patch <gem_name> pattern should fix them too.
The Rails upgrade fixed the rack and websocket-extensions gems. We only have puma left to fix.
$ bundle update --patch puma
The command above will update the puma gem and we are good to go. Push your changes to your repo and you should have no alerts left.
React to the post or leave a comment if this article helped you.
Until next week...
Top comments (1)
Hi Mbonu, this was an incredibly helpful post! Thank you for sharing :)