While I was updating the doc site on March 29, 2021, GitHub's Dependabot issued an alert for the kramdown package:

https://github.com/q2ebanking/boa-constrictor/security/dependabot/docs/Gemfile.lock/kramdown/open

The Boa Constrictor doc site has a dependency on kramdown 2.3.0. Unfortunately, that version has a security vulnerability. The fix is to update to 2.3.1. However, the github-pages gem, which is required for hosting the site on GitHub Pages, declares an explicit dependency on kramdown (= 2.3.0), so Bundler cannot resolve the upgrade:
```
> bundle update kramdown
Fetching gem metadata from https://rubygems.org/...........
Resolving dependencies....
Bundler could not find compatible versions for gem "kramdown":
  In Gemfile:
    kramdown (>= 2.3.1)

    github-pages (~> 213) was resolved to 213, which depends on
      kramdown (= 2.3.0)
```
I verified that explicit dependency here:

https://rubygems.org/gems/github-pages

GitHub Pages requires the following package versions:

https://pages.github.com/versions/

At the time of opening this issue:

- github-pages --> 213
- kramdown --> 2.3.0
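As an added example that is not part of this issue or the Boa Constrictor project: a small Ruby script that parses a Gemfile.lock, reports whether the resolved kramdown version is still below the fixed 2.3.1, and lists which specs in the lockfile pin kramdown to a requirement that 2.3.1 would not satisfy. This is the same conflict Bundler reported above, read directly from the lockfile instead of from resolver output. The sample lockfile is constructed for the example; the jekyll and rexml entries in it are assumptions for illustration, not taken from the issue.

```ruby
# Added example (not from the issue or the project): inspect a Gemfile.lock
# for a gem that is below a fixed version and find out which spec pins it.
require 'rubygems'

# Constructed sample lockfile modelled on the issue: github-pages 213
# declares an exact pin on kramdown 2.3.0. The jekyll/rexml lines are
# assumed for illustration only.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      github-pages (213)
        jekyll (= 3.9.0)
        kramdown (= 2.3.0)
      jekyll (3.9.0)
        kramdown (>= 1.17, < 3)
      kramdown (2.3.0)
        rexml
      rexml (3.2.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    github-pages (~> 213)

  BUNDLED WITH
     2.2.15
LOCK

# Parse the GEM/specs section of a Gemfile.lock into
# { name => { version: Gem::Version, deps: { name => Gem::Requirement } } }.
# Spec lines are indented by 4 spaces, their dependency lines by 6.
def parse_lockfile(text)
  specs = {}
  in_specs = false
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    if line == 'GEM'
      in_specs = true
      next
    elsif line =~ /\A[A-Z]/ # another top-level section (PLATFORMS, DEPENDENCIES, ...)
      in_specs = false
    end
    next unless in_specs

    if line =~ /\A {4}(\S+) \(([^)]+)\)\z/
      current = Regexp.last_match(1)
      specs[current] = { version: Gem::Version.new(Regexp.last_match(2)), deps: {} }
    elsif current && line =~ /\A {6}(\S+)(?: \(([^)]+)\))?\z/
      dep = Regexp.last_match(1)
      req = Regexp.last_match(2)
      # A dependency with no parenthesised requirement means "any version".
      reqs = req ? req.split(',').map(&:strip) : ['>= 0']
      specs[current][:deps][dep] = Gem::Requirement.new(reqs)
    end
  end
  specs
end

# True when the resolved version of gem_name is older than fixed_version.
def below_fix?(specs, gem_name, fixed_version)
  spec = specs[gem_name]
  return false unless spec
  spec[:version] < Gem::Version.new(fixed_version)
end

# Specs whose requirement on gem_name would reject fixed_version, i.e. the
# pins that block the upgrade. Returns [[spec_name, requirement_string], ...].
def blocking_pins(specs, gem_name, fixed_version)
  fixed = Gem::Version.new(fixed_version)
  specs.select { |_, s| s[:deps].key?(gem_name) && !s[:deps][gem_name].satisfied_by?(fixed) }
       .map { |name, s| [name, s[:deps][gem_name].to_s] }
end

if $PROGRAM_NAME == __FILE__
  specs = parse_lockfile(SAMPLE_LOCK)
  puts "kramdown resolved to #{specs['kramdown'][:version]}"
  puts "below 2.3.1: #{below_fix?(specs, 'kramdown', '2.3.1')}"
  blocking_pins(specs, 'kramdown', '2.3.1').each do |name, req|
    puts "blocked by #{name}, which requires kramdown (#{req})"
  end
end
```

Point the parser at a real `docs/Gemfile.lock` (read with `File.read`) to get the same report for a checked-out site. The jekyll requirement `>= 1.17, < 3` is satisfied by 2.3.1, so only the github-pages exact pin shows up as blocking, which matches what Bundler reported.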
I do not believe that I can "hack" kramdown 2.3.1 into the doc site. I tried playing with it locally to see if I could make something work cleanly, but that did not work. I think we must wait for GitHub Pages to update the gem versions it supports and to release an update to the github-pages gem that supports the kramdown update.
It looks like kramdown 2.3.1 was released very recently:

https://kramdown.gettalong.org/news.html

I suspect that the Dependabot security alert is very new. Hopefully, if everyone in the world is receiving this alert, GitHub Pages will put an update in place very soon. Once they do, I'll update our doc site.