
Dependabot cannot create a pull request as one or more other dependencies require a version that is incompatible with this update

In one of my repositories today, I got this security notification:

The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template=" string://<%= `).

NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

I tried creating a dependabot security update but it couldn't update to the required version.

How to resolve this?

I had the same problem in a few repositories this week. They were all using GitHub pages to generate static sites, so the JSON vulnerability was probably irrelevant. However, it's easier if you can just upgrade away from the vulnerable version of kramdown.

The problem with my repositories was that they were using versions of the github-pages gem older than 207. Those required vulnerable versions of kramdown, so Dependabot wouldn't touch it. I'm not sure why Dependabot couldn't update github-pages.

To solve it, I used the bundle update --all command. bundle update github-pages also works, although in my project it had the same result. It installed a bunch of updates and recorded them in the Gemfile.lock file. When I committed that change, the security notification on GitHub went away.

In my case I solved it by modifying the Gemfile.lock file; it is located in the root directory of the repository.

CTRL + F kramdown

It appears in three places in the file:

Gemfile.lock
line 70  kramdown (= 1.17.0)  update to 2.3.0
line 105 kramdown (~> 1.14)   update to 2.3.0
line 170 kramdown (1.17.0)    update to 2.3.0

Create a new branch to modify, commit, and submit the changes. Open Pull Request, merge and confirm merge.

Then tell me how it went. Regards
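Added example (not code from the question or from any of the answers above): a small Ruby check that reads a Gemfile.lock, reports whether the resolved kramdown is still below the fixed 2.3.0 release, and lists every dependent whose constraint excludes 2.3.0. Those dependents (an old github-pages pin, jekyll's "~> 1.14") are exactly what the first answer describes Dependabot choking on, and the three kramdown lines the second answer edits by hand are the lines it parses. The lockfile fragment is constructed for the demo; only Ruby's stdlib (Gem::Version, Gem::Requirement) is used.

```ruby
# Added example, not code from the question or answers above: scan a Gemfile.lock
# for a resolved kramdown below the fixed release (2.3.0) and list each dependent
# whose constraint excludes it, i.e. what makes Dependabot refuse the update.
FIXED_KRAMDOWN = Gem::Version.new("2.3.0")

# Constructed lockfile fragment (not a real project's) in the shape the answers
# describe: an old github-pages pin plus jekyll's "~> 1.14" constraint.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      github-pages (206)
        jekyll (= 3.9.0)
        kramdown (= 1.17.0)
      jekyll (3.9.0)
        kramdown (~> 1.14)
      kramdown (1.17.0)
      safe_yaml (1.0.5)

  PLATFORMS
    ruby

  DEPENDENCIES
    github-pages
LOCK

# Returns { resolved: "1.17.0", vulnerable: true, blockers: { "jekyll (3.9.0)" => "~> 1.14", ... } }
def kramdown_audit(lockfile_text, gem_name = "kramdown", fixed = FIXED_KRAMDOWN)
  resolved, blockers, current_spec, in_specs = nil, {}, nil, false
  lockfile_text.each_line do |raw|
    line = raw.chomp
    if line == "  specs:" then in_specs = true; next end
    in_specs = false if line =~ /\A\S/ # GEM, PLATFORMS, DEPENDENCIES... headers end a specs block
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \((.+)\)\z/))         # 4 spaces: a resolved gem
      current_spec = "#{m[1]} (#{m[2]})"
      resolved = m[2] if m[1] == gem_name
    elsif (m = line.match(/\A {6}(\S+)(?: \((.+)\))?\z/)) # 6 spaces: a dependency of current_spec
      next unless current_spec && m[1] == gem_name
      constraint = m[2] || ">= 0"
      # A dependent blocks the fix when its constraint is not satisfied by the fixed version.
      blockers[current_spec] = constraint unless Gem::Requirement.new(constraint.split(", ")).satisfied_by?(fixed)
    end
  end
  { resolved: resolved,
    vulnerable: !resolved.nil? && Gem::Version.new(resolved) < fixed,
    blockers: blockers }
end
```

Run it against the lockfile after bundle update --all as well: once github-pages is at 207 and jekyll's constraint admits 2.x, blockers comes back empty and vulnerable is false.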

Clone that repo locally. Run npm update. It will automatically update all your packages. No need to rely on dependabot. To verify the update, run npm outdated.

To upgrade yarn.lock dependencies, run yarn upgrade --latest.
