
Hi everyone,
I am sure the image above looks very familiar, so I am going to show how I fix GitHub dependency vulnerability alerts quickly and correctly. I always had issues fixing them and it took me a while to figure it out, so I hope it helps someone out there.
Some vulnerabilities are fairly simple to fix, while others might need a Rails version upgrade. I will be using the screenshot above for reference. It's from one of my repos using Rails 6.
We can see from the image that the severity of each vulnerability is stated, and the high severity vulnerabilities need to be fixed as soon as possible to stop your app from being vulnerable. You can let GitHub fix these vulnerabilities for you, but you still need to test the result to make sure your app works fine.
I have 9 alerts, i.e. 9 gems to fix. Two are reported from yarn.lock and seven from Gemfile.lock.
Fixing the yarn.lock vulnerabilities: lodash and websocket-extensions
Click on the alert to view more information about it. As you can see, GitHub's Dependabot has already created a PR to fix it for me, but I will close that and fix it manually.
First, open the repo in your code editor and go to the yarn.lock file. Next, search for the package entry and delete it. Here is mine:
We need to bump websocket-extensions from 0.1.3 to 0.1.4 and lodash from 4.17.15 to 4.17.19.
Run yarn install and this should reinstall updated versions of those packages. The deleted entries are resolved again using the version ranges in package.json, so if a range does not allow the patched version, the entry will come back at the old version and package.json needs updating as well.
Notice the versions have changed.
Fixing the Gemfile.lock vulnerabilities
We have vulnerabilities reported for actionview, activesupport, actionpack and activestorage, which can only be fixed by bumping the Rails version. Let's fix that first, as it might also bump the versions of the other vulnerable gems. Update the rails version in the Gemfile.
source "https://rubygems.org"
git_source(:github) { |repo| "https://github.com/#{repo}.git" }
ruby "2.6.3"
gem "rails", "~> 6.0.3.2"
$ bundle update --patch rails
Run the above command in your terminal to update rails and all its component gems to the next patch version. Always check that the actionview, activesupport etc. gem versions in Gemfile.lock are the same as the Rails version in your Gemfile.
P.S.: In some cases a workaround is given when a version upgrade is not feasible. For example, the actionview advisory recommended a workaround if you can't upgrade yet.
For other vulnerable gems not listed in the Gemfile, the bundle update --patch <gem_name> pattern should fix them too.
The Rails upgrade fixed the rack and websocket-extensions gems. We only have puma left to fix.
$ bundle update --patch puma
The command above updates the puma gem and we are good to go. Push your changes to your repo and you should have no alerts left.
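As an added example (not part of the original post), here is a small Ruby script for the check mentioned above: after bundle update --patch rails, it parses Gemfile.lock and reports any Rails component gem whose locked version does not match the rails gem. The lockfile embedded in it is constructed sample input, not my real file.

```ruby
# Added example, not from the original post: verify that the Rails component
# gems locked in Gemfile.lock match the rails gem version. Sample input below.

RAILS_COMPONENTS = %w[actioncable actionmailbox actionmailer actionpack actiontext
                      actionview activejob activemodel activerecord activestorage
                      activesupport railties].freeze

# Map gem name => locked version for the top-level entries of the specs: block.
# Top-level specs are indented by four spaces ("    rails (6.0.3.2)"); their
# dependency lines are indented by six and are skipped.
def lock_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    in_specs = false if line =~ /\A\S/ # e.g. "PLATFORMS" ends the specs block
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    versions[m[1]] = m[2] if m
  end
  versions
end

# Component gems whose locked version differs from rails' version (empty = OK).
def mismatched_rails_components(lock_text)
  versions = lock_versions(lock_text)
  rails_version = versions["rails"]
  return {} unless rails_version
  versions.select { |name, v| RAILS_COMPONENTS.include?(name) && v != rails_version }
end

# Constructed sample lockfile: activestorage lagging behind after a partial update.
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      actionpack (6.0.3.2)
        actionview (= 6.0.3.2)
      actionview (6.0.3.2)
      activestorage (6.0.3.1)
      activesupport (6.0.3.2)
      rails (6.0.3.2)
  PLATFORMS
    ruby
LOCK

if $PROGRAM_NAME == __FILE__
  bad = mismatched_rails_components(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK)
  puts(bad.empty? ? "all Rails components match" : "mismatch: #{bad.inspect}")
end
```

Run it as ruby check_lock.rb Gemfile.lock from the app root; any gem it prints needs another bundle update --patch <gem_name> before you push.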
React to the post or leave a comment if this article helped you.
Until next week...