Fix security vulnerabilities in Rack, FFI, and Jekyll #105
This fixes CVE-2018-16471 (a vulnerability in Rack), CVE-2018-1000201 (a vulnerability in FFI), and CVE-2018-17567 (a vulnerability in Jekyll) by upgrading all those gems.
I’m not really sure whether we are actually vulnerable to those (we have a setup for running a live server on Heroku, which would be vulnerable, and a description for serving static files, which would not), so it seemed worth updating just in case. I verified that the generated static file bundle is identical to what I get when building the `master` branch, so this should be OK.

NOTE: I upgraded Jekyll to the latest, rather than just what was needed to address the vulnerability, since the 2.6.x line, which would have been the minimal update, breaks our URLs (fixed here: jekyll/jekyll#6459 and jekyll/jekyll#6475; originally introduced in the fix to jekyll/jekyll#6222 (comment)). Everything works correctly in 2.8.x again.