Skip to content

[Snyk] Fix for 22 vulnerabilities#3

Open
kingjay66 wants to merge 1 commit into
masterfrom
snyk-fix-441fabf4b2a7642aa154212b5ea2f7ce
Open

[Snyk] Fix for 22 vulnerabilities#3
kingjay66 wants to merge 1 commit into
masterfrom
snyk-fix-441fabf4b2a7642aa154212b5ea2f7ce

Conversation

@kingjay66

@kingjay66 kingjay66 commented Jul 14, 2025

Copy link
Copy Markdown
Owner

snyk-top-banner

Snyk has created this PR to fix 22 vulnerabilities in the rubygems dependencies of this project.

Snyk changed the following file(s):

  • Gemfile
  • Gemfile.lock

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity Deserialization of Untrusted Data
SNYK-RUBY-ACTIVESUPPORT-569598		   834  
high severity Heap-based Buffer Overflow
SNYK-RUBY-NOKOGIRI-7164639		   696  
high severity Stack-based Buffer Overflow
SNYK-RUBY-NOKOGIRI-8732769		   671  
high severity Use After Free
SNYK-RUBY-NOKOGIRI-8732779		   671  
high severity Integer Overflow or Wraparound
SNYK-RUBY-COMMONMARKER-2415031		   654  
medium severity Denial of Service (DoS)
SNYK-RUBY-COMMONMARKER-3318400		   646  
medium severity Denial of Service (DoS)
SNYK-RUBY-COMMONMARKER-5829860		   641  
high severity NULL Pointer Dereference
SNYK-RUBY-NOKOGIRI-3052880		   589  
medium severity Denial of Service (DoS)
SNYK-RUBY-COMMONMARKER-5603112		   586  
medium severity Use After Free
SNYK-RUBY-NOKOGIRI-9510795		   576  
high severity Remote Code Execution
SNYK-RUBY-KRAMDOWN-585939		   574  
medium severity Denial of Service (DoS)
SNYK-RUBY-COMMONMARKER-3318401		   536  
medium severity Use After Free
SNYK-RUBY-NOKOGIRI-6228056		   524  
medium severity Cross-site Scripting (XSS)
SNYK-RUBY-ACTIVESUPPORT-3360028		   519  
medium severity Deserialization of Untrusted Data
SNYK-RUBY-KRAMDOWN-1087436		   505  
low severity Out-of-bounds Read
SNYK-RUBY-COMMONMARKER-3318398		   486  
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-RUBY-ACTIVESUPPORT-3237242		   479  
medium severity Denial of Service (DoS)
SNYK-RUBY-COMMONMARKER-5603111		   479  
medium severity Use After Free
SNYK-RUBY-NOKOGIRI-9510789		   469  
medium severity Denial of Service (DoS)
SNYK-RUBY-COMMONMARKER-3318399		   429  
low severity Buffer Under-read
SNYK-RUBY-NOKOGIRI-9789079		   426  
low severity Cross-site Scripting (XSS)
SNYK-RUBY-NOKOGIRI-8453714		   319  

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Cross-site Scripting (XSS)
🦉 Deserialization of Untrusted Data
🦉 More lessons are available in Snyk Learn

@snyk-bot
fix: Gemfile & Gemfile.lock to reduce vulnerabilities
f9e8648 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-RUBY-ACTIVESUPPORT-569598
- https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-7164639
- https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-8732769
- https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-8732779
- https://snyk.io/vuln/SNYK-RUBY-COMMONMARKER-2415031
- https://snyk.io/vuln/SNYK-RUBY-COMMONMARKER-3318400
- https://snyk.io/vuln/SNYK-RUBY-COMMONMARKER-5829860
- https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-3052880
- https://snyk.io/vuln/SNYK-RUBY-COMMONMARKER-5603112
- https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-9510795
- https://snyk.io/vuln/SNYK-RUBY-KRAMDOWN-585939
- https://snyk.io/vuln/SNYK-RUBY-COMMONMARKER-3318401
- https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-6228056
- https://snyk.io/vuln/SNYK-RUBY-ACTIVESUPPORT-3360028
- https://snyk.io/vuln/SNYK-RUBY-KRAMDOWN-1087436
- https://snyk.io/vuln/SNYK-RUBY-COMMONMARKER-3318398
- https://snyk.io/vuln/SNYK-RUBY-ACTIVESUPPORT-3237242
- https://snyk.io/vuln/SNYK-RUBY-COMMONMARKER-5603111
- https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-9510789
- https://snyk.io/vuln/SNYK-RUBY-COMMONMARKER-3318399
- https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-9789079
- https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-8453714
@socket-security

socket-security Bot commented Jul 14, 2025

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedjekyll@​3.7.4 ⏵ 3.9.583100100100100
Updatedgithub-pages@​192 ⏵ 23199 +1100100100100
Updatedjekyll-relative-links@​0.5.3 ⏵ 0.6.1100 +1100100100100

View full report

@socket-security

socket-security Bot commented Jul 14, 2025

Copy link
Copy Markdown

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action Severity Alert (click for details)
Block Medium
benchmark@0.4.1 has Shell access.

Location: Package overview

From: Gemfile.lockgem/github-pages@231gem/benchmark@0.4.1

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/benchmark@0.4.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
concurrent-ruby@1.3.5 has Shell access.

Location: Package overview

From: Gemfile.lockgem/github-pages@231gem/jekyll@3.9.5gem/concurrent-ruby@1.3.5

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/concurrent-ruby@1.3.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
drb@2.2.3 has Network access.

Location: Package overview

From: Gemfile.lockgem/github-pages@231gem/drb@2.2.3

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/drb@2.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
logger@1.6.6 has Shell access.

Location: Package overview

From: Gemfile.lockgem/github-pages@231gem/logger@1.6.6

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/logger@1.6.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
pathutil@0.16.2 has Shell access.

Location: Package overview

From: Gemfile.lockgem/jekyll@3.9.5gem/pathutil@0.16.2

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/pathutil@0.16.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
rexml@3.4.1 Uses eval.

Location: Package overview

From: Gemfile.lockgem/github-pages@231gem/jekyll@3.9.5gem/rexml@3.4.1

ℹ Read more on: This package | This alert | What is dynamic code execution?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/rexml@3.4.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
rexml@3.4.1 has Shell access.

Location: Package overview

From: Gemfile.lockgem/github-pages@231gem/jekyll@3.9.5gem/rexml@3.4.1

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/rexml@3.4.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
activesupport@7.1.5.1 has Environment variable access.

Location: Package overview

From: Gemfile.lockgem/github-pages@231gem/activesupport@7.1.5.1

ℹ Read more on: This package | This alert | What is environment variable access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/activesupport@7.1.5.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
addressable@2.8.7 has URL strings.

URLs: https://rubygems.org, http://www.google.com/, http://www.example.com/%%30%30, http://www.example.com/, https://www.example.com/, https://www.example.com/foo/bar, https://www.example.com/bar, http://example.com/home/, http://example.com/home/index, http://example.com/, http://example.com/search/an-example-search-query/, http://example.com/a/b/c/, http://example.com/?a=1&b=2&c=3&first=foo, http://example.com/foo, http://example.com/search/, http://example.com/first/second/, http://example.com/a/b/c/?one=1&two=2#foo, http://example.com/a/b/c/#foo, http://example.com/1/, http://example.com/?one=1, http://example.com/?two=2, http://example.com, http://example.com/1, http://example.com/search/Caf%C3%A9/, http://example.com/search/Cafe%CC%81/, http://example.com/search/an+example+search+query/, http://cyberscore.dev/api/users, http://cyberscore.dev/api/users?username=foobaz, HTTP://example.com.:%38%30/%70a%74%68?a=%31#1%323, HTTP://example.com.:80, HTTP://example.com.:80/%70a%74%68?a=%31#1%323, http://example.com/path?a=1#123, http://example.com/path, https://www.example.com:8080, https://www.example.com:8080/, ftp://ftp.is.co.za/rfc/rfc1808.txt, ftp://ftp.is.co.za, http://www.ietf.org/rfc/rfc2396.txt, http://www.ietf.org, http://192.0.2.16:8000, http://example.com:bogus/, http://EXAMPLE.com, http://EXAMPLE.com:80/, http://example.com:/, http://example.com:80/, http://EXAMPLE.COM/, http://example.com/path/, http://elsewhere.com/, http://example.com/relative/path, HTTP://www.w3.org/pub/WWW/TheProject.html, http://www.w3.org, HTTP://example.com/, http://Example.com/, http://example.com/?, http://example.com/#, http://example.com?#, http://example.com./, HTTP://EXAMPLE.COM/, http://www.example.co.uk/, http://www.example.co.uk, http://sub_domain.blogspot.com/, http://sub_domain.blogspot.com, http://example.com/~smith/, http://example.com/%7Esmith/, http://example.com/%7esmith/, http://example.com/%E8, http://example.com/path%2Fsegment/, http://example.com/path/segment/, http://example.com/?%F6, http://example.com/#%F6, http://example.com/%C3%87, http://example.com/C%CC%A7, http://example.com/C%25CC%25A7, http://example.com/%25C3%2587, http://example.com/?q=string, http://example.com:8080/, http://example.com/path/to/, http://example.com:80/path/to/, http://example.com:8080/path/to/, http://example.com:8080, http://example.com:%38%30/, http://example.com/%2E/, http://example.com/../, http://www.example.com///../, http://www.example.com//, http://example.com/path/to/resource/, http://example.com/path/to/resource/sub, http://example.com/path/to/another, http://example.com/path/to/res, http://example.com/to/resource/, http://example.com/file.txt, http://example.com/x, http://example.com/?x=1&y=2, http://elsewhere.com/path/to/, http://newexample.com, http://example.com/path/to/resource?query=x#fragment, http://example.com/search?q=Q%26A, http://example.com/?&x=b, http://example.com/?q=, http://example.com/?&&x=b, http://example.com/?q=a&&x=b, http://example.com/?q&&x=b, http://example.com/?q=a+b, https://example.com/?q=a+b, http://example.com/?q=a%2bb, http://example.com/?v=%7E&w=%&x=%25&y=%2B&z=C%CC%A7, http://example.com/?v=%7E&w=%&x=%25&y=+&z=C%CC%A7, http://example.com/?a=1&a=1, http://example.com/?a=1&a=2, http://example.com/sound%2bvision, http://example.com/indirect/path/./to/../resource/, http://under_score.example.com/, http://www.xn--8ws00zhy3a.com/, http://www.xn--8ws00zhy3a.com, http://www.xn--8ws00zhy3a.com/%20some%20spaces%20/, http://www.xn--8ws00zhy3a.com/atomtests/iri/%E8%A9%B9.html, http://www.xn--n8jaaaaai5bhf7as8fsfk3jnknefdde3f, http://www.comrade.net/path/to/source/, http://www.comrade.co.uk/path/to/source/, http://www.comrade.com/path/to/source/, http://127.0.0.1/, https://example.com/, http://example.com/example.com/, ftp://example.com, http://example.com:21, ftp://example.com:21, http://example.com/path/to/resource, http://7777.example.org:8089

Location: Package overview

From: Gemfile.lockgem/github-pages@231gem/jekyll@3.9.5gem/addressable@2.8.7

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/addressable@2.8.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
benchmark@0.4.1 has URL strings.

URLs: https://rubygems.org

Location: Package overview

From: Gemfile.lockgem/github-pages@231gem/benchmark@0.4.1

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/benchmark@0.4.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
benchmark@0.4.1 has Filesystem access.

Location: Package overview

From: Gemfile.lockgem/github-pages@231gem/benchmark@0.4.1

ℹ Read more on: This package | This alert | What is filesystem access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/benchmark@0.4.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
bigdecimal@3.2.2 has Filesystem access.

Location: Package overview

From: Gemfile.lockgem/github-pages@231gem/bigdecimal@3.2.2

ℹ Read more on: This package | This alert | What is filesystem access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/bigdecimal@3.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
concurrent-ruby@1.3.5 has URL strings.

URLs: https://rubygems.org, https://github.com/ruby-concurrency/concurrent-ruby/pull/841

Location: Package overview

From: Gemfile.lockgem/github-pages@231gem/jekyll@3.9.5gem/concurrent-ruby@1.3.5

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/concurrent-ruby@1.3.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
concurrent-ruby@1.3.5 has Environment variable access.

Location: Package overview

From: Gemfile.lockgem/github-pages@231gem/jekyll@3.9.5gem/concurrent-ruby@1.3.5

ℹ Read more on: This package | This alert | What is environment variable access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/concurrent-ruby@1.3.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
drb@2.2.3 has Filesystem access.

Location: Package overview

From: Gemfile.lockgem/github-pages@231gem/drb@2.2.3

ℹ Read more on: This package | This alert | What is filesystem access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/drb@2.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
execjs@2.10.0 has URL strings.

URLs: https://github.com/oracle/truffleruby/blob/master/doc/user/polyglot.md#installing-other-languages, https://github.com/rails/execjs

Location: Package overview

From: Gemfile.lockgem/github-pages@231gem/execjs@2.10.0

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/execjs@2.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
faraday@2.8.1 has URL strings.

URLs: https://lostisland.github.io/faraday/usage/, http://domain.test/hello, http://wrong.test/hello, http://wrong.test/bait, http://foo.com/foo?a=1, http://foo.com/foo?a, http://domain.test/bait, http://httpbingo.org, http://httpbingo.org:815/fish?a=1, http://httpbingo.org/foo, http://nigiri.com/bar, https://httpbingo.org/foo, http://httpbingo.org/fish?a=1&b=2, http://httpbingo.org/omnom, http://httpbingo.org/sake.html?a=1, http://httpbingo.org/nigiri, http://httpbingo.org/nigiri?a=2, http://httpbingo.org/get/, https://httpbingo.org/get/sake.html, http://httpbingo.org/get/sake.html, http://httpbingo.org/sake/, http://service.com, http://service.com/service:search?limit=400, http://service.com/service%3Asearch?limit=400, http://service.com/api/service%3Asearch?limit=400, http://httpbingo.org/nigiri?a=1&b=1, http://httpbingo.org/nigiri?a=1&b=2&c=3, https://ahttpbingo.org/sake.html, http://httpbingo.org/sake.html, http://env-proxy.com:80, http://proxy.com, http://example.com, http://prefixedexample.com, http://subdomain.example.com, http://127.0.0.1, http://example0.com, http://example1.com, http://example2.com, http://google.co.uk, https://proxy.com, https://google.co.uk, http://proxy2.com, http://duncan.proxy.com:80, http://proxy.com:80, http://example.co, http://example.com?a=a&p=3, http://example.com?a=1&b=2, http://example.com?a=1&b=2&c=3&limit=5&page=1, http://example.com?b=b, http://example.com/?A-1,B-2,C-3,FEELING-BLUE, http://example.com?color%5B%5D=blue&color%5B%5D=red, http://example.com?color, http://example.com?color=blue&color=red, http://example.org, http://httpbingo.org/api, http://httpbingo.org/api/foo.json?a=1, http://httpbingo.org/api/foo.json?a=1&b=2, https://lostisland.github.io/faraday, http://httpbingo.org/, http://example.com/abc

Location: Package overview

From: Gemfile.lockgem/github-pages@231gem/faraday@2.8.1

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/faraday@2.8.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
ffi@1.17.2 is a AI-detected potential code anomaly.

Notes: The script performs legitimate setup tasks but also contains suspicious activities such as downloading and executing binaries from an external source (https://rl.gl) and adding an untrusted repository with the --allow-unauthenticated flag. These actions pose significant security risks, including potential malware and supply chain attacks.

Confidence: 1.00

Severity: 0.60

From: Gemfile.lockgem/github-pages@231gem/jekyll@3.9.5gem/ffi@1.17.2

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/ffi@1.17.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
github-pages-health-check@1.18.2 has URL strings.

URLs: https://rubygems.org, https://github.com/github/pages-health-check, https://help.github.com, https://www.cloudflare.com/ips-v4, https://www.cloudflare.com/ips-v6, https://api.fastly.com/public-ip-list

Location: Package overview

From: Gemfile.lockgem/github-pages@231gem/github-pages-health-check@1.18.2

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/github-pages-health-check@1.18.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
jekyll-github-metadata@2.16.1 has URL strings.

URLs: https://api.github.com, https://docs.github.com, https://github.com

Location: Package overview

From: Gemfile.lockgem/github-pages@231gem/jekyll-github-metadata@2.16.1

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/jekyll-github-metadata@2.16.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
jekyll-remote-theme@0.4.3 has URL strings.

URLs: https://github.com/benbalter/jekyll-remote-theme

Location: Package overview

From: Gemfile.lockgem/github-pages@231gem/jekyll-remote-theme@0.4.3

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/jekyll-remote-theme@0.4.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
jekyll-seo-tag@2.8.0 has URL strings.

URLs: https://rubygems.org, https://schema.org

Location: Package overview

From: Gemfile.lockgem/github-pages@231gem/jekyll-seo-tag@2.8.0

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/jekyll-seo-tag@2.8.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
jekyll-sitemap@1.4.0 has URL strings.

URLs: https://rubygems.org, http://example.org, http://example.org/bass/sitemap.xml, http://xn--mlaut-jva.example.org/sitemap.xml, http://example.org/sitemap.xml

Location: Package overview

From: Gemfile.lockgem/github-pages@231gem/jekyll-sitemap@1.4.0

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/jekyll-sitemap@1.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

See 16 more rows in the dashboard

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kingjay66 @snyk-bot