How to remove or replace vulnerable gem dependencies?

Question

I have an app I developed a couple of years ago with some dependencies in Gemfile.lock that are now security vulnerabilities, but when I run bundle update or bundle --patch gemname or gem install updated-gem, I continue to get the message:

Bundler attempted to update actionview but its version stayed the same

First time with gems with vulnerability issue, how do I get them resolved?

Answer 1

You don't do anything in the Gemfile.lock file, these are built by rails automatically whenever you install a version of rails in your gem.

First, I would install a gem called bundle-audit. Follow the instructions on the documentation on how to use it, this gem will tell you what gems are vulnerable.

Then look at the version of rails you have in your Gemfile, not Gemfile.lock and compare the version with the version of gem dependencies. If you find that they are the same versions or similar, those a probably the gem dependencies that version of rails came with.

So what you do is change your version of rails to the next recommended version.

Do a bundle update, this will rebuild your gem dependencies in your Gemfile.lock from scratch and then you should be golden. You can verify that by doing another bundle-audit check command. If it says no vulnerabilities found or something like that, you are done.