Updating Ruby, Jekyll and Kramdown
I had a couple of sites on ancient versions of Jekyll, and Github Dependabot kept bothering me about all the vulnerable packages.
Here’s what I think I did (cut to ‘All Steps’ at the bottom for a tl;dr):
Update Ruby
- Install the latest Ruby. This was 3.2.3 at time of writing.
- If your repo Gemfile contains `ruby RUBY_VERSION` and you're hosting on Netlify, then update your `.ruby-version` file to point to the new version. I changed mine from `2.4.3` to `3.2.3`. You can also just hard-code it in the Gemfile if you want.
Update gems
Confusingly, in the Ruby gem world you update the Gemfile manually and then run `bundle i` to install those package versions.

- Update the Gemfile so that Jekyll is at the latest version. I'm sticking with major version 3, so it's `3.9.4`.
- I'm wild so I delete `Gemfile.lock` (I don't think you're supposed to, but I want to force it to regenerate).
- Run `bundle i`.
Here's my output:

```console
$ bundle i
Fetching gem metadata from https://rubygems.org/...........
Resolving dependencies...
Using liquid 4.0.4 (was 3.0.6)
Using rouge 3.30.0 (was 1.11.1)
Fetching i18n 1.14.5
Using kramdown 2.4.0 (was 1.17.0)
Using jekyll-watch 2.2.1 (was 1.5.1)
Installing i18n 1.14.5
Using jekyll 3.9.4 (was 3.4.3)
Bundle complete! 3 Gemfile dependencies, 30 gems now installed.
Use `bundle info [gemname]` to see where a bundled gem is installed.
```
So, I can see that the main thing is that I'm off the insecure kramdown (versions below 2.3.0).
Polyfill what you’ve lost
New kramdown doesn't have a built-in GitHub Flavoured Markdown (GFM) parser, so you have to add it to your gems. Best place to do that is under `:jekyll_plugins`:

```ruby
# If you have any plugins, put them here!
group :jekyll_plugins do
  gem "jekyll-feed", "~> 0.6"
  gem "kramdown-parser-gfm"
end
```

Then do `bundle i` again.

If you now try to `bundle exec jekyll s` you are likely to get an error along the lines of:

```
`require': cannot load such file -- webrick (LoadError)
```

…and this means that you also need to add the webrick gem (webrick stopped shipping with Ruby itself in 3.0, so Jekyll 3's dev server can no longer find it): `bundle add webrick`, which will put a new gem in an ugly place at the bottom of your Gemfile, so feel free to move it up next to the Jekyll one.

Now you should be able to serve.
All steps
- Update Ruby.
- Update `ruby` version in Gemfile and/or `.ruby-version`.
- Update Jekyll version in Gemfile.
- `bundle add webrick`.
- Add `gem "kramdown-parser-gfm"` to `jekyll_plugins` in Gemfile.
- Tidy your Gemfile if you want.
- Maybe delete `Gemfile.lock`??
- `bundle i`
- `bundle exec jekyll s` to test.
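The steps above all end up reflected in `Gemfile.lock`, so here is an added example (my own, not code from the post or from Jekyll) that audits a lock file for the things the post fixes: a kramdown below 2.3.0, `kramdown-parser-gfm` or `webrick` not resolved, and a `.ruby-version` that disagrees with the Ruby the lock was resolved with. It uses only the Ruby standard library; the two lock-file texts are constructed samples, and the `2.5.6` bundler version and `p` patch levels in them are made up.

```ruby
# Added example, not from the original post: audit a Gemfile.lock for the
# problems the post walks through. Standard library only.
require "rubygems"

# The post calls kramdown below 2.3.0 insecure; treat that as the floor.
KRAMDOWN_MIN = Gem::Version.new("2.3.0")

# Gems the post has to add back after moving to Jekyll 3.9 / kramdown 2.
REQUIRED_GEMS = %w[kramdown-parser-gfm webrick].freeze

# Parse the "specs:" block of a Gemfile.lock into { name => Gem::Version }.
# Resolved gems sit at exactly four spaces as "name (version)"; their own
# dependencies sit at six spaces and are skipped. A platform suffix such as
# "1.16.0-x86_64-linux" is cut off so Gem::Version can parse the number.
def parse_lock_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |raw|
    line = raw.chomp
    if line == "  specs:"
      in_specs = true
      next
    end
    in_specs = false if line.match?(/\A\S/) # a top-level heading ends the block
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/)
    specs[m[1]] = Gem::Version.new(m[2].split("-").first) if m
  end
  specs
end

# Ruby version recorded in the lock file's RUBY VERSION section, or nil.
def lock_ruby_version(lock_text)
  m = lock_text.match(/^RUBY VERSION\n\s+ruby (\d+\.\d+\.\d+)/)
  m && m[1]
end

# Return findings as strings; an empty array means the lock matches the
# post's end state. dot_ruby_version is the contents of .ruby-version, if any.
def audit_lock(lock_text, dot_ruby_version: nil)
  specs = parse_lock_specs(lock_text)
  findings = []

  if specs.key?("kramdown")
    if specs["kramdown"] < KRAMDOWN_MIN
      findings << "kramdown #{specs['kramdown']} is below #{KRAMDOWN_MIN}; bump it in the Gemfile and run bundle i"
    end
  else
    findings << "kramdown not resolved in lock file"
  end

  REQUIRED_GEMS.each do |name|
    findings << "#{name} not in lock file; add it to the Gemfile" unless specs.key?(name)
  end

  if dot_ruby_version
    locked = lock_ruby_version(lock_text)
    wanted = dot_ruby_version.strip
    if locked && locked != wanted
      findings << ".ruby-version says #{wanted} but the lock was resolved with ruby #{locked}"
    end
  end

  findings
end

# Constructed sample: the state after the post's upgrade, minus the GFM parser.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      i18n (1.14.5)
        concurrent-ruby (~> 1.0)
      jekyll (3.9.4)
        kramdown (>= 1.17, < 3)
      kramdown (2.4.0)
        rexml
      webrick (1.8.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    jekyll (~> 3.9)
    webrick

  RUBY VERSION
     ruby 3.2.3p157

  BUNDLED WITH
     2.5.6
LOCK

# Constructed sample: roughly the state the post starts from.
OLD_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jekyll (3.4.3)
        kramdown (~> 1.3)
      kramdown (1.17.0)

  RUBY VERSION
     ruby 2.4.3p205
LOCK

if $PROGRAM_NAME == __FILE__
  [SAMPLE_LOCK, OLD_LOCK].each do |lock|
    puts audit_lock(lock, dot_ruby_version: "3.2.3")
    puts "--"
  end
end
```

To run it against a real checkout, pass `File.read("Gemfile.lock")` and `File.read(".ruby-version")` to `audit_lock` instead of the samples; an empty result means the lock already reflects every step in the list above.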
Have fun out there, and may the shiny new gems keep the dependabot from your door 💎🤖