Software dependency upgrades

[Screenshot: an email notification for security vulnerabilities in the lodash npm package]
[Screenshot: an email notification for a security advisory for the nokogiri Ruby gem]
GitHub periodically sends me emails about new security vulnerabilities and advisories for my software projects.

Over the past couple of years, I’ve created a number of websites using various tools. Some are personal projects I developed in order to teach myself new skills. Others are production websites with active traffic that I’ve built to publish my activities and sell products to customers (in addition to being an engineer and sometimes web developer, I am an artist and printmaker). It seems to be the nature of software, especially web software, that everything develops vulnerabilities and needs periodic updates. And the longer you put off an upgrade, the more difficult it is to complete.

This is less of a cohesive writeup, and more of a series of notes for myself the next time I need to upgrade my software dependencies to fix vulnerabilities.

JavaScript

JavaScript is a programming language that can be run in web browsers.

I completed my first JavaScript app, Trois, in September 2018 and wrote about it here. Trois is implemented in React, a popular JavaScript library created by Facebook that can be used to build interactive websites that run in the visitor’s browser.

The command line tool npm is a package manager for installing JavaScript libraries; I used it to install React. npm comes with many commands for keeping your software up to date.

Ruby on Rails

Ruby on Rails is a framework for building interactive websites that run on backend servers. In April 2018 I finished Visualize the World, my first Ruby on Rails application. I wrote about it here.

Compared to Trois, this site was more difficult to upgrade. My difficulties were partly due to the fact that I last looked at the code two years ago and haven’t worked on a Rails application since then.

I started on Rails version 5.1.2 which was released in June 2017. As of writing, the newest Rails release is There were a large number of changes made between the 5.x and 6.x releases, so instead of upgrading to the most recent version of Rails, I upgraded halfway to the last 5.x release: This was enough of an update to resolve all published security vulnerabilities for now.

For the most part, I followed the instructions in the Ruby on Rails guide. However, here are some other notes and resources that I used:

Deploying my changes went smoothly. I previously set up a Heroku pipeline to connect my GitHub repository to Heroku: Heroku automatically deploys the new version when I update code in the master branch.

Jekyll

I built my personal website (including my online print shop) using Jekyll. Read more about it here.

Jekyll is a static site generator built in Ruby; as Ruby is upgraded to add features or fix bugs, Jekyll is upgraded alongside it. I started this site using Jekyll 3.7.3; the most recent version as of this writing is 4.0.0.

I updated my Gemfile to request the latest 3.x Jekyll gem (gem "jekyll", "~> 3.7" requests the latest version of Jekyll that is later than or equal to 3.7 but earlier than 4.0). In the terminal, I ran bundle outdated to check for outdated gems, then used bundle update to update all gems and dependencies to the latest versions compatible with that Jekyll constraint.
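To see exactly which versions a Gemfile constraint like "~> 3.7" lets bundle update pick, here is an added example (not code from the original post) that evaluates constraints with Ruby's built-in Gem::Requirement and Gem::Version classes against a constructed list of candidate versions; only 3.7.3 and 4.0.0 are versions named above, the rest are made up for illustration.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby itself

# Constructed candidate list: 3.7.3 and 4.0.0 come from the post, the other
# numbers (including the prerelease) are invented to exercise the operators.
CANDIDATES = %w[3.6.2 3.7.3 3.7.4 3.8.5 3.9.0 4.0.0 4.1.0.pre].freeze

# List every candidate version that the Gemfile constraint accepts.
def accepted(constraint, candidates = CANDIDATES)
  req = Gem::Requirement.new(constraint)
  candidates.select { |s| req.satisfied_by?(Gem::Version.new(s)) }
end

# Return the newest accepted version as a string, or nil if none matches.
# Prerelease versions are skipped unless allow_prerelease is set, mirroring
# the fact that bundle update ignores prereleases unless you ask for them.
def newest_matching(constraint, candidates = CANDIDATES, allow_prerelease: false)
  req = Gem::Requirement.new(constraint)
  matches = candidates.map { |s| Gem::Version.new(s) }
                      .reject { |v| v.prerelease? && !allow_prerelease }
                      .select { |v| req.satisfied_by?(v) }
  matches.max&.to_s
end

if $PROGRAM_NAME == __FILE__
  # "~> 3.7" allows 3.7 up to (not including) 4.0; "~> 3.7.3" only 3.7.x;
  # ">= 3.7" has no upper bound and so would also accept a 4.x release.
  ["~> 3.7", "~> 3.7.3", ">= 3.7", "= 3.7.3"].each do |c|
    puts format("%-9s accepts %-30s newest: %s",
                c, accepted(c).join(" "), newest_matching(c).inspect)
  end
end
```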

See: Jekyll’s upgrade docs

Keeping your software up to date is a lot of work, but it’s a necessary security precaution. Plus, periodically updating keeps you safe from all the GitHub email notifications.