i18n dependency version conflict preventing activesupport update to fix CVE-2023-22796 #866

@agnostic-apollo

This issue affects

  • The site generated by GitHub Pages
  • Building sites locally

Issue

The CVE-2023-22796 requires activesupport to be updated to 6.1.7.1 or 7.0.4.1.

The github-pages 227 gem depends on jekyll = 3.9.2, which depends on i18n ~> 0.7.

The activesupport 6.1.7.1 depends on i18n >= 1.6, < 2, which prevents an update. The activesupport 6.0.6.1 was the last version that depended on i18n >= 0.7, < 2, which then used i18n 0.9.5 to also satisfy jekyll's i18n ~> 0.7 requirement.

Not sure what can be done, other than possibly updating to jekyll >= 4.0.0, which depends on i18n >= 0.9.5, < 2. Any suggestions? Thanks.
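The conflict described in this issue can be reproduced with RubyGems' own requirement matcher. The following is an added example, not part of the original issue or the github-pages project; the i18n constraints are the ones quoted in the issue, while the candidate i18n version list and the helper names `shared_i18n` and `report` are assumptions made for illustration.

```ruby
require "rubygems"

# i18n constraints per gem, exactly as quoted in the issue text.
I18N_CONSTRAINTS = {
  "jekyll 3.9.2"          => Gem::Requirement.new("~> 0.7"),
  "jekyll >= 4.0.0"       => Gem::Requirement.new(">= 0.9.5", "< 2"),
  "activesupport 6.0.6.1" => Gem::Requirement.new(">= 0.7", "< 2"),
  "activesupport 6.1.7.1" => Gem::Requirement.new(">= 1.6", "< 2"),
}.freeze

# Constructed sample of i18n versions to probe; not a complete release list.
CANDIDATE_I18N = %w[0.7.0 0.9.5 1.0.0 1.6.0 1.12.0]
                 .map { |v| Gem::Version.new(v) }.freeze

# Returns the candidate i18n versions that satisfy every named gem at once.
# An empty result means the resolver has no version it can pick.
def shared_i18n(*gems)
  reqs = gems.map { |g| I18N_CONSTRAINTS.fetch(g) }
  CANDIDATE_I18N.select { |v| reqs.all? { |r| r.satisfied_by?(v) } }
                .map(&:to_s)
end

# Pairings discussed in the issue: the old working combination, the blocked
# security update, and the suggested move to jekyll >= 4.0.0.
def report
  [
    ["jekyll 3.9.2", "activesupport 6.0.6.1"],
    ["jekyll 3.9.2", "activesupport 6.1.7.1"],
    ["jekyll >= 4.0.0", "activesupport 6.1.7.1"],
  ].map { |pair| [pair, shared_i18n(*pair)] }
end

if __FILE__ == $PROGRAM_NAME
  report.each do |pair, versions|
    status = versions.empty? ? "CONFLICT (no shared i18n)" : versions.join(", ")
    puts "#{pair.join(' + ')}: #{status}"
  end
end
```

The pessimistic operator `~> 0.7` expands to `>= 0.7, < 1.0`, which is why it can never overlap with `>= 1.6, < 2`.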
