# Dependency Updates
By Amr
Guide to automated dependency management and Ruby gem updates for the Zer0-Mistakes theme.
The Zer0-Mistakes theme uses automated workflows to keep dependencies current and secure.
## Overview
Dependency management is handled through:
- Automated workflow - Weekly scheduled updates
- Manual trigger - On-demand updates
- Security scanning - Vulnerability detection
## Update Workflow
### Triggers
```yaml
on:
  schedule:
    - cron: '0 0 * * 1'  # Weekly on Monday
  workflow_dispatch:      # Manual trigger
```
### What Gets Updated
| Dependency Type | Tool | File Updated |
|---|---|---|
| Ruby Gems | Bundler | Gemfile.lock |
| Jekyll Plugins | Bundler | Gemfile.lock |
| Node Packages | npm | package-lock.json |
## Running Updates
### Manual Update via GitHub UI
- Go to Actions tab
- Select Update Dependencies workflow
- Click Run workflow
### Manual Update via Command Line
```bash
# Update all Ruby gems
bundle update

# Update specific gem
bundle update jekyll

# Update Node packages
npm update
```
### In Docker
```bash
docker-compose exec jekyll bundle update
docker-compose exec jekyll bundle outdated
```
## Workflow Process
### 1. Check for Updates
```bash
# List outdated gems
bundle outdated

# Show available updates
bundle outdated --only-explicit
```
### 2. Run Updates
```bash
# Update all dependencies
bundle update

# Conservative update (patch versions only)
bundle update --patch
```
### 3. Run Tests
The workflow automatically:
- Runs the full test suite
- Builds the Jekyll site
- Validates gem packaging
### 4. Create Pull Request
If updates are available, the workflow:
- Creates a branch (`deps/update-YYYYMMDD`)
- Commits changes
- Opens a PR for review
## Dependency Pinning
### Gemfile Constraints
Use pessimistic version constraints:
```ruby
# Good: Allows minor and patch updates within 4.x
gem "jekyll", "~> 4.3"

# Good: Specific version when needed
gem "bootstrap", "5.3.3"

# Avoid: Too loose
gem "jekyll", ">= 4.0"
```
### Version Constraint Guide
| Constraint | Meaning | Example |
|---|---|---|
| `~> 4.3` | `>= 4.3.0, < 5.0` | Allows 4.3.x |
| `~> 4.3.0` | `>= 4.3.0, < 4.4` | Allows 4.3.x |
| `>= 4.0` | Any version >= 4.0 | Risky |
| `= 4.3.2` | Exact version only | For critical deps |
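To check the constraint table by execution rather than by reading, here is an added example (my code, not code from the Zer0-Mistakes theme) that feeds each constraint from the Gemfile snippet and the table through RubyGems' own `Gem::Requirement` against a constructed list of candidate versions; the candidate versions are assumptions, not Jekyll's real release history. Running it makes visible that `~> 4.3` admits later 4.x minor releases such as 4.4.0 while `~> 4.3.0` stays within 4.3.x, which is the difference that matters when deciding how tightly to pin, and `allows_major_bump?` flags the "too loose" case where an update could cross a major version.

```ruby
# Added example, not part of the Zer0-Mistakes theme.
require "rubygems"

# Constraints taken from the page's Gemfile snippet and constraint table.
CONSTRAINTS = ["~> 4.3", "~> 4.3.0", ">= 4.0", "= 4.3.2"].freeze

# Constructed candidate versions; not real Jekyll release data.
CANDIDATES = %w[3.9.3 4.0.0 4.3.1 4.3.2 4.3.9 4.4.0 5.0.0].freeze

# Return the subset of candidate versions that satisfy a constraint string,
# using the same requirement parser Bundler relies on.
def allowed_versions(constraint, candidates = CANDIDATES)
  req = Gem::Requirement.new(constraint)
  candidates.select { |v| req.satisfied_by?(Gem::Version.new(v)) }
end

# True when the constraint would let an update cross a major version
# boundary relative to the currently locked version.
def allows_major_bump?(constraint, current, candidates = CANDIDATES)
  major = Gem::Version.new(current).segments.first
  allowed_versions(constraint, candidates).any? do |v|
    Gem::Version.new(v).segments.first > major
  end
end

if __FILE__ == $PROGRAM_NAME
  CONSTRAINTS.each do |c|
    puts format("%-9s -> %s", c, allowed_versions(c).join(", "))
  end
end
```

The candidate list deliberately includes a version below the range, a 4.x minor bump and a 5.0.0 release so that each constraint's lower bound, upper bound and major-version behaviour is exercised.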
## Security Auditing
### Bundle Audit
```bash
# Install audit tool
gem install bundler-audit

# Run security audit
bundle audit check --update

# Fix vulnerabilities
bundle audit check --update --fix
```
### Automated Security
The CI pipeline includes:
- Weekly vulnerability scans
- PR checks for known vulnerabilities
- Alerts for critical issues
## Handling Breaking Changes
### When Updates Break Things
- Identify the culprit: `git diff Gemfile.lock`
- Revert specific gem: `bundle update --source problematic-gem`
- Lock to working version: `gem "problematic-gem", "1.2.3" # Pin to working version`
- Open issue for investigation
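The audit step under Security Auditing and the "identify the culprit" step above both come down to reading gem versions out of `Gemfile.lock` and comparing them against something, so here is one added example (my code, not the theme's and not bundler-audit itself) that does both: it parses the `specs:` entries of two constructed lockfile snapshots, reports which gems changed between them, and checks the result against a constructed advisory list using the `patched_versions` matching that bundler-audit's advisory database uses (a gem is flagged when its locked version satisfies none of the patched ranges; `unaffected_versions` are ignored here). The lockfile contents, advisory IDs and version numbers are all placeholders.

```ruby
# Added example, not part of the Zer0-Mistakes theme or of bundler-audit.
require "rubygems"

# Constructed lockfile fragments; the versions are illustrative, not real.
LOCK_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jekyll (4.3.2)
        kramdown (~> 2.3)
        rouge (>= 3.0, < 5.0)
      kramdown (2.4.0)
      rouge (4.1.3)

  PLATFORMS
    ruby
LOCK

LOCK_AFTER = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jekyll (4.3.3)
        kramdown (~> 2.3)
        rouge (>= 3.0, < 5.0)
      kramdown (2.4.0)
      rouge (4.2.1)

  PLATFORMS
    ruby
LOCK

# Constructed advisory entries in the shape of ruby-advisory-db records
# (gem name, identifier, patched_versions). Placeholders only; these are
# not real advisories against these gems.
ADVISORIES = [
  { gem: "kramdown", id: "EXAMPLE-ADVISORY-1", patched_versions: [">= 2.5.0"] },
  { gem: "rouge",    id: "EXAMPLE-ADVISORY-2", patched_versions: [">= 4.2.0"] },
].freeze

# Extract { gem name => version } from the 4-space-indented spec lines of a
# lockfile. Dependency lines (6 spaces) and section headers are skipped.
def parse_lock(text)
  specs = {}
  text.each_line do |line|
    m = line.match(/\A {4}([^\s(]+) \(([^)]+)\)\s*\z/)
    specs[m[1]] = m[2] if m
  end
  specs
end

# Return { gem => [old_version, new_version] } for every gem whose version
# differs between the two lockfiles (nil on one side means added/removed).
def lock_diff(before_text, after_text)
  before = parse_lock(before_text)
  after  = parse_lock(after_text)
  (before.keys | after.keys).each_with_object({}) do |name, changes|
    changes[name] = [before[name], after[name]] if before[name] != after[name]
  end
end

# A version is vulnerable when it satisfies none of the patched ranges.
def vulnerable?(version, patched_versions)
  v = Gem::Version.new(version)
  patched_versions.none? { |range| Gem::Requirement.new(range).satisfied_by?(v) }
end

# Return [gem, version, advisory id] for each advisory that applies to the
# versions locked in the given lockfile text.
def audit(lock_text, advisories = ADVISORIES)
  specs = parse_lock(lock_text)
  advisories.each_with_object([]) do |adv, findings|
    version = specs[adv[:gem]]
    next if version.nil? || !vulnerable?(version, adv[:patched_versions])
    findings << [adv[:gem], version, adv[:id]]
  end
end

if __FILE__ == $PROGRAM_NAME
  lock_diff(LOCK_BEFORE, LOCK_AFTER).each do |name, (old, new)|
    puts "#{name}: #{old} -> #{new}"
  end
  audit(LOCK_AFTER).each { |gem, ver, id| puts "#{gem} #{ver} still affected by #{id}" }
end
```

In the constructed data the update resolves one advisory (rouge moves into its patched range) and leaves one open (kramdown is unchanged), which is the pattern to look for when reviewing an automated dependency PR: the diff tells you what moved, the audit tells you whether what moved was enough.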
### Update Strategy
For major updates:
- Create feature branch
- Update single dependency
- Run full test suite
- Review changelog for breaking changes
- Update code if needed
- Merge when stable
## Key Dependencies
### Core Dependencies
| Gem | Purpose | Update Frequency |
|---|---|---|
| `jekyll` | Static site generator | Monthly |
| `kramdown` | Markdown parser | As needed |
| `rouge` | Syntax highlighting | As needed |
### Theme Dependencies
| Gem | Purpose | Update Frequency |
|---|---|---|
| `bootstrap` | CSS framework | Quarterly |
| `jekyll-feed` | RSS feed | As needed |
| `jekyll-sitemap` | Sitemap generation | As needed |
## Troubleshooting
### Dependency Conflicts
```bash
# See dependency tree
bundle viz

# Resolve conflicts
bundle update --all
```
### Bundler Cache Issues
```bash
# Clear Bundler cache
bundle clean --force

# Reinstall all gems
rm Gemfile.lock
bundle install
```
### Docker Gem Issues
```bash
# Rebuild container with new gems
docker-compose down
docker-compose up --build
```
## Best Practices
- Regular Updates: Keep dependencies current
- Test Thoroughly: Always run tests after updates
- Review Changelogs: Check for breaking changes
- Pin Critical Deps: Lock versions that matter
- Security First: Prioritize security updates