Lately I've gotten into Jekyll for building documentation sites and hosting them on Github Pages. I understand Github Pages has a very limited list of what is allowed plugin wise. While doing some vulnerability testing I found out the file Gemfile.lock is vulnerable to XML External Entity (XXE) Injection.
In my research I've read:
After reading the accepted answer of:
Assuming you're not writing a rubygem, Gemfile.lock should be in your repository. It's used as a snapshot of all your required gems and their dependencies. This way bundler doesn't have to recalculate all the gem dependencies each time you deploy, etc.
but I have no control over the Jekyll site. Please correct me if I'm understanding the process but Github Pages builds the site and if the Gemfile.lock is for development of Gems and that isn't something I can control it's ok to remove the file and add to the .gitignore?
GitHub Pages doesn't look for a Gemfile.lock file nor the Gemfile itself.
All it needs is a proper config file to load gems / plugins.