- The version of Jekyll that builds your site at deployment time (say, at CI integration) is managed by GitHub, including security updates.
- If you install Jekyll into the repo for local testing (which you don't need to do), you will add a Bundler bundle file.
- If you have a Bundler bundle file in a public repo, you will get automated Dependabot pull requests suggesting updates to the file as security notices happen.
- These updates affect your development environment version as specified in the repo, not the version managed in the build process.

Until recently the whole process was somewhat opaque, but it looks like the "Jekyll build process" is slowly migrating into GitHub Actions (with everything else), and there is a lot more visibility into its workflow than ever before. In a recent repository it seemed even clearer than before that the Jekyll version in the "GitHub Action workflow" was GitHub-managed and wasn't directly the Jekyll version specified in the code repository.
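
An added example (not code from the original page): a Ruby check that reads the Jekyll version pinned in a repo's Bundler lockfile and compares it with the version the hosted build reported. The lockfile contents, the version numbers, and the function names `locked_versions` and `jekyll_drift` are constructed for illustration; the build version is assumed to be read by hand from the build log.

```ruby
# Constructed sample of a Bundler lockfile (Gemfile.lock) with Jekyll pinned.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.8.0)
        public_suffix (>= 2.0.2, < 5.0)
      jekyll (3.9.0)
        addressable (~> 2.4)
        kramdown (>= 1.17, < 3)
      kramdown (2.3.0)
      public_suffix (4.0.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    jekyll (~> 3.9)
LOCK

# Return {gem name => Gem::Version} for the resolved gems in the lockfile.
# Resolved gems sit at exactly four spaces; their own dependencies (six
# spaces) and the DEPENDENCIES list (two spaces) are skipped. A platform
# suffix such as "-x86_64-linux" is dropped before parsing the version.
def locked_versions(lockfile_text)
  lockfile_text.each_line.with_object({}) do |line, acc|
    m = line.match(/\A {4}(\S+) \((\d[\w.]*)(?:-[^)]*)?\)\s*\z/)
    acc[m[1]] = Gem::Version.new(m[2]) if m
  end
end

# Classify the repo pin against the version the hosted build reported.
# build_version is supplied by the caller (assumption: copied from the log).
def jekyll_drift(lockfile_text, build_version)
  local = locked_versions(lockfile_text)["jekyll"]
  return :not_pinned if local.nil?

  case local <=> Gem::Version.new(build_version)
  when 0 then :in_sync
  when -1 then :local_behind_build
  else :local_ahead_of_build
  end
end

# Constructed build version; only the lockfile side changes with a Dependabot PR.
puts jekyll_drift(SAMPLE_LOCKFILE, "3.9.3") if __FILE__ == $PROGRAM_NAME
```

Merging a Dependabot pull request changes only the first argument; the second stays whatever the managed build uses.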