Github found dependency vulnerability in Gemfile.lock
I have been receiving messages that GitHub found a known dependency vulnerability in my Gemfile.lock; these are loofah (2.0.3) and Nokogiri (1.7.0.1), but these gems are dependencies I did not specifically ask for in my Gemfile (other gems depend on them), so what can I do?

Pressey answered 21/3, 2018 at 20:21 Comment(0)
In your Gemfile.lock, you can see which one of your dependencies pulls in those libraries, and what their version constraint is.

rails-html-sanitizer (1.0.3)
  loofah (~> 2.0)

With Rails, loofah is required by rails-html-sanitizer and the version must just be greater than 2.0. If a version is locked, the Gemfile.lock will read = 2.0.

Since it is not locked, you can use bundle update loofah to install a more recent version that does not suffer from the security vulnerability. Or bundle update if you want to update all gems...

Should a version be locked, you have to check if the gem that declares the dependency has a newer version that updates its locked dependency (e.g. a new version of rails-html-sanitizer that updates loofah). With security issues, these updates normally happen pretty quickly. You would then update rails-html-sanitizer to get a new version of loofah.

Gandzha answered 21/3, 2018 at 22:7 Comment(0)
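As an added example (not code from either answer), a small Ruby script that does what the answer above describes by hand: it reads the specs section of a Gemfile.lock, reports which locked gems pull in a given dependency and how tightly they constrain it, and checks whether a newer version of that dependency would satisfy those constraints without bumping the parent gem. The lockfile text is constructed for illustration; `Gem::Requirement` and `Gem::Version` are RubyGems classes.

```ruby
# Constructed sample lockfile (versions match the question); not a real project's file.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.0.3)
        nokogiri (>= 1.5.9)
      mini_portile2 (2.1.0)
      nokogiri (1.7.0.1)
        mini_portile2 (~> 2.1.0)
      rails-html-sanitizer (1.0.3)
        loofah (~> 2.0)

  PLATFORMS
    ruby
LOCK

# "name (version)" or "name (constraint)" -> [name, version-or-constraint-or-nil]
def parse_spec_line(line)
  m = line.strip.match(/\A(\S+)(?: \((.+)\))?\z/)
  m && [m[1], m[2]]
end

# Returns { gem name => { version:, deps: { dep name => constraint } } }
def parse_lockfile(text)
  specs = {}
  current = nil
  in_specs = false
  text.each_line do |line|
    if line =~ /\A  specs:/ then in_specs = true; next end
    break if in_specs && line !~ /\A    /   # blank line or next section ends specs
    next unless in_specs
    name, constraint = parse_spec_line(line)
    if line.start_with?("      ")           # 6 spaces: dependency of current gem
      specs[current][:deps][name] = constraint
    else                                    # 4 spaces: a locked gem
      current = name
      specs[current] = { version: constraint, deps: {} }
    end
  end
  specs
end

# Which locked gems depend on `dep`, with their constraint and whether it is an exact "=" pin.
def dependents_of(specs, dep)
  specs.each_with_object([]) do |(name, info), out|
    next unless info[:deps].key?(dep)
    c = info[:deps][dep]
    out << { gem: name, version: info[:version], constraint: c, pinned: c.to_s.start_with?("=") }
  end
end

# True if every dependent's constraint admits `candidate`, i.e. `bundle update dep` is enough.
def updatable_in_place?(specs, dep, candidate)
  dependents_of(specs, dep).all? do |d|
    Gem::Requirement.new(d[:constraint] || ">= 0").satisfied_by?(Gem::Version.new(candidate))
  end
end
```

Running `dependents_of(parse_lockfile(File.read("Gemfile.lock")), "loofah")` on a real lockfile lists the parents to inspect; a `pinned` entry means the parent gem itself needs a newer release.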
You can go into your Gemfile.lock and see which libraries are requiring these gems as dependencies. Then you can proceed to update, replace, or remove those libraries until you no longer have vulnerabilities.

Hulett answered 21/3, 2018 at 21:58 Comment(0)
