Checklist
Description
The published auth0 gem ships a large number of files that are not needed at runtime, including:
Gemfile and Gemfile.lock (the gem's own development lockfile)examples/ruby-api/ (including its own Gemfile / Gemfile.lock)examples/ruby-on-rails-api/ (a full Rails app, including its own Gemfile)spec/ (test suite and fixtures).github/, .devcontainer/, .bundle/, Guardfile, Rakefile, Dockerfile, and other developer-only files
This happens because auth0.gemspec sets:
s.files = `git ls-files`.split("\n")which pulls in every tracked file in the repository rather than only the files required to load and run the gem.
Impact: false positives in downstream vulnerability scanners.
Enterprise vulnerability scanners such as AWS ECR, Snyk, Trivy, and Grype parse Gemfile.lock files found anywhere in a container image or installed gem path. Because the published auth0 gem ships multiple Gemfile.lock files (the gem's own plus the ones inside each example app), scanners report vulnerabilities in dependencies such as activesupport, rails, sinatra, puma, etc. — none of which are actual runtime dependencies of the auth0 gem.
Consumers of the gem then have to triage, suppress, or justify these findings for every new scan, even though the flagged dependencies are never loaded in production.
Secondary impact: unnecessarily large gem footprint. The current 5.18.1 release packages a full Rails example application into every install.
Reproduction
gem install auth0 (or install via Bundler).- Locate the installed gem:
gem which auth0 | xargs dirname | xargs dirname (or bundle info auth0 --path).
- In that directory, observe the presence of
Gemfile, Gemfile.lock, examples/, spec/, .github/, .devcontainer/, etc.
- Run a vulnerability scanner (e.g.
trivy rootfs, snyk test, or push a container using the gem into ECR) and observe findings reported against dependencies declared only in Gemfile.lock or in examples/ruby-on-rails-api/Gemfile.
Equivalently, inspecting the source: git ls-files in this repo currently returns ~385 files, almost all of which are included in the published gem.
Proposed resolution
Change auth0.gemspec to use an explicit allow-list for s.files rather than git ls-files, so only the files required at runtime are packaged:
lib/**/*.rbLICENSEREADME.mdCHANGELOG.mdauth0.gemspec.version
Also drop s.test_files (RubyGems has deprecated it, and there is no reason to ship specs in the packaged gem) and scope s.executables to bin/* only if any runtime executables exist (currently there are none intended for end users).
This eliminates the false-positive scanner findings at the source, shrinks the gem significantly, and aligns with current RubyGems packaging guidance.
Happy to open a PR implementing this — filing the issue first per the contribution guidelines.
Additional context
Related RubyGems guidance: https://guides.rubygems.org/specification-reference/#files
ruby-auth0 version
5.18.1
Ruby version
3.1.7
Checklist
Description
The published
auth0gem ships a large number of files that are not needed at runtime, including:GemfileandGemfile.lock(the gem's own development lockfile)examples/ruby-api/(including its ownGemfile/Gemfile.lock)examples/ruby-on-rails-api/(a full Rails app, including its ownGemfile)spec/(test suite and fixtures).github/,.devcontainer/,.bundle/,Guardfile,Rakefile,Dockerfile, and other developer-only filesThis happens because
auth0.gemspecsets:which pulls in every tracked file in the repository rather than only the files required to load and run the gem.
Impact: false positives in downstream vulnerability scanners.
Enterprise vulnerability scanners such as AWS ECR, Snyk, Trivy, and Grype parse
Gemfile.lockfiles found anywhere in a container image or installed gem path. Because the publishedauth0gem ships multipleGemfile.lockfiles (the gem's own plus the ones inside each example app), scanners report vulnerabilities in dependencies such asactivesupport,rails,sinatra,puma, etc. — none of which are actual runtime dependencies of theauth0gem.Consumers of the gem then have to triage, suppress, or justify these findings for every new scan, even though the flagged dependencies are never loaded in production.
Secondary impact: unnecessarily large gem footprint. The current 5.18.1 release packages a full Rails example application into every install.
Reproduction
gem install auth0(or install via Bundler).gem which auth0 | xargs dirname | xargs dirname(orbundle info auth0 --path).Gemfile,Gemfile.lock,examples/,spec/,.github/,.devcontainer/, etc.trivy rootfs,snyk test, or push a container using the gem into ECR) and observe findings reported against dependencies declared only inGemfile.lockor inexamples/ruby-on-rails-api/Gemfile.Equivalently, inspecting the source:
git ls-filesin this repo currently returns ~385 files, almost all of which are included in the published gem.Proposed resolution
Change
auth0.gemspecto use an explicit allow-list fors.filesrather thangit ls-files, so only the files required at runtime are packaged:lib/**/*.rbLICENSEREADME.mdCHANGELOG.mdauth0.gemspec.versionAlso drop
s.test_files(RubyGems has deprecated it, and there is no reason to ship specs in the packaged gem) and scopes.executablestobin/*only if any runtime executables exist (currently there are none intended for end users).This eliminates the false-positive scanner findings at the source, shrinks the gem significantly, and aligns with current RubyGems packaging guidance.
Happy to open a PR implementing this — filing the issue first per the contribution guidelines.
Additional context
Related RubyGems guidance: https://guides.rubygems.org/specification-reference/#files
ruby-auth0 version
5.18.1
Ruby version
3.1.7