Skip to content

Ship only runtime files in packaged gem to eliminate scanner false positives#721

Open
tmertens wants to merge 1 commit intoauth0:masterfrom
tmertens:fix/gemspec-packaging-reduce-false-positives
Open

Ship only runtime files in packaged gem to eliminate scanner false positives#721
tmertens wants to merge 1 commit intoauth0:masterfrom
tmertens:fix/gemspec-packaging-reduce-false-positives

Conversation

@tmertens
Copy link
Copy Markdown

@tmertens tmertens commented Apr 23, 2026
edited
Loading

Changes

Fixes #720.

Updates auth0.gemspec so the published gem contains only the files required to load and run the gem, rather than every file tracked by git.

Before (current behavior):

s.files        = `git ls-files`.split("\n")
s.test_files   = `git ls-files -- {test,spec,features}/*`.split("\n")
s.executables  = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }

This packaged ~385 files into every release of auth0, including:

  • The gem's own Gemfile and Gemfile.lock
  • examples/ruby-api/ (with its own Gemfile / Gemfile.lock)
  • examples/ruby-on-rails-api/ — a full Rails application with its own Gemfile
  • spec/ (unit + integration specs and VCR fixtures)
  • .github/, .devcontainer/, .bundle/, Guardfile, Rakefile, Dockerfile, CI config, etc.

After:

s.files = Dir['lib/**/*.rb'] + %w[LICENSE README.md CHANGELOG.md auth0.gemspec .version]

The packaged gem now contains only lib/**/*.rb plus LICENSE, README.md, CHANGELOG.md, auth0.gemspec, and .version — 51 files total.

s.test_files is removed — it has been deprecated by RubyGems and there is no reason to ship specs in the installed gem. s.executables is removed because no files under bin/ are tracked in git (the directory contains only local bundler binstubs).

Why this matters

Enterprise vulnerability scanners (AWS ECR, Snyk, Trivy, Grype, etc.) parse every Gemfile.lock they find inside a container image or installed gem path. Because the published auth0 gem currently ships multiple Gemfile.lock files (the gem's own, plus the ones inside each example app), scanners report vulnerabilities against activesupport, rails, sinatra, puma, and other dev/example dependencies that auth0 never loads at runtime.

Every consumer of the gem then has to triage or suppress those findings, even though the flagged dependencies are not actually present in their dependency graph. Removing those files from the package eliminates the false positives at the source.

Secondary benefit: significant reduction in gem size and install footprint.

Size impact

Measured against the installed auth0-5.18.1 gem from the current release:

Metric Before (5.18.1) After (this PR) Reduction
Packed .gem file 214 KB 47.5 KB −78% (4.5× smaller)
Extracted on disk 2.7 MB 372 KB −86% (~7.4× smaller)
File count 385 51 −334 files (−87%)

The on-disk reduction is larger than the .gem reduction because the embedded Rails example (examples/ruby-on-rails-api/) is mostly text/config that compresses well in the gem tarball but inflates substantially on extraction.

  • Endpoints added, deleted, deprecated, or changed: none
  • Classes and methods added, deleted, deprecated, or changed: none
  • Public API impact: none — only packaging metadata changed

References

Testing

Verified locally by rebuilding the gem and inspecting its contents:

$ gem build auth0.gemspec
$ tar -xOzf auth0-5.18.1.gem data.tar.gz | tar -tz | wc -l
51
$ tar -xOzf auth0-5.18.1.gem data.tar.gz | tar -tz | grep -E 'Gemfile|examples|spec/|\.github'
(no matches)
$ ruby -Ilib -rauth0 -e 'puts Auth0::VERSION'
5.18.1

The packaged gem contains only lib/**/*.rb, LICENSE, README.md, CHANGELOG.md, auth0.gemspec, and .version. Nothing that was previously importable from lib/ has been removed, so no existing code paths or public APIs are affected. Existing CI (unit specs, integration specs, rubocop) continues to run against the untouched working tree — the change is strictly in gem packaging metadata.

  • This change adds unit test coverage
  • This change adds integration test coverage
  • This change has been tested on the latest version of Ruby

Note on tests: this change only affects gem packaging metadata (s.files), which is exercised by gem build rather than by the gem's spec suite. If the maintainers would like a dedicated test asserting the packaged file list (e.g. using Gem::Specification.load('auth0.gemspec').files), I'm happy to add one — let me know which style fits best.

Checklist

@tmertens
fix(gemspec): ship only runtime files in packaged gem
449be1b 
The gemspec used `git ls-files` to populate `s.files`, which pulled every
tracked file — Gemfile, Gemfile.lock, examples/, spec/, .github/,
.devcontainer/, etc. — into the published gem. Downstream vulnerability
scanners (AWS ECR, Snyk, Trivy, Grype) parse those bundled Gemfile.lock
and example-app Gemfiles and report findings against dependencies that
are never loaded at runtime, producing large volumes of false positives
for gem consumers.

Switch to an explicit allow-list covering only the files needed to load
and run the gem: lib/**/*.rb, LICENSE, README.md, CHANGELOG.md,
auth0.gemspec, and .version. Drop s.test_files (deprecated by RubyGems)
and s.executables (no tracked bin/ entries exist). Package contents drop
from ~385 files to 51.

Refs auth0#720
@tmertens tmertens requested a review from a team as a code owner April 23, 2026 16:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Packaged gem bundles Gemfile.lock, examples, and spec dirs — triggers false-positive vulnerability scans

1 participant

@tmertens