From 449be1b288eae1352b1c4cb711633411e3be4297 Mon Sep 17 00:00:00 2001 From: Tim Mertens Date: Thu, 23 Apr 2026 11:52:48 -0500 Subject: [PATCH] fix(gemspec): ship only runtime files in packaged gem MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The gemspec used `git ls-files` to populate `s.files`, which pulled every tracked file — Gemfile, Gemfile.lock, examples/, spec/, .github/, .devcontainer/, etc. — into the published gem. Downstream vulnerability scanners (AWS ECR, Snyk, Trivy, Grype) parse those bundled Gemfile.lock and example-app Gemfiles and report findings against dependencies that are never loaded at runtime, producing large volumes of false positives for gem consumers. Switch to an explicit allow-list covering only the files needed to load and run the gem: lib/**/*.rb, LICENSE, README.md, CHANGELOG.md, auth0.gemspec, and .version. Drop s.test_files (deprecated by RubyGems) and s.executables (no tracked bin/ entries exist). Package contents drop from ~385 files to 51. Refs #720 --- auth0.gemspec | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/auth0.gemspec b/auth0.gemspec index 5978d9c5..64d97baf 100644 --- a/auth0.gemspec +++ b/auth0.gemspec @@ -11,9 +11,7 @@ Gem::Specification.new do |s| s.summary = 'Auth0 API Client' s.description = 'Ruby toolkit for Auth0 API https://auth0.com.' - s.files = `git ls-files`.split("\n") - s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n") - s.executables = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) } + s.files = Dir['lib/**/*.rb'] + %w[LICENSE README.md CHANGELOG.md auth0.gemspec .version] s.require_paths = ['lib'] s.add_runtime_dependency 'rest-client', '~> 2.1'
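Review bot: the new `s.files = Dir['lib/**/*.rb'] + %w[...]` line trades one failure mode for another: `git ls-files` only ever shipped tracked files, whereas `Dir[]` is evaluated against the working directory at `gem build` time and will also package any untracked or git-ignored `.rb` files lying under `lib/` on the build machine, so release builds should run from a clean checkout (or in CI) to keep the packaged contents reproducible. Two things to confirm before merging: that nothing under `lib/` other than `*.rb` is loaded at runtime (the glob drops any non-Ruby files), and that `.version` is always present at packaging time, since a listed-but-missing file makes `gem build` complain. A one-line comment above `s.files` stating that the list is an explicit runtime allow-list (and why, per the commit message) would stop a future contributor from reverting to `git ls-files`.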