Changes

snyk test reported 7 vulnerabilities across 15 paths, all in development dependencies (zero customer impact — none of these gems are shipped as part of the auth0 gem itself).

auth0.gemspec — replaced dotenv-rails with dotenv. The Rails-specific gem was pulling in the full Rails stack transitively, which introduced the thor and rails-html-sanitizer vulnerability paths. The specs only use Dotenv.load, which is available in the base dotenv gem.

Gemfile.lock — only the six packages listed above were changed. No other gem versions were upgraded or downgraded.

References

• thor OS Command Injection
• rails-html-sanitizer XSS
• rexml XML Entity Expansion

Testing

Development/test dependency changes only — no production code was modified.

• bundle install
• bundle exec rake spec
• snyk test

• This change adds unit test coverage
• This change adds integration test coverage
• This change has been tested on the latest version of Ruby

Checklist

• I have read the Auth0 general contribution guidelines
• I have read the Auth0 Code of Conduct
• All existing and new tests complete without errors
• Rubocop passes on all added/modified files
• All active GitHub checks have passed