Require MFA for gem pushes

neilvcarvalho · web-flow · commit bd6834bbf28f · 2026-04-08T11:41:06.000-03:00
This adds the `rubygems_mfa_required` metadata to the gemspec, requiring multi-factor authentication for privileged operations on RubyGems.org. This is a protection against supply chain attacks like the recent NPM Axios compromise: https://socket.dev/blog/axios-npm-package-compromised Reference: https://guides.rubygems.org/mfa-requirement-opt-in/
diff --git a/factory_bot_rails.gemspec b/factory_bot_rails.gemspec
@@ -13,7 +13,10 @@ Gem::Specification.new do |s|
                   "factory_bot and Rails 6.1 or newer"
 
   s.files = Dir["lib/**/*"] + %w[CONTRIBUTING.md LICENSE NEWS.md README.md]
-  s.metadata["changelog_uri"] = "https://github.com/thoughtbot/factory_bot_rails/blob/main/NEWS.md"
+  s.metadata = {
+    "changelog_uri" = "https://github.com/thoughtbot/factory_bot_rails/blob/main/NEWS.md",
+    "rubygems_mfa_required" => "true"
+  }
   s.require_paths = ["lib"]
   s.required_ruby_version = Gem::Requirement.new(">= 3.1.0")
   s.executables = []
