There is actually another big third_party component that is currently shipped together with ruby package - rubygems.
Rubygems is developed as a project  separately from ruby. Once in a while ruby developers check-in rubygems into their source tree . And up until now we used ruby's version of rubygems.
The issue is that rubygems keeps getting releases that are never integrated into ruby releases. For example rubygems 2.7.6 has a number of security bugfixes and it was not merged into ruby 2.5 branch.
I am going to split 'rubygems' package from 'ruby' and bring 'rubygems' up-to-date. 'ruby' will have a dependency to 'rubygems' thus update does *not* require installing 'rubygems' separately.