
gem.coop Tests Dependency Cooldowns as Package Ecosystems Move to Slow Down Attacks

Blog post from Socket

Post Details
Company: Socket
Date Published:
Author: Sarah Gooding
Word Count: 444
Language: English
Hacker News Points: -
Summary

The Gem Cooperative, a community-run Ruby gem server, has introduced a "cooldowns" feature that imposes a 48-hour delay before newly published packages become installable. The aim is to reduce the risk of dependency attacks by limiting how quickly a potentially malicious release can spread. The initiative is part of gem.coop's broader mission to explore alternative governance and package infrastructure strategies, which sets it apart from RubyGems.org.

The cooldown mechanism, currently in beta, operates at the registry level rather than relying on client-side tools. It presents a curated view of the Ruby ecosystem in which new gem versions are hidden for two days, limiting exposure during the critical period in which attacks are most likely to occur. Projects that need immediate access to a new security update can bypass the delay by using the primary gem.coop source, an option described as an "escape hatch" that preserves flexibility without weakening the default protection.

The feature reflects a growing trend across ecosystems to adopt cooldowns as a defense against dependency attacks, and it highlights the value of infrastructure-level mitigations that improve supply chain security without depending solely on developer practices or automated tools.
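As an added example (not code from the post, from Socket, or from gem.coop itself), the following Ruby models the registry-level cooldown described above: a curated view that hides releases younger than 48 hours, a listing of what the window is currently holding back, and the escape hatch that resolves against the unfiltered source. The gem index entries, their timestamps, and `NOW` are constructed sample data, not real gem.coop records.

```ruby
require 'time'
require 'rubygems' # for Gem::Version ordering

COOLDOWN_SECONDS = 48 * 60 * 60

# Constructed sample index (illustrative only, not real gem.coop data):
# one entry per published version, with its publish timestamp.
SAMPLE_INDEX = [
  { name: "rack",     version: "3.1.0",  published_at: "2025-01-01T00:00:00Z" },
  { name: "rack",     version: "3.1.1",  published_at: "2025-01-09T12:00:00Z" }, # 36h old at NOW
  { name: "nokogiri", version: "1.16.0", published_at: "2024-12-20T00:00:00Z" },
  { name: "nokogiri", version: "1.16.1", published_at: "2025-01-10T20:00:00Z" }, # 4h old at NOW
  { name: "brandnew", version: "0.1.0",  published_at: "2025-01-10T23:00:00Z" }, # 1h old, only version
].freeze

NOW = Time.iso8601("2025-01-11T00:00:00Z") # constructed "current time"

def age_seconds(entry, now)
  now - Time.iso8601(entry[:published_at])
end

# The curated view: every release younger than the cooldown window is hidden,
# so a client resolving against this view cannot pick it up yet. A release
# exactly `cooldown` seconds old has aged out and becomes visible.
def cooldown_view(index, now:, cooldown: COOLDOWN_SECONDS)
  index.select { |entry| age_seconds(entry, now) >= cooldown }
end

# What the window is currently holding back; useful for operators to review
# while those releases are still quarantined.
def held_releases(index, now:, cooldown: COOLDOWN_SECONDS)
  index.reject { |entry| age_seconds(entry, now) >= cooldown }
       .map { |entry| "#{entry[:name]}-#{entry[:version]}" }
end

# Resolve the newest installable version of one gem. `bypass: true` models the
# escape hatch (resolving against the primary, unfiltered source) for projects
# that need a fresh security fix immediately. Returns nil when nothing is
# installable yet, e.g. a gem whose only versions all fall inside the window.
def resolve_version(index, name, now:, bypass: false, cooldown: COOLDOWN_SECONDS)
  candidates = bypass ? index : cooldown_view(index, now: now, cooldown: cooldown)
  versions = candidates.select { |e| e[:name] == name }
                       .map { |e| Gem::Version.new(e[:version]) }
  versions.max&.to_s
end

if __FILE__ == $PROGRAM_NAME
  puts "held back: #{held_releases(SAMPLE_INDEX, now: NOW).join(', ')}"
  puts "rack (cooldown view): #{resolve_version(SAMPLE_INDEX, 'rack', now: NOW)}"
  puts "rack (escape hatch):  #{resolve_version(SAMPLE_INDEX, 'rack', now: NOW, bypass: true)}"
end
```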