
RubyGems Adds Cooldown Feature to Bundler for Newly Published Gems

Blog post from Socket

Post details:
- Author: Sarah Gooding
- Word count: 890
- Language: English
Summary

RubyGems and Bundler 4.0.13 have introduced an opt-in cooldown feature to enhance security by delaying the installation of newly published gem versions, thus providing a time-based defense against supply chain attacks. This feature allows developers to set a specific number of days during which newly released gem versions are not resolved, aiming to mitigate risks associated with immediate adoption of malicious packages. The cooldown is unset by default, allowing existing projects to continue using the latest versions unless explicitly configured otherwise. This approach reflects a wider trend among package managers to introduce time-based controls that can prevent the rapid spread of compromised dependencies. While it offers protection against malicious versions, it also has trade-offs, potentially delaying legitimate releases, including urgent security updates. Bundler's implementation leverages timestamp metadata from RubyGems.org's compact index, ensuring that only versions released outside the cooldown window are resolved. The feature complements RubyGems' other security improvements like mandatory 2FA and AI-assisted vulnerability scanning, and it can be configured in various ways, including through Gemfile settings, global configs, and environment variables.
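The resolution rule the summary describes, as an added illustration written for this page rather than Bundler's own code: versions whose publish timestamp falls inside the cooldown window are dropped before the highest remaining version is chosen, and an unset cooldown leaves every version eligible. The gem versions and timestamps below are constructed sample data, not real compact-index records.

```ruby
require "rubygems"
require "time"

# Constructed sample: versions of a hypothetical gem with the publish
# timestamps a resolver could read from the compact index's metadata.
SAMPLE_VERSIONS = [
  { version: "1.2.0", published_at: Time.utc(2025, 1, 10) },
  { version: "1.2.1", published_at: Time.utc(2025, 3, 1) },
  # Hypothetical release pushed moments ago; the cooldown is what keeps
  # a fresh, possibly malicious version like this from being picked up.
  { version: "1.3.0", published_at: Time.utc(2025, 3, 5) },
].freeze

# Keep only versions published at least `cooldown_days` days before `now`.
# A nil cooldown (the default described in the post) disables the filter.
def eligible_versions(versions, cooldown_days:, now: Time.now.utc)
  return versions if cooldown_days.nil?

  cutoff = now - (cooldown_days * 24 * 60 * 60)
  versions.select { |v| v[:published_at] <= cutoff }
end

# Resolve to the highest eligible version (Gem::Version ordering), or nil
# when every version is still inside the window. Note the trade-off the
# post mentions: an urgent security fix published yesterday is held back
# exactly like a malicious release would be.
def resolve_with_cooldown(versions, cooldown_days:, now: Time.now.utc)
  eligible = eligible_versions(versions, cooldown_days: cooldown_days, now: now)
  eligible.map { |v| Gem::Version.new(v[:version]) }.max&.to_s
end

if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2025, 3, 7)
  [nil, 3, 7, 90].each do |days|
    picked = resolve_with_cooldown(SAMPLE_VERSIONS, cooldown_days: days, now: now)
    puts "cooldown=#{days.inspect} -> #{picked.inspect}"
  end
end
```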