Post Syndicated from jzb original https://lwn.net/Articles/1076526/
Version 4.0.13 of Ruby's Bundler package manager has added dependency cooldowns to help mitigate the effect of supply-chain attacks:
Most supply-chain attacks against RubyGems exploit a narrow window: an account is compromised, a malicious version ships, and any bundle install in the minutes that follow resolves straight to it. Bundler 4.0.13 introduces cooldown, a time-based filter that refuses to resolve to a version until it has been public for at least N days. Releases too new to have been scrutinized are passed over in favor of ones that have aged past the window.

The feature was designed in the open, drawing on how other ecosystems approach the same problem. It is opt-in, and complements rather than replaces existing defenses like mandatory 2FA and trusted publishing.
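To make the mechanism concrete, here is a small Ruby model of a cooldown filter as an added example; it is not Bundler's own resolver code, and the gem name, version list, timestamps and the `resolve_with_cooldown` helper are constructed for illustration. The release list mimics the scenario in the announcement: a release pushed minutes ago sits next to releases that have been public for weeks.

```ruby
require "time"
require "rubygems" # Gem::Version gives correct ordering ("2.10.0" > "2.9.0")

# Constructed sample data: what a gem index might report for one gem.
# The timestamps are assumptions for this example, not real RubyGems data.
NOW = Time.utc(2026, 3, 10, 12, 0, 0)

SAMPLE_RELEASES = [
  { version: "2.3.0", created_at: Time.utc(2025, 11, 2, 9, 0, 0) },
  { version: "2.4.0", created_at: Time.utc(2026, 2, 20, 15, 30, 0) },
  { version: "2.4.1", created_at: NOW - 12 * 60 }, # pushed 12 minutes ago: the attack window
].freeze

SECONDS_PER_DAY = 24 * 60 * 60

# Age of a release in (fractional) days relative to +now+.
def release_age_days(release, now)
  (now - release[:created_at]) / SECONDS_PER_DAY
end

# The candidate set the resolver may consider: releases that have been
# public for at least +min_days+. A cooldown of 0 disables the filter.
def cooled_down(releases, min_days, now: NOW)
  releases.select { |r| release_age_days(r, now) >= min_days }
end

# Pick the newest version that has aged past the cooldown window.
# Returns nil when nothing qualifies; a caller should surface that as a
# resolution failure rather than quietly falling back to a too-new release.
def resolve_with_cooldown(releases, min_days, now: NOW)
  candidates = cooled_down(releases, min_days, now: now)
  return nil if candidates.empty?

  candidates.max_by { |r| Gem::Version.new(r[:version]) }[:version]
end

if __FILE__ == $PROGRAM_NAME
  [0, 7, 30, 365].each do |days|
    puts "cooldown #{days}d -> #{resolve_with_cooldown(SAMPLE_RELEASES, days).inspect}"
  end
end
```

With no cooldown the resolver lands on the minutes-old 2.4.1, exactly the window the announcement describes; with a 7-day cooldown it settles on 2.4.0, and with 30 days on 2.3.0. Two properties follow from the design: a cooldown buys time for a malicious release to be noticed and yanked, but does nothing once that release has aged past the window, so the window length should be chosen against how quickly the ecosystem typically reacts; and a project whose every release is newer than the window gets no version at all, which the filter should report rather than bypass.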
LWN covered dependency cooldowns in April, and the takeover of RubyGems and Bundler in October 2025.