
Cooldown Support for Ruby Bundler


Most supply-chain attacks against RubyGems exploit a narrow window: an account is compromised, a malicious version ships, and any bundle install in the minutes that follow resolves straight to it. Bundler 4.0.13 introduces cooldown, a time-based filter that refuses to resolve to a version until it has been public for at least N days. Releases too new to have been scrutinized are passed over in favor of ones that have aged past the window.

The feature was designed in the open, drawing on how other ecosystems approach the same problem. It is opt-in, and complements rather than replaces existing defenses like mandatory 2FA and trusted publishing.

Cooldown reads the per-version created_at timestamp that rubygems.org’s v2 compact index now serves. A version whose source does not expose created_at, such as older gem servers, historical entries from before the v2 cutover, or private registries still on the v1 format, is treated as outside the window and stays resolvable. Cooldown never blocks resolution silently; it only holds back versions it can prove are too new.
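To make the selection rule concrete, here is a small model of the filter in Ruby. It is an added illustration, not Bundler's own resolver code: the index entries, the timestamps and the helper names (too_new?, cooled_versions, resolve_with_cooldown) are all constructed for this example. It shows the two behaviours the paragraph describes: a version with a created_at younger than the window is passed over in favour of an older one, and a version whose source publishes no created_at is never held back, even when the window is wide enough to exclude every timestamped release.

```ruby
# Added example (not Bundler's own code): a minimal model of how a
# cooldown filter chooses an installable version from compact-index
# style entries. Entry shapes and timestamps are constructed for the demo.
require "time"

SECONDS_PER_DAY = 24 * 60 * 60

# Constructed entries mimicking what a v2 compact index exposes per version.
# `created_at` is nil for a version whose source publishes no timestamp
# (older gem server, pre-cutover entry, or a v1-format private registry).
SAMPLE_VERSIONS = [
  { version: "7.0.9", created_at: nil },                    # no timestamp: never held back
  { version: "7.1.0", created_at: "2024-01-10T00:00:00Z" },
  { version: "7.1.1", created_at: "2024-03-01T00:00:00Z" },
  { version: "7.1.2", created_at: "2024-03-09T12:00:00Z" }, # 1.5 days old at the demo "now"
].freeze

# A version is held back only when it HAS a timestamp AND that timestamp is
# younger than the window. A missing timestamp cannot prove the version is
# too new, so it passes (the "never blocks silently" rule).
def too_new?(entry, cooldown_days:, now:)
  return false if entry[:created_at].nil?
  published = Time.iso8601(entry[:created_at])
  (now - published) < cooldown_days * SECONDS_PER_DAY
end

# Entries that survive the cooldown filter, in their original order.
# A nil cooldown means the feature is unset, so nothing is filtered.
def cooled_versions(entries, cooldown_days:, now: Time.now.utc)
  return entries.dup if cooldown_days.nil?
  entries.reject { |e| too_new?(e, cooldown_days: cooldown_days, now: now) }
end

# The newest version that has aged past the window, or nil if none has.
# Gem::Version ordering keeps "7.1.10" after "7.1.9", unlike string sorting.
def resolve_with_cooldown(entries, cooldown_days:, now: Time.now.utc)
  candidates = cooled_versions(entries, cooldown_days: cooldown_days, now: now)
  best = candidates.max_by { |e| Gem::Version.new(e[:version]) }
  best && best[:version]
end

if __FILE__ == $PROGRAM_NAME
  now = Time.iso8601("2024-03-11T00:00:00Z") # fixed clock so the output is reproducible
  [nil, 1, 7, 30, 100].each do |days|
    chosen = resolve_with_cooldown(SAMPLE_VERSIONS, cooldown_days: days, now: now)
    puts "cooldown #{days.inspect.ljust(4)} -> #{chosen}"
  end
end
```

With the constructed clock of 2024-03-11, a 7-day window skips 7.1.2 and lands on 7.1.1; a 30-day window also skips 7.1.1 and lands on 7.1.0; and a 100-day window excludes every timestamped release, leaving only 7.0.9, which has no created_at and therefore stays resolvable. That last case is the caveat to keep in mind: a source that serves no timestamps gets no protection from cooldown, however wide the window.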

Getting started

Cooldown ships in Bundler 4.0.13. If you are on an earlier release, update Bundler in place and pin the same version in your lockfile so the whole team moves together:

    $ gem update --system   # or: gem install bundler -v 4.0.13
    $ bundle update --bundler=4.0.13

Then declare a small cooldown on your source in the Gemfile. This is the right setup for most teams: it is committed alongside your code, so every developer and every CI run enforces the same window with no extra setup.

    source "https://rubygems.org", cooldown: 7

    gem "rails"
    gem "puma"

Cooldown takes effect during resolution. Run bundle install when there is no lockfile yet, or bundle update to re-resolve against it once a lockfile exists; an existing Gemfile.lock is always honored as-is, so adding a cooldown never disturbs versions you have already locked. Cooldown is unset by default, so a project without it keeps resolving to the newest versions.

That is all most projects need. The rest of this post covers the finer-grained controls.
