Cooldown Support for Ruby Bundler
2 days ago
- #Supply-chain attack prevention
- #Bundler cooldown feature
- #RubyGems security
- Bundler 4.0.13 introduces a cooldown feature to filter out newly published gem versions for a specified number of days to mitigate supply-chain attacks.
- Cooldown is opt-in and can be set per source in the Gemfile, via configuration settings, environment variables, or command-line flags.
- The feature uses the created_at timestamp from rubygems.org's v2 compact index to determine if a version is too new.
- Cooldown complements other security measures like mandatory 2FA, trusted publishing, and vulnerability scanning.
- An escape hatch with --cooldown 0 allows immediate installation of the latest versions when necessary, such as for urgent security updates.
- The bundle outdated command shows which versions are held back due to cooldown, indicating the days remaining until they become available.
- Cooldown works alongside ongoing security improvements on rubygems.org, including password validation and AI-assisted vulnerability scanning.
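The filtering described above, as an added Ruby illustration (not Bundler's own code): given the per-version created_at timestamps the compact index supplies, it drops versions younger than the cooldown window, treats a cooldown of 0 as the escape hatch, and reports the days remaining for held-back versions the way bundle outdated does. The gem data is constructed for the example.

```ruby
require "time"

# Constructed sample of what the v2 compact index supplies per version
# (gem name, version string, created_at). Values are made up.
SAMPLE_VERSIONS = [
  { name: "rack", version: "3.1.0", created_at: "2024-01-10T12:00:00Z" },
  { name: "rack", version: "3.1.1", created_at: "2024-06-01T09:30:00Z" },
  { name: "rack", version: "3.1.2", created_at: "2024-06-06T15:00:00Z" },
].freeze

SECONDS_PER_DAY = 86_400

# Oldest publication time that still clears the window; nil means no window.
def cooldown_cutoff(cooldown_days, now)
  return nil if cooldown_days.to_i <= 0   # --cooldown 0: nothing is held back
  now - cooldown_days.to_i * SECONDS_PER_DAY
end

# Versions that have been published for at least cooldown_days and are
# therefore eligible for installation.
def cooled_versions(versions, cooldown_days, now: Time.now.utc)
  cutoff = cooldown_cutoff(cooldown_days, now)
  return versions if cutoff.nil?
  versions.select { |v| Time.iso8601(v[:created_at]) <= cutoff }
end

# Versions still inside the window, each annotated with the number of whole
# days until it becomes available (what an outdated report would print).
def held_back(versions, cooldown_days, now: Time.now.utc)
  cutoff = cooldown_cutoff(cooldown_days, now)
  return [] if cutoff.nil?
  versions.reject { |v| Time.iso8601(v[:created_at]) <= cutoff }.map do |v|
    remaining = Time.iso8601(v[:created_at]) - cutoff   # seconds, as Float
    v.merge(days_remaining: (remaining / SECONDS_PER_DAY).ceil)
  end
end

if __FILE__ == $PROGRAM_NAME
  held_back(SAMPLE_VERSIONS, 7).each do |v|
    puts "#{v[:name]} #{v[:version]} held back, #{v[:days_remaining]} day(s) remaining"
  end
end
```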