Ruby's Bundler adds a cooldown feature
Date:
Fri, 05 Jun 2026 12:57:00 +0000
Description:
Version 4.0.13 of Ruby's Bundler package manager has added dependency
cooldowns in order to help mitigate the effect of supply-chain attacks:

Most supply-chain attacks against RubyGems exploit a narrow window: an
account is compromised, a malicious version ships, and any `bundle install`
in the minutes that follow resolves straight to it. Bundler 4.0.13
introduces cooldown, a time-based filter that refuses to resolve to a
version until it has been public for at least N days. Releases too new to
have been scrutinized are passed over in favor of ones that have aged past
the window. The feature was designed in the open, drawing on how other
ecosystems approach the same problem. It is opt-in, and complements rather
than replaces existing defenses like mandatory 2FA and trusted publishing.

LWN covered dependency cooldowns in April, and the takeover of RubyGems and
Bundler in October 2025.
======================================================================
Link to news story:
https://lwn.net/Articles/1076526/
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)