
Ruby's Bundler adds a cooldown feature

by jzb, from LWN.net (#763WT)

Version 4.0.13 of Ruby's Bundler package manager has added dependency cooldowns in order to help mitigate the effect of supply-chain attacks:

Most supply-chain attacks against RubyGems exploit a narrow window: an account is compromised, a malicious version ships, and any bundle install in the minutes that follow resolves straight to it. Bundler 4.0.13 introduces cooldown, a time-based filter that refuses to resolve to a version until it has been public for at least N days. Releases too new to have been scrutinized are passed over in favor of ones that have aged past the window.

The feature was designed in the open, drawing on how other ecosystems approach the same problem. It is opt-in, and complements rather than replaces existing defenses like mandatory 2FA and trusted publishing.
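To show what a time-based cooldown filter does to version resolution, here is an added illustrative model in Ruby; it is not Bundler's own code. The CooldownResolver class, the gem versions and their publish timestamps are all constructed for this example: the resolver returns the newest version that satisfies the requirement and has been public for at least the cooldown period, and separately reports the releases it passed over as too new.

```ruby
require "rubygems"
require "time"

# Illustrative model of a dependency cooldown (not Bundler's code).
# A candidate is eligible only if it has been public for at least
# +cooldown_days+ days as of +now+; newer releases are skipped.
class CooldownResolver
  Candidate = Struct.new(:version, :published_at)

  def initialize(cooldown_days:, now: Time.now)
    @cooldown_seconds = cooldown_days * 24 * 60 * 60
    @now = now
  end

  # Newest version string that matches +requirement+ and has aged past
  # the window, or nil when none qualifies (for example a gem whose every
  # release is newer than the cooldown). A caller must treat nil as a
  # resolution failure rather than falling back to the too-new release,
  # otherwise the filter is defeated.
  def resolve(candidates, requirement: Gem::Requirement.new(">= 0"))
    eligible = candidates.select do |c|
      aged_past_window?(c) && requirement.satisfied_by?(Gem::Version.new(c.version))
    end
    eligible.max_by { |c| Gem::Version.new(c.version) }&.version
  end

  # Versions that exist but are still inside the cooldown window.
  def too_new(candidates)
    candidates.reject { |c| aged_past_window?(c) }.map(&:version)
  end

  private

  def aged_past_window?(candidate)
    (@now - candidate.published_at) >= @cooldown_seconds
  end
end

# Constructed sample metadata for a hypothetical gem (not real rubygems.org data).
NOW = Time.utc(2026, 3, 1, 12, 0, 0)
SAMPLE_VERSIONS = [
  CooldownResolver::Candidate.new("3.1.9",  Time.utc(2025, 12, 1)),         # ~90 days old
  CooldownResolver::Candidate.new("3.1.10", Time.utc(2026, 2, 20)),         # ~9.5 days old
  CooldownResolver::Candidate.new("3.1.11", Time.utc(2026, 3, 1, 9, 0, 0)), # 3 hours old
].freeze

if $PROGRAM_NAME == __FILE__
  resolver = CooldownResolver.new(cooldown_days: 7, now: NOW)
  puts "resolved: #{resolver.resolve(SAMPLE_VERSIONS)}"
  puts "skipped as too new: #{resolver.too_new(SAMPLE_VERSIONS).join(', ')}"
end
```

With a seven-day window the three-hour-old 3.1.11 is skipped and 3.1.10 is chosen; with a 100-day window nothing qualifies and the resolver returns nil rather than silently taking a fresh release.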

LWN covered dependency cooldowns in April, and the takeover of RubyGems and Bundler in October 2025.
