{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreihx55e5tar7dsq37vuw2y5b2n5bepmcpzrc2uu24kj6o57hw6i5pm",
    "uri": "at://did:plc:b3tz6srl4ochk2wxn6dv6xpy/app.bsky.feed.post/3mnkp5urowgn2"
  },
  "path": "/Articles/1076526/",
  "publishedAt": "2026-06-05T12:57:00.000Z",
  "site": "https://lwn.net",
  "tags": [
    "Version 4.0.13",
    "Bundler",
    "added dependency cooldowns",
    "designed in the open",
    "how other ecosystems approach the same problem",
    "covered",
    "takeover of RubyGems and Bundler"
  ],
  "textContent": "Version 4.0.13 of Ruby's Bundler package manager has added dependency cooldowns in order to help mitigate the effect of supply-chain attacks:\n\n> Most supply-chain attacks against RubyGems exploit a narrow window: an account is compromised, a malicious version ships, and any `bundle install` in the minutes that follow resolves straight to it. Bundler 4.0.13 introduces cooldown, a time-based filter that refuses to resolve to a version until it has been public for at least _N_ days. Releases too new to have been scrutinized are passed over in favor of ones that have aged past the window.\n>\n> The feature was designed in the open, drawing on how other ecosystems approach the same problem. It is opt-in, and complements rather than replaces existing defenses like mandatory 2FA and trusted publishing.\n\nLWN covered dependency cooldowns in April, and the takeover of RubyGems and Bundler in October 2025.",
  "title": "Ruby's Bundler adds a cooldown feature"
}