The Bottom Line: RubyGems introduces a configurable waiting period for newly published packages to extend the time window in which malware in gems can be detected.
The RubyGems team has integrated a new cooldown feature into Bundler that protects Ruby developers from supply chain attacks by preventing newly published packages from being installed until a configurable delay has passed.
Recent attacks on software repositories have focused on stealing developer credentials to inject malicious code into their packages. When other developers install these compromised versions, their credentials are compromised in turn, so the pattern repeats and the damage multiplies with each round. The greatest risk lies in the window between compromise and discovery, during which the infected versions are freely installable.
The RubyGems team has therefore added a new cooldown parameter to Bundler. This feature delays the installation of new gem versions by a configurable number of days. The system checks the publish timestamp of each gem version: versions that have been public for longer than the cooldown are available immediately, while newer versions cannot be installed until the cooldown has elapsed. This gives other developers and security tools an opportunity to examine packages for malicious code before they reach production systems.
For cases where an immediate update is necessary, for example when a known-safe release fixes a critical security vulnerability, the delay can be explicitly overridden. This strikes a balance between protection against compromised packages and flexibility for legitimate patching operations.
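The selection rule described above, written out as an added Ruby example (this is illustrative code, not Bundler's own implementation, and the gem versions, publish times and the `override:` option are constructed assumptions):

```ruby
# Constructed sample data for one gem (not real rubygems.org records):
# each candidate carries the publish time reported by the registry.
NOW = Time.utc(2026, 6, 5, 12, 0, 0)
CANDIDATES = [
  { version: "2.4.0",  published_at: Time.utc(2026, 1, 10) },
  { version: "2.5.0",  published_at: Time.utc(2026, 5, 20) },
  { version: "2.10.0", published_at: Time.utc(2026, 6, 4) }, # one day old
].freeze

# Split candidates into those old enough to install and those still held
# back. The registry's publish time is used rather than the gemspec date,
# because the latter is written by whoever uploaded the gem.
def partition_by_cooldown(candidates, cooldown_days:, now: NOW)
  cutoff = now - cooldown_days * 86_400
  candidates.partition { |c| c[:published_at] <= cutoff }
end

# Choose the version to install. `override: true` is the explicit opt-out
# for a gem whose newest version is known-safe and urgently needed.
# Returns nil when every version is still inside the cooldown (e.g. a gem
# first published yesterday), so the caller can fail loudly instead of
# silently installing something fresh.
def pick_version(candidates, cooldown_days:, now: NOW, override: false)
  eligible, _held = partition_by_cooldown(candidates, cooldown_days: cooldown_days, now: now)
  eligible = candidates if override
  return nil if eligible.empty?
  # Compare as Gem::Version: as strings, "2.5.0" would sort above "2.10.0".
  eligible.max_by { |c| Gem::Version.new(c[:version]) }[:version]
end

# Versions skipped because of the cooldown, so they can be logged.
def held_back(candidates, cooldown_days:, now: NOW)
  _eligible, held = partition_by_cooldown(candidates, cooldown_days: cooldown_days, now: now)
  held.map { |c| c[:version] }
end

if __FILE__ == $0
  puts "cooldown 7d: #{pick_version(CANDIDATES, cooldown_days: 7).inspect}"
  puts "held back:   #{held_back(CANDIDATES, cooldown_days: 7).inspect}"
  puts "override:    #{pick_version(CANDIDATES, cooldown_days: 7, override: true)}"
  puts "cooldown 1y: #{pick_version(CANDIDATES, cooldown_days: 365).inspect}"
end
```

With a seven-day cooldown the one-day-old 2.10.0 is held back and 2.5.0 is chosen; a 365-day cooldown leaves nothing installable, which the caller should surface rather than ignore.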
Source: www.csoonline.com · Published June 5, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.