Cooldown Support for Ruby Bundler
Bundler 4.0.13 introduces a cooldown feature to enhance security against supply-chain attacks in RubyGems. This feature prevents the resolution of newly released versions until they have been public for a specified number of days. It is designed to complement existing security measures and is opt-in for users.
- Cooldown is a time-based filter that delays the resolution of newly released versions.
- The feature is opt-in and designed to work alongside existing defenses like mandatory 2FA.
- Users can configure cooldown settings per project, globally, or through environment variables.
Opening excerpt (first ~120 words)
Most supply-chain attacks against RubyGems exploit a narrow window: an account is compromised, a malicious version ships, and any bundle install in the minutes that follow resolves straight to it. Bundler 4.0.13 introduces cooldown, a time-based filter that refuses to resolve to a version until it has been public for at least N days. Releases too new to have been scrutinized are passed over in favor of ones that have aged past the window. The feature was designed in the open, drawing on how other ecosystems approach the same problem. It is opt-in, and complements rather than replaces existing defenses like mandatory 2FA and trusted publishing. Cooldown reads the per-version created_at timestamp that rubygems.org’s v2 compact index now serves.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at RubyGems Blog.
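The filter described above, as an added illustration rather than Bundler's own code: given per-version `created_at` timestamps (constructed here, modelled on what the excerpt says the compact index serves), the resolver only considers versions that have been public for at least N days, and fails rather than fall through to a too-new release when nothing qualifies. The `aged_versions` and `resolve_with_cooldown` names are this example's own.

```ruby
require "time"
require "rubygems"

SECONDS_PER_DAY = 86_400

# Constructed sample data for a hypothetical gem: version numbers with the
# per-version "created_at" timestamp the v2 compact index exposes.
SAMPLE_VERSIONS = [
  { "number" => "1.2.0", "created_at" => "2025-01-10T12:00:00Z" },
  { "number" => "1.2.1", "created_at" => "2025-03-01T09:30:00Z" },
  { "number" => "1.3.0", "created_at" => "2025-03-14T18:00:00Z" }, # hours old
  { "number" => "1.2.2", "created_at" => "2025-03-14T17:00:00Z" }, # backport, also brand new
].freeze

# Keep only versions that were public at least `cooldown_days` before `now`.
def aged_versions(versions, cooldown_days:, now: Time.now.utc)
  cutoff = now - cooldown_days * SECONDS_PER_DAY
  versions.select { |v| Time.iso8601(v["created_at"]) <= cutoff }
end

# Highest version satisfying `requirement` among those past the cooldown.
# Returns nil when nothing qualifies: resolution should stop rather than
# silently accept a release that is still inside the window.
def resolve_with_cooldown(versions, requirement, cooldown_days:, now: Time.now.utc)
  req = Gem::Requirement.new(requirement)
  aged_versions(versions, cooldown_days: cooldown_days, now: now)
    .map { |v| Gem::Version.new(v["number"]) }
    .select { |ver| req.satisfied_by?(ver) }
    .max
    &.to_s
end

if __FILE__ == $PROGRAM_NAME
  now = Time.iso8601("2025-03-15T00:00:00Z")
  puts resolve_with_cooldown(SAMPLE_VERSIONS, ">= 1.2", cooldown_days: 7, now: now) # 1.2.1
  puts resolve_with_cooldown(SAMPLE_VERSIONS, ">= 1.2", cooldown_days: 0, now: now) # 1.3.0
  p resolve_with_cooldown(SAMPLE_VERSIONS, "~> 1.3", cooldown_days: 7, now: now)    # nil
end
```

With a 7-day window both of the day-old releases are skipped in favor of 1.2.1; setting the window to 0 reproduces ordinary newest-wins resolution.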