惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

P
Palo Alto Networks Blog
大猫的无限游戏
大猫的无限游戏
Martin Fowler
Martin Fowler
GbyAI
GbyAI
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
量子位
T
The Blog of Author Tim Ferriss
Y
Y Combinator Blog
Microsoft Azure Blog
Microsoft Azure Blog
C
CERT Recently Published Vulnerability Notes
Recent Announcements
Recent Announcements
A
About on SuperTechFans
aimingoo的专栏
aimingoo的专栏
P
Privacy International News Feed
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - 叶小钗
L
Lohrmann on Cybersecurity
G
GRAHAM CLULEY
T
The Exploit Database - CXSecurity.com
Hugging Face - Blog
Hugging Face - Blog
P
Proofpoint News Feed
NISL@THU
NISL@THU
博客园 - Franky
C
Cybersecurity and Infrastructure Security Agency CISA
The Register - Security
The Register - Security
M
MIT News - Artificial intelligence
Know Your Adversary
Know Your Adversary
A
Arctic Wolf
F
Full Disclosure
T
Threat Research - Cisco Blogs
P
Privacy & Cybersecurity Law Blog
The Hacker News
The Hacker News
博客园 - 【当耐特】
D
Docker
T
Tailwind CSS Blog
S
SegmentFault 最新的问题
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Jina AI
Jina AI
Help Net Security
Help Net Security
V
Visual Studio Blog
小众软件
小众软件
B
Blog
Vercel News
Vercel News
云风的 BLOG
云风的 BLOG
N
News and Events Feed by Topic
Forbes - Security
Forbes - Security
N
Netflix TechBlog - Medium
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
C
Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic

Socket

Suno Breached via Shai-Hulud Worm, Leaked Code Exposes AI Mu... Next.js moves to scheduled security releases - Socket 11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windo... Compromised npm Packages in the AsyncAPI Namespace Deliver M... jscrambler npm Package Compromised in Supply Chain Attack - ... Fake Braintree NuGet Package Skims Credit Cards and Harvests... Compromised Injective SDK npm Package Exfiltrates Wallet Key... npm v12 Ships With Install Scripts Off by Default, Begins De... Malicious Go Module Exposes GitHub Malware Lure Network Span... pnpm 11.10 Hardens Registry Authentication to Block Token Re... Coordinated npm and PyPI Campaign Typosquats Popular Secure ... Node.js Considers Public Workflow for Security Reports Amid ... PolinRider: North Korea-Linked Supply Chain Campaign Expands... Risky Biz Podcast: AI Agents Are Raising the Stakes for Soft... Chrome and Firefox Extensions Posing as Free VPNs Add Clipbo... Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages - S... Rolldown Pulls Rust React Compiler Integration After Binary ... Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and Git... Frontier AI Is Now Critical Infrastructure - Socket The Code You Didn't Write Is Still Yours to Defend - Socket GitHub Actions Checkout Now Blocks Risky pull_request_target... Introducing Repository Access Permissions and Custom Roles -... Socket MCP Adds Org Alerts, Threat Feed Review, and Package ... Socket Firewall Now Blocks Malicious VS Code and Open VSX Ex... 140+ Mastra npm Packages Compromised in Coordinated Supply C... npm Package Uses Prompt Injection and Token Flooding to Disr... Introducing Manifest Alerts - Socket GlassWASM: WebAssembly Malware Found in Trojanized Open VSX ... Socket for Linear Is Now Available - Socket US Government Forces Anthropic to Pull Claude Fable Days After Launch 152 Chrome Live Wallpaper Extensions Hid Ad Tracking and Faked Google Search Traffic Andrew Becherer Joins Socket as Chief Information Security Officer Socket Partners with Replit to Block Malicious Packages in AI-Powered Development npm Tooling Bug Incorrectly Marks One-Character Packages as Security Holders Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave RubyGems Adds Cooldown Feature to Bundler for Newly Published Gems pnpm 11.5 Adds Support for Recognizing npm Staged Publishes pnpm 11.5 Adds Support for Recognizing npm Staged Publishes Federal Audit Finds NIST Wasted Funds With No Plan to Clear NVD Backlog Federal Audit Finds NIST Wasted Funds With No Plan to Clear NVD Backlog Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages Famous Chollima Targets PHP Developers Through Compromised Packagist Package Famous Chollima Targets PHP Developers Through Compromised Packagist Package Rust Moves to Restrict LLM Use in Contributions After Months of Internal Debate Rust Moves to Restrict LLM Use in Contributions After Months of Internal Debate Malicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and Passwords Malicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and Passwords Feross on TBPN: Socket's Series C and the State of Software Supply Chain Security Feross on TBPN: Socket's Series C and the State of Software Supply Chain Security OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io Laravel Lang Compromised with RCE Backdoor Across 700+ Versions Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects AI Has Taken Over Open Source npm Invalidates Granular Access Tokens as Mini Shai-Hulud Sweeps the Registry Coruna Respawned: Compromised art-template npm Package Leads to iOS Browser Exploit Kit Socket raises $60M Series C at $1B valuation led by Thrive Capital to secure AI-driven software development Socket Raises $60M Series C at a $1B Valuation to Help Enterprises Build Securely With AI Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor Active Supply Chain Attack Compromises @antv Packages on npm Popular node-ipc npm Package Infected with Credential Stealer TeamPCP and BreachForums Launch $1,000 Contest for Supply Chain Attacks Packagist Urges Immediate Composer Update After GitHub Actions Token Leak GemStuffer Campaign Abuses RubyGems as Exfiltration Channel Targeting UK Local Government Socket Named to Rising in Cyber 2026 List of Top Cybersecurity Startups TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud Supply-Chain Attack fsnotify Maintainer Dispute Sparks Supply Chain Concerns Socket Releases Free Certified Patches for Critical vm2 Sandbox Escape 5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer pnpm 11 Adds Supply Chain Protection Defaults for Minimum Release Age and Exotic Subdependencies PyPI Fixes High-Severity Access Control Issues Found in Security Audit Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Steal Secrets and Poison CI Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise Intercom’s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack lightning PyPI Package Compromised in Supply Chain Attack Malicious npm Package Brand-Squats TanStack to Exfiltrate Environment Variables SAP CAP npm Packages Hit by Supply Chain Attack Socket Has Acquired Secure Annex 73 Open VSX Sleeper Extensions Linked to GlassWorm Show New Malware Activations Introducing Reachability for PHP Introducing Data Exports Malicious Checkmarx Artifacts Found in Official KICS Docker Repository and Code Extensions Introducing Organization Notifications in Socket Introducing Reports: An Extensible Reporting Framework for Socket Data Socket for Jira Is Now Available Socket Named Top Sales Organization by RepVue NIST Officially Stops Enriching Most CVEs as Vulnerability Volume Skyrockets Socket Selected for OpenAI's Cybersecurity Grant Program Feross on the 10 Minutes or Less Podcast: Nobody Reads the Code 108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure Node.js Drops Bug Bounty Rewards After Funding Dries Up The Hidden Blast Radius of the Axios Compromise
RubyGems Adds Cooldown Feature to Bundler for Newly Published Gems
Sarah Gooding · 2026-06-05 · via Socket

Sidebar CTA Background

Secure your dependencies with us

Socket proactively blocks malicious open source packages in your code.

Install

RubyGems and Bundler 4.0.13 introduced an opt-in cooldown feature that can delay installation of newly published gem versions, bringing a time-based supply chain defense to Ruby’s package management workflow.

The feature allows developers to configure Bundler so it will not resolve to a gem version until it has been public for a set number of days. In the example published by RubyGems maintainer Hiroshi SHIBATA, a project can add a cooldown directly to its Gemfile:

source "https://rubygems.org", cooldown: 7

With that setting, Bundler skips gem versions published within the last seven days and chooses versions that fall outside the cooldown window. Cooldown is unset by default, so existing projects continue resolving to the newest eligible versions unless the setting is explicitly enabled.

The feature targets a narrow but recurring supply chain risk: the period immediately after a malicious package version is published. In many compromise scenarios, attackers rely on speed. A maintainer account is taken over, a malicious release is pushed, and automated installs or CI jobs can pick it up before maintainers, registries, or security researchers have time to respond.

How Cooldown Changes Resolution#

Cooldown does not determine whether a gem is safe. It only delays resolution to versions that are too new under the configured policy.

Time-based install delays can reduce exposure to newly published malicious versions, but they can also hold back legitimate releases, including urgent security fixes. Bundler includes an escape hatch for those cases: passing --cooldown 0 disables the delay for a run when a project needs to install the newest available version.

The feature is part of a wider movement among package managers to add install-time controls that account for the speed of modern dependency attacks. pnpm introduced minimumReleaseAge to delay dependency updates, and npm later added a similar minimumReleaseAge setting. RubyGems’ cooldown feature applies the same general idea to Bundler’s resolver.

gem.coop’s cooldown feature tested a similar idea at the registry layer. The independent RubyGems-compatible registry delayed access to newly published gems through a separate gem source. Bundler’s version takes a different route: the delay is applied by the client during dependency resolution, using timestamp metadata from RubyGems.org’s compact index.

How Bundler Applies the Filter#

Bundler’s cooldown feature depends on per-version created_at metadata now available in RubyGems.org’s v2 compact index, which Bundler uses during dependency resolution.

RubyGems did not add this data to its public API. The timestamp is available to Bundler through the compact index, not as a new public gem metadata field for general API consumers.

When Bundler has the timestamp data, it compares a gem version’s release time against the configured cooldown period and skips versions that are still inside the window. If Bundler cannot prove that a version is too new, it does not block it. Older gem servers, historical entries from before the v2 cutover, and private registries that do not expose the timestamp remain resolvable.

That conservative behavior avoids breaking sources that do not provide the new metadata, but it also means the feature depends on whether Bundler can see release timestamps for a given source.

Configuration Options#

RubyGems’ announcement describes several ways to enable cooldown. The most project-specific option is the cooldown: keyword on a source in the Gemfile. Bundler also supports project config, global config, the BUNDLE_COOLDOWN environment variable, and command-line flags for bundle install, bundle update, bundle add, and bundle outdated.

The per-source option lets teams apply different policies to different registries. For example, a project could delay new versions from RubyGems.org while allowing an internal gem server to resolve immediately:

source "https://rubygems.org", cooldown: 7

source "https://gems.internal.example.com", cooldown: 0 do
gem "internal-tool"
end

Command-line flags take precedence over configuration settings, which take precedence over per-source Gemfile settings.

Bundler 4.0.13 also makes cooldown visible in bundle outdated. When a newer version exists but is still inside the configured waiting period, Bundler annotates it with the remaining cooldown time rather than treating the project as simply up to date.

RubyGems Extends Registry Security Improvements#

Cooldown shipped alongside RubyGems 4.0.13 and Bundler 4.0.13, which also included other enhancements and fixes. In the release notes, RubyGems listed cooldown under Bundler security changes.

The feature follows other recent RubyGems.org security work, including push-time gem validation, checks against Have I Been Pwned to prevent reuse of compromised passwords, mandatory 2FA, trusted publishing, and AI-assisted vulnerability scanning for critical gems backed by Alpha Omega and Anthropic.

Those efforts address different parts of the package supply chain. Registry-side checks can help prevent or detect malicious releases. Authentication improvements make maintainer account compromise harder. Cooldown gives consumers a way to delay adoption of releases that have only just appeared.

The tradeoff is that delay-based controls are not always desirable. A newly published version may be malicious, but it may also be an urgent fix. Bundler’s implementation leaves that decision to projects by making cooldown opt-in and allowing it to be disabled for a specific run.

RubyGems’ cooldown feature brings that control to Bundler at a time when delayed installation is becoming a more common response to fast-moving package compromises. The idea is simple: many malicious releases are detected and removed within hours, while automated installs can consume them almost immediately. A short waiting period gives those detection and takedown processes more time to work before a new version enters a project’s dependency resolution.