Ruby Fights Hackers by Delaying New Code

TL;DR: Ruby's package manager now lets developers delay installing new code versions for a set period. This 'cooldown' creates a window for the community to find and report malicious packages before they can cause widespread damage.
Key facts
- Category: Cybersecurity
- Impact: High
- Published:
- Source: Slashdot
Full summary
Ruby's package manager now has a 'cooldown' feature, delaying new code installs to give the community time to vet them for security threats.
Ruby is introducing a new security feature in its Bundler package manager to combat supply-chain attacks. According to Ruby core maintainer Hiroshi Shibata, most of these attacks exploit the narrow window immediately after a malicious new package version is published. To close this gap, Bundler now offers a filter that allows developers to enforce a "cooldown" period. This setting prevents the installation of any new package version until it has been publicly available for a user-defined number of days. Essentially, if a release is too new to have been properly scrutinized by the community, Bundler will skip it in favor of an older, more trusted version.
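To make the selection rule concrete, here is an added Ruby illustration of the cooldown logic described above. It is not Bundler's own code, and the page does not give the name of the Bundler setting, so none is assumed here: the gem names, release dates, and helper names (`resolve`, `audit_lock`) are constructed for the example. It goes one step beyond the text by also auditing an already-locked set of versions against the same age rule, which is the check a team would want in CI when adopting a cooldown after the fact.

```ruby
require "rubygems"
require "time"

SECONDS_PER_DAY = 24 * 60 * 60

# Constructed stand-in for a package index: gem name -> { version -> publication time }.
# These are not real gems or real release dates.
INDEX = {
  "examplegem" => {
    "1.4.0" => Time.utc(2024, 3, 1),
    "1.4.1" => Time.utc(2024, 5, 10),
    "1.5.0" => Time.utc(2024, 6, 2),   # newest release, only 2 days old at NOW
  },
  "othergem" => {
    "2.0.0" => Time.utc(2023, 11, 20),
  },
}

# Constructed "current time" so the example is deterministic offline.
NOW = Time.utc(2024, 6, 4)

# Constructed lockfile pins: gem name -> version currently locked.
LOCKED = { "examplegem" => "1.5.0", "othergem" => "2.0.0" }

# Whole days a release has been publicly available as of +now+.
def release_age_days(published_at, now: NOW)
  ((now - published_at) / SECONDS_PER_DAY).floor
end

# Releases that have been public for at least +cooldown_days+.
def cooled_down(releases, cooldown_days:, now: NOW)
  releases.select { |_version, published_at| release_age_days(published_at, now: now) >= cooldown_days }
end

# Newest version that satisfies +requirement+ AND has finished its cooldown.
# Mirrors the behaviour described on the page: a too-new release is skipped in
# favour of the newest older one. Returns nil when nothing qualifies, which is
# the failure mode to expect for a brand-new gem whose only release is too young.
def resolve(releases, requirement: ">= 0", cooldown_days: 0, now: NOW)
  req = Gem::Requirement.new(requirement)
  candidates = cooled_down(releases, cooldown_days: cooldown_days, now: now)
                 .keys
                 .map { |v| Gem::Version.new(v) }
                 .select { |v| req.satisfied_by?(v) }
  candidates.max&.to_s
end

# Audit existing pins: returns [gem, version, age_in_days] for every locked
# version younger than the cooldown, so a team can see which dependencies were
# adopted inside the window the cooldown is meant to cover.
def audit_lock(locked, index, cooldown_days:, now: NOW)
  locked.each_with_object([]) do |(gem_name, version), too_young|
    published_at = index.fetch(gem_name, {})[version]
    next if published_at.nil?   # unknown release: nothing to age-check here
    age = release_age_days(published_at, now: now)
    too_young << [gem_name, version, age] if age < cooldown_days
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "no cooldown:      #{resolve(INDEX['examplegem'], cooldown_days: 0)}"   # 1.5.0
  puts "7-day cooldown:   #{resolve(INDEX['examplegem'], cooldown_days: 7)}"   # 1.4.1
  puts "~> 1.5, 7 days:   #{resolve(INDEX['examplegem'], requirement: '~> 1.5', cooldown_days: 7).inspect}"  # nil
  puts "lock audit (7d):  #{audit_lock(LOCKED, INDEX, cooldown_days: 7).inspect}"
end
```

Two design points worth noting. First, the cooldown is applied before the version requirement is evaluated, so a `~> 1.5` constraint that only a two-day-old release can satisfy resolves to nothing rather than silently installing the young release; that is the safe failure. Second, ages are measured in whole days from the index's publication timestamp, not from when the version was first seen locally, since the former is what the community had time to inspect.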
This delay is a critical, proactive defense mechanism. Attackers often rely on automated systems and developers quickly adopting the latest versions to spread malicious code before it can be discovered. By implementing a waiting period, the Ruby ecosystem gives security researchers, automated scanning tools, and the developer community a crucial buffer to inspect new code for threats. If a compromised package is identified during this cooldown, it can be reported and removed from the central repository before it's installed by teams using the new filter. This feature empowers development and security teams to significantly harden their applications against a common and dangerous attack vector, shifting their posture from reactive cleanup to proactive prevention.
The introduction of this feature reflects a broader industry-wide effort to secure the software supply chain. Package repositories like RubyGems, npm for JavaScript, and PyPI for Python are critical infrastructure and frequent targets for sophisticated attacks. Many ecosystems are exploring or implementing measures like improved package signing, security attestations, and mandatory two-factor authentication for maintainers. Ruby's cooldown approach is a simple yet powerful strategy that puts direct control into the hands of developers, allowing them to balance the need for new features with a more cautious, security-first approach to dependency management.
Primary source: Slashdot