To counter this, the RubyGems team has added a new cooldown option to Bundler that ignores gems until they have been published for a specified number of days. This provides an extra layer of defense against malicious package releases, because it gives others a chance to identify any malicious code they contain before installation.
The cooldown works by checking the publication timestamp of any new gem version. Only versions older than the cooldown period are eligible for installation; a freshly published version is held back until it has had time to be validated.
In conditions the place ready is unhelpful — for example when a known-good bundle is launched to patch a harmful safety flaw — the delay may be overridden.
This article first appeared on InfoWorld.