Should RubyGems/Bundler Have a Cooldown Feature?
I'm Hiroshi Shibata (hsbt), a Ruby committer and the maintainer of RubyGems and Bundler. TL;DR Every major package manager is adding "cooldown" — a waiting period before you can install newly relea...

Source: DEV Community
I'm Hiroshi Shibata (hsbt), a Ruby committer and the maintainer of RubyGems and Bundler.

TL;DR

Every major package manager is adding "cooldown", a waiting period before you can install newly released packages. RubyGems/Bundler doesn't have one yet. I've been discussing whether we should add it. Short answer: yes, as an opt-in option, but cooldown alone isn't enough.

What Is a Cooldown?

A cooldown prevents upgrading to a new package version until a certain amount of time has passed since its release. The idea is simple: if a malicious version is published, the waiting period gives security researchers time to catch it before it reaches your Gemfile.lock.

William Woodruff's analysis found that 8 out of 10 supply chain attacks he examined had an exploitation window of less than one week, so a 7-day cooldown could have prevented most of them. As Andrew Nesbitt summarizes in "Package Managers Need to Cool Down", cooldown adoption accelerated rapidly from late 2025 into 2026.

The Landscape

Cooldown
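To make the mechanism concrete, here is a small Ruby sketch of the version filter a cooldown implies: given the release history of one gem, drop every version published less than N days ago and resolve to the newest remaining stable release. This is an added example written for this article, not code from RubyGems or Bundler, and it does not reflect any design decision discussed there. The release data is constructed; the field names (`number`, `created_at`, `prerelease`) are assumed to mirror the rubygems.org versions API, but nothing here talks to the network.

```ruby
require "rubygems"
require "time"

# Constructed release history for one hypothetical gem. Field names are assumed
# to mirror the rubygems.org versions API; versions and dates are made up so
# the example runs offline.
SAMPLE_RELEASES = [
  { "number" => "1.2.0",     "created_at" => "2026-01-10T09:00:00Z", "prerelease" => false },
  { "number" => "1.2.1",     "created_at" => "2026-01-20T12:00:00Z", "prerelease" => false },
  { "number" => "1.3.0.pre", "created_at" => "2026-02-03T08:00:00Z", "prerelease" => true },
  # Imagine this one is the compromised release: published two days before "now".
  { "number" => "1.2.2",     "created_at" => "2026-02-05T15:30:00Z", "prerelease" => false },
].freeze

SECONDS_PER_DAY = 24 * 60 * 60

# Keep only releases published at least `cooldown_days` before `now`.
# Anything younger is treated as not yet installable.
def cooled_down(releases, now:, cooldown_days:)
  cutoff = now - cooldown_days * SECONDS_PER_DAY
  releases.select { |r| Time.iso8601(r["created_at"]) <= cutoff }
end

# Resolve to the highest version that has passed the cooldown, skipping
# prereleases unless asked for. Returns nil when nothing qualifies (for
# example a brand-new gem), so a caller must decide what to do rather than
# silently falling back to the freshest release.
def newest_cooled_version(releases, now:, cooldown_days:, allow_prerelease: false)
  candidates = cooled_down(releases, now: now, cooldown_days: cooldown_days)
  candidates = candidates.reject { |r| r["prerelease"] } unless allow_prerelease
  return nil if candidates.empty?

  candidates.map { |r| Gem::Version.new(r["number"]) }.max.to_s
end

if $PROGRAM_NAME == __FILE__
  now = Time.iso8601("2026-02-07T00:00:00Z")
  puts "no cooldown:    #{newest_cooled_version(SAMPLE_RELEASES, now: now, cooldown_days: 0)}"
  puts "7-day cooldown: #{newest_cooled_version(SAMPLE_RELEASES, now: now, cooldown_days: 7)}"
  puts "60-day cooldown: #{newest_cooled_version(SAMPLE_RELEASES, now: now, cooldown_days: 60).inspect}"
end
```

With no cooldown the resolver happily picks 1.2.2, the version published two days ago; with a 7-day cooldown it stops at 1.2.1. The nil case is the edge a real implementation has to design for: a cooldown that quietly falls back to the newest release when nothing else is eligible gives no protection at all, and a gem with only one recent release would be uninstallable under a strict policy, which is one reason the feature belongs behind an opt-in.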