Bundler is the Ruby tool that installs and manages gem dependencies.

The latest version of Bundler (v4.0.13) introduces a gem filtering feature called cooldown. When configured, it excludes gem versions published within the last N days. The goal is to reduce supply-chain attack risk and add a buffer period in case of incidents such as account takeover attacks. (Reference)


Upgrading to the new version

1. Run the following:

% gem update --system
% bundle update --bundler=4.0.13

2. Verify the version:

% bundler version
4.0.13 (2026-06-06 commit 003f20f0dc)

Configure via Gemfile

1. Add `cooldown` days like this in your Gemfile:

source "https://rubygems.org", cooldown: 7

gem "rails", "~> 8.1"

2. Run the update command and observe that some newer gem versions are blocked:

% bundle update

1 version excluded by the cooldown setting; pass `--cooldown 0` to bypass.
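
To make the filtering concrete, here is a small Ruby model of the cooldown idea. It is an added example, not Bundler's own code: `pick_with_cooldown`, the sample versions and their publication times are all constructed, and treating a version published exactly N days ago as allowed is an assumption.

```ruby
require "rubygems"
require "time"

SECONDS_PER_DAY = 86_400

# Constructed sample data for a hypothetical gem: version => publication time.
# These are not real release dates of any gem.
SAMPLE_RELEASES = {
  "8.0.4" => "2026-03-01T12:00:00Z",
  "8.1.0" => "2026-04-10T12:00:00Z",
  "8.1.1" => "2026-05-20T12:00:00Z",
  "8.1.2" => "2026-06-05T12:00:00Z"
}.freeze

# Hypothetical helper modelling the cooldown idea; not Bundler's resolver.
# Returns the newest version that satisfies `requirement` and was published
# at least `cooldown_days` ago, plus the versions held back by the cooldown.
# Assumption: a version published exactly `cooldown_days` ago is allowed.
def pick_with_cooldown(releases, requirement, cooldown_days, now: Time.now.utc)
  raise ArgumentError, "cooldown must be >= 0" if cooldown_days.negative?

  req = Gem::Requirement.new(requirement)
  cutoff = now - cooldown_days * SECONDS_PER_DAY

  # Keep only versions the Gemfile requirement accepts, then split by age.
  candidates = releases.map { |v, ts| [Gem::Version.new(v), Time.iso8601(ts)] }
                       .select { |version, _| req.satisfied_by?(version) }
  allowed, held_back = candidates.partition { |_, published| published <= cutoff }

  {
    selected: allowed.map(&:first).max&.to_s, # nil when every match is too new
    excluded: held_back.map(&:first).sort.map(&:to_s)
  }
end

if $PROGRAM_NAME == __FILE__
  now = Time.utc(2026, 6, 8, 12, 0, 0) # fixed clock so the output is repeatable
  [0, 7, 30, 90].each do |days|
    result = pick_with_cooldown(SAMPLE_RELEASES, "~> 8.1", days, now: now)
    puts "cooldown #{days}: selected=#{result[:selected].inspect} " \
         "excluded=#{result[:excluded]}"
  end
end
```

With the 90-day setting every version matching `~> 8.1` in the sample is still inside the window, so the model selects nothing; a long cooldown can hold back a fix release just as it holds back a malicious one.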

Or configure via CLI

1. Pass the `cooldown` argument:

% bundle install --cooldown 7
% bundle update --cooldown 7
% bundle add rails --cooldown 7
% bundle outdated --cooldown 7