The gem.coop public cooldown server hides gems until they have been published for 48 hours. If you need a different amount of time, [let's talk](mailto:hello@gem.coop).
17
+
18
+
### Why use cooldowns?
19
+
20
+
[We should all be using dependency cooldowns](https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns).
21
+
22
+
### Why did you make this?
23
+
24
+
Cooldowns are a useful tool to increase security. We wrote more about our reasons in the [cooldowns release announcement](/updates/4#whats-a-cooldown).
25
+
26
+
### Give us feedback
27
+
28
+
Join us in [discussions on GitHub](https://github.com/gem-coop/gem.coop/discussions/), or [join the Bundler Slack](https://join.slack.com/t/bundler/shared_invite/zt-3gzoadr40-Uk0Q4jfNWw6938TZpV9Okw) and chat with us in the [#gem-coop](https://slack.com/archives/C09JU5AP8J2) channel.
29
+
30
+
### I found a bug!
31
+
32
+
Please report bugs to us by [opening an issue](https://github.com/gem-coop/gem.coop/issues) on GitHub.
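Review bot: the new `### Why use cooldowns?` section is a bare link to William Woodruff's post; one sentence of the reasoning (most malicious package versions are discovered and pulled within a day or two, so a 48-hour delay sidesteps them) would let readers who don't click through understand what the cooldown buys them. Also, `### I found a bug!` routes every report to public GitHub issues; consider directing security-sensitive reports (for example, a gem becoming visible before its 48 hours have elapsed) to a private channel such as the hello@gem.coop address already used on this page.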
content/updates/4.md: 15 additions & 7 deletions
@@ -1,18 +1,26 @@
1
1
+++
2
2
date = '2026-01-28T11:20:00+08:00'
3
3
title = 'gem.coop update #4: cooldowns beta'
4
-
draft = false
5
4
+++
6
5
7
-
Hi again, everyone. We've got a big update for you, and we could use your help testing things out. If you just want to test the cooldowns beta, jump straight to the end of this post. Before that, we have some other updates and background on cooldowns that we think you'll want to hear.
6
+
Hi again, everyone. We've got a big update for you, and we could use your help testing things out. If you just want to test the cooldowns beta, you can jump straight to [the cooldown docs](/cooldowns/). The rest of this post has updates from the team, as well as more background on why we built cooldowns in the first place.
8
7
9
8
## Recent work
10
9
11
-
Since our last update, we've been quite busy. Ellen has been working on [`jwl`](https://github.com/duckinator/jwl), demonstrating several ways that gems could be simpler. Olle did maintenance work on more repos than you can shake a stick at, including [a big testing PR](https://github.com/brunofacca/active-record-query-trace/pull/79) to [ActiveRecordQueryTrace](https://github.com/brunofacca/active-record-query-trace/). Martin built the [Skillet](https://github.com/martinemde/skillet) CLI tool to run Claude Skills as shell scripts. David fixed countless bugs in [`rv`](https://rv.dev), and worked with André on the new [`rv clean-install` command](https://spinel.coop/blog/rv-clean-install/), which works like `bundle install --frozen`. Samuel built and shipped the [arctic](github.com/persona-id/arctic) gem, providing frozen strings from ENV to save on allocations. Josef has been [investigating the new RubyBox feature in Ruby 4.0](https://rubyelders.com/writings/2026-01-ruby-box-reload.html). Our newest member Kasper released 1.0 versions for his Rails extensions[Oaken](https://github.com/kaspth/oaken), [Associated Object](https://github.com/kaspth/active_record-associated_object "active_record-associated_object"), [Stashed Redirects](https://github.com/kaspth/action_controller-stashed_redirects "action_controller-stashed_redirects"), and [Performs](https://github.com/kaspth/active_job-performs "active_job-performs").
10
+
Since our last update, we've been quite busy.
11
+
12
+
- Ellen has been working on [`jwl`](https://github.com/duckinator/jwl), demonstrating several ways that gems could be simpler.
13
+
- Olle did maintenance work on more repos than you can shake a stick at, including [a big testing PR](https://github.com/brunofacca/active-record-query-trace/pull/79) to [ActiveRecordQueryTrace](https://github.com/brunofacca/active-record-query-trace/).
14
+
- Martin built the [Skillet](https://github.com/martinemde/skillet) CLI tool to run Claude Skills as shell scripts.
15
+
- André (with lots of help from David) worked on the new [`rv clean-install` command](https://spinel.coop/blog/rv-clean-install/), which works like `bundle install --frozen`.
16
+
- David also fixed countless bugs in [`rv`](https://rv.dev), ensuring that installing ruby, installing gems, and compiling native extensions all work as expected.
17
+
- Samuel built and shipped the [arctic](github.com/persona-id/arctic) gem, providing frozen strings from ENV to save on allocations.
18
+
- Josef has been [investigating the new RubyBox feature in Ruby 4.0](https://rubyelders.com/writings/2026-01-ruby-box-reload.html).
19
+
- Kasper, our newest member, released 1.0 versions for his Rails extensions [Oaken](https://github.com/kaspth/oaken), [Associated Object](https://github.com/kaspth/active_record-associated_object"active_record-associated_object"), [Stashed Redirects](https://github.com/kaspth/action_controller-stashed_redirects"action_controller-stashed_redirects"), and [Performs](https://github.com/kaspth/active_job-performs"active_job-performs").
12
20
13
21
In addition to all of that work, we've also been experimenting with different ways of serving gems. Some of our experiments aren't fully baked yet, and we'll be back with more announcements soon. Today, we'd like to talk about our first fully baked experiment: cooldowns.
14
22
15
-
## What are cooldowns
23
+
## What's a cooldown
16
24
17
25
The concept of cooldowns is probably best explained in William Woodruff's blog post [We should all be using dependency cooldowns](https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns). The short version is that waiting a couple of days before upgrading your dependencies is a very effective security measure. Most compromised or malware-loaded packages are discovered and removed within a day or two. The very most sophisticated attacks (like [the attack on xz](https://research.swtch.com/xz-timeline)) managed to avoid discovery for about 5 weeks, but attacks of that sophistication are extremely rare. As William points out in his post, just waiting 48 hours would have avoided almost all of the significant supply chain attacks from the last 18 months.
18
26
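Review bot: the `arctic` link on new line 17 is `github.com/persona-id/arctic` with no scheme (carried over from old line 11), so Markdown renders it as a relative path under the site rather than a link to GitHub; prefix it with `https://`. The Kasper entry on new line 19 also drops the space between each URL and its quoted title (`...active_record-associated_object"active_record-associated_object"`), which old line 11 had; without that space CommonMark folds the quoted title into the link destination and the links break, so restore the space if this isn't just a rendering artifact. Minor: `## What's a cooldown` on line 23 could end with a question mark to match `### Why use cooldowns?` in the docs page.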
@@ -24,15 +32,15 @@ We're launching cooldowns as a beta feature, meaning it's only available from `b
24
32
25
33
## Using cooldowns
26
34
27
-
To use the cooldowns feature, change the `source` in your Gemfile like this:
35
+
The cooldown source has a 48 hour delay, and updates at least once every hour.
36
+
37
+
To use the cooldowns feature, ensuring that you aren't able to see or install any gems that are less than 48 hours old, change the `source` in your Gemfile like this:
28
38
29
39
```diff
30
40
-source "https://gem.coop"
31
41
+source "https://beta.gem.coop/cooldown"
32
42
```
33
43
34
-
The cooldown source has a 48 hour delay, and updates at least once every hour.
35
-
36
44
If you need to install any gems that have just been released with critical security fixes, you can do that too:
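Review bot: the new sentence on line 37 promises that readers "aren't able to see or install any gems that are less than 48 hours old", but that only holds when the cooldown server is the sole `source` in the Gemfile; any additional `source` block, or git and path sources, are still fetched directly, so either qualify the claim or tell readers to check for other sources before relying on it. Minor: line 35 should read "48-hour delay" (hyphenated compound adjective), and since the index refreshes at most hourly, a gem can stay hidden for up to roughly 49 hours, which is worth a word for anyone timing upgrades.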