Cooldown option for bundle update and bundle outdated

[mudge]

@woodruffw’s “We should all be using dependency cooldowns” makes a good case that supporting a cooldown (a window of time between when a dependency is published and when it’s considered suitable for use) when updating dependencies is an effective way to mitigate common supply chain attacks.

npm-check-update supports this natively via its cooldown option, pnpm via its minimumReleaseAge, and Dependabot via cooldown.

Could Bundler support this directly itself when calling the likes of bundle update and bundle outdated?

At the moment, it seems Dependabot separately queries the RubyGems (and private registries’) API to determine the release date for each gem version so I assume this isn’t already readily available via a CLI command.

[hsbt]

Could Bundler support this directly itself when calling the likes of bundle update and bundle outdated?

👋 I'm positive to add this proposal to rubygems and bundler. I think it should be in the settings rather than options like pnpm, what do you think?

FYI: https://docs.renovatebot.com/key-concepts/minimum-release-age/

[mudge]

Would that make it simpler for the cooldown to apply to all applicable commands (rather than having to add a command line flag to individual commands)? If so, and especially if it can be controlled by an equivalent environment variable, that would work for my use case (automatically running bundle update in a scheduled workflow to regularly raise dependency updates).