bundler 4.0.10 → 4.0.14

data/lib/bundler/man/bundle-outdated.1

@@ -1,10 +1,10 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-OUTDATED" "1" "March 2026" ""
+.TH "BUNDLE\-OUTDATED" "1" "April 2026" ""
 .SH "NAME"
 \fBbundle\-outdated\fR \- List installed gems with newer versions available
 .SH "SYNOPSIS"
-\fBbundle outdated\fR [GEM] [\-\-local] [\-\-pre] [\-\-source] [\-\-filter\-strict | \-\-strict] [\-\-update\-strict] [\-\-parseable | \-\-porcelain] [\-\-group=GROUP] [\-\-groups] [\-\-patch|\-\-minor|\-\-major] [\-\-filter\-major] [\-\-filter\-minor] [\-\-filter\-patch] [\-\-only\-explicit]
+\fBbundle outdated\fR [GEM] [\-\-local] [\-\-pre] [\-\-source] [\-\-filter\-strict | \-\-strict] [\-\-update\-strict] [\-\-parseable | \-\-porcelain] [\-\-group=GROUP] [\-\-groups] [\-\-patch|\-\-minor|\-\-major] [\-\-filter\-major] [\-\-filter\-minor] [\-\-filter\-patch] [\-\-only\-explicit] [\-\-cooldown=NUMBER]
 .SH "DESCRIPTION"
 Outdated lists the names and versions of gems that have a newer version available in the given source\. Calling outdated with [GEM [GEM]] will only check for newer versions of the given gems\. Prerelease gems are ignored by default\. If your gems are up to date, Bundler will exit with a status of 0\. Otherwise, it will exit 1\.
 .SH "OPTIONS"
@@ -53,6 +53,9 @@ Only list patch newer versions\.
 .TP
 \fB\-\-only\-explicit\fR
 Only list gems specified in your Gemfile, not their dependencies\.
+.TP
+\fB\-\-cooldown=<number>\fR
+Annotate (rather than hide) versions that are still inside the cooldown window of \fInumber\fR days\. The prose output appends "in cooldown for Nd more days" and the table form adds "(cooldown Nd)" to the Latest column\. See \fBcooldown\fR in bundle\-config(1)\.
 .SH "PATCH LEVEL OPTIONS"
 See bundle update(1) \fIbundle\-update\.1\.html\fR for details\.
 .SH "FILTERING OUTPUT"
@@ -61,42 +64,42 @@ The 3 filtering options do not affect the resolution of versions, merely what ve
 If the regular output shows the following:
 .IP "" 4
 .nf
-* Gem       Current  Latest  Requested  Groups
-* faker     1\.6\.5    1\.6\.6   ~> 1\.4     development, test
-* hashie    1\.2\.0    3\.4\.6   = 1\.2\.0    default
-* headless  2\.2\.3    2\.3\.1   = 2\.2\.3    test
+* Gem       Current  Latest  Requested  Groups              Release Date
+* faker     1\.6\.5    1\.6\.6   ~> 1\.4     development, test   2024\-02\-05
+* hashie    1\.2\.0    3\.4\.6   = 1\.2\.0    default             2023\-11\-10
+* headless  2\.2\.3    2\.3\.1   = 2\.2\.3    test                2022\-08\-19
 .fi
 .IP "" 0
 .P
 \fB\-\-filter\-major\fR would only show:
 .IP "" 4
 .nf
-* Gem       Current  Latest  Requested  Groups
-* hashie    1\.2\.0    3\.4\.6   = 1\.2\.0    default
+* Gem       Current  Latest  Requested  Groups   Release Date
+* hashie    1\.2\.0    3\.4\.6   = 1\.2\.0    default  2023\-11\-10
 .fi
 .IP "" 0
 .P
 \fB\-\-filter\-minor\fR would only show:
 .IP "" 4
 .nf
-* Gem       Current  Latest  Requested  Groups
-* headless  2\.2\.3    2\.3\.1   = 2\.2\.3    test
+* Gem       Current  Latest  Requested  Groups  Release Date
+* headless  2\.2\.3    2\.3\.1   = 2\.2\.3    test    2022\-08\-19
 .fi
 .IP "" 0
 .P
 \fB\-\-filter\-patch\fR would only show:
 .IP "" 4
 .nf
-* Gem       Current  Latest  Requested  Groups
-* faker     1\.6\.5    1\.6\.6   ~> 1\.4     development, test
+* Gem       Current  Latest  Requested  Groups              Release Date
+* faker     1\.6\.5    1\.6\.6   ~> 1\.4     development, test   2024\-02\-05
 .fi
 .IP "" 0
 .P
 Filter options can be combined\. \fB\-\-filter\-minor\fR and \fB\-\-filter\-patch\fR would show:
 .IP "" 4
 .nf
-* Gem       Current  Latest  Requested  Groups
-* faker     1\.6\.5    1\.6\.6   ~> 1\.4     development, test
+* Gem       Current  Latest  Requested  Groups              Release Date
+* faker     1\.6\.5    1\.6\.6   ~> 1\.4     development, test   2024\-02\-05
 .fi
 .IP "" 0
 .P

data/lib/bundler/man/bundle-outdated.1.ronn

@@ -16,6 +16,7 @@ bundle-outdated(1) -- List installed gems with newer versions available
                         [--filter-minor]
                         [--filter-patch]
                         [--only-explicit]
+                        [--cooldown=NUMBER]
 
 ## DESCRIPTION
 
@@ -71,6 +72,12 @@ are up to date, Bundler will exit with a status of 0. Otherwise, it will exit 1.
 * `--only-explicit`:
   Only list gems specified in your Gemfile, not their dependencies.
 
+* `--cooldown=<number>`:
+  Annotate (rather than hide) versions that are still inside the
+  cooldown window of <number> days. The prose output appends "in
+  cooldown for Nd more days" and the table form adds "(cooldown Nd)" to
+  the Latest column. See `cooldown` in bundle-config(1).
+
 ## PATCH LEVEL OPTIONS
 
 See [bundle update(1)](bundle-update.1.html) for details.
@@ -82,29 +89,29 @@ in the output.
 
 If the regular output shows the following:
 
-    * Gem       Current  Latest  Requested  Groups
-    * faker     1.6.5    1.6.6   ~> 1.4     development, test
-    * hashie    1.2.0    3.4.6   = 1.2.0    default
-    * headless  2.2.3    2.3.1   = 2.2.3    test
+    * Gem       Current  Latest  Requested  Groups              Release Date
+    * faker     1.6.5    1.6.6   ~> 1.4     development, test   2024-02-05
+    * hashie    1.2.0    3.4.6   = 1.2.0    default             2023-11-10
+    * headless  2.2.3    2.3.1   = 2.2.3    test                2022-08-19
 
 `--filter-major` would only show:
 
-    * Gem       Current  Latest  Requested  Groups
-    * hashie    1.2.0    3.4.6   = 1.2.0    default
+    * Gem       Current  Latest  Requested  Groups   Release Date
+    * hashie    1.2.0    3.4.6   = 1.2.0    default  2023-11-10
 
 `--filter-minor` would only show:
 
-    * Gem       Current  Latest  Requested  Groups
-    * headless  2.2.3    2.3.1   = 2.2.3    test
+    * Gem       Current  Latest  Requested  Groups  Release Date
+    * headless  2.2.3    2.3.1   = 2.2.3    test    2022-08-19
 
 `--filter-patch` would only show:
 
-    * Gem       Current  Latest  Requested  Groups
-    * faker     1.6.5    1.6.6   ~> 1.4     development, test
+    * Gem       Current  Latest  Requested  Groups              Release Date
+    * faker     1.6.5    1.6.6   ~> 1.4     development, test   2024-02-05
 
 Filter options can be combined. `--filter-minor` and `--filter-patch` would show:
 
-    * Gem       Current  Latest  Requested  Groups
-    * faker     1.6.5    1.6.6   ~> 1.4     development, test
+    * Gem       Current  Latest  Requested  Groups              Release Date
+    * faker     1.6.5    1.6.6   ~> 1.4     development, test   2024-02-05
 
 Combining all three `filter` options would be the same result as providing none of them.

data/lib/bundler/man/bundle-platform.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-PLATFORM" "1" "March 2026" ""
+.TH "BUNDLE\-PLATFORM" "1" "April 2026" ""
 .SH "NAME"
 \fBbundle\-platform\fR \- Displays platform compatibility information
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-plugin.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-PLUGIN" "1" "March 2026" ""
+.TH "BUNDLE\-PLUGIN" "1" "April 2026" ""
 .SH "NAME"
 \fBbundle\-plugin\fR \- Manage Bundler plugins
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-pristine.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-PRISTINE" "1" "March 2026" ""
+.TH "BUNDLE\-PRISTINE" "1" "April 2026" ""
 .SH "NAME"
 \fBbundle\-pristine\fR \- Restores installed gems to their pristine condition
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-remove.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-REMOVE" "1" "March 2026" ""
+.TH "BUNDLE\-REMOVE" "1" "April 2026" ""
 .SH "NAME"
 \fBbundle\-remove\fR \- Removes gems from the Gemfile
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-show.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-SHOW" "1" "March 2026" ""
+.TH "BUNDLE\-SHOW" "1" "April 2026" ""
 .SH "NAME"
 \fBbundle\-show\fR \- Shows all the gems in your bundle, or the path to a gem
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-update.1

@@ -1,10 +1,10 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-UPDATE" "1" "March 2026" ""
+.TH "BUNDLE\-UPDATE" "1" "April 2026" ""
 .SH "NAME"
 \fBbundle\-update\fR \- Update your gems to the latest available versions
 .SH "SYNOPSIS"
-\fBbundle update\fR \fI*gems\fR [\-\-all] [\-\-group=NAME] [\-\-source=NAME] [\-\-local] [\-\-ruby] [\-\-bundler[=VERSION]] [\-\-force] [\-\-full\-index] [\-\-gemfile=GEMFILE] [\-\-jobs=NUMBER] [\-\-quiet] [\-\-patch|\-\-minor|\-\-major] [\-\-pre] [\-\-strict] [\-\-conservative]
+\fBbundle update\fR \fI*gems\fR [\-\-all] [\-\-group=NAME] [\-\-source=NAME] [\-\-local] [\-\-ruby] [\-\-bundler[=VERSION]] [\-\-cooldown=NUMBER] [\-\-force] [\-\-full\-index] [\-\-gemfile=GEMFILE] [\-\-jobs=NUMBER] [\-\-quiet] [\-\-patch|\-\-minor|\-\-major] [\-\-pre] [\-\-strict] [\-\-conservative]
 .SH "DESCRIPTION"
 Update the gems specified (all gems, if \fB\-\-all\fR flag is used), ignoring the previously installed gems specified in the \fBGemfile\.lock\fR\. In general, you should use bundle install(1) \fIbundle\-install\.1\.html\fR to install the same exact gems and versions across machines\.
 .P
@@ -64,6 +64,9 @@ Do not allow any gem to be updated past latest \fB\-\-patch\fR | \fB\-\-minor\fR
 .TP
 \fB\-\-conservative\fR
 Use bundle install conservative update behavior and do not allow indirect dependencies to be updated\.
+.TP
+\fB\-\-cooldown=<number>\fR
+Only consider gem versions published at least \fInumber\fR days ago when resolving\. Pass \fB0\fR to disable cooldown for this run, overriding any per\-source or global configuration\. Combine with \fB\-\-conservative\fR to minimize transitive churn when bypassing cooldown for an urgent update\. See \fBcooldown\fR in bundle\-config(1)\.
 .SH "UPDATING ALL GEMS"
 If you run \fBbundle update \-\-all\fR, bundler will ignore any previously installed gems and resolve all dependencies again based on the latest versions of all gems available in the sources\.
 .P

data/lib/bundler/man/bundle-update.1.ronn

@@ -9,6 +9,7 @@ bundle-update(1) -- Update your gems to the latest available versions
                         [--local]
                         [--ruby]
                         [--bundler[=VERSION]]
+                        [--cooldown=NUMBER]
                         [--force]
                         [--full-index]
                         [--gemfile=GEMFILE]
@@ -91,6 +92,13 @@ gem.
 * `--conservative`:
   Use bundle install conservative update behavior and do not allow indirect dependencies to be updated.
 
+* `--cooldown=<number>`:
+  Only consider gem versions published at least <number> days ago when
+  resolving. Pass `0` to disable cooldown for this run, overriding any
+  per-source or global configuration. Combine with `--conservative` to
+  minimize transitive churn when bypassing cooldown for an urgent
+  update. See `cooldown` in bundle-config(1).
+
 ## UPDATING ALL GEMS
 
 If you run `bundle update --all`, bundler will ignore

data/lib/bundler/man/bundle-version.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-VERSION" "1" "March 2026" ""
+.TH "BUNDLE\-VERSION" "1" "April 2026" ""
 .SH "NAME"
 \fBbundle\-version\fR \- Prints Bundler version information
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE" "1" "March 2026" ""
+.TH "BUNDLE" "1" "April 2026" ""
 .SH "NAME"
 \fBbundle\fR \- Ruby Dependency Management
 .SH "SYNOPSIS"

data/lib/bundler/man/gemfile.5

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "GEMFILE" "5" "March 2026" ""
+.TH "GEMFILE" "5" "April 2026" ""
 .SH "NAME"
 \fBGemfile\fR \- A format for describing gem dependencies for Ruby programs
 .SH "SYNOPSIS"

data/lib/bundler/remote_specification.rb

@@ -12,7 +12,7 @@ module Bundler
 
     attr_reader :name, :version, :platform
     attr_writer :dependencies
-    attr_accessor :source, :remote, :locked_platform
+    attr_accessor :source, :remote, :locked_platform, :created_at
 
     def initialize(name, version, platform, spec_fetcher)
       @name         = name

data/lib/bundler/resolver.rb

@@ -184,6 +184,9 @@ module Bundler
 
         platforms_explanation = specs_matching_other_platforms.any? ? " for any resolution platforms (#{package.platforms.join(", ")})" : ""
         custom_explanation = "#{constraint} could not be found in #{repository_for(package)}#{platforms_explanation}"
+        if hint = cooldown_hint(specs_matching_other_platforms)
+          custom_explanation += " (#{hint})"
+        end
 
         label = "#{name} (#{constraint_string})"
         extended_explanation = other_specs_matching_message(specs_matching_other_platforms, label) if specs_matching_other_platforms.any?
@@ -353,6 +356,10 @@ module Bundler
         message << "\n#{other_specs_matching_message(specs, matching_part)}"
       end
 
+      if hint = cooldown_hint(specs_matching_requirement)
+        message << "\n\n#{hint}."
+      end
+
       if specs_matching_requirement.any? && (hint = platform_mismatch_hint)
         message << "\n\n#{hint}"
       end
@@ -396,7 +403,7 @@ module Bundler
     end
 
     def filter_specs(specs, package)
-      filter_remote_specs(filter_prereleases(specs, package), package)
+      filter_remote_specs(filter_cooldown(filter_prereleases(specs, package)), package)
     end
 
     def filter_prereleases(specs, package)
@@ -405,6 +412,56 @@ module Bundler
       specs.reject {|s| s.version.prerelease? }
     end
 
+    def filter_cooldown(specs)
+      return specs if specs.empty?
+      excluded_versions = cooldown_excluded_versions(specs)
+      return specs if excluded_versions.empty?
+      specs.reject {|s| excluded_versions.include?([s.name, s.version]) }
+    end
+
+    def cooldown_excluded_versions(specs)
+      excluded = {}
+      specs.each do |spec|
+        next unless cooldown_excluded?(spec)
+        excluded[[spec.name, spec.version]] = true
+      end
+      excluded
+    end
+
+    def cooldown_hint(specs)
+      excluded_versions = cooldown_excluded_versions(specs)
+      return nil if excluded_versions.empty?
+      "#{excluded_versions.size} version#{"s" if excluded_versions.size > 1} excluded by the cooldown setting; pass `--cooldown 0` to bypass"
+    end
+
+    def cooldown_excluded?(spec)
+      return false unless spec.respond_to?(:created_at) && spec.created_at
+      return false unless spec.respond_to?(:remote) && spec.remote
+      return false if pinned_by_lockfile_floor?(spec)
+      days = spec.remote.effective_cooldown
+      return false if days.nil? || days <= 0
+      (cooldown_now - spec.created_at) < (days * 86_400)
+    end
+
+    # A spec sitting exactly at a `>= locked_version` prevent-downgrade floor is
+    # the version the lockfile currently pins. `bundle update` and `bundle
+    # outdated` install that floor so resolution never moves a gem backwards.
+    # Filtering it out for cooldown would then make resolution impossible
+    # whenever the locked version is itself inside the cooldown window, which is
+    # exactly what happens to a lockfile written before cooldown was enabled.
+    # Keep it eligible; gems being explicitly updated carry an exact `=`
+    # requirement instead and stay subject to the cooldown filter.
+    def pinned_by_lockfile_floor?(spec)
+      return false unless defined?(@base) && @base
+      requirement = base_requirements[spec.name]
+      return false unless requirement && !requirement.exact?
+      requirement.requirements.any? {|op, version| op == ">=" && version == spec.version }
+    end
+
+    def cooldown_now
+      @cooldown_now ||= Time.now
+    end
+
     def filter_remote_specs(specs, package)
       if package.prefer_local?
         local_specs = specs.select {|s| s.is_a?(StubSpecification) }

data/lib/bundler/rubygems_ext.rb

@@ -465,6 +465,28 @@ module Gem
     Resolver::APISet::GemParser.prepend(UnfreezeCompactIndexParsedResponse)
   end
 
+  # RubyGems before 4.0.13 split compact index dependency/requirement entries
+  # on every colon, which mangles metadata values that contain colons such as
+  # the `created_at` timestamps the cooldown feature relies on. Split only on
+  # the first colon so those values survive on older RubyGems.
+  #
+  # The module is defined unconditionally so it stays testable on any RubyGems,
+  # but only prepended when the host RubyGems still has the buggy behavior.
+  module SplitCompactIndexEntryOnFirstColon
+    private
+
+    def parse_dependency(string)
+      dependency = string.split(":", 2)
+      dependency[-1] = dependency[-1].split("&") if dependency.size > 1
+      dependency[0] = -dependency[0]
+      dependency
+    end
+  end
+
+  unless Gem.rubygems_version >= Gem::Version.new("4.0.13")
+    Resolver::APISet::GemParser.prepend(SplitCompactIndexEntryOnFirstColon)
+  end
+
   if Gem.rubygems_version < Gem::Version.new("3.6.0")
     class Package; end
     require "rubygems/package/tar_reader"

data/lib/bundler/rubygems_gem_installer.rb

@@ -20,7 +20,7 @@ module Bundler
       strict_rm_rf spec.extension_dir
 
       SharedHelpers.filesystem_access(gem_dir, :create) do
-        FileUtils.mkdir_p gem_dir, mode: 0o755
+        FileUtils.mkdir_p gem_dir
       end
 
       SharedHelpers.filesystem_access(gem_dir, :write) do

data/lib/bundler/settings.rb

@@ -42,6 +42,7 @@ module Bundler
     ].freeze
 
     NUMBER_KEYS = %w[
+      cooldown
       jobs
       redirect
       retry

data/lib/bundler/source/git/git_proxy.rb

@@ -432,9 +432,14 @@ module Bundler
         end
 
         def capture3_args_for(cmd, dir)
-          return ["git", *cmd] unless dir
+          # Disable automatic maintenance so a background commit-graph write in
+          # the source repo can't race the hardlinking local clone and fail with
+          # "hardlink different from source".
+          opts = ["-c", "gc.auto=0", "-c", "maintenance.auto=false"]
 
-          ["git", "-C", dir.to_s, *cmd]
+          return ["git", *opts, *cmd] unless dir
+
+          ["git", "-C", dir.to_s, *opts, *cmd]
         end
 
         def extra_clone_args

data/lib/bundler/source/metadata.rb

@@ -58,6 +58,10 @@ module Bundler
       def version_message(spec)
         "#{spec.name} #{spec.version}"
       end
+
+      def checksum_store
+        @checksum_store ||= Checksum::Store.new
+      end
     end
   end
 end

data/lib/bundler/source/path.rb

@@ -220,10 +220,11 @@ module Bundler
         # Some gem authors put absolute paths in their gemspec
         # and we have to save them from themselves
         spec.files = spec.files.filter_map do |path|
-          next path unless /\A#{Pathname::SEPARATOR_PAT}/o.match?(path)
+          pathname = Pathname.new(path)
+          next path unless pathname.absolute?
           next if File.directory?(path)
           begin
-            Pathname.new(path).relative_path_from(gem_dir).to_s
+            pathname.relative_path_from(gem_dir).to_s
           rescue ArgumentError
             path
           end

data/lib/bundler/source/rubygems/remote.rb

@@ -4,9 +4,9 @@ module Bundler
   class Source
     class Rubygems
       class Remote
-        attr_reader :uri, :anonymized_uri, :original_uri
+        attr_reader :uri, :anonymized_uri, :original_uri, :cooldown
 
-        def initialize(uri)
+        def initialize(uri, cooldown: nil)
           orig_uri = uri
           uri = Bundler.settings.mirror_for(uri)
           @original_uri = orig_uri if orig_uri != uri
@@ -14,6 +14,16 @@ module Bundler
 
           @uri = apply_auth(uri, fallback_auth).freeze
           @anonymized_uri = remove_auth(@uri).freeze
+          @cooldown = cooldown
+        end
+
+        # Returns the cooldown days that apply to this remote, resolving the
+        # precedence CLI > config > Gemfile per-source. Returns nil if no
+        # cooldown applies.
+        def effective_cooldown
+          override = Bundler.settings[:cooldown]
+          return override if override
+          @cooldown
         end
 
         MAX_CACHE_SLUG_HOST_SIZE = 255 - 1 - 32 # 255 minus dot minus MD5 length

data/lib/bundler/source/rubygems.rb

@@ -11,11 +11,12 @@ module Bundler
       API_REQUEST_SIZE = 100
       REQUIRE_MUTEX = Mutex.new
 
-      attr_accessor :remotes
+      attr_accessor :remotes, :remote_cooldowns
 
       def initialize(options = {})
         @options = options
         @remotes = []
+        @remote_cooldowns = {}
         @dependency_names = []
         @allow_remote = false
         @allow_cached = false
@@ -25,7 +26,8 @@ module Bundler
         @gem_installers = {}
         @gem_installers_mutex = Mutex.new
 
-        Array(options["remotes"]).reverse_each {|r| add_remote(r) }
+        cooldown = options["cooldown"]
+        Array(options["remotes"]).reverse_each {|r| add_remote(r, cooldown: cooldown) }
 
         @lockfile_remotes = @remotes if options["from_lockfile"]
       end
@@ -148,6 +150,13 @@ module Bundler
           # sources, and large_idx.merge! small_idx is way faster than
           # small_idx.merge! large_idx.
           index = @allow_remote ? remote_specs.dup : Index.new
+
+          # Snapshot per-version `created_at` from the remote info before installed
+          # / cached specs overwrite the EndpointSpecification objects that carry
+          # it. The cooldown filter consults `created_at` on every candidate, so
+          # local stubs need the published date back-filled to participate.
+          remote_created_at = collect_remote_created_at(index)
+
           index.merge!(cached_specs) if @allow_cached
           index.merge!(installed_specs) if @allow_local
 
@@ -161,6 +170,8 @@ module Bundler
             end
           end
 
+          backfill_created_at(index, remote_created_at) unless remote_created_at.empty?
+
           index
         end
       end
@@ -243,9 +254,14 @@ module Bundler
         cached_path
       end
 
-      def add_remote(source)
+      def add_remote(source, cooldown: nil)
         uri = normalize_uri(source)
         @remotes.unshift(uri) unless @remotes.include?(uri)
+        @remote_cooldowns[uri] = cooldown if cooldown
+      end
+
+      def cooldown_for(uri)
+        @remote_cooldowns[uri]
       end
 
       def spec_names
@@ -266,7 +282,7 @@ module Bundler
 
       def remote_fetchers
         @remote_fetchers ||= remotes.to_h do |uri|
-          remote = Source::Rubygems::Remote.new(uri)
+          remote = Source::Rubygems::Remote.new(uri, cooldown: cooldown_for(uri))
           [remote, Bundler::Fetcher.new(remote)]
         end.freeze
       end
@@ -314,6 +330,13 @@ module Bundler
         @allow_remote && api_fetchers.any?
       end
 
+      def clear_cache
+        @specs = nil
+        @installed_specs = nil
+        @default_specs = nil
+        @cached_specs = nil
+      end
+
       protected
 
       def remote_names
@@ -456,6 +479,31 @@ module Bundler
 
       private
 
+      def collect_remote_created_at(index)
+        return {} unless @allow_remote
+
+        snapshot = {}
+        index.each do |spec|
+          next unless spec.respond_to?(:created_at) && spec.created_at
+          # Remember the remote that supplied the date too: when a source has
+          # several remotes with different per-URI cooldown settings we must
+          # restore the same one during backfill so `effective_cooldown` agrees.
+          snapshot[[spec.name, spec.version]] = [spec.created_at, spec.remote]
+        end
+        snapshot
+      end
+
+      def backfill_created_at(index, snapshot)
+        index.each do |spec|
+          next unless spec.respond_to?(:created_at=)
+          next if spec.created_at
+          remote_created_at, remote = snapshot[[spec.name, spec.version]]
+          next unless remote_created_at
+          spec.created_at = remote_created_at
+          spec.remote ||= remote if remote && spec.respond_to?(:remote=)
+        end
+      end
+
       def lockfile_remotes
         @lockfile_remotes || credless_remotes
       end
@@ -508,7 +556,7 @@ module Bundler
 
       # We are using a mutex to reaed and write from/to the hash.
       # The reason this double synchronization was added is for performance
-      # and lock the mutex for the shortest possible amount of time. Otherwise,
+      # and to lock the mutex for the shortest possible amount of time. Otherwise,
       # all threads are fighting over this mutex and when it gets acquired it gets locked
       # until a threads finishes downloading a gem, leaving the other threads waiting
       # doing nothing.

data/lib/bundler/source_list.rb

@@ -59,8 +59,8 @@ module Bundler
       add_source_to_list Plugin.source(source).new(options), @plugin_sources
     end
 
-    def add_global_rubygems_remote(uri)
-      global_rubygems_source.add_remote(uri)
+    def add_global_rubygems_remote(uri, cooldown: nil)
+      global_rubygems_source.add_remote(uri, cooldown: cooldown)
       global_rubygems_source
     end
 
@@ -136,6 +136,10 @@ module Bundler
       all_sources.each(&:remote!)
     end
 
+    def clear_cache
+      rubygems_sources.each(&:clear_cache)
+    end
+
     private
 
     def map_sources(replacement_sources)
@@ -165,6 +169,10 @@ module Bundler
         # locked sources never include credentials so always prefer remotes from the gemfile
         replacement_source.remotes = gemfile_source.remotes
 
+        # cooldowns are only ever declared in the Gemfile, so carry them over
+        # along with the remotes they apply to
+        replacement_source.remote_cooldowns = gemfile_source.remote_cooldowns
+
         yield replacement_source if block_given?
 
         replacement_source

data/lib/bundler/templates/newgem/newgem.gemspec.tt

@@ -22,6 +22,12 @@ Gem::Specification.new do |spec|
   spec.metadata["changelog_uri"] = "<%= config[:changelog_uri] %>"
 <%- end -%>
 
+  # Uncomment the line below to require MFA for gem pushes.
+  # This helps protect your gem from supply chain attacks by ensuring
+  # no one can publish a new version without multi-factor authentication.
+  # See: https://guides.rubygems.org/mfa-requirement-opt-in/
+  # spec.metadata["rubygems_mfa_required"] = "true"
+
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
   gemspec = File.basename(__FILE__)
@@ -48,5 +54,5 @@ Gem::Specification.new do |spec|
 <%- end -%>
 
   # For more information and examples about making a new gem, check out our
-  # guide at: https://bundler.io/guides/creating_gem.html
+  # guide at: https://guides.rubygems.org/make-your-own-gem/
 end