bundler 4.0.12 → 4.0.13

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 94fc49b469e2eb2c15c70f7bb43e4503f0de0962380b5b6eea5909bff3a08d1e
-  data.tar.gz: 301b0eb9cb089ba4fda55fcbcd1ad1e65c608c35107906a415546245d58d1368
+  metadata.gz: 6aecb16228f32866a007c26b7a70fd787bcf81d42ee002004ba3ec2dd2625694
+  data.tar.gz: 5bce03c60cbf8034dfc540848298fbe3d8958314dc8513b61c0e8238f180f096
 SHA512:
-  metadata.gz: ca630b85c261a32145258e2264627f9beca9c45c72cc21ad195a72774d28808fbe57a9b6242af937ac2ee85d636f0f7f73278c97aeae7cf8a7b1de58f7480f50
-  data.tar.gz: 40329f0aa226b3e314c740e765ae8d22e298666fcf05454bb9b1788639e4ef1b8bea18cb74f2da33245b0faefcd2dac70175169067f375841decc36bd01523d7
+  metadata.gz: 4500a906181c0c43b1384fd9dda403dcc00ec11466911c156b01b309f2886336e756057af742396786ad2a0111e1a650729ad7bc03d09d04b0984a3770d4ebf4
+  data.tar.gz: 11e96f5ebdeca17df80db3506f010fd190b35c12cc8fd82532f6eeea9b51aa7b113a353c1cf88df215846c0226696a672813a79bf06202a3e5ffd7b543b0805a

data/CHANGELOG.md

@@ -1,5 +1,21 @@
 # Changelog
 
+## 4.0.13 / 2026-06-03
+
+### Enhancements:
+
+* Do not hard-code permissions for new gem directories during bundle install. Pull request [#9557](https://github.com/ruby/rubygems/pull/9557) by maxfelsher-cgi
+* Clear gem specification cache after acquiring process lock. Pull request [#9310](https://github.com/ruby/rubygems/pull/9310) by ngan
+* Show release date with bundle outdated. Pull request [#9337](https://github.com/ruby/rubygems/pull/9337) by hsbt
+
+### Bug fixes:
+
+* Apply cooldown to locally installed gem versions. Pull request [#9582](https://github.com/ruby/rubygems/pull/9582) by hsbt
+
+### Security:
+
+* Add `cooldown` to delay newly published gem. Pull request [#9576](https://github.com/ruby/rubygems/pull/9576) by hsbt
+
 ## 4.0.12 / 2026-05-20
 
 ### Enhancements:

data/lib/bundler/build_metadata.rb

@@ -5,7 +5,7 @@ module Bundler
   module BuildMetadata
     # begin ivars
     @built_at = nil
-    @git_commit_sha = "665f998196".freeze
+    @git_commit_sha = "003f20f0dc".freeze
     # end ivars
 
     # A hash representation of the build metadata.

data/lib/bundler/cli/add.rb

@@ -14,6 +14,9 @@ module Bundler
     def run
       Bundler.ui.level = "warn" if options[:quiet]
 
+      Bundler::CLI::Common.validate_cooldown!(options[:cooldown])
+      Bundler.settings.set_command_option_if_given :cooldown, options[:cooldown]
+
       validate_options!
       inject_dependencies
       perform_bundle_install unless options["skip-install"]

data/lib/bundler/cli/common.rb

@@ -2,6 +2,12 @@
 
 module Bundler
   module CLI::Common
+    def self.validate_cooldown!(value)
+      return if value.nil?
+      return if value.is_a?(Integer) && value >= 0
+      raise InvalidOption, "Expected `--cooldown` to be a non-negative integer, got #{value.inspect}"
+    end
+
     def self.output_post_install_messages(messages)
       return if Bundler.settings["ignore_messages"]
       messages.to_a.each do |name, msg|

data/lib/bundler/cli/install.rb

@@ -112,6 +112,9 @@ module Bundler
 
       Bundler.settings.set_command_option_if_given :jobs, options["jobs"]
 
+      Bundler::CLI::Common.validate_cooldown!(options["cooldown"])
+      Bundler.settings.set_command_option_if_given :cooldown, options["cooldown"]
+
       Bundler.settings.set_command_option_if_given :no_prune, options["no-prune"]
 
       Bundler.settings.set_command_option_if_given :no_install, options["no-install"]

data/lib/bundler/cli/outdated.rb

@@ -26,6 +26,9 @@ module Bundler
     def run
       check_for_deployment_mode!
 
+      Bundler::CLI::Common.validate_cooldown!(options[:cooldown])
+      Bundler.settings.set_command_option_if_given :cooldown, options[:cooldown]
+
       Bundler.definition.validate_runtime!
       current_specs = Bundler.ui.silence { Bundler.definition.resolve }
 
@@ -199,7 +202,15 @@ module Bundler
       end
 
       spec_outdated_info = "#{active_spec.name} (newest #{spec_version}, " \
-        "installed #{current_version}#{dependency_version})"
+        "installed #{current_version}#{dependency_version}"
+
+      release_date = release_date_for(active_spec)
+      spec_outdated_info += ", released #{release_date}" unless release_date.empty?
+
+      remaining = cooldown_days_remaining(active_spec)
+      spec_outdated_info += ", in cooldown for #{remaining} more day#{"s" if remaining > 1}" if remaining
+
+      spec_outdated_info += ")"
 
       output_message = if options[:parseable]
         spec_outdated_info.to_s
@@ -215,13 +226,25 @@ module Bundler
     def gem_column_for(current_spec, active_spec, dependency, groups)
       current_version = "#{current_spec.version}#{current_spec.git_version}"
       spec_version = "#{active_spec.version}#{active_spec.git_version}"
+      remaining = cooldown_days_remaining(active_spec)
+      spec_version += " (cooldown #{remaining}d)" if remaining
       dependency = dependency.requirement if dependency
 
       ret_val = [active_spec.name, current_version, spec_version, dependency.to_s, groups.to_s]
+      ret_val << release_date_for(active_spec)
       ret_val << loaded_from_for(active_spec).to_s if Bundler.ui.debug?
       ret_val
     end
 
+    def cooldown_days_remaining(spec, now = Time.now)
+      return nil unless spec.respond_to?(:created_at) && spec.created_at
+      return nil unless spec.respond_to?(:remote) && spec.remote
+      days = spec.remote.effective_cooldown
+      return nil if days.nil? || days <= 0
+      remaining = days - ((now - spec.created_at) / 86_400.0)
+      remaining > 0 ? remaining.ceil : nil
+    end
+
     def check_for_deployment_mode!
       return unless Bundler.frozen_bundle?
       suggested_command = if Bundler.settings.locations("frozen").keys.&([:global, :local]).any?
@@ -283,11 +306,28 @@ module Bundler
     end
 
     def table_header
-      header = ["Gem", "Current", "Latest", "Requested", "Groups"]
+      header = ["Gem", "Current", "Latest", "Requested", "Groups", "Release Date"]
       header << "Path" if Bundler.ui.debug?
       header
     end
 
+    def release_date_for(spec)
+      return "" unless spec.respond_to?(:date)
+
+      date = spec.date
+      return "" unless date
+
+      return "" unless Gem.const_defined?(:DEFAULT_SOURCE_DATE_EPOCH)
+      default_date = Time.at(Gem::DEFAULT_SOURCE_DATE_EPOCH).utc
+      default_date = Time.utc(default_date.year, default_date.month, default_date.day)
+
+      date = date.utc if date.respond_to?(:utc)
+
+      return "" if date == default_date
+
+      date.strftime("%Y-%m-%d")
+    end
+
     def justify(row, sizes)
       row.each_with_index.map do |element, index|
         element.ljust(sizes[index])

data/lib/bundler/cli/update.rb

@@ -66,6 +66,8 @@ module Bundler
       opts["force"] = options[:redownload] if options[:redownload]
 
       Bundler.settings.set_command_option_if_given :jobs, opts["jobs"]
+      Bundler::CLI::Common.validate_cooldown!(options[:cooldown])
+      Bundler.settings.set_command_option_if_given :cooldown, options[:cooldown]
 
       Bundler.definition.validate_runtime!
 

data/lib/bundler/cli.rb

@@ -274,6 +274,7 @@ module Bundler
     method_option "target-rbconfig", type: :string, banner: "Path to rbconfig.rb for the deployment target platform"
     method_option "without", type: :array, banner: "Exclude gems that are part of the specified named group (removed)."
     method_option "with", type: :array, banner: "Include gems that are part of the specified named group (removed)."
+    method_option "cooldown", type: :numeric, banner: "Only consider gem versions published at least N days ago. Use 0 to disable."
     def install
       %w[clean deployment frozen no-prune path shebang without with].each do |option|
         remembered_flag_deprecation(option)
@@ -324,6 +325,7 @@ module Bundler
     method_option "strict", type: :boolean, banner: "Do not allow any gem to be updated past latest --patch | --minor | --major"
     method_option "conservative", type: :boolean, banner: "Use bundle install conservative update behavior and do not allow shared dependencies to be updated."
     method_option "all", type: :boolean, banner: "Update everything."
+    method_option "cooldown", type: :numeric, banner: "Only consider gem versions published at least N days ago. Use 0 to disable."
     def update(*gems)
       require_relative "cli/update"
       Bundler.settings.temporary(no_install: false) do
@@ -405,6 +407,7 @@ module Bundler
     method_option "skip-install", type: :boolean, banner: "Adds gem to the Gemfile but does not install it"
     method_option "optimistic", type: :boolean, banner: "Adds optimistic declaration of version to gem"
     method_option "strict", type: :boolean, banner: "Adds strict declaration of version to gem"
+    method_option "cooldown", type: :numeric, banner: "Only consider gem versions published at least N days ago. Use 0 to disable."
     def add(*gems)
       require_relative "cli/add"
       Add.new(options.dup, gems).run
@@ -435,6 +438,7 @@ module Bundler
     method_option "filter-patch", type: :boolean, banner: "Only list patch newer versions"
     method_option "parseable", aliases: "--porcelain", type: :boolean, banner: "Use minimal formatting for more parseable output"
     method_option "only-explicit", type: :boolean, banner: "Only list gems specified in your Gemfile, not their dependencies"
+    method_option "cooldown", type: :numeric, banner: "Only consider gem versions published at least N days ago. Use 0 to disable."
     def outdated(*gems)
       require_relative "cli/outdated"
       Outdated.new(options, gems).run

data/lib/bundler/dsl.rb

@@ -116,6 +116,10 @@ module Bundler
       options = args.last.is_a?(Hash) ? args.pop.dup : {}
       options = normalize_hash(options)
       source = normalize_source(source)
+      cooldown = options["cooldown"]
+      if cooldown && !(cooldown.is_a?(Integer) && cooldown >= 0)
+        raise InvalidOption, "Expected `cooldown` to be a non-negative integer, got #{cooldown.inspect}"
+      end
 
       if options.key?("type")
         options["type"] = options["type"].to_s
@@ -130,9 +134,9 @@ module Bundler
         source_opts = options.merge("uri" => source)
         with_source(@sources.add_plugin_source(options["type"], source_opts), &blk)
       elsif block_given?
-        with_source(@sources.add_rubygems_source("remotes" => source), &blk)
+        with_source(@sources.add_rubygems_source("remotes" => source, "cooldown" => cooldown), &blk)
       else
-        @sources.add_global_rubygems_remote(source)
+        @sources.add_global_rubygems_remote(source, cooldown: cooldown)
       end
     end
 

data/lib/bundler/endpoint_specification.rb

@@ -5,7 +5,7 @@ module Bundler
   class EndpointSpecification < Gem::Specification
     include MatchRemoteMetadata
 
-    attr_reader :name, :version, :platform, :checksum
+    attr_reader :name, :version, :platform, :checksum, :created_at
     attr_writer :dependencies
     attr_accessor :remote, :locked_platform
 
@@ -145,6 +145,7 @@ module Bundler
       unless data
         @required_ruby_version = nil
         @required_rubygems_version = nil
+        @created_at = nil
         return
       end
 
@@ -161,6 +162,15 @@ module Bundler
           @required_rubygems_version = Gem::Requirement.new(v)
         when "ruby"
           @required_ruby_version = Gem::Requirement.new(v)
+        when "created_at"
+          value = v.is_a?(Array) ? v.last : v
+          if value.is_a?(String)
+            @created_at = begin
+              Time.new(value)
+            rescue ArgumentError
+              nil
+            end
+          end
         end
       end
     rescue StandardError => e

data/lib/bundler/installer.rb

@@ -63,6 +63,11 @@ module Bundler
       Bundler.create_bundle_path
 
       ProcessLock.lock do
+        # Invalidate any stale gem specification cache from before we acquired the lock.
+        # Another process may have installed gems while we were waiting.
+        Gem::Specification.reset
+        @definition.sources.clear_cache
+
         @definition.ensure_equivalent_gemfile_and_lockfile(options[:deployment])
 
         if @definition.dependencies.empty?

data/lib/bundler/man/bundle-add.1

@@ -4,7 +4,7 @@
 .SH "NAME"
 \fBbundle\-add\fR \- Add gem to the Gemfile and run bundle install
 .SH "SYNOPSIS"
-\fBbundle add\fR \fIGEM_NAME\fR [\-\-group=GROUP] [\-\-version=VERSION] [\-\-source=SOURCE] [\-\-path=PATH] [\-\-git=GIT|\-\-github=GITHUB] [\-\-branch=BRANCH] [\-\-ref=REF] [\-\-quiet] [\-\-skip\-install] [\-\-strict|\-\-optimistic]
+\fBbundle add\fR \fIGEM_NAME\fR [\-\-group=GROUP] [\-\-version=VERSION] [\-\-source=SOURCE] [\-\-path=PATH] [\-\-git=GIT|\-\-github=GITHUB] [\-\-branch=BRANCH] [\-\-ref=REF] [\-\-cooldown=NUMBER] [\-\-quiet] [\-\-skip\-install] [\-\-strict|\-\-optimistic]
 .SH "DESCRIPTION"
 Adds the named gem to the [\fBGemfile(5)\fR][Gemfile(5)] and run \fBbundle install\fR\. \fBbundle install\fR can be avoided by using the flag \fB\-\-skip\-install\fR\.
 .SH "OPTIONS"
@@ -50,6 +50,9 @@ Adds optimistic declaration of version\.
 .TP
 \fB\-\-strict\fR
 Adds strict declaration of version\.
+.TP
+\fB\-\-cooldown=<number>\fR
+Only consider gem versions published at least \fInumber\fR days ago when resolving\. Pass \fB0\fR to disable cooldown for this run\. See \fBcooldown\fR in bundle\-config(1) for precedence rules\.
 .SH "EXAMPLES"
 .IP "1." 4
 You can add the \fBrails\fR gem to the Gemfile without any version restriction\. The source of the gem will be the global source\.

data/lib/bundler/man/bundle-add.1.ronn

@@ -5,7 +5,7 @@ bundle-add(1) -- Add gem to the Gemfile and run bundle install
 
 `bundle add` <GEM_NAME> [--group=GROUP] [--version=VERSION] [--source=SOURCE]
            [--path=PATH] [--git=GIT|--github=GITHUB] [--branch=BRANCH] [--ref=REF]
-           [--quiet] [--skip-install] [--strict|--optimistic]
+           [--cooldown=NUMBER] [--quiet] [--skip-install] [--strict|--optimistic]
 
 ## DESCRIPTION
 
@@ -56,6 +56,11 @@ Adds the named gem to the [`Gemfile(5)`][Gemfile(5)] and run `bundle install`.
 * `--strict`:
   Adds strict declaration of version.
 
+* `--cooldown=<number>`:
+  Only consider gem versions published at least <number> days ago when
+  resolving. Pass `0` to disable cooldown for this run. See `cooldown`
+  in bundle-config(1) for precedence rules.
+
 ## EXAMPLES
 
 1. You can add the `rails` gem to the Gemfile without any version restriction.

data/lib/bundler/man/bundle-config.1

@@ -69,162 +69,126 @@ The canonical form of this configuration is \fB"without"\fR\. To convert the can
 Any periods in the configuration keys must be replaced with two underscores when setting it via environment variables\. The configuration key \fBlocal\.rack\fR becomes the environment variable \fBBUNDLE_LOCAL__RACK\fR\.
 .SH "LIST OF AVAILABLE KEYS"
 The following is a list of all configuration keys and their purpose\. You can learn more about their operation in bundle install(1) \fIbundle\-install\.1\.html\fR\.
-.TP
-\fBapi_request_size\fR (\fBBUNDLE_API_REQUEST_SIZE\fR)
-Configure how many dependencies to fetch when resolving the specifications\. This configuration is only used when fetchig specifications from RubyGems servers that didn't implement the Compact Index API\. Defaults to 100\.
-.TP
-\fBauto_install\fR (\fBBUNDLE_AUTO_INSTALL\fR)
-Automatically run \fBbundle install\fR when gems are missing\.
-.TP
-\fBbin\fR (\fBBUNDLE_BIN\fR)
-If configured, \fBbundle binstubs\fR will install executables from gems in the bundle to the specified directory\. Otherwise it will create them in a \fBbin\fR directory relative to the Gemfile directory\. These executables run in Bundler's context\. If used, you might add this directory to your environment's \fBPATH\fR variable\. For instance, if the \fBrails\fR gem comes with a \fBrails\fR executable, \fBbundle binstubs\fR will create a \fBbin/rails\fR executable that ensures that all referred dependencies will be resolved using the bundled gems\.
-.TP
-\fBcache_all\fR (\fBBUNDLE_CACHE_ALL\fR)
-Cache all gems, including path and git gems\. This needs to be explicitly before bundler 4, but will be the default on bundler 4\.
-.TP
-\fBcache_all_platforms\fR (\fBBUNDLE_CACHE_ALL_PLATFORMS\fR)
-Cache gems for all platforms\.
-.TP
-\fBcache_path\fR (\fBBUNDLE_CACHE_PATH\fR)
-The directory that bundler will place cached gems in when running \fBbundle package\fR, and that bundler will look in when installing gems\. Defaults to \fBvendor/cache\fR\.
-.TP
-\fBclean\fR (\fBBUNDLE_CLEAN\fR)
-Whether Bundler should run \fBbundle clean\fR automatically after \fBbundle install\fR\. Defaults to \fBtrue\fR in Bundler 4, as long as \fBpath\fR is not explicitly configured\.
-.TP
-\fBconsole\fR (\fBBUNDLE_CONSOLE\fR)
-The console that \fBbundle console\fR starts\. Defaults to \fBirb\fR\.
-.TP
-\fBdefault_cli_command\fR (\fBBUNDLE_DEFAULT_CLI_COMMAND\fR)
-The command that running \fBbundle\fR without arguments should run\. Defaults to \fBcli_help\fR since Bundler 4, but can also be \fBinstall\fR which was the previous default\.
-.TP
-\fBdeployment\fR (\fBBUNDLE_DEPLOYMENT\fR)
-Equivalent to setting \fBfrozen\fR to \fBtrue\fR and \fBpath\fR to \fBvendor/bundle\fR\.
-.TP
-\fBdisable_checksum_validation\fR (\fBBUNDLE_DISABLE_CHECKSUM_VALIDATION\fR)
-Allow installing gems even if they do not match the checksum provided by RubyGems\.
-.TP
-\fBdisable_exec_load\fR (\fBBUNDLE_DISABLE_EXEC_LOAD\fR)
-Stop Bundler from using \fBload\fR to launch an executable in\-process in \fBbundle exec\fR\.
-.TP
-\fBdisable_local_branch_check\fR (\fBBUNDLE_DISABLE_LOCAL_BRANCH_CHECK\fR)
-Allow Bundler to use a local git override without a branch specified in the Gemfile\.
-.TP
-\fBdisable_local_revision_check\fR (\fBBUNDLE_DISABLE_LOCAL_REVISION_CHECK\fR)
-Allow Bundler to use a local git override without checking if the revision present in the lockfile is present in the repository\.
-.TP
-\fBdisable_shared_gems\fR (\fBBUNDLE_DISABLE_SHARED_GEMS\fR)
-Stop Bundler from accessing gems installed to RubyGems' normal location\.
-.TP
-\fBdisable_version_check\fR (\fBBUNDLE_DISABLE_VERSION_CHECK\fR)
-Stop Bundler from checking if a newer Bundler version is available on rubygems\.org\.
-.TP
-\fBforce_ruby_platform\fR (\fBBUNDLE_FORCE_RUBY_PLATFORM\fR)
-Ignore the current machine's platform and install only \fBruby\fR platform gems\. As a result, gems with native extensions will be compiled from source\.
-.TP
-\fBfrozen\fR (\fBBUNDLE_FROZEN\fR)
-Disallow any automatic changes to \fBGemfile\.lock\fR\. Bundler commands will be blocked unless the lockfile can be installed exactly as written\. Usually this will happen when changing the \fBGemfile\fR manually and forgetting to update the lockfile through \fBbundle lock\fR or \fBbundle install\fR\.
-.TP
-\fBgem\.github_username\fR (\fBBUNDLE_GEM__GITHUB_USERNAME\fR)
-Sets a GitHub username or organization to be used in the \fBREADME\fR and \fB\.gemspec\fR files when you create a new gem via \fBbundle gem\fR command\. It can be overridden by passing an explicit \fB\-\-github\-username\fR flag to \fBbundle gem\fR\.
-.TP
-\fBgem\.push_key\fR (\fBBUNDLE_GEM__PUSH_KEY\fR)
-Sets the \fB\-\-key\fR parameter for \fBgem push\fR when using the \fBrake release\fR command with a private gemstash server\.
-.TP
-\fBgemfile\fR (\fBBUNDLE_GEMFILE\fR)
-The name of the file that bundler should use as the \fBGemfile\fR\. This location of this file also sets the root of the project, which is used to resolve relative paths in the \fBGemfile\fR, among other things\. By default, bundler will search up from the current working directory until it finds a \fBGemfile\fR\.
-.TP
-\fBglobal_gem_cache\fR (\fBBUNDLE_GLOBAL_GEM_CACHE\fR)
-Whether Bundler should cache all gems and compiled extensions globally, rather than locally to the configured installation path\.
-.TP
-\fBignore_funding_requests\fR (\fBBUNDLE_IGNORE_FUNDING_REQUESTS\fR)
-When set, no funding requests will be printed\.
-.TP
-\fBignore_messages\fR (\fBBUNDLE_IGNORE_MESSAGES\fR)
-When set, no post install messages will be printed\. To silence a single gem, use dot notation like \fBignore_messages\.httparty true\fR\.
-.TP
-\fBinit_gems_rb\fR (\fBBUNDLE_INIT_GEMS_RB\fR)
-Generate a \fBgems\.rb\fR instead of a \fBGemfile\fR when running \fBbundle init\fR\.
-.TP
-\fBjobs\fR (\fBBUNDLE_JOBS\fR)
-The number of gems Bundler can download and install in parallel\. Defaults to the number of available processors\.
-.TP
-\fBlockfile\fR (\fBBUNDLE_LOCKFILE\fR)
-The path to the lockfile that bundler should use\. By default, Bundler adds \fB\.lock\fR to the end of the \fBgemfile\fR entry\. Can be set to \fBfalse\fR in the Gemfile to disable lockfile creation entirely (see gemfile(5))\.
-.TP
-\fBlockfile_checksums\fR (\fBBUNDLE_LOCKFILE_CHECKSUMS\fR)
-Whether Bundler should include a checksums section in new lockfiles, to protect from compromised gem sources\. Defaults to true\.
-.TP
-\fBno_install\fR (\fBBUNDLE_NO_INSTALL\fR)
-Whether \fBbundle package\fR should skip installing gems\.
-.TP
-\fBno_prune\fR (\fBBUNDLE_NO_PRUNE\fR)
-Whether Bundler should leave outdated gems unpruned when caching\.
-.TP
-\fBonly\fR (\fBBUNDLE_ONLY\fR)
-A space\-separated list of groups to install only gems of the specified groups\. Please check carefully if you want to install also gems without a group, because they get put inside \fBdefault\fR group\. For example \fBonly test:default\fR will install all gems specified in test group and without one\.
-.TP
-\fBpath\fR (\fBBUNDLE_PATH\fR)
-The location on disk where all gems in your bundle will be located regardless of \fB$GEM_HOME\fR or \fB$GEM_PATH\fR values\. Bundle gems not found in this location will be installed by \fBbundle install\fR\. When not set, Bundler install by default to a \fB\.bundle\fR directory relative to repository root in Bundler 4, and to the default system path (\fBGem\.dir\fR) before Bundler 4\. That means that before Bundler 4, Bundler shares this location with Rubygems, and \fBgem install \|\.\|\.\|\.\fR will have gems installed in the same location and therefore, gems installed without \fBpath\fR set will show up by calling \fBgem list\fR\. This will not be the case in Bundler 4\.
-.TP
-\fBpath\.system\fR (\fBBUNDLE_PATH__SYSTEM\fR)
-Whether Bundler will install gems into the default system path (\fBGem\.dir\fR)\.
-.TP
-\fBplugins\fR (\fBBUNDLE_PLUGINS\fR)
-Enable Bundler's experimental plugin system\.
-.TP
-\fBprefer_patch\fR (\fBBUNDLE_PREFER_PATCH\fR)
-Prefer updating only to next patch version during updates\. Makes \fBbundle update\fR calls equivalent to \fBbundler update \-\-patch\fR\.
-.TP
-\fBredirect\fR (\fBBUNDLE_REDIRECT\fR)
-The number of redirects allowed for network requests\. Defaults to \fB5\fR\.
-.TP
-\fBretry\fR (\fBBUNDLE_RETRY\fR)
-The number of times to retry failed network requests\. Defaults to \fB3\fR\.
-.TP
-\fBshebang\fR (\fBBUNDLE_SHEBANG\fR)
-The program name that should be invoked for generated binstubs\. Defaults to the ruby install name used to generate the binstub\.
-.TP
-\fBsilence_deprecations\fR (\fBBUNDLE_SILENCE_DEPRECATIONS\fR)
-Whether Bundler should silence deprecation warnings for behavior that will be changed in the next major version\.
-.TP
-\fBsilence_root_warning\fR (\fBBUNDLE_SILENCE_ROOT_WARNING\fR)
-Silence the warning Bundler prints when installing gems as root\.
-.TP
-\fBsimulate_version\fR (\fBBUNDLE_SIMULATE_VERSION\fR)
-The virtual version Bundler should use for activating feature flags\. Can be used to simulate all the new functionality that will be enabled in a future major version\.
-.TP
-\fBssl_ca_cert\fR (\fBBUNDLE_SSL_CA_CERT\fR)
-Path to a designated CA certificate file or folder containing multiple certificates for trusted CAs in PEM format\.
-.TP
-\fBssl_client_cert\fR (\fBBUNDLE_SSL_CLIENT_CERT\fR)
-Path to a designated file containing a X\.509 client certificate and key in PEM format\.
-.TP
-\fBssl_verify_mode\fR (\fBBUNDLE_SSL_VERIFY_MODE\fR)
-The SSL verification mode Bundler uses when making HTTPS requests\. Defaults to verify peer\.
-.TP
-\fBsystem_bindir\fR (\fBBUNDLE_SYSTEM_BINDIR\fR)
-The location where RubyGems installs binstubs\. Defaults to \fBGem\.bindir\fR\.
-.TP
-\fBtimeout\fR (\fBBUNDLE_TIMEOUT\fR)
-The seconds allowed before timing out for network requests\. Defaults to \fB10\fR\.
-.TP
-\fBupdate_requires_all_flag\fR (\fBBUNDLE_UPDATE_REQUIRES_ALL_FLAG\fR)
-Require passing \fB\-\-all\fR to \fBbundle update\fR when everything should be updated, and disallow passing no options to \fBbundle update\fR\.
-.TP
-\fBuser_agent\fR (\fBBUNDLE_USER_AGENT\fR)
-The custom user agent fragment Bundler includes in API requests\.
-.TP
-\fBverbose\fR (\fBBUNDLE_VERBOSE\fR)
-Whether Bundler should print verbose output\. Defaults to \fBfalse\fR, unless the \fB\-\-verbose\fR CLI flag is used\.
-.TP
-\fBversion\fR (\fBBUNDLE_VERSION\fR)
-The version of Bundler to use when running under Bundler environment\. Defaults to \fBlockfile\fR\. You can also specify \fBsystem\fR or \fBx\.y\.z\fR\. \fBlockfile\fR will use the Bundler version specified in the \fBGemfile\.lock\fR, \fBsystem\fR will use the system version of Bundler, and \fBx\.y\.z\fR will use the specified version of Bundler\.
-.TP
-\fBwith\fR (\fBBUNDLE_WITH\fR)
-A space\-separated or \fB:\fR\-separated list of groups whose gems bundler should install\.
-.TP
-\fBwithout\fR (\fBBUNDLE_WITHOUT\fR)
-A space\-separated or \fB:\fR\-separated list of groups whose gems bundler should not install\.
+.IP "\(bu" 4
+\fBapi_request_size\fR (\fBBUNDLE_API_REQUEST_SIZE\fR): Configure how many dependencies to fetch when resolving the specifications\. This configuration is only used when fetchig specifications from RubyGems servers that didn't implement the Compact Index API\. Defaults to 100\.
+.IP "\(bu" 4
+\fBauto_install\fR (\fBBUNDLE_AUTO_INSTALL\fR): Automatically run \fBbundle install\fR when gems are missing\.
+.IP "\(bu" 4
+\fBbin\fR (\fBBUNDLE_BIN\fR): If configured, \fBbundle binstubs\fR will install executables from gems in the bundle to the specified directory\. Otherwise it will create them in a \fBbin\fR directory relative to the Gemfile directory\. These executables run in Bundler's context\. If used, you might add this directory to your environment's \fBPATH\fR variable\. For instance, if the \fBrails\fR gem comes with a \fBrails\fR executable, \fBbundle binstubs\fR will create a \fBbin/rails\fR executable that ensures that all referred dependencies will be resolved using the bundled gems\.
+.IP "\(bu" 4
+\fBcache_all\fR (\fBBUNDLE_CACHE_ALL\fR): Cache all gems, including path and git gems\. This needs to be explicitly before bundler 4, but will be the default on bundler 4\.
+.IP "\(bu" 4
+\fBcache_all_platforms\fR (\fBBUNDLE_CACHE_ALL_PLATFORMS\fR): Cache gems for all platforms\.
+.IP "\(bu" 4
+\fBcache_path\fR (\fBBUNDLE_CACHE_PATH\fR): The directory that bundler will place cached gems in when running \fBbundle package\fR, and that bundler will look in when installing gems\. Defaults to \fBvendor/cache\fR\.
+.IP "\(bu" 4
+\fBclean\fR (\fBBUNDLE_CLEAN\fR): Whether Bundler should run \fBbundle clean\fR automatically after \fBbundle install\fR\. Defaults to \fBtrue\fR in Bundler 4, as long as \fBpath\fR is not explicitly configured\.
+.IP "\(bu" 4
+\fBconsole\fR (\fBBUNDLE_CONSOLE\fR): The console that \fBbundle console\fR starts\. Defaults to \fBirb\fR\.
+.IP "\(bu" 4
+\fBcooldown\fR (\fBBUNDLE_COOLDOWN\fR): Number of days a published gem version must age before bundler will resolve to it\. Defaults to unset (no cooldown)\. Pass \fB0\fR to disable cooldown for an individual run\.
+.IP
+The effective cooldown for any given gem is resolved from three layers, highest precedence first:
+.IP "1." 4
+CLI flag \fB\-\-cooldown N\fR on \fBinstall\fR, \fBupdate\fR, \fBadd\fR, and \fBoutdated\fR\.
+.IP "2." 4
+This setting (\fBbundle config set cooldown N\fR or \fBBUNDLE_COOLDOWN=N\fR)\.
+.IP "3." 4
+The per\-source \fBcooldown:\fR keyword in the Gemfile, such as \fBsource "https://rubygems\.org", cooldown: 7\fR\.
+.IP "" 0
+.IP
+The CLI flag and this setting apply uniformly to every source, including ones declared with their own \fBcooldown:\fR value\. To keep a private registry permanently exempt while still cooling down public gems, declare \fBsource "https://internal", cooldown: 0\fR in the Gemfile; remember that \fB\-\-cooldown N\fR on the command line will still override it for that single run\.
+.IP
+Cooldown filtering depends on the gem server providing a per\-version \fBcreated_at\fR timestamp in the v2 compact\-index format\. Versions without that metadata \- older gem servers, historical entries that predate the v2 cutover on \fBrubygems\.org\fR, or private registries that still emit the v1 format \- are treated as outside the cooldown window and remain resolvable\. If you rely on cooldown for supply\-chain protection, confirm that the gem server emits \fBcreated_at\fR in its \fB/info/<gem>\fR responses\.
+.IP "\(bu" 4
+\fBdefault_cli_command\fR (\fBBUNDLE_DEFAULT_CLI_COMMAND\fR): The command that running \fBbundle\fR without arguments should run\. Defaults to \fBcli_help\fR since Bundler 4, but can also be \fBinstall\fR which was the previous default\.
+.IP "\(bu" 4
+\fBdeployment\fR (\fBBUNDLE_DEPLOYMENT\fR): Equivalent to setting \fBfrozen\fR to \fBtrue\fR and \fBpath\fR to \fBvendor/bundle\fR\.
+.IP "\(bu" 4
+\fBdisable_checksum_validation\fR (\fBBUNDLE_DISABLE_CHECKSUM_VALIDATION\fR): Allow installing gems even if they do not match the checksum provided by RubyGems\.
+.IP "\(bu" 4
+\fBdisable_exec_load\fR (\fBBUNDLE_DISABLE_EXEC_LOAD\fR): Stop Bundler from using \fBload\fR to launch an executable in\-process in \fBbundle exec\fR\.
+.IP "\(bu" 4
+\fBdisable_local_branch_check\fR (\fBBUNDLE_DISABLE_LOCAL_BRANCH_CHECK\fR): Allow Bundler to use a local git override without a branch specified in the Gemfile\.
+.IP "\(bu" 4
+\fBdisable_local_revision_check\fR (\fBBUNDLE_DISABLE_LOCAL_REVISION_CHECK\fR): Allow Bundler to use a local git override without checking if the revision present in the lockfile is present in the repository\.
+.IP "\(bu" 4
+\fBdisable_shared_gems\fR (\fBBUNDLE_DISABLE_SHARED_GEMS\fR): Stop Bundler from accessing gems installed to RubyGems' normal location\.
+.IP "\(bu" 4
+\fBdisable_version_check\fR (\fBBUNDLE_DISABLE_VERSION_CHECK\fR): Stop Bundler from checking if a newer Bundler version is available on rubygems\.org\.
+.IP "\(bu" 4
+\fBforce_ruby_platform\fR (\fBBUNDLE_FORCE_RUBY_PLATFORM\fR): Ignore the current machine's platform and install only \fBruby\fR platform gems\. As a result, gems with native extensions will be compiled from source\.
+.IP "\(bu" 4
+\fBfrozen\fR (\fBBUNDLE_FROZEN\fR): Disallow any automatic changes to \fBGemfile\.lock\fR\. Bundler commands will be blocked unless the lockfile can be installed exactly as written\. Usually this will happen when changing the \fBGemfile\fR manually and forgetting to update the lockfile through \fBbundle lock\fR or \fBbundle install\fR\.
+.IP "\(bu" 4
+\fBgem\.github_username\fR (\fBBUNDLE_GEM__GITHUB_USERNAME\fR): Sets a GitHub username or organization to be used in the \fBREADME\fR and \fB\.gemspec\fR files when you create a new gem via \fBbundle gem\fR command\. It can be overridden by passing an explicit \fB\-\-github\-username\fR flag to \fBbundle gem\fR\.
+.IP "\(bu" 4
+\fBgem\.push_key\fR (\fBBUNDLE_GEM__PUSH_KEY\fR): Sets the \fB\-\-key\fR parameter for \fBgem push\fR when using the \fBrake release\fR command with a private gemstash server\.
+.IP "\(bu" 4
+\fBgemfile\fR (\fBBUNDLE_GEMFILE\fR): The name of the file that bundler should use as the \fBGemfile\fR\. This location of this file also sets the root of the project, which is used to resolve relative paths in the \fBGemfile\fR, among other things\. By default, bundler will search up from the current working directory until it finds a \fBGemfile\fR\.
+.IP "\(bu" 4
+\fBglobal_gem_cache\fR (\fBBUNDLE_GLOBAL_GEM_CACHE\fR): Whether Bundler should cache all gems and compiled extensions globally, rather than locally to the configured installation path\.
+.IP "\(bu" 4
+\fBignore_funding_requests\fR (\fBBUNDLE_IGNORE_FUNDING_REQUESTS\fR): When set, no funding requests will be printed\.
+.IP "\(bu" 4
+\fBignore_messages\fR (\fBBUNDLE_IGNORE_MESSAGES\fR): When set, no post install messages will be printed\. To silence a single gem, use dot notation like \fBignore_messages\.httparty true\fR\.
+.IP "\(bu" 4
+\fBinit_gems_rb\fR (\fBBUNDLE_INIT_GEMS_RB\fR): Generate a \fBgems\.rb\fR instead of a \fBGemfile\fR when running \fBbundle init\fR\.
+.IP "\(bu" 4
+\fBjobs\fR (\fBBUNDLE_JOBS\fR): The number of gems Bundler can download and install in parallel\. Defaults to the number of available processors\.
+.IP "\(bu" 4
+\fBlockfile\fR (\fBBUNDLE_LOCKFILE\fR): The path to the lockfile that bundler should use\. By default, Bundler adds \fB\.lock\fR to the end of the \fBgemfile\fR entry\. Can be set to \fBfalse\fR in the Gemfile to disable lockfile creation entirely (see gemfile(5))\.
+.IP "\(bu" 4
+\fBlockfile_checksums\fR (\fBBUNDLE_LOCKFILE_CHECKSUMS\fR): Whether Bundler should include a checksums section in new lockfiles, to protect from compromised gem sources\. Defaults to true\.
+.IP "\(bu" 4
+\fBno_install\fR (\fBBUNDLE_NO_INSTALL\fR): Whether \fBbundle package\fR should skip installing gems\.
+.IP "\(bu" 4
+\fBno_prune\fR (\fBBUNDLE_NO_PRUNE\fR): Whether Bundler should leave outdated gems unpruned when caching\.
+.IP "\(bu" 4
+\fBonly\fR (\fBBUNDLE_ONLY\fR): A space\-separated list of groups to install only gems of the specified groups\. Please check carefully if you want to install also gems without a group, because they get put inside \fBdefault\fR group\. For example \fBonly test:default\fR will install all gems specified in test group and without one\.
+.IP "\(bu" 4
+\fBpath\fR (\fBBUNDLE_PATH\fR): The location on disk where all gems in your bundle will be located regardless of \fB$GEM_HOME\fR or \fB$GEM_PATH\fR values\. Bundle gems not found in this location will be installed by \fBbundle install\fR\. When not set, Bundler install by default to a \fB\.bundle\fR directory relative to repository root in Bundler 4, and to the default system path (\fBGem\.dir\fR) before Bundler 4\. That means that before Bundler 4, Bundler shares this location with Rubygems, and \fBgem install \|\.\|\.\|\.\fR will have gems installed in the same location and therefore, gems installed without \fBpath\fR set will show up by calling \fBgem list\fR\. This will not be the case in Bundler 4\.
+.IP "\(bu" 4
+\fBpath\.system\fR (\fBBUNDLE_PATH__SYSTEM\fR): Whether Bundler will install gems into the default system path (\fBGem\.dir\fR)\.
+.IP "\(bu" 4
+\fBplugins\fR (\fBBUNDLE_PLUGINS\fR): Enable Bundler's experimental plugin system\.
+.IP "\(bu" 4
+\fBprefer_patch\fR (\fBBUNDLE_PREFER_PATCH\fR): Prefer updating only to next patch version during updates\. Makes \fBbundle update\fR calls equivalent to \fBbundler update \-\-patch\fR\.
+.IP "\(bu" 4
+\fBredirect\fR (\fBBUNDLE_REDIRECT\fR): The number of redirects allowed for network requests\. Defaults to \fB5\fR\.
+.IP "\(bu" 4
+\fBretry\fR (\fBBUNDLE_RETRY\fR): The number of times to retry failed network requests\. Defaults to \fB3\fR\.
+.IP "\(bu" 4
+\fBshebang\fR (\fBBUNDLE_SHEBANG\fR): The program name that should be invoked for generated binstubs\. Defaults to the ruby install name used to generate the binstub\.
+.IP "\(bu" 4
+\fBsilence_deprecations\fR (\fBBUNDLE_SILENCE_DEPRECATIONS\fR): Whether Bundler should silence deprecation warnings for behavior that will be changed in the next major version\.
+.IP "\(bu" 4
+\fBsilence_root_warning\fR (\fBBUNDLE_SILENCE_ROOT_WARNING\fR): Silence the warning Bundler prints when installing gems as root\.
+.IP "\(bu" 4
+\fBsimulate_version\fR (\fBBUNDLE_SIMULATE_VERSION\fR): The virtual version Bundler should use for activating feature flags\. Can be used to simulate all the new functionality that will be enabled in a future major version\.
+.IP "\(bu" 4
+\fBssl_ca_cert\fR (\fBBUNDLE_SSL_CA_CERT\fR): Path to a designated CA certificate file or folder containing multiple certificates for trusted CAs in PEM format\.
+.IP "\(bu" 4
+\fBssl_client_cert\fR (\fBBUNDLE_SSL_CLIENT_CERT\fR): Path to a designated file containing a X\.509 client certificate and key in PEM format\.
+.IP "\(bu" 4
+\fBssl_verify_mode\fR (\fBBUNDLE_SSL_VERIFY_MODE\fR): The SSL verification mode Bundler uses when making HTTPS requests\. Defaults to verify peer\.
+.IP "\(bu" 4
+\fBsystem_bindir\fR (\fBBUNDLE_SYSTEM_BINDIR\fR): The location where RubyGems installs binstubs\. Defaults to \fBGem\.bindir\fR\.
+.IP "\(bu" 4
+\fBtimeout\fR (\fBBUNDLE_TIMEOUT\fR): The seconds allowed before timing out for network requests\. Defaults to \fB10\fR\.
+.IP "\(bu" 4
+\fBupdate_requires_all_flag\fR (\fBBUNDLE_UPDATE_REQUIRES_ALL_FLAG\fR): Require passing \fB\-\-all\fR to \fBbundle update\fR when everything should be updated, and disallow passing no options to \fBbundle update\fR\.
+.IP "\(bu" 4
+\fBuser_agent\fR (\fBBUNDLE_USER_AGENT\fR): The custom user agent fragment Bundler includes in API requests\.
+.IP "\(bu" 4
+\fBverbose\fR (\fBBUNDLE_VERBOSE\fR): Whether Bundler should print verbose output\. Defaults to \fBfalse\fR, unless the \fB\-\-verbose\fR CLI flag is used\.
+.IP "\(bu" 4
+\fBversion\fR (\fBBUNDLE_VERSION\fR): The version of Bundler to use when running under Bundler environment\. Defaults to \fBlockfile\fR\. You can also specify \fBsystem\fR or \fBx\.y\.z\fR\. \fBlockfile\fR will use the Bundler version specified in the \fBGemfile\.lock\fR, \fBsystem\fR will use the system version of Bundler, and \fBx\.y\.z\fR will use the specified version of Bundler\.
+.IP "\(bu" 4
+\fBwith\fR (\fBBUNDLE_WITH\fR): A space\-separated or \fB:\fR\-separated list of groups whose gems bundler should install\.
+.IP "\(bu" 4
+\fBwithout\fR (\fBBUNDLE_WITHOUT\fR): A space\-separated or \fB:\fR\-separated list of groups whose gems bundler should not install\.
+.IP "" 0
 .SH "BUILD OPTIONS"
 You can use \fBbundle config\fR to give Bundler the flags to pass to the gem installer every time bundler tries to install a particular gem\.
 .P

data/lib/bundler/man/bundle-config.1.ronn

@@ -137,6 +137,36 @@ learn more about their operation in [bundle install(1)](bundle-install.1.html).
    explicitly configured.
 * `console` (`BUNDLE_CONSOLE`):
    The console that `bundle console` starts. Defaults to `irb`.
+* `cooldown` (`BUNDLE_COOLDOWN`):
+   Number of days a published gem version must age before bundler will
+   resolve to it. Defaults to unset (no cooldown). Pass `0` to disable
+   cooldown for an individual run.
+
+   The effective cooldown for any given gem is resolved from three
+   layers, highest precedence first:
+
+     1. CLI flag `--cooldown N` on `install`, `update`, `add`, and
+        `outdated`.
+     2. This setting (`bundle config set cooldown N` or
+        `BUNDLE_COOLDOWN=N`).
+     3. The per-source `cooldown:` keyword in the Gemfile, such as
+        `source "https://rubygems.org", cooldown: 7`.
+
+   The CLI flag and this setting apply uniformly to every source,
+   including ones declared with their own `cooldown:` value. To keep a
+   private registry permanently exempt while still cooling down public
+   gems, declare `source "https://internal", cooldown: 0` in the
+   Gemfile; remember that `--cooldown N` on the command line will
+   still override it for that single run.
+
+   Cooldown filtering depends on the gem server providing a per-version
+   `created_at` timestamp in the v2 compact-index format. Versions
+   without that metadata - older gem servers, historical entries that
+   predate the v2 cutover on `rubygems.org`, or private registries that
+   still emit the v1 format - are treated as outside the cooldown
+   window and remain resolvable. If you rely on cooldown for
+   supply-chain protection, confirm that the gem server emits
+   `created_at` in its `/info/<gem>` responses.
 * `default_cli_command` (`BUNDLE_DEFAULT_CLI_COMMAND`):
    The command that running `bundle` without arguments should run. Defaults to
    `cli_help` since Bundler 4, but can also be `install` which was the previous

data/lib/bundler/man/bundle-install.1

@@ -4,7 +4,7 @@
 .SH "NAME"
 \fBbundle\-install\fR \- Install the dependencies specified in your Gemfile
 .SH "SYNOPSIS"
-\fBbundle install\fR [\-\-force] [\-\-full\-index] [\-\-gemfile=GEMFILE] [\-\-jobs=NUMBER] [\-\-local] [\-\-lockfile=LOCKFILE] [\-\-no\-cache] [\-\-no\-lock] [\-\-prefer\-local] [\-\-quiet] [\-\-retry=NUMBER] [\-\-standalone[=GROUP[ GROUP\|\.\|\.\|\.]]] [\-\-trust\-policy=TRUST\-POLICY] [\-\-target\-rbconfig=TARGET\-RBCONFIG]
+\fBbundle install\fR [\-\-cooldown=NUMBER] [\-\-force] [\-\-full\-index] [\-\-gemfile=GEMFILE] [\-\-jobs=NUMBER] [\-\-local] [\-\-lockfile=LOCKFILE] [\-\-no\-cache] [\-\-no\-lock] [\-\-prefer\-local] [\-\-quiet] [\-\-retry=NUMBER] [\-\-standalone[=GROUP[ GROUP\|\.\|\.\|\.]]] [\-\-trust\-policy=TRUST\-POLICY] [\-\-target\-rbconfig=TARGET\-RBCONFIG]
 .SH "DESCRIPTION"
 Install the gems specified in your Gemfile(5)\. If this is the first time you run bundle install (and a \fBGemfile\.lock\fR does not exist), Bundler will fetch all remote sources, resolve dependencies and install all needed gems\.
 .P
@@ -13,6 +13,9 @@ If a \fBGemfile\.lock\fR does exist, and you have not updated your Gemfile(5), B
 If a \fBGemfile\.lock\fR does exist, and you have updated your Gemfile(5), Bundler will use the dependencies in the \fBGemfile\.lock\fR for all gems that you did not update, but will re\-resolve the dependencies of gems that you did update\. You can find more information about this update process below under \fICONSERVATIVE UPDATING\fR\.
 .SH "OPTIONS"
 .TP
+\fB\-\-cooldown=<number>\fR
+Only consider gem versions published at least \fInumber\fR days ago when resolving\. Pass \fB0\fR to disable cooldown for this run, overriding any per\-source or global configuration\. See \fBcooldown\fR in bundle\-config(1) for details on the precedence between the CLI flag, Bundler config, and Gemfile per\-source settings\.
+.TP
 \fB\-\-force\fR, \fB\-\-redownload\fR
 Force reinstalling every gem, even if already installed\.
 .TP

data/lib/bundler/man/bundle-install.1.ronn

@@ -3,7 +3,8 @@ bundle-install(1) -- Install the dependencies specified in your Gemfile
 
 ## SYNOPSIS
 
-`bundle install` [--force]
+`bundle install` [--cooldown=NUMBER]
+                 [--force]
                  [--full-index]
                  [--gemfile=GEMFILE]
                  [--jobs=NUMBER]
@@ -37,6 +38,13 @@ update process below under [CONSERVATIVE UPDATING][].
 
 ## OPTIONS
 
+* `--cooldown=<number>`:
+  Only consider gem versions published at least <number> days ago when
+  resolving. Pass `0` to disable cooldown for this run, overriding any
+  per-source or global configuration. See `cooldown` in bundle-config(1)
+  for details on the precedence between the CLI flag, Bundler config,
+  and Gemfile per-source settings.
+
 * `--force`, `--redownload`:
   Force reinstalling every gem, even if already installed.
 

data/lib/bundler/man/bundle-outdated.1

@@ -4,7 +4,7 @@
 .SH "NAME"
 \fBbundle\-outdated\fR \- List installed gems with newer versions available
 .SH "SYNOPSIS"
-\fBbundle outdated\fR [GEM] [\-\-local] [\-\-pre] [\-\-source] [\-\-filter\-strict | \-\-strict] [\-\-update\-strict] [\-\-parseable | \-\-porcelain] [\-\-group=GROUP] [\-\-groups] [\-\-patch|\-\-minor|\-\-major] [\-\-filter\-major] [\-\-filter\-minor] [\-\-filter\-patch] [\-\-only\-explicit]
+\fBbundle outdated\fR [GEM] [\-\-local] [\-\-pre] [\-\-source] [\-\-filter\-strict | \-\-strict] [\-\-update\-strict] [\-\-parseable | \-\-porcelain] [\-\-group=GROUP] [\-\-groups] [\-\-patch|\-\-minor|\-\-major] [\-\-filter\-major] [\-\-filter\-minor] [\-\-filter\-patch] [\-\-only\-explicit] [\-\-cooldown=NUMBER]
 .SH "DESCRIPTION"
 Outdated lists the names and versions of gems that have a newer version available in the given source\. Calling outdated with [GEM [GEM]] will only check for newer versions of the given gems\. Prerelease gems are ignored by default\. If your gems are up to date, Bundler will exit with a status of 0\. Otherwise, it will exit 1\.
 .SH "OPTIONS"
@@ -53,6 +53,9 @@ Only list patch newer versions\.
 .TP
 \fB\-\-only\-explicit\fR
 Only list gems specified in your Gemfile, not their dependencies\.
+.TP
+\fB\-\-cooldown=<number>\fR
+Annotate (rather than hide) versions that are still inside the cooldown window of \fInumber\fR days\. The prose output appends "in cooldown for Nd more days" and the table form adds "(cooldown Nd)" to the Latest column\. See \fBcooldown\fR in bundle\-config(1)\.
 .SH "PATCH LEVEL OPTIONS"
 See bundle update(1) \fIbundle\-update\.1\.html\fR for details\.
 .SH "FILTERING OUTPUT"
@@ -61,42 +64,42 @@ The 3 filtering options do not affect the resolution of versions, merely what ve
 If the regular output shows the following:
 .IP "" 4
 .nf
-* Gem       Current  Latest  Requested  Groups
-* faker     1\.6\.5    1\.6\.6   ~> 1\.4     development, test
-* hashie    1\.2\.0    3\.4\.6   = 1\.2\.0    default
-* headless  2\.2\.3    2\.3\.1   = 2\.2\.3    test
+* Gem       Current  Latest  Requested  Groups              Release Date
+* faker     1\.6\.5    1\.6\.6   ~> 1\.4     development, test   2024\-02\-05
+* hashie    1\.2\.0    3\.4\.6   = 1\.2\.0    default             2023\-11\-10
+* headless  2\.2\.3    2\.3\.1   = 2\.2\.3    test                2022\-08\-19
 .fi
 .IP "" 0
 .P
 \fB\-\-filter\-major\fR would only show:
 .IP "" 4
 .nf
-* Gem       Current  Latest  Requested  Groups
-* hashie    1\.2\.0    3\.4\.6   = 1\.2\.0    default
+* Gem       Current  Latest  Requested  Groups   Release Date
+* hashie    1\.2\.0    3\.4\.6   = 1\.2\.0    default  2023\-11\-10
 .fi
 .IP "" 0
 .P
 \fB\-\-filter\-minor\fR would only show:
 .IP "" 4
 .nf
-* Gem       Current  Latest  Requested  Groups
-* headless  2\.2\.3    2\.3\.1   = 2\.2\.3    test
+* Gem       Current  Latest  Requested  Groups  Release Date
+* headless  2\.2\.3    2\.3\.1   = 2\.2\.3    test    2022\-08\-19
 .fi
 .IP "" 0
 .P
 \fB\-\-filter\-patch\fR would only show:
 .IP "" 4
 .nf
-* Gem       Current  Latest  Requested  Groups
-* faker     1\.6\.5    1\.6\.6   ~> 1\.4     development, test
+* Gem       Current  Latest  Requested  Groups              Release Date
+* faker     1\.6\.5    1\.6\.6   ~> 1\.4     development, test   2024\-02\-05
 .fi
 .IP "" 0
 .P
 Filter options can be combined\. \fB\-\-filter\-minor\fR and \fB\-\-filter\-patch\fR would show:
 .IP "" 4
 .nf
-* Gem       Current  Latest  Requested  Groups
-* faker     1\.6\.5    1\.6\.6   ~> 1\.4     development, test
+* Gem       Current  Latest  Requested  Groups              Release Date
+* faker     1\.6\.5    1\.6\.6   ~> 1\.4     development, test   2024\-02\-05
 .fi
 .IP "" 0
 .P

data/lib/bundler/man/bundle-outdated.1.ronn

@@ -16,6 +16,7 @@ bundle-outdated(1) -- List installed gems with newer versions available
                         [--filter-minor]
                         [--filter-patch]
                         [--only-explicit]
+                        [--cooldown=NUMBER]
 
 ## DESCRIPTION
 
@@ -71,6 +72,12 @@ are up to date, Bundler will exit with a status of 0. Otherwise, it will exit 1.
 * `--only-explicit`:
   Only list gems specified in your Gemfile, not their dependencies.
 
+* `--cooldown=<number>`:
+  Annotate (rather than hide) versions that are still inside the
+  cooldown window of <number> days. The prose output appends "in
+  cooldown for Nd more days" and the table form adds "(cooldown Nd)" to
+  the Latest column. See `cooldown` in bundle-config(1).
+
 ## PATCH LEVEL OPTIONS
 
 See [bundle update(1)](bundle-update.1.html) for details.
@@ -82,29 +89,29 @@ in the output.
 
 If the regular output shows the following:
 
-    * Gem       Current  Latest  Requested  Groups
-    * faker     1.6.5    1.6.6   ~> 1.4     development, test
-    * hashie    1.2.0    3.4.6   = 1.2.0    default
-    * headless  2.2.3    2.3.1   = 2.2.3    test
+    * Gem       Current  Latest  Requested  Groups              Release Date
+    * faker     1.6.5    1.6.6   ~> 1.4     development, test   2024-02-05
+    * hashie    1.2.0    3.4.6   = 1.2.0    default             2023-11-10
+    * headless  2.2.3    2.3.1   = 2.2.3    test                2022-08-19
 
 `--filter-major` would only show:
 
-    * Gem       Current  Latest  Requested  Groups
-    * hashie    1.2.0    3.4.6   = 1.2.0    default
+    * Gem       Current  Latest  Requested  Groups   Release Date
+    * hashie    1.2.0    3.4.6   = 1.2.0    default  2023-11-10
 
 `--filter-minor` would only show:
 
-    * Gem       Current  Latest  Requested  Groups
-    * headless  2.2.3    2.3.1   = 2.2.3    test
+    * Gem       Current  Latest  Requested  Groups  Release Date
+    * headless  2.2.3    2.3.1   = 2.2.3    test    2022-08-19
 
 `--filter-patch` would only show:
 
-    * Gem       Current  Latest  Requested  Groups
-    * faker     1.6.5    1.6.6   ~> 1.4     development, test
+    * Gem       Current  Latest  Requested  Groups              Release Date
+    * faker     1.6.5    1.6.6   ~> 1.4     development, test   2024-02-05
 
 Filter options can be combined. `--filter-minor` and `--filter-patch` would show:
 
-    * Gem       Current  Latest  Requested  Groups
-    * faker     1.6.5    1.6.6   ~> 1.4     development, test
+    * Gem       Current  Latest  Requested  Groups              Release Date
+    * faker     1.6.5    1.6.6   ~> 1.4     development, test   2024-02-05
 
 Combining all three `filter` options would be the same result as providing none of them.

data/lib/bundler/man/bundle-update.1

@@ -4,7 +4,7 @@
 .SH "NAME"
 \fBbundle\-update\fR \- Update your gems to the latest available versions
 .SH "SYNOPSIS"
-\fBbundle update\fR \fI*gems\fR [\-\-all] [\-\-group=NAME] [\-\-source=NAME] [\-\-local] [\-\-ruby] [\-\-bundler[=VERSION]] [\-\-force] [\-\-full\-index] [\-\-gemfile=GEMFILE] [\-\-jobs=NUMBER] [\-\-quiet] [\-\-patch|\-\-minor|\-\-major] [\-\-pre] [\-\-strict] [\-\-conservative]
+\fBbundle update\fR \fI*gems\fR [\-\-all] [\-\-group=NAME] [\-\-source=NAME] [\-\-local] [\-\-ruby] [\-\-bundler[=VERSION]] [\-\-cooldown=NUMBER] [\-\-force] [\-\-full\-index] [\-\-gemfile=GEMFILE] [\-\-jobs=NUMBER] [\-\-quiet] [\-\-patch|\-\-minor|\-\-major] [\-\-pre] [\-\-strict] [\-\-conservative]
 .SH "DESCRIPTION"
 Update the gems specified (all gems, if \fB\-\-all\fR flag is used), ignoring the previously installed gems specified in the \fBGemfile\.lock\fR\. In general, you should use bundle install(1) \fIbundle\-install\.1\.html\fR to install the same exact gems and versions across machines\.
 .P
@@ -64,6 +64,9 @@ Do not allow any gem to be updated past latest \fB\-\-patch\fR | \fB\-\-minor\fR
 .TP
 \fB\-\-conservative\fR
 Use bundle install conservative update behavior and do not allow indirect dependencies to be updated\.
+.TP
+\fB\-\-cooldown=<number>\fR
+Only consider gem versions published at least \fInumber\fR days ago when resolving\. Pass \fB0\fR to disable cooldown for this run, overriding any per\-source or global configuration\. Combine with \fB\-\-conservative\fR to minimize transitive churn when bypassing cooldown for an urgent update\. See \fBcooldown\fR in bundle\-config(1)\.
 .SH "UPDATING ALL GEMS"
 If you run \fBbundle update \-\-all\fR, bundler will ignore any previously installed gems and resolve all dependencies again based on the latest versions of all gems available in the sources\.
 .P

data/lib/bundler/man/bundle-update.1.ronn

@@ -9,6 +9,7 @@ bundle-update(1) -- Update your gems to the latest available versions
                         [--local]
                         [--ruby]
                         [--bundler[=VERSION]]
+                        [--cooldown=NUMBER]
                         [--force]
                         [--full-index]
                         [--gemfile=GEMFILE]
@@ -91,6 +92,13 @@ gem.
 * `--conservative`:
   Use bundle install conservative update behavior and do not allow indirect dependencies to be updated.
 
+* `--cooldown=<number>`:
+  Only consider gem versions published at least <number> days ago when
+  resolving. Pass `0` to disable cooldown for this run, overriding any
+  per-source or global configuration. Combine with `--conservative` to
+  minimize transitive churn when bypassing cooldown for an urgent
+  update. See `cooldown` in bundle-config(1).
+
 ## UPDATING ALL GEMS
 
 If you run `bundle update --all`, bundler will ignore

data/lib/bundler/remote_specification.rb

@@ -12,7 +12,7 @@ module Bundler
 
     attr_reader :name, :version, :platform
     attr_writer :dependencies
-    attr_accessor :source, :remote, :locked_platform
+    attr_accessor :source, :remote, :locked_platform, :created_at
 
     def initialize(name, version, platform, spec_fetcher)
       @name         = name

data/lib/bundler/resolver.rb

@@ -184,6 +184,9 @@ module Bundler
 
         platforms_explanation = specs_matching_other_platforms.any? ? " for any resolution platforms (#{package.platforms.join(", ")})" : ""
         custom_explanation = "#{constraint} could not be found in #{repository_for(package)}#{platforms_explanation}"
+        if hint = cooldown_hint(specs_matching_other_platforms)
+          custom_explanation += " (#{hint})"
+        end
 
         label = "#{name} (#{constraint_string})"
         extended_explanation = other_specs_matching_message(specs_matching_other_platforms, label) if specs_matching_other_platforms.any?
@@ -353,6 +356,10 @@ module Bundler
         message << "\n#{other_specs_matching_message(specs, matching_part)}"
       end
 
+      if hint = cooldown_hint(specs_matching_requirement)
+        message << "\n\n#{hint}."
+      end
+
       if specs_matching_requirement.any? && (hint = platform_mismatch_hint)
         message << "\n\n#{hint}"
       end
@@ -396,7 +403,7 @@ module Bundler
     end
 
     def filter_specs(specs, package)
-      filter_remote_specs(filter_prereleases(specs, package), package)
+      filter_remote_specs(filter_cooldown(filter_prereleases(specs, package)), package)
     end
 
     def filter_prereleases(specs, package)
@@ -405,6 +412,40 @@ module Bundler
       specs.reject {|s| s.version.prerelease? }
     end
 
+    def filter_cooldown(specs)
+      return specs if specs.empty?
+      excluded_versions = cooldown_excluded_versions(specs)
+      return specs if excluded_versions.empty?
+      specs.reject {|s| excluded_versions.include?([s.name, s.version]) }
+    end
+
+    def cooldown_excluded_versions(specs)
+      excluded = {}
+      specs.each do |spec|
+        next unless cooldown_excluded?(spec)
+        excluded[[spec.name, spec.version]] = true
+      end
+      excluded
+    end
+
+    def cooldown_hint(specs)
+      excluded_versions = cooldown_excluded_versions(specs)
+      return nil if excluded_versions.empty?
+      "#{excluded_versions.size} version#{"s" if excluded_versions.size > 1} excluded by the cooldown setting; pass `--cooldown 0` to bypass"
+    end
+
+    def cooldown_excluded?(spec)
+      return false unless spec.respond_to?(:created_at) && spec.created_at
+      return false unless spec.respond_to?(:remote) && spec.remote
+      days = spec.remote.effective_cooldown
+      return false if days.nil? || days <= 0
+      (cooldown_now - spec.created_at) < (days * 86_400)
+    end
+
+    def cooldown_now
+      @cooldown_now ||= Time.now
+    end
+
     def filter_remote_specs(specs, package)
       if package.prefer_local?
         local_specs = specs.select {|s| s.is_a?(StubSpecification) }

data/lib/bundler/rubygems_ext.rb

@@ -465,6 +465,28 @@ module Gem
     Resolver::APISet::GemParser.prepend(UnfreezeCompactIndexParsedResponse)
   end
 
+  # RubyGems before 4.0.13 split compact index dependency/requirement entries
+  # on every colon, which mangles metadata values that contain colons such as
+  # the `created_at` timestamps the cooldown feature relies on. Split only on
+  # the first colon so those values survive on older RubyGems.
+  #
+  # The module is defined unconditionally so it stays testable on any RubyGems,
+  # but only prepended when the host RubyGems still has the buggy behavior.
+  module SplitCompactIndexEntryOnFirstColon
+    private
+
+    def parse_dependency(string)
+      dependency = string.split(":", 2)
+      dependency[-1] = dependency[-1].split("&") if dependency.size > 1
+      dependency[0] = -dependency[0]
+      dependency
+    end
+  end
+
+  unless Gem.rubygems_version >= Gem::Version.new("4.0.13")
+    Resolver::APISet::GemParser.prepend(SplitCompactIndexEntryOnFirstColon)
+  end
+
   if Gem.rubygems_version < Gem::Version.new("3.6.0")
     class Package; end
     require "rubygems/package/tar_reader"

data/lib/bundler/rubygems_gem_installer.rb

@@ -20,7 +20,7 @@ module Bundler
       strict_rm_rf spec.extension_dir
 
       SharedHelpers.filesystem_access(gem_dir, :create) do
-        FileUtils.mkdir_p gem_dir, mode: 0o755
+        FileUtils.mkdir_p gem_dir
       end
 
       SharedHelpers.filesystem_access(gem_dir, :write) do

data/lib/bundler/settings.rb

@@ -42,6 +42,7 @@ module Bundler
     ].freeze
 
     NUMBER_KEYS = %w[
+      cooldown
       jobs
       redirect
       retry

data/lib/bundler/source/git/git_proxy.rb

@@ -432,9 +432,14 @@ module Bundler
         end
 
         def capture3_args_for(cmd, dir)
-          return ["git", *cmd] unless dir
+          # Disable automatic maintenance so a background commit-graph write in
+          # the source repo can't race the hardlinking local clone and fail with
+          # "hardlink different from source".
+          opts = ["-c", "gc.auto=0", "-c", "maintenance.auto=false"]
 
-          ["git", "-C", dir.to_s, *cmd]
+          return ["git", *opts, *cmd] unless dir
+
+          ["git", "-C", dir.to_s, *opts, *cmd]
         end
 
         def extra_clone_args

data/lib/bundler/source/rubygems/remote.rb

@@ -4,9 +4,9 @@ module Bundler
   class Source
     class Rubygems
       class Remote
-        attr_reader :uri, :anonymized_uri, :original_uri
+        attr_reader :uri, :anonymized_uri, :original_uri, :cooldown
 
-        def initialize(uri)
+        def initialize(uri, cooldown: nil)
           orig_uri = uri
           uri = Bundler.settings.mirror_for(uri)
           @original_uri = orig_uri if orig_uri != uri
@@ -14,6 +14,16 @@ module Bundler
 
           @uri = apply_auth(uri, fallback_auth).freeze
           @anonymized_uri = remove_auth(@uri).freeze
+          @cooldown = cooldown
+        end
+
+        # Returns the cooldown days that apply to this remote, resolving the
+        # precedence CLI > config > Gemfile per-source. Returns nil if no
+        # cooldown applies.
+        def effective_cooldown
+          override = Bundler.settings[:cooldown]
+          return override if override
+          @cooldown
         end
 
         MAX_CACHE_SLUG_HOST_SIZE = 255 - 1 - 32 # 255 minus dot minus MD5 length

data/lib/bundler/source/rubygems.rb

@@ -16,6 +16,7 @@ module Bundler
       def initialize(options = {})
         @options = options
         @remotes = []
+        @remote_cooldowns = {}
         @dependency_names = []
         @allow_remote = false
         @allow_cached = false
@@ -25,7 +26,8 @@ module Bundler
         @gem_installers = {}
         @gem_installers_mutex = Mutex.new
 
-        Array(options["remotes"]).reverse_each {|r| add_remote(r) }
+        cooldown = options["cooldown"]
+        Array(options["remotes"]).reverse_each {|r| add_remote(r, cooldown: cooldown) }
 
         @lockfile_remotes = @remotes if options["from_lockfile"]
       end
@@ -148,6 +150,13 @@ module Bundler
           # sources, and large_idx.merge! small_idx is way faster than
           # small_idx.merge! large_idx.
           index = @allow_remote ? remote_specs.dup : Index.new
+
+          # Snapshot per-version `created_at` from the remote info before installed
+          # / cached specs overwrite the EndpointSpecification objects that carry
+          # it. The cooldown filter consults `created_at` on every candidate, so
+          # local stubs need the published date back-filled to participate.
+          remote_created_at = collect_remote_created_at(index)
+
           index.merge!(cached_specs) if @allow_cached
           index.merge!(installed_specs) if @allow_local
 
@@ -161,6 +170,8 @@ module Bundler
             end
           end
 
+          backfill_created_at(index, remote_created_at) unless remote_created_at.empty?
+
           index
         end
       end
@@ -243,9 +254,14 @@ module Bundler
         cached_path
       end
 
-      def add_remote(source)
+      def add_remote(source, cooldown: nil)
         uri = normalize_uri(source)
         @remotes.unshift(uri) unless @remotes.include?(uri)
+        @remote_cooldowns[uri] = cooldown if cooldown
+      end
+
+      def cooldown_for(uri)
+        @remote_cooldowns[uri]
       end
 
       def spec_names
@@ -266,7 +282,7 @@ module Bundler
 
       def remote_fetchers
         @remote_fetchers ||= remotes.to_h do |uri|
-          remote = Source::Rubygems::Remote.new(uri)
+          remote = Source::Rubygems::Remote.new(uri, cooldown: cooldown_for(uri))
           [remote, Bundler::Fetcher.new(remote)]
         end.freeze
       end
@@ -314,6 +330,13 @@ module Bundler
         @allow_remote && api_fetchers.any?
       end
 
+      def clear_cache
+        @specs = nil
+        @installed_specs = nil
+        @default_specs = nil
+        @cached_specs = nil
+      end
+
       protected
 
       def remote_names
@@ -456,6 +479,31 @@ module Bundler
 
       private
 
+      def collect_remote_created_at(index)
+        return {} unless @allow_remote
+
+        snapshot = {}
+        index.each do |spec|
+          next unless spec.respond_to?(:created_at) && spec.created_at
+          # Remember the remote that supplied the date too: when a source has
+          # several remotes with different per-URI cooldown settings we must
+          # restore the same one during backfill so `effective_cooldown` agrees.
+          snapshot[[spec.name, spec.version]] = [spec.created_at, spec.remote]
+        end
+        snapshot
+      end
+
+      def backfill_created_at(index, snapshot)
+        index.each do |spec|
+          next unless spec.respond_to?(:created_at=)
+          next if spec.created_at
+          remote_created_at, remote = snapshot[[spec.name, spec.version]]
+          next unless remote_created_at
+          spec.created_at = remote_created_at
+          spec.remote ||= remote if remote && spec.respond_to?(:remote=)
+        end
+      end
+
       def lockfile_remotes
         @lockfile_remotes || credless_remotes
       end

data/lib/bundler/source_list.rb

@@ -59,8 +59,8 @@ module Bundler
       add_source_to_list Plugin.source(source).new(options), @plugin_sources
     end
 
-    def add_global_rubygems_remote(uri)
-      global_rubygems_source.add_remote(uri)
+    def add_global_rubygems_remote(uri, cooldown: nil)
+      global_rubygems_source.add_remote(uri, cooldown: cooldown)
       global_rubygems_source
     end
 
@@ -136,6 +136,10 @@ module Bundler
       all_sources.each(&:remote!)
     end
 
+    def clear_cache
+      rubygems_sources.each(&:clear_cache)
+    end
+
     private
 
     def map_sources(replacement_sources)

data/lib/bundler/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 
 module Bundler
-  VERSION = "4.0.12".freeze
+  VERSION = "4.0.13".freeze
 
   def self.bundler_major_version
     @bundler_major_version ||= gem_version.segments.first

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bundler
 version: !ruby/object:Gem::Version
-  version: 4.0.12
+  version: 4.0.13
 platform: ruby
 authors:
 - André Arko