Can you in your own gem depend on gems from another server? Or does it need to be configured on the client?

If not, and the current defacto standard gem server doesn't accept v1 anymore, we're good I suppose?

Most gems in Ruby/Rails projects come from rubygems, so if they were published long ago, any exploits should have already been found hopefully. Any old gems that would attempt to release a new compromised version would now get a created_at timestamp and the cooldown applies.

Unless you can compromise the gem server to overwrite created_at fields, I don't see any exploits here.

Private gem servers are either already trusted (if they're your own) or already under some scrutiny and extra care already being taken (ideally), but this last case applies to very few projects I'm sure.

Yea, all the new advice around using dependency cooldowns only works if _someone_ is installing these things before you and finding the vulnerabilities.

It seems like the advice right now is to become a freerider while there are still people installing closer to release that will do free work for you finding out there's something nasty in the release.

Once everyone is waiting 2 weeks to install an update, then the value of everyone waiting goes down dramatically.

The point is to allow the automated scanners a chance to run.

Every security company and their cousin wants to be the one to find the next big dependency malware.