RubyGems 4.0.13 and Bundler 4.0.13 Released with New Supply-Chain Security Protections

June 3, 2026

The RubyGems team has released RubyGems 4.0.13 and Bundler 4.0.13, bringing a combination of security improvements, bug fixes, and quality-of-life enhancements for Ruby developers.

While this is a relatively small release, it includes a notable new security feature designed to help protect developers from supply-chain attacks.

Cooldown Protection for Newly Published Gems

The headline feature of Bundler 4.0.13 is the introduction of a cooldown mechanism for newly published gems.

The new feature delays the installation of freshly published gem versions: a version that was pushed only hours or days ago is held back until it has aged past a configurable window, and the resolver picks the newest version that is old enough instead. This adds a layer of defense against malicious package releases and compromised maintainer accounts, because a malicious version is typically noticed, reported and yanked within a short time of publication, and a project that waits before adopting it never installs it at all. Similar protections have been discussed and implemented in other package ecosystems as software supply-chain attacks continue to grow in frequency and sophistication.

For teams that prioritize stability and security, this feature offers a practical safeguard against installing a malicious version in the hours immediately after publication. The trade-off is that genuine fixes, including security patches, are delayed by the same window, so the cooldown length should be chosen with that in mind, and a version pinned explicitly for an urgent fix still needs a way past the gate.
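To make the mechanism concrete, the following is an added illustration of how an age-based cooldown gates version selection. It is a model of the idea, not Bundler's own code: the Release struct, the function name, the sample index and the rule that a version already installed locally stays eligible regardless of its age are all assumptions made for the example.

```ruby
require "rubygems"
require "time"

# Added illustration of a release cooldown; not Bundler's implementation.
# Release, SAMPLE_RELEASES and resolve_with_cooldown are invented for the example.
Release = Struct.new(:version, :published_at)

SECONDS_PER_DAY = 86_400

# Resolve the newest version of a gem subject to a cooldown: any version
# published less than `cooldown_days` before `now` is held back. Versions listed
# in `installed` stay eligible regardless of age (assumption: a version that is
# already on disk was accepted earlier, so re-resolving to it must not fail).
# Returns the chosen version string (nil if nothing qualifies) and the versions
# that were held back so the caller can report them.
def resolve_with_cooldown(candidates, cooldown_days:, now:, installed: [])
  cutoff = now - cooldown_days * SECONDS_PER_DAY
  eligible, held = candidates.partition do |r|
    installed.include?(r.version) || r.published_at <= cutoff
  end
  # Gem::Version compares "1.10.0" > "1.9.0" correctly, unlike string comparison.
  chosen = eligible.max_by { |r| Gem::Version.new(r.version) }
  {
    chosen: chosen && chosen.version,
    held_back: held.map(&:version),
  }
end

# Constructed sample index for one gem (not real release data).
SAMPLE_RELEASES = [
  Release.new("1.2.0", Time.utc(2026, 5, 1)),
  Release.new("1.2.1", Time.utc(2026, 5, 20)),
  Release.new("1.3.0", Time.utc(2026, 6, 2, 23, 0, 0)),  # published "yesterday"
].freeze

if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2026, 6, 3, 12, 0, 0)
  p resolve_with_cooldown(SAMPLE_RELEASES, cooldown_days: 7, now: now)
  p resolve_with_cooldown(SAMPLE_RELEASES, cooldown_days: 7, now: now, installed: ["1.3.0"])
end
```

With a seven-day window the resolver settles on 1.2.1 and reports 1.3.0 as held back; with a window of zero it behaves like an ordinary resolver and picks 1.3.0. Note that the whole scheme depends on the index supplying trustworthy publication timestamps, which is also what makes the release dates now shown by bundle outdated useful for reviewing what a cooldown is holding.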

Security Improvements in RubyGems

RubyGems 4.0.13 also addresses a security-related issue involving archive extraction.

The update prevents package extraction from escaping the intended destination directory through pre-existing symbolic links. The underlying problem is that if the destination directory already contains a symbolic link, say one left behind by an earlier install or planted by someone with write access to the directory, then an archive entry whose path passes through that link is written wherever the link points rather than under the destination. The mitigation refuses to extract through such links and so reduces the risk of unexpected file writes during gem installation and extraction.
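The following is an added illustration of this class of bug and of the kind of check that closes it. It is not RubyGems' own code and does not claim to mirror the actual fix: the function names, the UnsafeExtraction error and the directory layout are invented for the example, and the entries are a constructed in-memory archive rather than a real .gem file.

```ruby
require "fileutils"
require "tmpdir"

# Added illustration of the symlink-escape check; not RubyGems' implementation.
# UnsafeExtraction, naive_extract, safe_destination, safe_extract and demo are
# names invented for this example.
class UnsafeExtraction < StandardError; end

# The naive approach the fix guards against: join the entry name onto the
# destination and write, following whatever symlinks already exist on the path.
def naive_extract(dest_dir, entries)
  entries.each do |name, content|
    target = File.join(dest_dir, name)
    FileUtils.mkdir_p(File.dirname(target))
    File.write(target, content)
  end
end

# Hardened variant: validate the entry name, then refuse to write through any
# path component (including the final file) that already exists as a symlink,
# and confirm the deepest existing ancestor still resolves inside the root.
def safe_destination(dest_dir, entry_name)
  root = File.realpath(dest_dir)
  parts = entry_name.split("/")
  if entry_name.start_with?("/") || parts.empty? || parts.any? { |p| p.empty? || p == ".." }
    raise UnsafeExtraction, "suspicious entry name: #{entry_name.inspect}"
  end

  current = root
  parts.each do |part|
    current = File.join(current, part)
    raise UnsafeExtraction, "refusing to write through symlink: #{current}" if File.symlink?(current)
  end

  existing = File.dirname(current)
  existing = File.dirname(existing) until File.exist?(existing)
  resolved = File.realpath(existing)
  unless resolved == root || resolved.start_with?(root + File::SEPARATOR)
    raise UnsafeExtraction, "entry escapes #{root}: #{entry_name}"
  end
  current
end

def safe_extract(dest_dir, entries)
  entries.map do |name, content|
    target = safe_destination(dest_dir, name)
    FileUtils.mkdir_p(File.dirname(target))
    File.write(target, content)
    target
  end
end

# Constructed scenario: the destination already holds a symlink "lib" pointing
# outside the extraction root. Runs both extractors on the same entries and
# reports what each did.
def demo
  Dir.mktmpdir do |tmp|
    outside = File.join(tmp, "outside")
    FileUtils.mkdir_p(outside)
    make_dest = lambda do |name|
      dest = File.join(tmp, name)
      FileUtils.mkdir_p(dest)
      File.symlink(outside, File.join(dest, "lib"))
      dest
    end
    entries = { "README.md" => "docs", "lib/evil.rb" => "system('id')" }

    naive_extract(make_dest.call("naive"), entries)
    naive_escaped = File.exist?(File.join(outside, "evil.rb"))

    hardened = begin
      safe_extract(make_dest.call("hardened"), entries)
      :escaped
    rescue UnsafeExtraction
      :blocked
    end

    { naive_escaped: naive_escaped, hardened: hardened, outside_files: Dir.children(outside).sort }
  end
end
```

Run against the constructed scenario, the naive extractor lands evil.rb in the outside directory while the hardened one stops at the lib symlink. Two caveats a practitioner should keep in mind: the check-then-write sequence is still a race if something else can create the symlink between the check and the write, so the directory being extracted into should not be writable by untrusted users, and symlink semantics differ on Windows, which is why the separate Windows symlink handling fix in this release matters for the same code path.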

Additional Enhancements

Several other improvements are included in this release:

  • Better handling of symbolic links on Windows systems.
  • Immediate closure of standard input when using popen2e.
  • Bundler 4.0.13 is now installed as a default gem with RubyGems 4.0.13.
  • bundle outdated now displays release dates, making dependency reviews easier.
  • Gem specification caches are properly cleared after acquiring process locks.
  • Improved handling of cooldown logic for locally installed gem versions.

Updating RubyGems and Bundler

Developers can upgrade to the latest versions using:

gem update --system
gem install bundler
bundle update --bundler=4.0.13

Why This Release Matters

Although RubyGems 4.0.13 and Bundler 4.0.13 do not introduce major new developer-facing features, they continue a broader industry trend toward stronger package ecosystem security.

The addition of cooldown protection is particularly noteworthy. As open-source software increasingly becomes critical infrastructure, mechanisms that reduce the risk of supply-chain compromise are becoming just as important as new features and performance improvements.

For Ruby developers and organizations that rely on RubyGems in production environments, upgrading to 4.0.13 provides both security benefits and several welcome quality-of-life improvements.
