This repository was archived by the owner on Apr 8, 2026. It is now read-only.

Add optional created_at field to GemVersion #183

Merged
eileencodes merged 3 commits into rubygems:master from marcbest:feature/created-at-in-info
Apr 7, 2026

@marcbest
Contributor

@marcbest marcbest commented Apr 1, 2026

Problem

Supply chain attacks targeting package registries are a growing concern. Other package managers have already shipped minimum age features — npm, pnpm, and yarn all allow users to reject recently published versions during resolution.

Bundler currently has no equivalent. Adding one requires knowing when each gem version was published, but the compact index has no publication timestamp. Without it, clients must make a separate V1 API call per gem (/api/v1/versions/<gem>.json) — adding seconds of latency and hitting the RubyGems.org rate limit (10 req/s) on projects with 50+ gems.

Solution

Add an optional created_at field to GemVersion. When populated, it is appended to the requirements section of the /info line:

1.0.0 rack:>= 1.0|checksum:abc123,ruby:>= 2.7.0,created_at:2024-05-01T12:00:00Z

When nil, the field is omitted entirely:

  • Full backwards compatibility — old clients ignore unknown requirement fields, old servers simply don't populate it
  • No flag or query parameter needed — the server decides whether to include it
  • Zero extra API calls — clients read created_at from data already fetched during resolution

Changes

  • GemVersion struct: added created_at as 8th field (default nil)
  • GemVersion#to_line: appends created_at:<timestamp> when present
  • build_version test helper: accepts optional :created_at kwarg
  • 3 new specs: timestamp present, timestamp with other requirements, omitted when nil

Downstream

Add a created_at field to the GemVersion struct so that the /info
endpoint can include the publication timestamp for each gem version.

When present, created_at is appended to the requirements section of
the info line. When nil, the field is omitted for backwards
compatibility.
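
As an added example (not code from this PR, Bundler or compact_index): a client-side minimum-age check driven by the created_at field of the /info line described above. The helper names, the sample body and the default of rejecting versions that carry no usable timestamp are assumptions.

```ruby
require "time"

# Hypothetical helper (not Bundler's or compact_index's code): split one
# compact index /info line into version, dependencies and requirement fields.
def parse_info_line(line)
  version, rest = line.strip.split(" ", 2)
  deps, reqs = rest.to_s.split("|", 2)
  # Split each field on the FIRST colon only: the timestamp value contains colons.
  fields = reqs.to_s.split(",").to_h { |f| k, v = f.split(":", 2); [k, v] }
  created_at =
    begin
      fields["created_at"] && Time.iso8601(fields["created_at"])
    rescue ArgumentError
      nil # a malformed timestamp is treated the same as an absent one
    end
  { version: version, deps: deps.to_s.split(","),
    checksum: fields["checksum"], created_at: created_at }
end

# Return the versions allowed under a minimum-age policy. Lines without a
# usable created_at (old server, nil field) are rejected unless allow_unknown
# is true. A timestamp in the future is newer than the cutoff, so it is rejected.
def versions_meeting_min_age(info_body, min_age_days:, now: Time.now.utc, allow_unknown: false)
  cutoff = now - min_age_days * 86_400
  info_body.each_line.map(&:strip)
           .reject { |l| l.empty? || l == "---" }
           .map { |l| parse_info_line(l) }
           .select { |v| v[:created_at] ? v[:created_at] <= cutoff : allow_unknown }
           .map { |v| v[:version] }
end

# Constructed sample /info body (placeholder checksums, not real gem data).
SAMPLE_INFO = <<~INFO
  ---
  1.0.0 rack:>= 1.0|checksum:abc123,ruby:>= 2.7.0,created_at:2024-05-01T12:00:00Z
  1.1.0 rack:>= 1.0&< 4|checksum:def456,ruby:>= 2.7.0,created_at:2024-05-09T08:30:00Z
  1.2.0 |checksum:0a1b2c
  1.3.0 |checksum:3d4e5f,created_at:not-a-date
INFO

p versions_meeting_min_age(SAMPLE_INFO, min_age_days: 7, now: Time.utc(2024, 5, 10, 12))
```

The timestamp is whatever the index server reports, so a check like this only delays adoption of new releases; it does not authenticate the publication date.
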
@eileencodes
Member

Hi @marcbest, looks like you accidentally closed this? I'll reopen so we can discuss adding this.

@eileencodes eileencodes reopened this Apr 7, 2026
We need this line for CI.
@eileencodes eileencodes merged commit 9e15296 into rubygems:master Apr 7, 2026
18 checks passed
@marcbest
Contributor Author

marcbest commented Apr 7, 2026

> Hi @marcbest looks like you accidentally closed this? I'll reopen because so we can discuss adding this.

Thanks @eileencodes 🙇

I had closed it as I thought I was being a bit hasty after noticing there was already some discussion here: ruby/rubygems#9113

Thanks for picking it up!

@hsbt
Member

hsbt commented Apr 8, 2026

👍
