
Feature: min_age option for Bundler (supply chain security) #9451

@marcbest

Description

Problem

Supply chain attacks targeting package registries are a growing concern. Other package managers have already shipped minimum age features:

Bundler has no equivalent. There is currently no way to prevent recently published gem versions from being resolved and installed.

Proposal

Add a min_age config option to Bundler that filters out gem versions published fewer than N days ago during resolution.

bundle config set min_age 3
bundle config set min_age_exclude "rails,nokogiri,my-company-*"
bundle install

Behaviour

  • Versions published fewer than min_age days ago are excluded from resolution candidates
  • min_age_exclude accepts comma-separated gem names with wildcard support
  • Fails open — if the API is unreachable or returns unexpected data, the gem is allowed (never blocks installs due to network issues)
  • Respects --frozen and --local modes (no network calls)
  • Only checks rubygems.org-sourced gems (skips git/path sources)

Configuration

  • bundle config set min_age N / BUNDLE_MIN_AGE=N
  • bundle config set min_age_exclude "pattern,..." / BUNDLE_MIN_AGE_EXCLUDE="pattern,..."
  • CLI flags: --min-age N and --min-age-exclude "..." on install, update, and lock

Compact index consideration

Ideally, created_at would be included in the compact index /info endpoint so no extra API calls are needed
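The following is an added example, not Bundler's code and not part of the issue author's proposal. It models the resolution-time filter the issue describes: candidates from rubygems.org published fewer than `min_age` days ago are dropped, names matching a `min_age_exclude` glob are kept, git/path sources are never checked, and a missing or unparseable `created_at` fails open. The `MinAgeFilter` class, the candidate hash shape (`:name`, `:version`, `:source`, `:created_at`) and the sample data are all constructed for illustration; a real implementation would hang off Bundler's resolver and its index, which this does not touch.

```ruby
require "time"

# Hypothetical filter modelling the proposed min_age behaviour (not Bundler's code).
class MinAgeFilter
  SECONDS_PER_DAY = 86_400.0

  attr_reader :min_age_days, :exclude_patterns, :now

  # min_age: integer days (as from `bundle config set min_age N`).
  # exclude: comma-separated names, wildcards allowed (as from min_age_exclude).
  # now: injected clock so results are reproducible.
  def self.from_config(min_age, exclude, now: Time.now)
    patterns = exclude.to_s.split(",").map(&:strip).reject(&:empty?)
    new(Integer(min_age), patterns, now)
  end

  def initialize(min_age_days, exclude_patterns, now)
    @min_age_days = min_age_days
    @exclude_patterns = exclude_patterns
    @now = now
  end

  # Shell-style glob matching, so "my-company-*" covers every internal gem.
  def excluded?(name)
    exclude_patterns.any? { |pattern| File.fnmatch(pattern, name) }
  end

  # candidate: { name:, version:, source: (:rubygems | :git | :path),
  #              created_at: Time | ISO-8601 String | nil }
  # Returns [allowed?, reason] so callers can log why a version was kept or dropped.
  def allow?(candidate)
    return [true, :not_rubygems] unless candidate[:source] == :rubygems
    return [true, :excluded] if excluded?(candidate[:name])

    published = parse_time(candidate[:created_at])
    return [true, :unknown_date] if published.nil? # fail open: never block on bad API data

    age_days = (now - published) / SECONDS_PER_DAY
    age_days >= min_age_days ? [true, :old_enough] : [false, :too_new]
  end

  def filter(candidates)
    candidates.select { |candidate| allow?(candidate).first }
  end

  private

  # nil or unparseable timestamps map to nil, which allow? treats as "allow".
  def parse_time(value)
    case value
    when Time then value
    when String then Time.iso8601(value)
    end
  rescue ArgumentError
    nil
  end
end

# Constructed sample data: a fixed clock and a mix of candidates exercising each rule.
NOW = Time.utc(2026, 3, 10, 12, 0, 0)
SAMPLE_CANDIDATES = [
  { name: "rack", version: "3.1.0", source: :rubygems, created_at: "2026-03-09T10:00:00Z" },   # ~1 day old
  { name: "rack", version: "3.0.9", source: :rubygems, created_at: "2025-11-01T00:00:00Z" },   # months old
  { name: "rack", version: "3.0.8", source: :rubygems, created_at: "2026-03-07T12:00:00Z" },   # exactly 3 days
  { name: "rails", version: "8.0.1", source: :rubygems, created_at: "2026-03-10T01:00:00Z" },  # excluded by name
  { name: "my-company-auth", version: "1.2.3", source: :rubygems, created_at: NOW },            # excluded by glob
  { name: "mystery", version: "0.1.0", source: :rubygems, created_at: nil },                    # API gave nothing
  { name: "garbled", version: "0.0.1", source: :rubygems, created_at: "not a date" },           # unexpected data
  { name: "internal-tool", version: "2.0.0", source: :git, created_at: "2026-03-10T11:00:00Z" } # git source skipped
].freeze

# Runs the sample through a 3-day filter with the issue's example exclude list.
def allowed_versions(candidates = SAMPLE_CANDIDATES, min_age: 3, exclude: "rails,nokogiri,my-company-*")
  MinAgeFilter.from_config(min_age, exclude, now: NOW)
              .filter(candidates)
              .map { |c| "#{c[:name]} #{c[:version]}" }
end

if $PROGRAM_NAME == __FILE__
  puts allowed_versions
end
```

Note that the boundary follows the issue's wording ("fewer than min_age days ago are excluded"): a version exactly `min_age` days old is allowed. The fail-open cases (`nil` and unparseable `created_at`) are the ones to watch in a real implementation, since a registry that can be induced to omit or corrupt `created_at` would bypass the check entirely; logging the `:unknown_date` reason makes that visible.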
