Parse compact index created_at strictly as ISO8601

Time.new accepts a bare year like "2026" and returns a local-time
value instead of raising, so a malformed created_at was silently
turned into a wrong timestamp. Use Time.iso8601 so anything that is
not a real ISO8601 string falls back to nil.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: hsbt

lib/rubygems/resolver/api_specification.rb

@@ -116,8 +116,9 @@ def parse_created_at(value)
     value = value.first if value.is_a?(Array)
     return unless value.is_a?(String)
 
+    require "time"
     begin
-      Time.new(value)
+      Time.iso8601(value)
     rescue ArgumentError
       nil
     end

test/rubygems/test_gem_resolver_api_specification.rb

@@ -42,7 +42,7 @@ def test_initialize_created_at
 
     spec = Gem::Resolver::APISpecification.new set, data
 
-    assert_equal Time.new("2026-06-05T10:30:45Z"), spec.created_at
+    assert_equal Time.utc(2026, 6, 5, 10, 30, 45), spec.created_at
   end
 
   def test_initialize_created_at_invalid
@@ -60,6 +60,21 @@ def test_initialize_created_at_invalid
     assert_nil spec.created_at
   end
 
+  def test_initialize_created_at_non_iso8601
+    set = Gem::Resolver::APISet.new
+    data = {
+      name: "rails",
+      number: "3.0.3",
+      platform: "ruby",
+      dependencies: [],
+      requirements: { created_at: ["2026"] },
+    }
+
+    spec = Gem::Resolver::APISpecification.new set, data
+
+    assert_nil spec.created_at
+  end
+
   def test_fetch_development_dependencies
     specs = spec_fetcher do |fetcher|
       fetcher.spec "rails", "3.0.3" do |s|