https://github.com/ruby/rubygems/commit/bb4d791cb4

This allows you to specify the lockfile to use. This is useful if
you want to use different lockfiles for different ruby versions or
platforms. You can also skip writing the lockfile by using a false
value.

https://github.com/ruby/rubygems/commit/2896aa3fc2

Co-authored-by: Colby Swandale <996377+colby-swandale@users.noreply.github.com>

- ### Problem

  When you have a Gemfile that contains git gems, each repository will
  be fetched one by one. This is extremelly slow.
  A simple Gemfile with 5 git gems (small repositories) can take up
  to 10 seconds just to fetch the repos.

  We can speed this up by running multiple git process and fetching
  repositories silmutaneously.

  ### Solution

  The repositories are fetched in Bundler when `Source::Git#specs` is
  called.
  The problem is that `source.specs` is called in various places
  depending on Gemfile.

  I think the issue is that calling `source.specs` feels like that
  as a "side effect" we are going to clone repositories. I believe
  that fetching repositories should be an explicit call.

  For instance:

  ```ruby
  source "https://rubygems.org"

  gem "foo", github: "foo/foo"

  # The repository foo will be fetched as a side effect to the call to `source.spec_names`
  # https://github.com/ruby/rubygems/blob/6cc7d71dac3d0275c9727cf200c7acfbf6c78d37/bundler/lib/bundler/source_map.rb#L21
  ```

  ```ruby
  source "https://rubygems.org"

  gem "bar", source: "https://example.org"
  gem "foo", github: "foo/foo"

  # The repository foo will be fetched on a different codepath
  # https://github.com/ruby/rubygems/blob/6cc7d71dac3d0275c9727cf200c7acfbf6c78d37/bundler/lib/bundler/source/rubygems_aggregate.rb#L35

  # That is because the gem "bar" has a source that doesn't have the `/dependencies` API
  # endpoint and therefore Bundler enters a different branch condition.
  ```

  I opted to add a self explanatory call to fetch the git source
  repositories just before we start the resolution, and *just*
  before any other calls to `source.specs` is performed.

https://github.com/ruby/rubygems/commit/f0ef526f23

- ### Problem

  Running `bundle lock --add-checksums` doesn't add the checksum of
  gems hosted on server that don't implement the compact index API.

  This result in a lockfile which is unusable in production as
  some checksums will be missing and Bundler raising an error.
  Users can work around this problem by running:

  `BUNDLE_LOCKFILE_CHECKSUMS=true bundle install --force`

  But this means redownloading and installing all gems which isn't
  great and slow on large apps.

  ### Context

  Bundler uses the Compact Index API to get the checksum of gems,
  but most private gem servers don't implement the compact index API
  (such as cloudsmith or packagecloud). This results in a soft failure
  on bundler side, and bundler leaving out blank checksum for those
  gems.

  ### Solution

  For gems that are hosted on private servers that don't send back
  the checksum of the gem, I'd like to fallback to the
  `bundle install` mechanism, which don't rely on an external API but
  instead compute the checksum of the package installed on disk.

  This patch goes through the spec that didn't return a checksum,
  and compute one if the package exists on disk.
  This solution makes the  `bundle lock --add-checksums` command
  actually usable in real world scenarios while keeping the
  `bundle lock` command fast enough.

https://github.com/rubygems/rubygems/commit/8e9abb5472