[rubygems/rubygems] Deprecate Gemfile without an explicit global source

Raise a warning when parsing a Gemfile and it doesn't have a global source. Gemfiles like this, specially now that rubygems sources are are no longer merged into a single source for security, are very confusing because they generate a different lockfile depending on the gems you have locally installed. This is because bundler always use an implicit global source that defaults to locally installed gems.

https://github.com/rubygems/rubygems/commit/b7523ad21c

1 files changed, 7 insertions, 0 deletions

diff --git a/lib/bundler/dsl.rb b/lib/bundler/dsl.rb
index ac955894a7..4e38df1ce9 100644
--- a/lib/bundler/dsl.rb
+++ b/lib/bundler/dsl.rb
@@ -447,6 +447,13 @@ repo_name ||= user_name
     end
 
     def check_rubygems_source_safety
+      if @sources.implicit_global_source?
+        Bundler::SharedHelpers.major_deprecation 2, "This Gemfile does not include an explicit global source. " \
+          "Not using an explicit global source may result in a different lockfile being generated depending on " \
+          "the gems you have installed locally before bundler is run." \
+          "Instead, define a global source in your Gemfile like this: source \"https://rubygems.org\"."
+      end
+
       return unless @sources.aggregate_global_source?
 
       if Bundler.feature_flag.bundler_3_mode?