[rubygems/rubygems] Deprecate Gemfile without an explicit global source

Raise a warning when parsing a Gemfile and it doesn't have a global source. Gemfiles like this, specially now that rubygems sources are are no longer merged into a single source for security, are very confusing because they generate a different lockfile depending on the gems you have locally installed. This is because bundler always use an implicit global source that defaults to locally installed gems.

https://github.com/rubygems/rubygems/commit/b7523ad21c

1 files changed, 17 insertions, 0 deletions

diff --git a/spec/bundler/bundler/dsl_spec.rb b/spec/bundler/bundler/dsl_spec.rb
index a47dd6e399..cfc4a7855d 100644
--- a/spec/bundler/bundler/dsl_spec.rb
+++ b/spec/bundler/bundler/dsl_spec.rb
@@ -241,4 +241,21 @@ RSpec.describe Bundler::Dsl do
       end
     end
   end
+
+  describe "#check_primary_source_safety" do
+    context "when a global source is not defined implicitly" do
+      it "will raise a major deprecation warning" do
+        not_a_global_source = double("not-a-global-source", no_remotes?: true, multiple_remotes?: false)
+        allow(Bundler::Source::Rubygems).to receive(:new).and_return(not_a_global_source)
+
+        warning = "This Gemfile does not include an explicit global source. " \
+          "Not using an explicit global source may result in a different lockfile being generated depending on " \
+          "the gems you have installed locally before bundler is run." \
+          "Instead, define a global source in your Gemfile like this: source \"https://rubygems.org\"."
+        expect(Bundler::SharedHelpers).to receive(:major_deprecation).with(2, warning)
+
+        subject.check_primary_source_safety
+      end
+    end
+  end
 end