
Preserve per-source cooldown when converging sources from the lockfile #9601

Merged: hsbt merged 1 commit into ruby:master from bryanwoods:gemfile-cooldown-lockfile-converge on Jun 8, 2026

@bryanwoods

Contributor

What was the end-user or developer problem that led to this PR?

While rolling out cooldown on our apps I noticed that a per-source cooldown declared in the Gemfile (`source "https://rubygems.org", cooldown: 7`) stops having any effect once a Gemfile.lock exists. `bundle update`, and `bundle install` after adding a new gem to the Gemfile, both resolve to versions inside the cooldown window as if no cooldown was configured. The same value set through `bundle config set cooldown 7` or `--cooldown 7` is honored in those scenarios.

Repro:

```
$ printf 'source "https://rubygems.org"\ngem "rack", "3.2.0"\n' > Gemfile
$ bundle lock
$ printf 'source "https://rubygems.org", cooldown: 10000\ngem "rack"\n' > Gemfile
$ bundle lock --update rack
# silently updates to the newest rack, despite a window that excludes
# every version ever published. With `bundle config set cooldown 10000`
# instead, resolution correctly reports all versions excluded.
```

The cause is in `SourceList#replace_rubygems_source`. When the Gemfile sources are converged with the lockfile sources, the locked source object replaces the Gemfile one and only `remotes` is copied across. The `@remote_cooldowns` hash stays behind on the discarded Gemfile source, so `cooldown_for` returns nil for every remote and the fetchers are built without a cooldown.

What is your fix for the problem, implemented in this PR?

Carry the cooldowns over together with the remotes they apply to when a rubygems source is replaced by its locked equivalent.

Added two specs that fail on master: bundle update with a lockfile present, and resolving a gem added to the Gemfile after the lockfile was written.
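The failure mode described above, reduced to a stand-alone model (an added example, not code from this PR or from Bundler): a cooldown that is dropped during convergence fails open, so freshly published versions become eligible again. `ToySource`, both `converge_*` helpers, `eligible_versions`, the release dates and the reading of the cooldown value as days are assumptions made for illustration.

```ruby
# Added illustration: a simplified stand-in, not Bundler's source code.
require "date"

# Toy rubygems source: remotes plus a per-remote cooldown table.
class ToySource
  attr_accessor :remotes, :remote_cooldowns

  def initialize(remotes = [], remote_cooldowns = {})
    @remotes = remotes
    @remote_cooldowns = remote_cooldowns
  end

  # nil means no cooldown is configured for this remote.
  def cooldown_for(remote)
    @remote_cooldowns[remote]
  end
end

# Behaviour the PR describes: the locked source wins and only remotes are copied.
def converge_remotes_only(locked, gemfile)
  locked.remotes = gemfile.remotes.dup
  locked
end

# Behaviour after the fix: cooldowns travel with the remotes they apply to.
def converge_with_cooldowns(locked, gemfile)
  locked.remotes = gemfile.remotes.dup
  locked.remote_cooldowns = gemfile.remote_cooldowns.slice(*gemfile.remotes)
  locked
end

# Versions old enough to pass the cooldown (days, assumed); nil disables the filter.
def eligible_versions(source, remote, releases, today)
  days = source.cooldown_for(remote)
  releases.select { |_v, published| days.nil? || (today - published).to_i >= days }.keys
end

REMOTE = "https://rubygems.org"
TODAY = Date.new(2026, 6, 8)
# Constructed release dates, not real registry data.
RELEASES = { "1.0.0" => Date.new(2026, 1, 10), "1.1.0" => Date.new(2026, 6, 5) }

buggy = converge_remotes_only(ToySource.new([REMOTE]), ToySource.new([REMOTE], { REMOTE => 7 }))
fixed = converge_with_cooldowns(ToySource.new([REMOTE]), ToySource.new([REMOTE], { REMOTE => 7 }))
puts "remotes only:   #{eligible_versions(buggy, REMOTE, RELEASES, TODAY).inspect}"
puts "with cooldowns: #{eligible_versions(fixed, REMOTE, RELEASES, TODAY).inspect}"
```

A regression check for this class of bug asserts on the resolved version set with a lockfile present, since the dropped cooldown produces no error or warning.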


@hsbt

hsbt commented Jun 8, 2026

Member

Thanks for the clear repro. I confirmed your issue locally.

The new specs fail on master and pass with the fix. Your diagnosis is correct.

@hsbt hsbt merged commit c3ba220 into ruby:master Jun 8, 2026
107 checks passed
@hsbt

hsbt commented Jun 8, 2026

Member

I will release 4.0.14 with this in it this week.
