dependabot-python 0.301.1 → 0.303.0

data/lib/dependabot/python/file_updater/poetry_file_updater.rb

@@ -1,6 +1,7 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
 require "toml-rb"
 require "open3"
 require "dependabot/dependency"
@@ -18,59 +19,86 @@ module Dependabot
     class FileUpdater
       class PoetryFileUpdater
         require_relative "pyproject_preparer"
+        extend T::Sig
 
-        attr_reader :dependencies
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
+
+        sig { returns(T::Array[Dependabot::Credential]) }
         attr_reader :credentials
 
+        sig { returns(T::Array[Dependabot::Dependency]) }
+        attr_reader :dependencies
+
+        sig do
+          params(
+            dependencies: T::Array[Dependabot::Dependency],
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential]
+          ).void
+        end
         def initialize(dependencies:, dependency_files:, credentials:)
           @dependencies = dependencies
           @dependency_files = dependency_files
           @credentials = credentials
-        end
-
+          @updated_dependency_files = T.let(nil, T.nilable(T::Array[Dependabot::DependencyFile]))
+          @prepared_pyproject = T.let(nil, T.nilable(String))
+          @pyproject = T.let(nil, T.nilable(Dependabot::DependencyFile))
+          @lockfile = T.let(nil, T.nilable(Dependabot::DependencyFile))
+          @updated_lockfile_content = T.let(nil, T.nilable(String))
+          @language_version_manager = T.let(nil, T.nilable(LanguageVersionManager))
+          @python_requirement_parser = T.let(nil, T.nilable(FileParser::PythonRequirementParser))
+          @updated_pyproject_content = T.let(nil, T.nilable(String))
+          @python_helper_path = T.let(nil, T.nilable(String))
+          @poetry_lock = T.let(nil, T.nilable(Dependabot::DependencyFile))
+        end
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def updated_dependency_files
           @updated_dependency_files ||= fetch_updated_dependency_files
         end
 
         private
 
+        sig { returns(Dependabot::Dependency) }
         def dependency
           # For now, we'll only ever be updating a single dependency
-          dependencies.first
+          T.must(dependencies.first)
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def fetch_updated_dependency_files
           updated_files = []
 
-          if file_changed?(pyproject)
+          if file_changed?(T.must(pyproject))
             updated_files <<
               updated_file(
-                file: pyproject,
-                content: updated_pyproject_content
+                file: T.must(pyproject),
+                content: T.must(updated_pyproject_content)
               )
           end
 
-          raise "Expected lockfile to change!" if lockfile && lockfile.content == updated_lockfile_content
+          raise "Expected lockfile to change!" if lockfile && lockfile&.content == updated_lockfile_content
 
           if lockfile
             updated_files <<
-              updated_file(file: lockfile, content: updated_lockfile_content)
+              updated_file(file: T.must(lockfile), content: updated_lockfile_content)
           end
 
           updated_files
         end
 
+        sig { returns(T.nilable(String)) }
         def updated_pyproject_content
-          content = pyproject.content
-          return content unless requirement_changed?(pyproject, dependency)
+          content = T.must(pyproject).content
+          return content unless requirement_changed?(T.must(pyproject), dependency)
 
           updated_content = content.dup
 
-          dependency.requirements.zip(dependency.previous_requirements).each do |new_r, old_r|
-            next unless new_r[:file] == pyproject.name && old_r[:file] == pyproject.name
+          dependency.requirements.zip(T.must(dependency.previous_requirements)).each do |new_r, old_r|
+            next unless new_r[:file] == pyproject&.name && T.must(old_r)[:file] == pyproject&.name
 
-            updated_content = replace_dep(dependency, updated_content, new_r, old_r)
+            updated_content = replace_dep(dependency, T.must(updated_content), new_r, T.must(old_r))
           end
 
           raise DependencyFileContentNotChanged, "Content did not change!" if content == updated_content
@@ -78,6 +106,14 @@ module Dependabot
           updated_content
         end
 
+        sig do
+          params(
+            dep: Dependabot::Dependency,
+            content: String,
+            new_r: T::Hash[Symbol, T.untyped],
+            old_r: T::Hash[Symbol, T.untyped]
+          ).returns(String)
+        end
         def replace_dep(dep, content, new_r, old_r)
           new_req = new_r[:requirement]
           old_req = old_r[:requirement]
@@ -86,8 +122,8 @@ module Dependabot
           declaration_match = content.match(declaration_regex)
           if declaration_match
             declaration = declaration_match[:declaration]
-            new_declaration = declaration.sub(old_req, new_req)
-            content.sub(declaration, new_declaration)
+            new_declaration = T.must(declaration).sub(old_req, new_req)
+            content.sub(T.must(declaration), new_declaration)
           else
             content.gsub(table_declaration_regex(dep, new_r)) do |match|
               match.gsub(/(\s*version\s*=\s*["'])#{Regexp.escape(old_req)}/,
@@ -96,12 +132,13 @@ module Dependabot
           end
         end
 
+        sig { returns(String) }
         def updated_lockfile_content
           @updated_lockfile_content ||=
             begin
               new_lockfile = updated_lockfile_content_for(prepared_pyproject)
 
-              original_locked_python = TomlRB.parse(lockfile.content)["metadata"]["python-versions"]
+              original_locked_python = TomlRB.parse(T.must(lockfile).content)["metadata"]["python-versions"]
 
               new_lockfile.gsub!(/\[metadata\]\n.*python-versions[^\n]+\n/m) do |match|
                 match.gsub(/(["']).*(['"])\n\Z/, '\1' + original_locked_python + '\1' + "\n")
@@ -109,17 +146,18 @@ module Dependabot
 
               tmp_hash =
                 TomlRB.parse(new_lockfile)["metadata"]["content-hash"]
-              correct_hash = pyproject_hash_for(updated_pyproject_content)
+              correct_hash = pyproject_hash_for(updated_pyproject_content.to_s)
 
-              new_lockfile.gsub(tmp_hash, correct_hash)
+              new_lockfile.gsub(tmp_hash, T.must(correct_hash).to_s)
             end
         end
 
+        sig { returns(String) }
         def prepared_pyproject
           @prepared_pyproject ||=
             begin
               content = updated_pyproject_content
-              content = sanitize(content)
+              content = sanitize(T.must(content))
               content = freeze_other_dependencies(content)
               content = freeze_dependencies_being_updated(content)
               content = update_python_requirement(content)
@@ -127,18 +165,20 @@ module Dependabot
             end
         end
 
+        sig { params(pyproject_content: String).returns(String) }
         def freeze_other_dependencies(pyproject_content)
           PyprojectPreparer
             .new(pyproject_content: pyproject_content, lockfile: lockfile)
             .freeze_top_level_dependencies_except(dependencies)
         end
 
+        sig { params(pyproject_content: String).returns(String) }
         def freeze_dependencies_being_updated(pyproject_content)
           pyproject_object = TomlRB.parse(pyproject_content)
           poetry_object = pyproject_object.fetch("tool").fetch("poetry")
 
           dependencies.each do |dep|
-            if dep.requirements.find { |r| r[:file] == pyproject.name }
+            if dep.requirements.find { |r| r[:file] == pyproject&.name }
               lock_declaration_to_new_version!(poetry_object, dep)
             else
               create_declaration_at_new_version!(poetry_object, dep)
@@ -148,12 +188,14 @@ module Dependabot
           TomlRB.dump(pyproject_object)
         end
 
+        sig { params(pyproject_content: String).returns(String) }
         def update_python_requirement(pyproject_content)
           PyprojectPreparer
             .new(pyproject_content: pyproject_content)
             .update_python_requirement(language_version_manager.python_version)
         end
 
+        sig { params(poetry_object: T::Hash[String, T.untyped], dep: Dependabot::Dependency).returns(T::Array[String]) }
         def lock_declaration_to_new_version!(poetry_object, dep)
           Dependabot::Python::FileParser::PyprojectFilesParser::POETRY_DEPENDENCY_TYPES.each do |type|
             names = poetry_object[type]&.keys || []
@@ -168,6 +210,7 @@ module Dependabot
           end
         end
 
+        sig { params(poetry_object: T::Hash[String, T.untyped], dep: Dependabot::Dependency).void }
         def create_declaration_at_new_version!(poetry_object, dep)
           subdep_type = dep.production? ? "dependencies" : "dev-dependencies"
 
@@ -175,12 +218,14 @@ module Dependabot
           poetry_object[subdep_type][dep.name] = dep.version
         end
 
+        sig { params(pyproject_content: String).returns(String) }
         def sanitize(pyproject_content)
           PyprojectPreparer
             .new(pyproject_content: pyproject_content)
             .sanitize
         end
 
+        sig { params(pyproject_content: String).returns(String) }
         def updated_lockfile_content_for(pyproject_content)
           SharedHelpers.in_a_temporary_directory do
             SharedHelpers.with_git_configured(credentials: credentials) do
@@ -201,6 +246,7 @@ module Dependabot
 
         # Using `--lock` avoids doing an install.
         # Using `--no-interaction` avoids asking for passwords.
+        sig { returns(String) }
         def run_poetry_update_command
           run_poetry_command(
             "pyenv exec poetry update #{dependency.name} --lock --no-interaction",
@@ -208,10 +254,12 @@ module Dependabot
           )
         end
 
+        sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
         def run_poetry_command(command, fingerprint: nil)
           SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
         end
 
+        sig { params(pyproject_content: Object).returns(Integer) }
         def write_temporary_dependency_files(pyproject_content)
           dependency_files.each do |file|
             path = file.name
@@ -226,12 +274,22 @@ module Dependabot
           File.write("pyproject.toml", pyproject_content)
         end
 
+        sig { void }
         def add_auth_env_vars
           Python::FileUpdater::PyprojectPreparer
-            .new(pyproject_content: pyproject.content)
+            .new(pyproject_content: T.must(pyproject&.content))
             .add_auth_env_vars(credentials)
         end
 
+        sig do
+          params(
+            pyproject_content: String
+          ).returns(T.nilable(T.any(
+                                T::Hash[String, T.untyped],
+                                String,
+                                T::Array[T::Hash[String, T.untyped]]
+                              )))
+        end
         def pyproject_hash_for(pyproject_content)
           SharedHelpers.in_a_temporary_directory do |dir|
             SharedHelpers.with_git_configured(credentials: credentials) do
@@ -246,6 +304,7 @@ module Dependabot
           end
         end
 
+        sig { params(dep: Dependabot::Dependency, old_req: T::Hash[Symbol, T.untyped]).returns(Regexp) }
         def declaration_regex(dep, old_req)
           group = old_req[:groups].first
 
@@ -253,35 +312,42 @@ module Dependabot
           /#{header_regex}\n.*?(?<declaration>(?:^\s*|["'])#{escape(dep)}["']?\s*=[^\n]*)$/mi
         end
 
+        sig { params(dep: Dependabot::Dependency, old_req: T::Hash[Symbol, T.untyped]).returns(Regexp) }
         def table_declaration_regex(dep, old_req)
           /tool\.poetry\.#{old_req[:groups].first}\.#{escape(dep)}\]\n.*?\s*version\s* =.*?\n/m
         end
 
+        sig { params(dep: Dependency).returns(String) }
         def escape(dep)
           Regexp.escape(dep.name).gsub("\\-", "[-_.]")
         end
 
+        sig { params(file: Dependabot::DependencyFile).returns(T::Boolean) }
         def file_changed?(file)
           dependencies.any? { |dep| requirement_changed?(file, dep) }
         end
 
+        sig { params(file: Dependabot::DependencyFile, dependency: Dependabot::Dependency).returns(T::Boolean) }
         def requirement_changed?(file, dependency)
           changed_requirements =
-            dependency.requirements - dependency.previous_requirements
+            dependency.requirements - T.must(dependency.previous_requirements)
 
           changed_requirements.any? { |f| f[:file] == file.name }
         end
 
+        sig { params(file: Dependabot::DependencyFile, content: String).returns(Dependabot::DependencyFile) }
         def updated_file(file:, content:)
           updated_file = file.dup
           updated_file.content = content
           updated_file
         end
 
+        sig { params(name: String).returns(String) }
         def normalise(name)
           NameNormaliser.normalise(name)
         end
 
+        sig { returns(FileParser::PythonRequirementParser) }
         def python_requirement_parser
           @python_requirement_parser ||=
             FileParser::PythonRequirementParser.new(
@@ -289,6 +355,7 @@ module Dependabot
             )
         end
 
+        sig { returns(Dependabot::Python::LanguageVersionManager) }
         def language_version_manager
           @language_version_manager ||=
             LanguageVersionManager.new(
@@ -296,19 +363,23 @@ module Dependabot
             )
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def pyproject
           @pyproject ||=
             dependency_files.find { |f| f.name == "pyproject.toml" }
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def lockfile
           @lockfile ||= poetry_lock
         end
 
+        sig { returns(String) }
         def python_helper_path
           NativeHelpers.python_helper_path
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def poetry_lock
           dependency_files.find { |f| f.name == "poetry.lock" }
         end

data/lib/dependabot/python/file_updater/pyproject_preparer.rb

@@ -1,8 +1,8 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "toml-rb"
-
+require "sorbet-runtime"
 require "dependabot/dependency"
 require "dependabot/python/file_parser"
 require "dependabot/python/file_updater"
@@ -14,13 +14,18 @@ module Dependabot
   module Python
     class FileUpdater
       class PyprojectPreparer
+        extend T::Sig
+
+        sig { params(pyproject_content: String, lockfile: T.nilable(Dependabot::DependencyFile)).void }
         def initialize(pyproject_content:, lockfile: nil)
           @pyproject_content = pyproject_content
           @lockfile = lockfile
+          @parsed_lockfile = T.let(nil, T.nilable(T::Hash[String, T.untyped]))
         end
 
         # For hosted Dependabot token will be nil since the credentials aren't present.
         # This is for those running Dependabot themselves and for dry-run.
+        sig { params(credentials: T.nilable(T::Array[Dependabot::Credential])).void }
         def add_auth_env_vars(credentials)
           TomlRB.parse(@pyproject_content).dig("tool", "poetry", "source")&.each do |source|
             cred = credentials&.find { |c| c["index-url"] == source["url"] }
@@ -37,6 +42,7 @@ module Dependabot
           end
         end
 
+        sig { params(requirement: String).returns(String) }
         def update_python_requirement(requirement)
           pyproject_object = TomlRB.parse(@pyproject_content)
           if (python_specification = pyproject_object.dig("tool", "poetry", "dependencies", "python"))
@@ -48,6 +54,7 @@ module Dependabot
           TomlRB.dump(pyproject_object)
         end
 
+        sig { returns(String) }
         def sanitize
           # {{ name }} syntax not allowed
           pyproject_content
@@ -57,6 +64,7 @@ module Dependabot
 
         # rubocop:disable Metrics/PerceivedComplexity
         # rubocop:disable Metrics/AbcSize
+        sig { params(dependencies: T::Array[Dependabot::Dependency]).returns(String) }
         def freeze_top_level_dependencies_except(dependencies)
           return pyproject_content unless lockfile
 
@@ -75,14 +83,14 @@ module Dependabot
 
               next unless (locked_version = locked_details&.fetch("version"))
 
-              next if source_types.include?(locked_details&.dig("source", "type"))
+              next if source_types.include?(locked_details.dig("source", "type"))
 
-              if locked_details&.dig("source", "type") == "git"
+              if locked_details.dig("source", "type") == "git"
                 poetry_object[key][dep_name] = {
-                  "git" => locked_details&.dig("source", "url"),
-                  "rev" => locked_details&.dig("source", "reference")
+                  "git" => locked_details.dig("source", "url"),
+                  "rev" => locked_details.dig("source", "reference")
                 }
-                subdirectory = locked_details&.dig("source", "subdirectory")
+                subdirectory = locked_details.dig("source", "subdirectory")
                 poetry_object[key][dep_name]["subdirectory"] = subdirectory if subdirectory
               elsif poetry_object[key][dep_name].is_a?(Hash)
                 poetry_object[key][dep_name]["version"] = locked_version
@@ -103,20 +111,25 @@ module Dependabot
 
         private
 
+        sig { returns(String) }
         attr_reader :pyproject_content
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         attr_reader :lockfile
 
+        sig { params(dep_name: String).returns(T.nilable(T::Hash[String, T.untyped])) }
         def locked_details(dep_name)
           parsed_lockfile.fetch("package")
                          .find { |d| d["name"] == normalise(dep_name) }
         end
 
+        sig { params(name: String).returns(String) }
         def normalise(name)
           NameNormaliser.normalise(name)
         end
 
+        sig { returns(T::Hash[String, T.untyped]) }
         def parsed_lockfile
-          @parsed_lockfile ||= TomlRB.parse(lockfile.content)
+          @parsed_lockfile ||= TomlRB.parse(lockfile&.content)
         end
       end
     end

data/lib/dependabot/python/file_updater.rb

@@ -114,12 +114,12 @@ module Dependabot
 
       sig { returns(T::Array[DependencyFile]) }
       def updated_pip_compile_based_files
-        PipCompileFileUpdater.new(
+        T.must(PipCompileFileUpdater.new(
           dependencies: dependencies,
           dependency_files: dependency_files,
           credentials: credentials,
           index_urls: pip_compile_index_urls
-        ).updated_dependency_files
+        ).updated_dependency_files)
       end
 
       sig { returns(T::Array[DependencyFile]) }

data/lib/dependabot/python/language.rb

@@ -11,28 +11,43 @@ module Dependabot
 
     class Language < Dependabot::Ecosystem::VersionManager
       extend T::Sig
-      # These versions should match the versions specified at the top of `python/Dockerfile`
-      PYTHON_3_13 = "3.13"
-      PYTHON_3_12 = "3.12"
-      PYTHON_3_11 = "3.11"
-      PYTHON_3_10 = "3.10"
-      PYTHON_3_9  = "3.9"
-      PYTHON_3_8  = "3.8"
+      # This list must match the versions specified at the top of `python/Dockerfile`
+      # ARG PY_3_13=3.13.2
+      PRE_INSTALLED_PYTHON_VERSIONS_RAW = %w(
+        3.13.2
+        3.12.9
+        3.11.11
+        3.10.16
+        3.9.21
+      ).freeze
 
-      DEPRECATED_VERSIONS = T.let([Version.new(PYTHON_3_8)].freeze, T::Array[Dependabot::Version])
+      PRE_INSTALLED_PYTHON_VERSIONS = T.let(PRE_INSTALLED_PYTHON_VERSIONS_RAW.map do |v|
+        Version.new(v)
+      end.sort, T::Array[Dependabot::Python::Version])
 
-      # Keep versions in ascending order
-      SUPPORTED_VERSIONS = T.let([
-        Version.new(PYTHON_3_9),
-        Version.new(PYTHON_3_10),
-        Version.new(PYTHON_3_11),
-        Version.new(PYTHON_3_12),
-        Version.new(PYTHON_3_13)
-      ].freeze, T::Array[Dependabot::Version])
+      PRE_INSTALLED_VERSIONS_MAP = T.let(
+        PRE_INSTALLED_PYTHON_VERSIONS.to_h do |v|
+          [Dependabot::Python::Version.new(T.must(v.segments[0..1]).join(".")), v]
+        end,
+        T::Hash[Dependabot::Python::Version, Dependabot::Python::Version]
+      )
+
+      PRE_INSTALLED_HIGHEST_VERSION = T.let(T.must(PRE_INSTALLED_PYTHON_VERSIONS.max), Dependabot::Python::Version)
+
+      SUPPORTED_VERSIONS = T.let(
+        PRE_INSTALLED_PYTHON_VERSIONS.map do |v|
+          Dependabot::Python::Version.new(T.must(v.segments[0..1]&.join(".")))
+        end,
+        T::Array[Dependabot::Python::Version]
+      )
+
+      NON_SUPPORTED_HIGHEST_VERSION = "3.8"
+
+      DEPRECATED_VERSIONS = T.let([Version.new(NON_SUPPORTED_HIGHEST_VERSION)].freeze, T::Array[Dependabot::Version])
 
       sig do
         params(
-          detected_version: String,
+          detected_version: T.nilable(String),
           raw_version: T.nilable(String),
           requirement: T.nilable(Requirement)
         ).void
@@ -40,7 +55,7 @@ module Dependabot
       def initialize(detected_version:, raw_version: nil, requirement: nil)
         super(
           name: LANGUAGE,
-          detected_version: major_minor_version(detected_version),
+          detected_version: detected_version ? major_minor_version(detected_version) : nil,
           version: raw_version ? Version.new(raw_version) : nil,
           deprecated_versions: DEPRECATED_VERSIONS,
           supported_versions: SUPPORTED_VERSIONS,
@@ -48,25 +63,12 @@ module Dependabot
        )
       end
 
-      sig { override.returns(T::Boolean) }
-      def deprecated?
-        return false unless detected_version
-        return false if unsupported?
-
-        deprecated_versions.include?(detected_version)
-      end
-
-      sig { override.returns(T::Boolean) }
-      def unsupported?
-        return false unless detected_version
-
-        supported_versions.all? { |supported| supported > detected_version }
-      end
-
       private
 
-      sig { params(version: String).returns(Dependabot::Python::Version) }
+      sig { params(version: String).returns(T.nilable(Dependabot::Python::Version)) }
       def major_minor_version(version)
+        return nil if version.empty?
+
         major_minor = T.let(T.must(Version.new(version).segments[0..1]&.join(".")), String)
 
         Version.new(major_minor)

data/lib/dependabot/python/language_version_manager.rb

@@ -9,14 +9,6 @@ module Dependabot
   module Python
     class LanguageVersionManager
       extend T::Sig
-      # This list must match the versions specified at the top of `python/Dockerfile`
-      PRE_INSTALLED_PYTHON_VERSIONS = %w(
-        3.13.2
-        3.12.9
-        3.11.11
-        3.10.16
-        3.9.21
-      ).freeze
 
       sig { params(python_requirement_parser: T.untyped).void }
       def initialize(python_requirement_parser:)
@@ -62,7 +54,34 @@ module Dependabot
             user_specified_python_version
           end
         else
-          python_version_matching_imputed_requirements || PRE_INSTALLED_PYTHON_VERSIONS.first
+          python_version_matching_imputed_requirements || Language::PRE_INSTALLED_HIGHEST_VERSION.to_s
+        end
+      end
+
+      sig { params(requirement_string: T.nilable(String)).returns(T.nilable(String)) }
+      def normalize_python_exact_version(requirement_string)
+        return requirement_string if requirement_string.nil? || requirement_string.strip.empty?
+
+        requirement_string = requirement_string.strip
+
+        # If the requirement already has a wildcard, return nil
+        return nil if requirement_string == "*"
+
+        # If the requirement is not an exact version such as not X.Y.Z, =X.Y.Z, ==X.Y.Z, ===X.Y.Z
+        # then return the requirement as is
+        return requirement_string unless requirement_string.match?(/^=?={0,2}\s*\d+\.\d+(\.\d+)?(-[a-z0-9.-]+)?$/i)
+
+        parts = requirement_string.gsub(/^=+/, "").split(".")
+
+        case parts.length
+        when 1 # Only major version (X)
+          ">= #{parts[0]}.0.0 < #{parts[0].to_i + 1}.0.0" # Ensure only major version range
+        when 2 # Major.Minor (X.Y)
+          ">= #{parts[0]}.#{parts[1]}.0 < #{parts[0].to_i}.#{parts[1].to_i + 1}.0" # Ensure only minor version range
+        when 3 # Major.Minor.Patch (X.Y.Z)
+          ">= #{parts[0]}.#{parts[1]}.0 < #{parts[0].to_i}.#{parts[1].to_i + 1}.0" # Convert to >= X.Y.0
+        else
+          requirement_string
         end
       end
 
@@ -72,15 +91,22 @@ module Dependabot
 
         # If the requirement string isn't already a range (eg ">3.10"), coerce it to "major.minor.*".
         # The patch version is ignored because a non-matching patch version is unlikely to affect resolution.
-        requirement_string = requirement_string.gsub(/\.\d+$/, ".*") if requirement_string.start_with?(/\d/)
+        requirement_string = requirement_string.gsub(/\.\d+$/, ".*") if /^\d/.match?(requirement_string)
+
+        requirement_string = normalize_python_exact_version(requirement_string)
+
+        if requirement_string.nil? || requirement_string.strip.empty?
+          return Language::PRE_INSTALLED_HIGHEST_VERSION.to_s
+        end
 
         # Try to match one of our pre-installed Python versions
         requirement = T.must(Python::Requirement.requirements_array(requirement_string).first)
-        version = PRE_INSTALLED_PYTHON_VERSIONS.find { |v| requirement.satisfied_by?(Python::Version.new(v)) }
-        return version if version
 
-        # Otherwise we have to raise
-        supported_versions = PRE_INSTALLED_PYTHON_VERSIONS.map { |x| x.gsub(/\.\d+$/, ".*") }.join(", ")
+        version = Language::PRE_INSTALLED_PYTHON_VERSIONS.find { |v| requirement.satisfied_by?(v) }
+        return version.to_s if version
+
+        # Otherwise we have to raise an error
+        supported_versions = Language::SUPPORTED_VERSIONS.map { |v| "#{v}.*" }.join(", ")
         raise ToolVersionNotSupported.new("Python", python_requirement_string, supported_versions)
       end
 
@@ -100,14 +126,13 @@ module Dependabot
 
       sig { params(requirements: T.untyped).returns(T.nilable(String)) }
       def python_version_matching(requirements)
-        PRE_INSTALLED_PYTHON_VERSIONS.find do |version_string|
-          version = Python::Version.new(version_string)
+        Language::PRE_INSTALLED_PYTHON_VERSIONS.find do |version|
           requirements.all? do |req|
             next req.any? { |r| r.satisfied_by?(version) } if req.is_a?(Array)
 
             req.satisfied_by?(version)
           end
-        end
+        end.to_s
       end
     end
   end