dependabot-python 0.369.0 → 0.371.0

data/lib/dependabot/python/file_updater/pyproject_preparer.rb

@@ -16,29 +16,31 @@ module Dependabot
       class PyprojectPreparer
         extend T::Sig
 
-        # Builds a regex pattern that matches a PEP 508 package name,
-        # treating hyphens, underscores, and dots as interchangeable per PEP 508.
-        sig { params(name: String).returns(String) }
-        def self.pep508_name_pattern(name)
-          Regexp.escape(name).gsub("\\-", "[-_.]").gsub("_", "[-_.]").gsub("\\.", "[-_.]")
-        end
-        private_class_method :pep508_name_pattern
+        # Fixed regex for extracting the name+extras prefix from a PEP 508 entry.
+        # Does not interpolate library input, avoiding polynomial backtracking.
+        PEP508_PREFIX = T.let(
+          /\A(?<prefix>(?<name>[a-zA-Z0-9](?:[a-zA-Z0-9._-]*[a-zA-Z0-9])?)(?:\[[^\]]*\])?)/i,
+          Regexp
+        )
 
         # Pins a single PEP 508 dependency entry string to a specific version,
         # preserving extras and environment markers.
-        sig { params(entry: String, name_pattern: String, version: String).returns(String) }
-        def self.pin_pep508_entry(entry, name_pattern, version)
-          if entry.match?(/\A#{name_pattern}(\[.*?\])?\s*[><=!~]/i)
-            entry.sub(
-              /(?<pre>#{name_pattern}(?:\[.*?\])?)\s*[><=!~][^;]*?(?=\s*;|\s*\z)/i,
-              "\\k<pre>==#{version}"
-            )
-          else
-            entry.sub(
-              /(?<pre>#{name_pattern}(?:\[.*?\])?)(?<rest>\s*(?:;.*)?)/i,
-              "\\k<pre>==#{version}\\k<rest>"
-            )
-          end
+        sig { params(entry: String, version: String).returns(String) }
+        def self.pin_pep508_entry(entry, version)
+          prefix_match = entry.match(PEP508_PREFIX)
+          return entry unless prefix_match
+
+          prefix = T.must(prefix_match[:prefix])
+          rest = T.must(entry[prefix.length..])
+
+          # Skip direct references (e.g. "pkg @ git+https://...") — already pinned to a URL
+          return entry if rest.match?(/\A\s*@\s/)
+
+          # Extract the environment marker ("; ..." suffix) if present
+          marker_match = rest.match(/(\s*;.*)/)
+          marker = marker_match ? marker_match[1] : ""
+
+          "#{prefix}==#{version}#{marker}"
         end
         private_class_method :pin_pep508_entry
 
@@ -79,12 +81,14 @@ module Dependabot
 
         sig { params(dep_arrays: T::Array[T::Array[String]], dep: Dependabot::Dependency).void }
         def self.pin_pep621_dep_in_arrays!(dep_arrays, dep)
-          name_pattern = pep508_name_pattern(dep.name)
+          normalised_name = NameNormaliser.normalise(dep.name)
           dep_arrays.each do |arr|
             arr.each_with_index do |entry, i|
-              next unless entry.match?(/\A#{name_pattern}(\[.*?\])?\s*(\z|[><=!~;,])/i)
+              match = entry.match(PEP508_PREFIX)
+              next unless match
+              next unless NameNormaliser.normalise(T.must(match[:name])) == normalised_name
 
-              arr[i] = pin_pep508_entry(entry, name_pattern, T.must(dep.version))
+              arr[i] = pin_pep508_entry(entry, T.must(dep.version))
             end
           end
         end
@@ -138,8 +142,8 @@ module Dependabot
             .gsub('#{', "{")
         end
 
-        # rubocop:disable Metrics/PerceivedComplexity
-        # rubocop:disable Metrics/AbcSize
+        UNSUPPORTED_SOURCE_TYPES = T.let(%w(directory file url).freeze, T::Array[String])
+
         sig { params(dependencies: T::Array[Dependabot::Dependency]).returns(String) }
         def freeze_top_level_dependencies_except(dependencies)
           return pyproject_content unless lockfile
@@ -154,32 +158,10 @@ module Dependabot
           Dependabot::Python::FileParser::PyprojectFilesParser::POETRY_DEPENDENCY_TYPES.each do |key|
             next unless poetry_object[key]
 
-            source_types = %w(directory file url)
             poetry_object.fetch(key).each do |dep_name, _|
               next if excluded_names.include?(normalise(dep_name))
 
-              locked_details = locked_details(dep_name)
-
-              next unless (locked_version = locked_details&.fetch("version"))
-
-              next if source_types.include?(locked_details.dig("source", "type"))
-
-              if locked_details.dig("source", "type") == "git"
-                poetry_object[key][dep_name] = {
-                  "git" => locked_details.dig("source", "url"),
-                  "rev" => locked_details.dig("source", "reference")
-                }
-                subdirectory = locked_details.dig("source", "subdirectory")
-                poetry_object[key][dep_name]["subdirectory"] = subdirectory if subdirectory
-              elsif poetry_object[key][dep_name].is_a?(Hash)
-                poetry_object[key][dep_name]["version"] = locked_version
-              elsif poetry_object[key][dep_name].is_a?(Array)
-                # if it has multiple-constraints, locking to a single version is
-                # going to result in a bad lockfile, ignore
-                next
-              else
-                poetry_object[key][dep_name] = locked_version
-              end
+              freeze_poetry_dep!(poetry_object[key], dep_name)
             end
           end
 
@@ -188,8 +170,6 @@ module Dependabot
 
           TomlRB.dump(pyproject_object)
         end
-        # rubocop:enable Metrics/AbcSize
-        # rubocop:enable Metrics/PerceivedComplexity
 
         private
 
@@ -199,6 +179,33 @@ module Dependabot
         sig { returns(T.nilable(Dependabot::DependencyFile)) }
         attr_reader :lockfile
 
+        sig { params(deps_hash: T::Hash[String, T.untyped], dep_name: String).void }
+        def freeze_poetry_dep!(deps_hash, dep_name)
+          details = locked_details(dep_name)
+          return unless (locked_version = details&.fetch("version"))
+
+          source_type = details.dig("source", "type")
+          return if UNSUPPORTED_SOURCE_TYPES.include?(source_type)
+
+          if source_type == "git"
+            freeze_git_dep!(deps_hash, dep_name, details)
+          elsif deps_hash[dep_name].is_a?(Hash)
+            deps_hash[dep_name]["version"] = locked_version
+          elsif !deps_hash[dep_name].is_a?(Array)
+            deps_hash[dep_name] = locked_version
+          end
+        end
+
+        sig { params(deps_hash: T::Hash[String, T.untyped], dep_name: String, details: T::Hash[String, T.untyped]).void }
+        def freeze_git_dep!(deps_hash, dep_name, details)
+          deps_hash[dep_name] = {
+            "git" => details.dig("source", "url"),
+            "rev" => details.dig("source", "reference")
+          }
+          subdirectory = details.dig("source", "subdirectory")
+          deps_hash[dep_name]["subdirectory"] = subdirectory if subdirectory
+        end
+
         sig { params(pyproject_object: T::Hash[String, T.untyped], excluded_names: T::Array[String]).void }
         def freeze_pep621_top_level_deps!(pyproject_object, excluded_names)
           project_object = pyproject_object["project"]
@@ -226,8 +233,7 @@ module Dependabot
             locked_details = locked_details(dep_name)
             next unless (locked_version = locked_details&.fetch("version"))
 
-            name_pattern = self.class.send(:pep508_name_pattern, T.must(match[1]))
-            dep_array[index] = self.class.send(:pin_pep508_entry, entry, name_pattern, locked_version)
+            dep_array[index] = self.class.send(:pin_pep508_entry, entry, locked_version)
           end
         end
 

data/lib/dependabot/python/package_manager.rb

@@ -57,9 +57,19 @@ module Dependabot
 
       LOCKFILE_NAME = "poetry.lock"
 
-      SUPPORTED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+      POETRY_V1 = "1"
+      POETRY_V2 = "2"
 
-      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+      # Keep versions in ascending order
+      SUPPORTED_VERSIONS = T.let(
+        [
+          Version.new(POETRY_V1),
+          Version.new(POETRY_V2)
+        ].freeze,
+        T::Array[Dependabot::Version]
+      )
+
+      DEPRECATED_VERSIONS = T.let([Version.new(POETRY_V1)].freeze, T::Array[Dependabot::Version])
 
       sig do
         params(
@@ -68,23 +78,31 @@ module Dependabot
         ).void
       end
       def initialize(raw_version, requirement = nil)
+        version = Version.new(raw_version)
         super(
           name: NAME,
-          version: Version.new(raw_version),
+          detected_version: Version.new(T.must(version.segments.first).to_s),
+          version: version,
           deprecated_versions: DEPRECATED_VERSIONS,
           supported_versions: SUPPORTED_VERSIONS,
           requirement: requirement,
        )
       end
 
-      sig { override.returns(T::Boolean) }
-      def deprecated?
-        false
-      end
-
-      sig { override.returns(T::Boolean) }
-      def unsupported?
-        false
+      # Poetry supports requires-poetry constraints in pyproject.toml;
+      # other Python package managers don't have an equivalent mechanism.
+      sig { override.void }
+      def raise_if_unsupported!
+        super
+        return unless requirement
+        return unless version
+        return if T.cast(T.must(requirement).satisfied_by?(T.must(version)), T::Boolean)
+
+        raise Dependabot::ToolVersionNotSupported.new(
+          NAME,
+          version.to_s,
+          requirement.to_s
+        )
       end
     end
 

data/lib/dependabot/python/poetry_plugin_installer.rb

@@ -0,0 +1,95 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "shellwords"
+require "sorbet-runtime"
+require "toml-rb"
+require "dependabot/dependency_file"
+require "dependabot/errors"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module Python
+    class PoetryPluginInstaller
+      extend T::Sig
+
+      # Only allow valid PyPI package names to prevent command injection
+      VALID_PLUGIN_NAME = /\A[a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?\z/
+
+      # Only allow valid version constraint characters to prevent command injection
+      VALID_CONSTRAINT = /\A[a-zA-Z0-9.*,!=<>~^ ]+\z/
+
+      sig { params(dependency_files: T::Array[Dependabot::DependencyFile]).returns(PoetryPluginInstaller) }
+      def self.from_dependency_files(dependency_files)
+        pyproject_content = dependency_files.find { |f| f.name == "pyproject.toml" }&.content
+        new(pyproject_content: pyproject_content)
+      end
+
+      sig { params(pyproject_content: T.nilable(String)).void }
+      def initialize(pyproject_content:)
+        @pyproject_content = T.let(pyproject_content, T.nilable(String))
+        @plugins_installed = T.let(false, T::Boolean)
+      end
+
+      sig { void }
+      def install_required_plugins
+        return if @plugins_installed
+
+        required_plugins.each do |name, constraint|
+          install_plugin(name, constraint)
+        end
+
+        @plugins_installed = true
+      end
+
+      private
+
+      sig { returns(T.nilable(String)) }
+      attr_reader :pyproject_content
+
+      sig { returns(T::Hash[String, String]) }
+      def required_plugins
+        return {} unless pyproject_content
+
+        parsed = TomlRB.parse(pyproject_content)
+        plugins = parsed.dig("tool", "poetry", "requires-plugins")
+        return {} unless plugins.is_a?(Hash)
+
+        plugins.each_with_object({}) do |(name, constraint), result|
+          next unless name.is_a?(String) && constraint.is_a?(String)
+          next unless valid_plugin_name?(name)
+          next unless valid_constraint?(constraint)
+
+          result[name] = constraint
+        end
+      rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
+        {}
+      end
+
+      sig { params(name: String).returns(T::Boolean) }
+      def valid_plugin_name?(name)
+        VALID_PLUGIN_NAME.match?(name)
+      end
+
+      sig { params(constraint: String).returns(T::Boolean) }
+      def valid_constraint?(constraint)
+        VALID_CONSTRAINT.match?(constraint)
+      end
+
+      sig { params(name: String, constraint: String).void }
+      def install_plugin(name, constraint)
+        Dependabot.logger.info("Installing Poetry plugin: #{name}@#{constraint}")
+
+        escaped = Shellwords.shellescape("#{name}@#{constraint}")
+        SharedHelpers.run_shell_command(
+          "pyenv exec poetry self add #{escaped}",
+          fingerprint: "pyenv exec poetry self add <plugin_name>@<constraint>"
+        )
+      rescue SharedHelpers::HelperSubprocessFailed => e
+        Dependabot.logger.warn(
+          "Failed to install Poetry plugin #{name}@#{constraint}: #{e.message}"
+        )
+      end
+    end
+  end
+end

data/lib/dependabot/python/shared_file_fetcher.rb

@@ -26,6 +26,19 @@ module Dependabot
       DEPENDENCY_TYPES = T.let(%w(packages dev-packages).freeze, T::Array[String])
       MAX_FILE_SIZE = T.let(500_000, Integer)
 
+      # Regex patterns for detecting Python requirements.txt manifest variants.
+      # Ported from github/dependency-snapshots-api.
+      #
+      # Matches "requirements" preceded by a hyphen, period, underscore, start-of-string, or slash,
+      # followed by non-whitespace chars and ".txt".
+      # Examples: requirements.txt, requirements.prod.txt, requirements/production.txt
+      REQUIREMENTS_TXT_REGEX = T.let(%r{(?:[-._]|^|/)requirements[^\s]*\.txt$}i, Regexp)
+
+      # More lenient: matches "require" with optional prefix (no dots/whitespace)
+      # and optional hyphen/underscore/slash suffix. Does not match "require" as a substring.
+      # Examples: require.txt, require-test.txt, py3-require.txt, pyenv_require_e2e.txt
+      REQUIRE_TXT_REGEX = T.let(%r{[^\s|.]*require(?:[-_/][^\s|.]*)?\.txt$}i, Regexp)
+
       sig { abstract.returns(T::Array[String]) }
       def self.ecosystem_specific_required_files; end
 
@@ -169,7 +182,7 @@ module Dependabot
 
             repo_contents
               .select { |f| f.type == "file" }
-              .select { |f| f.name.end_with?(".txt", ".in") }
+              .select { |f| potential_requirements_file?(f.name) }
               .reject { |f| f.size > MAX_FILE_SIZE }
               .map { |f| fetch_file_from_host(f.name) }
               .select { |f| requirements_file?(f) }
@@ -193,7 +206,7 @@ module Dependabot
 
         repo_contents(dir: relative_reqs_dir)
           .select { |f| f.type == "file" }
-          .select { |f| f.name.end_with?(".txt", ".in") }
+          .select { |f| potential_requirements_file?(File.join(relative_reqs_dir, f.name)) }
           .reject { |f| f.size > MAX_FILE_SIZE }
           .map { |f| fetch_file_from_host("#{relative_reqs_dir}/#{f.name}") }
           .select { |f| requirements_file?(f) }
@@ -379,6 +392,24 @@ module Dependabot
         uneditable_reqs + editable_reqs
       end
 
+      # Checks if a filename matches known Python requirements.txt naming patterns.
+      sig { params(path: String).returns(T::Boolean) }
+      def requirements_txt_filename?(path)
+        path.match?(REQUIREMENTS_TXT_REGEX) || path.match?(REQUIRE_TXT_REGEX)
+      end
+
+      # When the feature flag is enabled, only considers .txt files whose names match
+      # requirements patterns (plus all .in files). When disabled, falls back to the
+      # original behavior of accepting any .txt or .in file.
+      sig { params(path: String).returns(T::Boolean) }
+      def potential_requirements_file?(path)
+        unless Dependabot::Experiments.enabled?(:python_requirements_file_name_filtering)
+          return path.end_with?(".txt", ".in")
+        end
+
+        path.end_with?(".in") || requirements_txt_filename?(path)
+      end
+
       sig { params(path: String).returns(String) }
       def clean_path(path)
         Pathname.new(path).cleanpath.to_path

data/lib/dependabot/python/update_checker/poetry_version_resolver.rb

@@ -18,6 +18,7 @@ require "dependabot/python/requirement"
 require "dependabot/python/native_helpers"
 require "dependabot/python/authed_url_builder"
 require "dependabot/python/name_normaliser"
+require "dependabot/python/poetry_plugin_installer"
 
 module Dependabot
   module Python
@@ -90,6 +91,7 @@ module Dependabot
           @original_reqs_resolvable = T.let(nil, T.nilable(T::Boolean))
           @python_requirement_parser = T.let(nil, T.nilable(FileParser::PythonRequirementParser))
           @language_version_manager = T.let(nil, T.nilable(LanguageVersionManager))
+          @poetry_plugin_installer = T.let(nil, T.nilable(PoetryPluginInstaller))
         end
 
         sig { params(requirement: T.nilable(String)).returns(T.nilable(Dependabot::Python::Version)) }
@@ -129,6 +131,9 @@ module Dependabot
 
                 language_version_manager.install_required_python
 
+                # Install any required Poetry plugins declared in pyproject.toml
+                poetry_plugin_installer.install_required_plugins
+
                 # use system git instead of the pure Python dulwich
                 run_poetry_command("pyenv exec poetry config system-git-client true")
 
@@ -385,6 +390,14 @@ module Dependabot
           poetry_lock
         end
 
+        sig { returns(PoetryPluginInstaller) }
+        def poetry_plugin_installer
+          @poetry_plugin_installer ||= T.let(
+            PoetryPluginInstaller.from_dependency_files(dependency_files),
+            T.nilable(PoetryPluginInstaller)
+          )
+        end
+
         sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
         def run_poetry_command(command, fingerprint: nil)
           SharedHelpers.run_shell_command(command, fingerprint: fingerprint)

data/lib/dependabot/python/update_checker/requirements_updater.rb

@@ -11,11 +11,13 @@ require "dependabot/requirements_update_strategy"
 module Dependabot
   module Python
     class UpdateChecker
+      # rubocop:disable Metrics/ClassLength
       class RequirementsUpdater
         extend T::Sig
 
         PYPROJECT_OR_SEPARATOR = T.let(/(?<=[a-zA-Z0-9*])\s*\|+/, Regexp)
         PYPROJECT_SEPARATOR = T.let(/#{PYPROJECT_OR_SEPARATOR}|,/, Regexp)
+        LOWER_BOUND_OPS = T.let(%w(> >=).freeze, T::Array[String])
 
         class UnfixableRequirement < StandardError; end
 
@@ -111,13 +113,25 @@ module Dependabot
         def updated_pyproject_requirement(req)
           return req unless latest_resolvable_version
           return req unless req.fetch(:requirement)
-          return req if new_version_satisfies?(req) && !has_lockfile
+          return req if skip_pyproject_update?(req)
 
+          pyproject_update_for_strategy(req)
+        rescue UnfixableRequirement
+          req.merge(requirement: :unfixable)
+        end
+
+        sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Boolean) }
+        def skip_pyproject_update?(req)
+          new_version_satisfies?(req) && !has_lockfile &&
+            update_strategy != RequirementsUpdateStrategy::BumpVersions
+        end
+
+        sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
+        def pyproject_update_for_strategy(req)
           # If the requirement uses || syntax then we always want to widen it
           return widen_pyproject_requirement(req) if req.fetch(:requirement).match?(PYPROJECT_OR_SEPARATOR)
 
-          # If the requirement is a development dependency we always want to
-          # bump it
+          # If the requirement is a development dependency we always want to bump it
           return update_pyproject_version(req) if req.fetch(:groups).include?("dev-dependencies")
 
           case update_strategy
@@ -126,37 +140,40 @@ module Dependabot
           when RequirementsUpdateStrategy::BumpVersionsIfNecessary then update_pyproject_version_if_needed(req)
           else raise "Unexpected update strategy: #{update_strategy}"
           end
-        rescue UnfixableRequirement
-          req.merge(requirement: :unfixable)
         end
 
         sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
         def update_pyproject_version_if_needed(req)
           return req if new_version_satisfies?(req)
 
-          update_pyproject_version(req)
+          update_pyproject_version_core(req, bump_lower_bound: false)
         end
 
         sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
         def update_pyproject_version(req)
+          return req if req[:requirement] == "*"
+
+          update_pyproject_version_core(req, bump_lower_bound: true)
+        end
+
+        sig do
+          params(
+            req: T::Hash[Symbol, T.untyped],
+            bump_lower_bound: T::Boolean
+          ).returns(T::Hash[Symbol, T.untyped])
+        end
+        def update_pyproject_version_core(req, bump_lower_bound:)
           requirement_strings = req[:requirement].split(",").map(&:strip)
 
           new_requirement =
             if requirement_strings.any? { |r| r.match?(/^=|^\d/) }
-              # If there is an equality operator, just update that. It must
-              # be binding and any other requirements will be being ignored
               find_and_update_equality_match(requirement_strings)
             elsif requirement_strings.any? { |r| r.start_with?("~", "^") }
-              # If a compatibility operator is being used, just bump its
-              # version (and remove any other requirements)
               v_req = requirement_strings.find { |r| r.start_with?("~", "^") }
               bump_version(v_req, latest_resolvable_version.to_s)
-            elsif new_version_satisfies?(req)
-              # Otherwise we're looking at a range operator. No change
-              # required if it's already satisfied
-              req.fetch(:requirement)
+            elsif bump_lower_bound
+              bump_requirements_range(requirement_strings)
             else
-              # But if it's not, update it
               update_requirements_range(requirement_strings)
             end
 
@@ -250,24 +267,36 @@ module Dependabot
 
         sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
         def update_requirement(req)
-          requirement_strings = req[:requirement].split(",").map(&:strip)
-
-          new_requirement =
-            if requirement_strings.any? { |r| r.match?(/^[=\d]/) }
-              find_and_update_equality_match(requirement_strings)
-            elsif requirement_strings.any? { |r| r.start_with?("~=") }
-              tw_req = requirement_strings.find { |r| r.start_with?("~=") }
-              bump_version(tw_req, latest_resolvable_version.to_s)
-            elsif new_version_satisfies?(req)
-              req.fetch(:requirement)
-            else
-              update_requirements_range(requirement_strings)
-            end
+          new_requirement = updated_requirement_string(req)
           req.merge(requirement: new_requirement)
         rescue UnfixableRequirement
           req.merge(requirement: :unfixable)
         end
 
+        sig { params(req: T::Hash[Symbol, T.untyped]).returns(T.any(String, Symbol)) }
+        def updated_requirement_string(req)
+          requirement_strings = req[:requirement].split(",").map(&:strip)
+
+          if requirement_strings.any? { |r| r.match?(/^[=\d]/) }
+            find_and_update_equality_match(requirement_strings)
+          elsif requirement_strings.any? { |r| r.start_with?("~=") }
+            tw_req = requirement_strings.find { |r| r.start_with?("~=") }
+            bump_version(tw_req, latest_resolvable_version.to_s)
+          elsif bump_lower_bound?(requirement_strings)
+            bump_requirements_range(requirement_strings)
+          elsif new_version_satisfies?(req)
+            req.fetch(:requirement)
+          else
+            update_requirements_range(requirement_strings)
+          end
+        end
+
+        sig { params(requirement_strings: T::Array[String]).returns(T::Boolean) }
+        def bump_lower_bound?(requirement_strings)
+          update_strategy == RequirementsUpdateStrategy::BumpVersions &&
+            requirement_strings.any? { |r| r.strip.start_with?(">") }
+        end
+
         sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
         def widen_requirement(req)
           return req if new_version_satisfies?(req)
@@ -344,6 +373,59 @@ module Dependabot
             .sort_by { |r| requirement_class.new(r).requirements.first.last }.join(",").delete(" ")
         end
 
+        # Bumps the lower bound of a range requirement to the latest version
+        # Used by BumpVersions strategy to increase the minimum version
+        sig { params(requirement_strings: T::Array[String]).returns(String) }
+        def bump_requirements_range(requirement_strings)
+          ruby_requirements = requirement_strings.map { |r| requirement_class.new(r) }
+
+          validate_lower_bounds_not_too_high(ruby_requirements)
+
+          updated_requirement_strings = ruby_requirements.map { |r| bump_single_requirement(r) }
+
+          updated_requirement_strings
+            .sort_by { |r| requirement_class.new(r).requirements.first.last }.join(",").delete(" ")
+        end
+
+        sig { params(ruby_requirements: T::Array[Dependabot::Python::Requirement]).void }
+        def validate_lower_bounds_not_too_high(ruby_requirements)
+          ruby_requirements.each do |r|
+            op, version = r.requirements.first
+            raise UnfixableRequirement if LOWER_BOUND_OPS.include?(op) && version > T.must(latest_resolvable_version)
+          end
+        end
+
+        sig { params(req: Dependabot::Python::Requirement).returns(String) }
+        def bump_single_requirement(req)
+          op, version = req.requirements.first
+
+          case op
+          when ">=" then ">=" + T.must(latest_resolvable_version).to_s
+          # Strict lower bound becomes inclusive because the resolved version
+          # is the exact target — using ">" would exclude it.
+          when ">" then ">=" + T.must(latest_resolvable_version).to_s
+          when "<" then bump_upper_bound_less_than(req, version)
+          when "<=" then bump_upper_bound_less_or_equal(req)
+          when "~>", "~=" then bump_version(req.to_s, T.must(latest_resolvable_version).to_s)
+          when "!=" then req.to_s
+          else req.to_s
+          end
+        end
+
+        sig { params(req: Dependabot::Python::Requirement, version: Gem::Version).returns(String) }
+        def bump_upper_bound_less_than(req, version)
+          return req.to_s if req.satisfied_by?(T.must(latest_resolvable_version))
+
+          "<" + update_greatest_version(version, T.must(latest_resolvable_version))
+        end
+
+        sig { params(req: Dependabot::Python::Requirement).returns(String) }
+        def bump_upper_bound_less_or_equal(req)
+          return req.to_s if req.satisfied_by?(T.must(latest_resolvable_version))
+
+          "<=" + T.must(latest_resolvable_version).to_s
+        end
+
         # Updates the version in a constraint to be the given version
         sig { params(req_string: String, version_to_be_permitted: String).returns(String) }
         def bump_version(req_string, version_to_be_permitted)
@@ -448,6 +530,7 @@ module Dependabot
           Python::Requirement
         end
       end
+      # rubocop:enable Metrics/ClassLength
     end
   end
 end

data/lib/dependabot/python/update_checker.rb

@@ -407,16 +407,24 @@ module Dependabot
 
       sig { returns(T::Boolean) }
       def check_pypi_for_library_match
-        return false unless updating_pyproject? && library_details && !T.must(library_details)["name"].nil?
+        return false unless updating_pyproject?
+
+        library_details_temp = library_details
+        return false unless library_details_temp && !library_details_temp["name"].nil?
+
+        has_library_metadata = !library_details_temp["description"].nil?
 
         response = Dependabot::RegistryClient.get(
-          url: "https://pypi.org/pypi/#{normalised_name(T.must(library_details)['name'])}/json/"
+          url: "https://pypi.org/pypi/#{normalised_name(library_details_temp['name'])}/json/"
         )
-        return false unless response.status == 200
+        return has_library_metadata unless response.status == 200
 
-        (JSON.parse(response.body)["info"] || {})["summary"] == T.must(library_details)["description"]
+        local_description = library_details_temp["description"]
+        return true if local_description.nil?
+
+        (JSON.parse(response.body)["info"] || {})["summary"] == local_description
       rescue Excon::Error::Timeout, Excon::Error::Socket, URI::InvalidURIError
-        false
+        has_library_metadata
       end
 
       sig { returns(T::Boolean) }