[Bug] Python dependencies with pip-compile do not respect 'ignored_versions' #1559
Labels:
F: dependency-ignores (Allow excluding certain versions)
L:python:pip-compile (Python packages via pip-compile)
T: bug 🐞 (Something isn't working)
Hello!
Found an issue today with the running of the pip package manager. On our internal fork, we are passing in 'ignored_versions' to the update checker in order to prevent major bumps of libraries. For the most part, this works great. However, I've found that in the case of bumping a python project that uses a setup.py with pip-compile, the ignored versions are not properly taken into account.
I have traced the issue to this line: https://github.com/dependabot/dependabot-core/blob/master/python/lib/dependabot/python/update_checker/pip_compile_version_resolver.rb#L79
In this line, pip-compile is run against one dependency without any version restrictions. This can (and does, in the case where the update checker has an ignored_versions property) generate situations where the value of an update_checker's 'latest_version' (which correctly filters with ignored_versions) is a version that is semantically before its 'latest_resolvable_version' (which is what the pip-compile command ultimately generates). It is the 'latest_resolvable_version' that is ultimately used as the version to bump to, hence the bug.
There is a way to pass restrictions to the pip-compile command, though (see 'updating requirements' in https://pypi.org/project/pip-tools/), so this situation should be rectifiable. However, I'm not sure how best to change the syntax of 'versions to ignore' (which might be something like >=7.0.0) and 'restrictions on this update' (which would be something like <7.0.0) in the general case.
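One way to turn an ignore range such as `>= 7.0.0` into a `pip-compile --upgrade-package` constraint such as `requests<7.0.0`, plus the post-check the resolver's output still needs for bounded ignore ranges that no single specifier can express. This is an added example in Ruby (the language of dependabot-core), not code from dependabot-core itself; it assumes ignore entries are comparator strings that Ruby's `Gem::Requirement` can parse, and the function names are made up for illustration.

```ruby
require "rubygems" # Gem::Requirement / Gem::Version (stdlib)

# Parse one ignore entry (e.g. ">= 7.0.0" or ">= 7.0.0, < 8.0.0")
# into [[operator, Gem::Version], ...] pairs.
def parse_ignore(entry)
  Gem::Requirement.new(entry.split(",")).requirements
end

# For ignore ranges with no upper bound (the "block major bumps" case),
# return the tightest cap as a pip specifier fragment: ">= 7.0.0" -> "<7.0.0",
# "> 7.0.0" -> "<=7.0.0". Bounded ranges are skipped (see ignored? below).
# Returns nil when no ignore range caps the upgrade.
def upgrade_cap(ignored_versions)
  caps = ignored_versions.map { |e| parse_ignore(e) }.filter_map do |reqs|
    next if reqs.any? { |op, _| %w[< <=].include?(op) } # bounded: not a cap
    lower = reqs.find { |op, _| %w[>= >].include?(op) }
    next unless lower
    op, version = lower
    [version, op == ">=" ? "<" : "<="]
  end
  return nil if caps.empty?
  version, op = caps.min_by(&:first) # lowest ignored version wins
  "#{op}#{version}"
end

# Argument for `pip-compile --upgrade-package`: the dependency name plus the
# cap, so the resolver cannot pick an ignored version in the first place.
def upgrade_package_arg(dep_name, ignored_versions)
  cap = upgrade_cap(ignored_versions)
  cap ? "#{dep_name}#{cap}" : dep_name
end

# Post-check on the version pip-compile actually resolved: bounded ignores such
# as ">= 7.0.0, < 8.0.0" cannot be passed as a cap, so the result must still be
# rejected if it falls inside any ignore range.
def ignored?(version, ignored_versions)
  v = Gem::Version.new(version)
  ignored_versions.any? { |e| Gem::Requirement.new(e.split(",")).satisfied_by?(v) }
end

if __FILE__ == $PROGRAM_NAME
  puts upgrade_package_arg("requests", [">= 7.0.0"]) # requests<7.0.0
  puts ignored?("7.2.0", [">= 7.0.0, < 8.0.0"])       # true
end
```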