poetry: ^1.2.3.0 (caret with four components) are not detected

[rarkins]

Discussed in #26939

^{Originally posted by msw-kialo January 30, 2024}

How are you running Renovate?

Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us what version of Renovate you run.

No response

If you're self-hosting Renovate, select which platform you are using.

None

Was this something which used to work for you, and then stopped?

I have not seen this working

Describe the problem

TLDR: No updates for constraints like ^69.0.0.20240115 (four components), but for >=69.0.0.20240115.

Most PyPI packages providing types for other libraries (types-) use four components as version numbers: the original three components from the target library and a following version indicating the revision of the type package it.

While this appears to not be compliant with poetry's defined version constraints, it does work in everyday use. IMO RenovateBot should support what works with the manager itself.
BTW: DependaBot correctly updates them; that is the reason we stumbled across this (as we correctly migrate from DependaBot to RenovateBot).

These packages aren't even listed on the dependency dashboard.

Workaround: Using an inequality operator instead of caret, resolves the issue. However, poetry add $package uses the caret operator by default (making it error-prone to avoid it).

Reproduction Repository: https://github.com/msw-kialo/renovate-poetry-fails-semver (two dependencies one with inequality and one with caret; RenovateBot PR for one; DependaBot PRs for both) forked to https://github.com/renovate-reproductions/26939

Relevant debug logs

Logs

DEBUG: packageFiles with updates
{
  "baseBranch": "main"
  "config": {
    "poetry": [
      {
        "deps": [
          {
            "datasource": "pypi",
            "currentValue": "^ 69.0.0.20240115",
            "managerData": {
              "nestedVersion": false
            },
            "skipReason": "invalid-version",
            "depName": "types-setuptools",
            "depType": "dependencies",
            "lockedVersion": "69.0.0.20240115",
            "updates": [],
            "packageName": "types-setuptools"
          },
          {
            "datasource": "pypi",
            "currentValue": ">= 2023.3.1.0",
            "managerData": {
              "nestedVersion": false
            },
            "versioning": "pep440",
            "depName": "types-pytz",
            "depType": "dependencies",
            "lockedVersion": "2023.3.1.0",
            "updates": [
              {
                "bucket": "non-major",
                "newVersion": "2023.3.1.1",
                "newValue": ">= 2023.3.1.0",
                "releaseTimestamp": "2023-09-20T15:14:27.000Z",
                "newMajor": 2023,
                "newMinor": 3,
                "updateType": "patch",
                "isRange": true,
                "isLockfileUpdate": true,
                "branchName": "renovate/types-pytz-2023.x-lockfile"
              }
            ],
            "packageName": "types-pytz",
            "warnings": [],
            "sourceUrl": "https://github.com/python/typeshed",
            "registryUrl": "https://pypi.org/pypi",
            "changelogUrl": "https://github.com/typeshed-internal/stub_uploader/blob/main/data/changelogs/pytz.md",
            "currentVersion": "2023.3.1.0",
            "isSingleVersion": true,
            "fixedVersion": "2023.3.1.0"
          }
        ],
        "packageFileVersion": "0.1.0",
        "extractedConstraints": {
          "python": "^3.11"
        },
        "lockFiles": [
          "poetry.lock"
        ],
        "packageFile": "pyproject.toml"
      }
    ]
  }
}

Have you created a minimal reproduction repository?

I have linked to a minimal reproduction in the description above

[viceice]

for me it's more a feature and a versioning misuse 😉

[rarkins]

Yeah, it's borderline

[Gerrit-K]

While the version constraints mentioned above indeed only claim SemVer compatibilty, Poetry's library versioning guideline dictates pep440, which actually supports versions like 1.2.3.4.5.6. Using caret notation for such a version and then running poetry lock correctly updates dependencies, so poetry itself is compatible.

Also, trying to override this behaviour via versioning didn't work in my case:

// ...
    {
      "matchDatasources": ["pypi"],
      "matchPackageNames": ["acryl-datahub"],
      "versioning": "pep440"
    }

I do agree that these versions are rather rare, but to me it still feels like a bug in renovate rather than a versioning misuse.

[rarkins]

Yes, it's valid poetry syntax so should be supported by "poetry" versioning in Renovate