Minimum python version for dependencies are not respected

[onanypoint]

What would you like help with?

I think I found a bug

How are you running Renovate?

Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

No response

Please tell us more about your question or problem

Renovate doesn't seem to respect the minimum version of Python required by dependencies.

It has for effect to open PR that can't be merged until the Python version is upgraded. This make us skip potentially available patch releases or previous versions.

When using Poetry, the poetry lock will fail which make it "fail safe" but might not be with other package managers.

Logs (if relevant)

Logs

Replace this text with your logs, between the starting and ending triple backticks

[onanypoint]

Reproduction: https://github.com/onanypoint/renovate-numpy/tree/main

In the proposed reproduction, Python is set to 3.9 and the package numpy to 2.0.0. Renovate opens an update for 2.1.1 which is not compatible with 3.9.

[rarkins]

You need to configure constraintsFiltering: https://docs.renovatebot.com/configuration-options/#constraintsfiltering

[onanypoint]

Thank you for your quick reply!

I have now added this new attribute (after consulting the doc and other issues mentioning it.

{
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "constraintsFiltering": "strict",
    "extends": [
        "config:recommended"
    ],
    "packageRules": [
        {
            "matchDepNames": ["python"],
            "updateTypes": ["major", "minor"],
            "enabled": false
        }
    ]
}

I have done investiguation related to the declaration of the python dependencies in the pyproject.toml

• ~3.9 (Poetry Tilde requirements)
• 3.9.*(Poetry Wildcard requirements)
• ^3.9.1 (Poetry Caret requirements)

They all show a warning in the logs

WARN: Invalid constraint used with strict constraintsFiltering
{
  "packageName": "numpy"
  "constraint": "~3.9" # or any other declaration listed above
  "versioning": "pep440"
}

In the debug logs for packageFiles it seems Renovate is correctly finding the constraint.

packageFiles

{
  "baseBranch": "main"
  "config": {
    "pep621": [
      {
        "deps": [
          {
            "datasource": "pypi",
            "depName": "poetry-core",
            "depType": "build-system.requires",
            "packageName": "poetry-core",
            "skipReason": "unspecified-version",
            "updates": []
          }
        ],
        "packageFile": "pyproject.toml"
      }
    ],
    "poetry": [
      {
        "deps": [
          {
            "commitMessageTopic": "Python",
            "currentValue": "~3.9",
            "currentVersion": "3.9.20",
            "currentVersionTimestamp": "2024-09-09T19:35:23.000Z",
            "datasource": "github-releases",
            "depName": "python",
            "depType": "dependencies",
            "isSingleVersion": false,
            "managerData": {
              "nestedVersion": false
            },
            "packageName": "containerbase/python-prebuild",
            "registryUrl": "https://github.com",
            "registryUrls": null,
            "sourceUrl": "https://github.com/containerbase/python-prebuild",
            "versioning": "poetry",
            "warnings": [],
            "updates": [
              {
                "bucket": "non-major",
                "newVersion": "3.12.6",
                "newValue": "~3.12.0",
                "releaseTimestamp": "2024-09-09T19:26:30.000Z",
                "newMajor": 3,
                "newMinor": 12,
                "newPatch": 6,
                "updateType": "minor",
                "isRange": true,
                "branchName": "renovate/python-3.x"
              }
            ]
          },
          {
            "changelogUrl": "https://numpy.org/doc/stable/release",
            "currentValue": "2.0.0",
            "currentVersion": "2.0.0",
            "currentVersionTimestamp": "2024-06-16T13:06:46.000Z",
            "datasource": "pypi",
            "depName": "numpy",
            "depType": "dependencies",
            "fixedVersion": "2.0.0",
            "homepage": "https://numpy.org",
            "isSingleVersion": true,
            "lockedVersion": "2.0.0",
            "managerData": {
              "nestedVersion": false
            },
            "packageName": "numpy",
            "registryUrl": "https://pypi.org/pypi",
            "sourceUrl": "https://github.com/numpy/numpy",
            "versioning": "pep440",
            "warnings": [],
            "updates": [
              {
                "bucket": "non-major",
                "newVersion": "2.1.1",
                "newValue": "2.1.1",
                "releaseTimestamp": "2024-09-03T15:01:06.000Z",
                "newMajor": 2,
                "newMinor": 1,
                "newPatch": 1,
                "updateType": "minor",
                "branchName": "renovate/numpy-2.x"
              }
            ]
          }
        ],
        "extractedConstraints": {
          "python": "~3.9"
        },
        "lockFiles": [
          "poetry.lock"
        ],
        "packageFile": "pyproject.toml",
        "packageFileVersion": "0.0.1"
      }
    ]
  }
}

When using <3.10 (Poetry Inequality requirements), no warning but no numpy upgrade either. This behavior might be related to #28615.

If we pin the python version to 3.9.18, it works as expected and we have an upgrade for numpy to 2.0.2.

Is it mandatory to pin the python constraint in the dependencies when using strict?

[rarkins]

Hi, please start a new "ask a question" discussion. You create an invalid bug report, which needs closing

[github-actions[bot]]

Hi there,

A maintainer decided this is not a bug, and behaving as designed. The maintainer will explain why this behavior is correct. To avoid confusing future readers, we will close this Discussion.

We want Bug-type Discussions to be about things that we rate as bugs. For more details, please read our development docs about bug handling.

If this bug report makes you think of an idea for a new feature, or how to improve a current feature, feel free to create a new Suggest an Idea Discussion.

Thanks, the Renovate team