Changes to how Dependabot handles Python versions #10801
Pinned. jonjanego announced in Announcements. Replies: 0 comments
Hi Dependabot community - similar to the recent changes that we made to Maven, we wanted to announce some changes that we've also made to how we identify Python versions and version precedence, so that it aligns with the official Python version specification.

There are two main changes that have been made.

The first is the regular expression we use to validate the format of the version string. Initially, it was:

/\A\s*(v?([1-9][0-9]*!)?[0-9]+[0-9a-zA-Z]*(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z]+(\.[0-9a-zA-Z]+)*)?(\+[0-9a-zA-Z]+(\.[0-9a-zA-Z]+)*)?)?\s*\z/

This regex allowed empty versions and other loosely interpreted versions like "2sd3ax". This has been updated to follow the Python version specification, and uses the following regex to determine if a version specifier is valid:

The updated regex is more restrictive and won't allow empty or ill-formed strings like "2sd". If you're using a package that does not conform to the Python spec, Dependabot may fail to identify these and throw an error saying that they are invalid.

Version ordering is the other major change. According to the Python version specification, the right order for version suffixes is .devN < aN < bN < rcN < <no suffix> < .postN. Prior to these changes, the sorting did not work properly and, in the cases where it did, the suffixes were sorted alphabetically, as in aN < bN < devN < rcN ... Dependabot is now following the specification, and will follow the ordering standard.

Another consequence of this is the choice of suffix when translating wildcard or caret requirements like 1.8.* into version ranges. Previously, the default for ranges was 0.a. Based on review of the spec, this has been updated to default to 0.dev.

Please let us know in the discussion comments below if you have any questions, and as always, thank you for your support of Dependabot!
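As an added illustration of the two changes described above (this is example code written for this page, not Dependabot's implementation, and its regex is not the new regex the announcement refers to), the following Python snippet validates version strings against a simplified form of the PEP 440 grammar, builds a sort key that yields the precedence .devN < aN < bN < rcN < <no suffix> < .postN, and shows why the lower-bound suffix for a wildcard such as 1.8.* matters. The `wildcard_bounds` helper and its reading of "0.dev" versus "0.a" as the lower-bound suffix are this example's own assumptions.

```python
import re

# Constructed regex: a simplified rendering of the PEP 440 public version grammar
# (epoch, release, pre/post/dev segments, local label). It is this example's own
# pattern, not the one adopted by Dependabot.
_VERSION_RE = re.compile(
    r"""^\s*v?
    (?:(?P<epoch>\d+)!)?
    (?P<release>\d+(?:\.\d+)*)
    (?:[-_.]?(?P<pre_l>a|b|rc|alpha|beta|c|pre|preview)[-_.]?(?P<pre_n>\d+)?)?
    (?:-(?P<post_n1>\d+)|[-_.]?(?P<post_l>post|rev|r)[-_.]?(?P<post_n2>\d+)?)?
    (?:[-_.]?(?P<dev_l>dev)[-_.]?(?P<dev_n>\d+)?)?
    (?:\+(?P<local>[a-z0-9]+(?:[-_.][a-z0-9]+)*))?
    \s*$""",
    re.VERBOSE | re.IGNORECASE,
)

# Spec spellings normalised to their canonical rank: a < b < rc.
_PRE_RANK = {"a": 0, "alpha": 0, "b": 1, "beta": 1, "rc": 2, "c": 2, "pre": 2, "preview": 2}


def is_valid(version):
    """True if the string matches the simplified grammar; empty and junk strings fail."""
    return _VERSION_RE.match(version) is not None


def sort_key(version):
    """Comparable key implementing the spec's precedence:
    .devN < aN < bN < rcN < <no suffix> < .postN, with a dev sub-suffix
    sorting before the segment it is attached to (1.0a1.dev1 < 1.0a1)."""
    m = _VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"invalid version: {version!r}")
    epoch = int(m.group("epoch") or 0)
    release = tuple(int(p) for p in m.group("release").split("."))
    while len(release) > 1 and release[-1] == 0:  # 1.0 and 1.0.0 compare equal
        release = release[:-1]
    pre_l, pre_n = m.group("pre_l"), m.group("pre_n")
    has_post = m.group("post_n1") is not None or m.group("post_l") is not None
    post_n = m.group("post_n1") or m.group("post_n2")
    has_dev = m.group("dev_l") is not None
    dev_n = m.group("dev_n")

    if pre_l is None and not has_post and has_dev:
        pre = (-1, 0)  # a bare dev release sorts before every pre-release
    elif pre_l is None:
        pre = (3, 0)   # no suffix sorts after rc
    else:
        pre = (_PRE_RANK[pre_l.lower()], int(pre_n or 0))
    post = int(post_n or 0) if has_post else -1       # post releases sort last
    dev = (0, int(dev_n or 0)) if has_dev else (1, 0)  # dev sorts before non-dev
    local = m.group("local")
    if local is None:
        local_key = (0,)
    else:
        # Numeric local segments rank above alphanumeric ones, per the spec.
        local_key = (1,) + tuple(
            (1, int(seg)) if seg.isdigit() else (0, seg.lower())
            for seg in re.split(r"[-_.]", local)
        )
    return (epoch, release, pre, post, dev, local_key)


def wildcard_bounds(requirement, suffix="dev"):
    """Translate '1.8.*' into a [lower, upper) pair. The lower bound carries a
    zero-numbered suffix; 'dev' reflects the announced default, 'a' the old one.
    (Assumption: this is one reading of the announcement, not Dependabot's code.)"""
    if not requirement.endswith(".*"):
        raise ValueError(f"not a wildcard requirement: {requirement!r}")
    prefix = requirement[:-2]
    parts = [int(p) for p in prefix.split(".")]
    upper = parts[:-1] + [parts[-1] + 1]
    sep = "." if suffix == "dev" else ""
    return f"{prefix}{sep}{suffix}0", ".".join(str(p) for p in upper)


def in_range(version, requirement, suffix="dev"):
    """True if version falls inside the range derived from the wildcard requirement."""
    lower, upper = wildcard_bounds(requirement, suffix)
    return sort_key(lower) <= sort_key(version) < sort_key(upper)


if __name__ == "__main__":
    # Constructed sample inputs: the strings from the announcement plus a few spec forms.
    for s in ["", "2sd3ax", "2sd", "1.0", "1!2.0rc1.post2.dev3+local.7"]:
        print(f"{s!r:32} valid={is_valid(s)}")
    print(sorted(["1.0", "1.0.post1", "1.0rc1", "1.0.dev1", "1.0b2", "1.0a1"], key=sort_key))
    print(wildcard_bounds("1.8.*"), wildcard_bounds("1.8.*", suffix="a"))
    print(in_range("1.8.dev3", "1.8.*"), in_range("1.8.dev3", "1.8.*", suffix="a"))
```

The last two calls show the practical effect of the suffix change: with a lower bound of 1.8a0, a 1.8.dev3 build falls below the range because dev releases precede alpha releases in the spec's ordering, whereas a 1.8.dev0 lower bound admits it.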