renovatebot / renovate

Home of the Renovate CLI: Cross-platform Dependency Automation by Mend.io
https://mend.io/renovate
GNU Affero General Public License v3.0

poetry: `^1.2.3.0` (caret with four components) are not detected #26940

Open rarkins opened 9 months ago

rarkins commented 9 months ago

Discussed in https://github.com/renovatebot/renovate/discussions/26939

Originally posted by **msw-kialo** January 30, 2024

### How are you running Renovate?

Mend Renovate hosted app on github.com

### If you're self-hosting Renovate, tell us what version of Renovate you run.

_No response_

### If you're self-hosting Renovate, select which platform you are using.

None

### Was this something which used to work for you, and then stopped?

I have not seen this working

### Describe the problem

*TLDR*: No updates for constraints like `^69.0.0.20240115` (four components), but for `>=69.0.0.20240115`.

Most PyPI packages providing types for other libraries (`types-`) use [four components as version numbers](https://github.com/python/typeshed/blob/main/README.md#package): the original three components from the target library and a following version indicating the revision of the type package it.

While this appears to not be compliant with [poetry's defined version constraints](https://python-poetry.org/docs/dependency-specification/#version-constraints), it does work in everyday use. IMO RenovateBot should support what works with the manager itself.

BTW: DependaBot correctly updates them; that is the reason we stumbled across this (as we correctly migrate from DependaBot to RenovateBot).

These packages aren't even listed on the dependency dashboard.

*Workaround*: Using an inequality operator instead of caret, resolves the issue. However, `poetry add $package` uses the caret operator by default (making it error-prone to avoid it).

*Reproduction Repository*: https://github.com/msw-kialo/renovate-poetry-fails-semver (two dependencies one with inequality and one with caret; RenovateBot PR for one; DependaBot PRs for both) forked to https://github.com/renovate-reproductions/26939

### Relevant debug logs

Logs

```
DEBUG: packageFiles with updates
{
  "baseBranch": "main"
  "config": {
    "poetry": [
      {
        "deps": [
          {
            "datasource": "pypi",
            "currentValue": "^ 69.0.0.20240115",
            "managerData": { "nestedVersion": false },
            "skipReason": "invalid-version",
            "depName": "types-setuptools",
            "depType": "dependencies",
            "lockedVersion": "69.0.0.20240115",
            "updates": [],
            "packageName": "types-setuptools"
          },
          {
            "datasource": "pypi",
            "currentValue": ">= 2023.3.1.0",
            "managerData": { "nestedVersion": false },
            "versioning": "pep440",
            "depName": "types-pytz",
            "depType": "dependencies",
            "lockedVersion": "2023.3.1.0",
            "updates": [
              {
                "bucket": "non-major",
                "newVersion": "2023.3.1.1",
                "newValue": ">= 2023.3.1.0",
                "releaseTimestamp": "2023-09-20T15:14:27.000Z",
                "newMajor": 2023,
                "newMinor": 3,
                "updateType": "patch",
                "isRange": true,
                "isLockfileUpdate": true,
                "branchName": "renovate/types-pytz-2023.x-lockfile"
              }
            ],
            "packageName": "types-pytz",
            "warnings": [],
            "sourceUrl": "https://github.com/python/typeshed",
            "registryUrl": "https://pypi.org/pypi",
            "changelogUrl": "https://github.com/typeshed-internal/stub_uploader/blob/main/data/changelogs/pytz.md",
            "currentVersion": "2023.3.1.0",
            "isSingleVersion": true,
            "fixedVersion": "2023.3.1.0"
          }
        ],
        "packageFileVersion": "0.1.0",
        "extractedConstraints": { "python": "^3.11" },
        "lockFiles": [ "poetry.lock" ],
        "packageFile": "pyproject.toml"
      }
    ]
  }
}
```

### Have you created a minimal reproduction repository?

I have linked to a minimal reproduction in the description above

viceice commented 9 months ago

for me it's more a feature and a versioning misuse 😉

rarkins commented 9 months ago

Yeah, it's borderline

Gerrit-K commented 2 months ago

While the version constraints mentioned above indeed only claim SemVer compatibility, Poetry's library versioning guideline dictates pep440, which actually supports versions like 1.2.3.4.5.6. Using caret notation for such a version and then running poetry lock correctly updates dependencies, so poetry itself is compatible.

Also, trying to override this behaviour via versioning didn't work in my case:

```
// ...
    {
      "matchDatasources": ["pypi"],
      "matchPackageNames": ["acryl-datahub"],
      "versioning": "pep440"
    }
```

I do agree that these versions are rather rare, but to me it still feels like a bug in renovate rather than a versioning misuse.

rarkins commented 2 months ago

Yes, it's valid poetry syntax so should be supported by "poetry" versioning in Renovate
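
Added example, not part of the thread and not Renovate's or Poetry's code: a small audit helper that expands caret constraints with any number of numeric components into a range and lists the dependencies an updater with three-component-only caret parsing would leave unmanaged. It assumes Poetry's documented caret rule (bump the leftmost non-zero of the first three components) carries over to longer versions and handles numeric release components only; all function names and the sample dependency table are constructed.

```python
import re

# Caret constraint with any number of numeric release components; optional
# whitespace after the caret (the debug log shows "^ 69.0.0.20240115").
CARET = re.compile(r"^\^\s*(\d+(?:\.\d+)*)$")

# Constructed sample of a [tool.poetry.dependencies] table, using the
# constraints named in the issue.
SAMPLE_DEPS = {
    "python": "^3.11",
    "types-setuptools": "^69.0.0.20240115",
    "types-pytz": ">=2023.3.1.0",
}


def _norm(release):
    """Drop trailing zeros so 1.2 and 1.2.0 compare equal (PEP 440 padding)."""
    parts = list(release)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def caret_bounds(constraint):
    """Return (lower, upper) release tuples for a caret constraint, else None.

    Assumption: the upper bound bumps the leftmost non-zero component among
    the first three; later components only raise the lower bound.
    """
    m = CARET.match(constraint.strip())
    if not m:
        return None
    lower = tuple(int(p) for p in m.group(1).split("."))
    head = lower[:3]
    idx = next((i for i, n in enumerate(head) if n), len(head) - 1)
    return lower, head[:idx] + (head[idx] + 1,)


def satisfies(version, constraint):
    """True if a numeric release version falls inside the caret range."""
    lower, upper = caret_bounds(constraint)
    return _norm(lower) <= _norm(int(p) for p in version.split(".")) < _norm(upper)


def audit(deps):
    """Names whose caret constraint has more than three components."""
    return [n for n, c in deps.items()
            if (b := caret_bounds(c)) and len(b[0]) > 3]
```

Running `audit` over a project's dependency table gives the list of packages to check against the dependency dashboard, or to switch to the `>=` workaround described in the issue.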