fix: treat bare version constraints as exact match

When resolving dependencies like certifi@2025.10.5, the bare version string "2025.10.5" was being rejected as an invalid SpecifierSet and falling back to wildcard, which fetched the latest version instead. Now bare versions starting with a digit are automatically prefixed with "==" to create an exact match constraint.
2026-02-04 17:02:02 -06:00
parent 6cf487b224
commit c31a147e1f
2 changed files with 47 additions and 1 deletions
--- a/backend/app/registry_client.py
+++ b/backend/app/registry_client.py
@@ -269,8 +269,18 @@ class PyPIRegistryClient(RegistryClient):
                return None

            # Parse constraint
+            # If constraint looks like a bare version (no operator), treat as exact match
+            # e.g., "2025.10.5" -> "==2025.10.5"
+            effective_constraint = constraint
+            if constraint and constraint[0].isdigit():
+                effective_constraint = f"=={constraint}"
+                logger.debug(
+                    f"Bare version '{constraint}' for {normalized}, "
+                    f"treating as exact match '{effective_constraint}'"
+                )
+
            try:
-                specifier = SpecifierSet(constraint)
+                specifier = SpecifierSet(effective_constraint)
            except InvalidSpecifier:
                # Invalid constraint - treat as wildcard
                logger.warning(