From e4aed31ca3d67f898486621b42388490a36669ad Mon Sep 17 00:00:00 2001 
From: JacobPEvans <20714140+JacobPEvans@users.noreply.github.com>
Date: Sun, 24 May 2026 13:45:57 -0400
Subject: [PATCH] fix(renovate): bump Python `>=` lower bounds on every release
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Root cause of mlx-benchmarks#55: `pyarrow>=17.0.0` sat untouched for months while pyarrow shipped through 18.x, 19.x, ... 24.x. The unfixable-CVE PYSEC-2026-113 (CVSS 7.0, fixed in pyarrow 23.0.1) only came to light when OSV started flagging it on every PR.

Renovate's default `rangeStrategy: auto` maps to `replace` for pep621 and pip_requirements. `replace` only updates a constraint when the new version falls **outside** the existing range. Since `>=17.0.0` already satisfies pyarrow 24.0.0, replace no-ops indefinitely. The lower bound ages out of sync with the actually-installed (lockfile) version and becomes a stale security floor for downstream library consumers.

The vulnerabilityAlerts block already sets `rangeStrategy: bump` for CVE-driven updates. This new packageRule mirrors that behavior for routine releases too, so:

- `pyarrow>=17.0.0` becomes `pyarrow>=24.0.0` (or whatever's current) the next time pyarrow ships, without waiting for a CVE.
- Library consumers installing the project as a dependency get an accurate security floor, not a years-old one.
- The lockfile and pyproject specifier stay aligned.

Scope: pep621, pip_requirements, pip_setup, poetry, pipenv. npm caret ranges already get bumped under `replace` because `^X.Y.Z` caps at the next major; no change needed there. Terraform `>=` constraints have the same pathology — can extend this rule if it turns up there too.

Impact at the time of this PR: at minimum 18 stale `>=` pins in mlx-benchmarks, 11 in python-template, 16 in nix-ai/orchestrator, plus more across the workspace.
After this lands, Renovate will open PRs to bring each of those current at the next scheduled run (Monday/Thursday mornings per the existing Python schedule rule). Assisted-by: Claude --- renovate-presets.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/renovate-presets.json b/renovate-presets.json index d7444f4..b5400c1 100644 --- a/renovate-presets.json +++ b/renovate-presets.json @@ -228,6 +228,11 @@ "matchUpdateTypes": ["minor", "patch"], "automerge": true, "schedule": ["after 7am on Monday", "after 7am on Thursday"] + }, + { + "description": "Bump Python `>=` lower bounds so they track the latest released version. Without this, Renovate's default `auto` strategy (= `replace` for pep621/pip_requirements) leaves `pyarrow>=17.0.0` untouched forever even when 24.x is current — the existing range already satisfies the new version, so `replace` no-ops. Setting `bump` forces the lower bound to move with each release, keeping security floors current. Mirrors the `rangeStrategy: bump` already used inside `vulnerabilityAlerts` so routine and CVE-driven bumps behave identically.", + "matchManagers": ["pep621", "pip_requirements", "pip_setup", "poetry", "pipenv"], + "rangeStrategy": "bump" } ] }
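Review bot: the new rule sets `"rangeStrategy": "bump"` with no `matchUpdateTypes` filter, so a major release will also raise the `>=` floor, which for a library published as a dependency drops support for every older major that downstream consumers may still pin; either add `"matchUpdateTypes": ["minor", "patch"]` to scope the bump to the same update types the preceding rule automerges, or say explicitly in the description that major-version floors are meant to move too (they would then arrive as non-automerged PRs, since the preceding rule only automerges minor/patch). Separately, the `description` restates most of the commit message in one very long string; a one-line summary plus a pointer to mlx-benchmarks#55 would keep `renovate-presets.json` readable.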
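A stale-floor check in the spirit of the commit message, added here as an example and not part of the patch or of Renovate's own code: it flags `>=` lower bounds that lag the lockfile (exactly the pins `replace` never touches) and shows the rewrite `bump` performs. The pyarrow numbers come from the commit message; the other dependency names, the lockfile contents and the helper names are constructed.

```python
import re
from typing import Optional

# Matches a bare `name>=X.Y.Z` floor (no extras, no environment markers).
FLOOR_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*>=\s*([0-9][0-9.]*)")


def parse_version(v: str) -> tuple:
    """'24.0.0' -> (24, 0, 0); release segments only, compared numerically."""
    return tuple(int(p) for p in v.strip(".").split("."))


def floor_of(spec: str) -> Optional[tuple]:
    """Return (name, floor_tuple) for a `name>=X.Y.Z` specifier, else None."""
    m = FLOOR_RE.match(spec)
    return (m.group(1).lower(), parse_version(m.group(2))) if m else None


def in_range(spec: str, version: str) -> bool:
    """True when `version` already satisfies the `>=` floor: the case in which
    Renovate's `replace` strategy leaves the specifier untouched."""
    parsed = floor_of(spec)
    return parsed is not None and parse_version(version) >= parsed[1]


def bump_floor(spec: str, new_version: str) -> str:
    """What `rangeStrategy: bump` does to a `>=` floor: move it to new_version,
    keeping anything after the floor (e.g. an upper bound) as it was."""
    if floor_of(spec) is None:
        return spec  # not a bare `>=` floor; out of scope for this model
    return FLOOR_RE.sub(lambda m: f"{m.group(1)}>={new_version}", spec, count=1)


def stale_floors(requirements, locked):
    """[(name, floor, locked_version)] for every `>=` floor that is older than
    the version the lockfile actually resolves; these are the stale security floors."""
    out = []
    for spec in requirements:
        parsed = floor_of(spec)
        if parsed is None:
            continue
        name, floor = parsed
        locked_v = locked.get(name)
        if locked_v is not None and floor < parse_version(locked_v):
            out.append((name, ".".join(map(str, floor)), locked_v))
    return out


# Constructed sample: pyarrow 17.0.0 -> 24.0.0 is the case from the commit message.
REQUIREMENTS = ["pyarrow>=17.0.0", "numpy>=1.26.0", "requests==2.31.0"]
LOCKED = {"pyarrow": "24.0.0", "numpy": "1.26.0", "requests": "2.31.0"}

if __name__ == "__main__":
    for name, floor, locked in stale_floors(REQUIREMENTS, LOCKED):
        print(f"stale floor: {name}>={floor} (lockfile resolves {locked})")
    print(in_range("pyarrow>=17.0.0", "24.0.0"))  # True: replace would no-op
    print(bump_floor("pyarrow>=17.0.0", "24.0.0"))  # pyarrow>=24.0.0
```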