Malformed version string leads to cooldown not being respected #13329
Description
Is there an existing issue for this?
- I have searched the existing issues
Package ecosystem
pip
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
google-api-python-client==2.184.0
dependabot.yml content
version: 2
enable-beta-ecosystems: true
updates:
- package-ecosystem: pip
schedule:
interval: daily
time: '08:00'
timezone: 'America/Los_Angeles'
cooldown:
default-days: 7
directory: /
Updated dependency
google-api-python-client==2.185.0
What you expected to see, versus what you actually saw
With the cooldown configuration, I would not expect the version to be updated immediately. At the time of writing, v2.185 was just released today (10/17/25). Yet, with this minimal configuration dependabot opens a PR for the new version immediately. I suspect the bug is related to fallback parsing of the manifest. From dependabot's logs I can see:
2025/10/17 20:07:21 INFO <job_1128068417> Checking all dependencies for version updates...
updater | 2025/10/17 20:07:21 INFO <job_1128068417> Checking if google-api-python-client 2.184.0 needs updating
updater | 2025/10/17 20:07:21 INFO <job_1128068417> Fetching release information from json registry at https://pypi.org/pypi/ for google-api-python-client
proxy | 2025/10/17 20:07:21 [015] GET https://pypi.org/pypi/google-api-python-client/json
proxy | 2025/10/17 20:07:21 [015] 200 https://pypi.org/pypi/google-api-python-client/json
updater | 2025/10/17 20:07:21 WARN <job_1128068417> Unexpected error while fetching JSON data: Malformed version string - 1.0beta5prerelease does not match regex.
2025/10/17 20:07:21 WARN <job_1128068417> No valid versions found via JSON API. Falling back to HTML.
updater | 2025/10/17 20:07:21 INFO <job_1128068417> Fetching release information from html registry at https://pypi.org/simple/ for google-api-python-client
proxy | 2025/10/17 20:07:21 [019] GET https://pypi.org/simple/google-api-python-client/
proxy | 2025/10/17 20:07:21 [019] 200 https://pypi.org/simple/google-api-python-client/
updater | 2025/10/17 20:07:22 INFO <job_1128068417> Filtered out 2 yanked versions
updater | 2025/10/17 20:07:22 INFO <job_1128068417> Filtered out 23 pre-release versions
updater | 2025/10/17 20:07:22 INFO <job_1128068417> Latest version is 2.185.0
updater | 2025/10/17 20:07:22 INFO <job_1128068417> Python package resolver : requirements
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
version: 2
enable-beta-ecosystems: true
updates:
- package-ecosystem: pip
schedule:
interval: daily
time: '08:00'
timezone: 'America/Los_Angeles'
cooldown:
default-days: 7
directory: /