Bug 5: Pip dependency fixes only work for already-pinned dependencies
Description
The pip handler assumes dependencies are statically pinned (e.g. pkg==1.2.3).
If a dependency is unpinned or uses ranges (>=, ~=), the regex often fails.
Impact
- Frogbot reports “impacted package not found” even when it exists.
- Common real-world requirements.txt files cannot be fixed.
Suggested Fix
Parse requirements using a PEP 508–compliant parser and support upgrading unpinned or ranged dependencies.
Current behavior
The handler only successfully updates dependencies when they are already pinned to an explicit version (e.g. pkg==1.2.3). If a dependency is unpinned or uses version ranges, the handler fails with “impacted package not found”.
Reproduction steps
Run As Is
Expected behavior
If the vulnerable package exists in the dependency declaration, Frogbot should be able to upgrade it even when:
It is unpinned (pkg)
Uses compatible/ranged specifiers (>=, ~=, etc.)
Is pinned but with spacing/comments
At minimum, it should recognize common formats and either:
update safely, or
emit a specific “format not supported” error describing what it encountered.
JFrog Frogbot version
LATEST
Package manager info
LATEST
Git provider
GitHub
JFrog Frogbot configuration yaml file
DEFAULT
Operating system type and version
ALL
JFrog Xray version
LATEST
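One way to implement the suggested fix, as an added example that is not Frogbot's code: a reduced PEP 508-style parser that recognises unpinned names, ranged and compatible specifiers, extras, environment markers, spacing and inline comments, and rewrites the matching declaration to an exact pin. Function names (`parse_requirement`, `upgrade_requirement`, `fix_requirements`) and the sample requirements file are assumptions made for this example; a production handler should use the `packaging` library's `packaging.requirements.Requirement` class rather than this hand-rolled grammar, which deliberately rejects URL requirements and reports them as unsupported instead of silently skipping them.

```python
"""Added example, not JFrog Frogbot's implementation.

A reduced PEP 508 parser for requirements.txt lines plus an upgrade helper
that pins a package to a fixed version whatever form the declaration takes.
"""
import re
from dataclasses import dataclass, field

# Reduced PEP 508 grammar: name, optional [extras], optional specifier set,
# optional ; environment marker. Comments are split off before matching.
_REQ_RE = re.compile(
    r"""^
    (?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)
    \s*(?:\[(?P<extras>[^\]]*)\])?
    \s*(?P<spec>
        (?:===|[<>=!~]=?)\s*[A-Za-z0-9.*+!_-]+
        (?:\s*,\s*(?:===|[<>=!~]=?)\s*[A-Za-z0-9.*+!_-]+)*
    )?
    \s*(?:;\s*(?P<marker>.*?))?
    \s*$
    """,
    re.VERBOSE,
)


def canonical_name(name):
    """PEP 503 normalisation: case-insensitive, '-', '_' and '.' equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass
class Requirement:
    name: str
    extras: list = field(default_factory=list)
    specifier: str = ""      # e.g. ">=1.26,<2"; empty when unpinned
    marker: str = ""
    comment: str = ""


def parse_requirement(line):
    """Return a Requirement, None for blank/comment/option lines (-r, -e, --index-url),
    or raise ValueError with the offending text for formats this grammar rejects."""
    body, _, comment = line.partition("#")
    body = body.strip()
    if not body or body.startswith("-"):
        return None
    if "@" in body:                      # pkg @ https://... (URL requirement)
        raise ValueError(f"URL requirement not supported: {line.strip()}")
    m = _REQ_RE.match(body)
    if not m:
        raise ValueError(f"unrecognised requirement format: {line.strip()}")
    extras = [e.strip() for e in (m.group("extras") or "").split(",") if e.strip()]
    return Requirement(
        name=m.group("name"),
        extras=extras,
        specifier=re.sub(r"\s+", "", m.group("spec") or ""),
        marker=(m.group("marker") or "").strip(),
        comment=comment.strip(),
    )


def upgrade_requirement(req, new_version):
    """Rewrite req as an exact pin, preserving extras, marker and comment."""
    out = req.name
    if req.extras:
        out += "[" + ",".join(req.extras) + "]"
    out += f"=={new_version}"
    if req.marker:
        out += f" ; {req.marker}"
    if req.comment:
        out += f"  # {req.comment}"
    return out


def fix_requirements(text, package, fixed_version):
    """Pin every declaration of `package` in a requirements.txt body.

    Returns (new_text, number_of_lines_changed, unsupported_line_messages).
    Unsupported lines are left untouched but reported, so the caller can emit
    a specific "format not supported" error instead of "package not found".
    """
    target = canonical_name(package)
    out_lines, changed, unsupported = [], 0, []
    for line in text.splitlines():
        try:
            req = parse_requirement(line)
        except ValueError as exc:
            unsupported.append(str(exc))
            out_lines.append(line)
            continue
        if req is not None and canonical_name(req.name) == target:
            out_lines.append(upgrade_requirement(req, fixed_version))
            changed += 1
        else:
            out_lines.append(line)
    return "\n".join(out_lines) + "\n", changed, unsupported


# Constructed sample file covering the formats listed in the issue.
SAMPLE = """# constructed sample, not from any real project
requests
urllib3>=1.26,<2
Django ~= 4.1
cryptography == 39.0.0  # pinned for FIPS build
PyYAML[full] >= 5.4 ; python_version < "3.12"
-r base.txt
"""

if __name__ == "__main__":
    for pkg, ver in [("requests", "2.31.0"), ("URLLIB3", "2.0.7"), ("pyyaml", "6.0.1")]:
        new_text, n, bad = fix_requirements(SAMPLE, pkg, ver)
        print(f"--- {pkg} -> {ver}: {n} line(s) changed, {len(bad)} unsupported")
        print(new_text)
```

Matching is done on the PEP 503 canonical name, so `URLLIB3`, `urllib3` and `Urllib_3` all resolve to the same dependency, and the rewrite keeps the original casing, extras, marker and trailing comment so the resulting pull request touches nothing but the version.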