fix(vulnerabilities): do not force exact patch version for PyPI datasource in GitHub alerts

[Churro]

Changes

GitHub vulnerability alerts may suggest a particular patch version for PyPI dependencies that could be retracted, currently resulting in no PR being created at all. This change relaxes == to >=, so that the first available version is picked.

Context

• Fixes Python package `requests` not being updated to latest version #29572

Documentation (please check one with an [x])

• I have updated the documentation, or
• No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

• Code inspection only, or
• Newly added/modified unit tests, or
• No unit tests but ran on a real repository, or
• Both unit tests + ran on a real repository

Test repo: renovate-demo/29572-renovate-python-requests#2

[rarkins]

What about the change to the worker so that it picks the minimal instead of maximum matching version?

[Churro]

What about the change to the worker so that it picks the minimal instead of maximum matching version?

Should be warranted for GitHub alerts with this snippet:

renovate/lib/workers/repository/process/lookup/index.ts

Lines 364 to 366 in e6b04da

	if (config.isVulnerabilityAlert && !config.osvVulnerabilityAlerts) {
	filteredReleases = filteredReleases.slice(0, 1);
	}

For OSV, this is a thing but I wanted to address this in a separate PR - see #29280 (comment)

[rarkins]

Yes you're right, I forgot that this is for non-OSV

[renovate-release]

🎉 This PR is included in version 37.401.5 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)
• 37.401.5

Your semantic-release bot 📦🚀

[rarkins]

Follow-up issue: #29600