fix(renovate): bump Python >= lower bounds on every release

[JacobPEvans]

Summary

Closes the gap that let pyarrow>=17.0.0 sit untouched for months while pyarrow shipped through 18.x → 24.x. Surfaced by mlx-benchmarks#55, where the unfixable-CVE PYSEC-2026-113 (CVSS 7.0 High, fixed in 23.0.1) only became visible when OSV started flagging it on every PR.

Root cause

Renovate's default rangeStrategy: auto maps to replace for pep621 and pip_requirements. replace only bumps a constraint when the new version falls outside the existing range. Since >=17.0.0 is satisfied by 18, 19, 20, 21, 22, 23, and 24, replace no-ops indefinitely. The lower bound ages out of sync with the actual installed (lockfile) version and becomes a stale security floor for downstream consumers of the library.

The vulnerabilityAlerts block already sets rangeStrategy: bump for CVE-driven updates. This PR mirrors that behaviour for routine releases too, on a focused set of Python managers.

Change

One new packageRule appended to renovate-presets.json:

{
  "matchManagers": ["pep621", "pip_requirements", "pip_setup", "poetry", "pipenv"],
  "rangeStrategy": "bump"
}

bump forces the lower bound to track the latest release even when the existing range still satisfies it.

Why this scope

Manager	Default behaviour	Need bump?
pep621 / pip_requirements / pip_setup / poetry / pipenv	>=X ranges no-op forever	Yes — this PR
npm	^X.Y.Z caps at next major; majors are outside-range so replace bumps them	No
cargo	^X.Y.Z / ~X.Y.Z behave like npm	No
terraform	>= 1.0 has the same pathology	Could extend later if it surfaces
pre-commit	Pinned rev: tags get exact-match bumps	No

Impact

At the time of this PR, every workspace repo consuming the preset has stale >= constraints:

Repo	>= pins
mlx-benchmarks	18
nix-ai/orchestrator	16
python-template	11
nix-ai/mlx-server	3
claude-code-plugins/content-guards	2

After this PR lands, Renovate will (on the next scheduled run — Mon/Thu 7am per the existing Python schedule rule) open PRs to bring each of those constraints current. Examples that are demonstrably behind today:

Package	Current pin in mlx-benchmarks	Latest on PyPI
pyarrow	>=17.0.0 (fixed in mlx-benchmarks#55 to 23.0.1)	24.0.0
pandas	>=2.0	3.0.3
psutil	>=5.9	7.2.2
pytest-cov	>=5.0	7.1.0
openai	>=1.0.0	2.38.0
mypy	>=1.11	2.1.0
huggingface-hub	>=0.23	1.16.1
pytest	>=8.3	9.0.3
pre-commit	>=3.8	4.6.0
ruff	>=0.6.9	0.15.14

Bumps will auto-merge for minor/patch (per the existing pep621/pip_requirements auto-merge rule) and human-review for majors (per the Never auto-merge major updates rule already in the preset).

Test plan

• jq empty renovate-presets.json passes
• Pre-commit clean on the changed file
• After merge: wait for Renovate's next Mon/Thu run, watch for the wave of stale-pin bump PRs across consumer repos
• Verify a Python >= bump PR opens against this repo or another consumer within 48h

Out of scope

• The fix/renovate-vuln-bump branch (unpushed WIP that removes dependencyDashboard, osvVulnerabilityAlerts, and several settings). That refactor is broader and should be discussed separately.
• Terraform >= constraint bumping. Same pathology but no concrete example pinned today.
• Bumping the consumer-repo pyproject files manually. Per the original request, the only manual fix is this one renovate rule; everything else flows from Renovate after this lands.

🤖 Generated with Claude Code

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the Renovate configuration to ensure Python dependency lower bounds are kept up-to-date. By switching the range strategy from the default 'replace' to 'bump' for specific Python managers, the system will now actively update minimum version constraints instead of ignoring them when existing ranges remain satisfied, thereby improving security and alignment with current releases.

Highlights

• Renovate Configuration Update: Added a new package rule to renovate-presets.json that sets rangeStrategy to bump for various Python package managers.
• Improved Dependency Freshness: Forces Python >= lower bounds to track the latest releases, preventing constraints from becoming stale security floors.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

---

The version range was stuck in place, / While newer code joined in the race. / With 'bump' we now force, / A much better course, / To keep all our builds in good grace.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩