Poetry Dynamic dependency handling

[robaiken]

What are you trying to accomplish?

When a Poetry pyproject.toml lists dependencies or optional-dependencies in [project].dynamic, those are managed by Poetry, not statically declared. Dependabot was parsing them from [project] anyway, creating duplicates and updating the wrong location. This PR skips dynamic PEP 621 dependencies when Poetry is the build backend.

Additionally fixes two CodeQL polynomial-regex alerts in PyprojectPreparer by replacing interpolated name patterns with a fixed PEP508_PREFIX constant and NameNormaliser-based matching. Also refactors freeze_top_level_dependencies_except into smaller helpers, extracts a Pep621Updater from PoetryFileUpdater, and fixes BumpVersions strategy for range requirements.

Anything you want to highlight for special attention from reviewers?

The regex refactoring in pyproject_preparer.rb addresses CodeQL polynomial backtracking alerts. pin_pep508_entry signature changed from (entry, name_pattern, version) to (entry, version) — it uses a fixed regex instead of interpolating dependency names. Name matching now uses NameNormaliser.normalise() comparison instead of dynamic regex patterns.

How will you know you've accomplished your goal?

Poetry projects with dynamic = ["dependencies"] or dynamic = ["optional-dependencies"] in [project] will no longer produce duplicate dependencies or attempt PEP 621 updates for Poetry-managed deps. Range requirements like >=1.0,<2.0 are correctly bumped under the BumpVersions strategy.

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.

[Copilot]

Pull request overview

Fixes Dependabot’s Poetry handling for PEP 621 dynamic dependency fields to avoid parsing/updating dependencies that are managed dynamically by Poetry, and refactors/strengthens related update logic and regex handling.

Changes:

• Skip PEP 621 dependencies / optional-dependencies parsing when those fields are marked dynamic and Poetry is the backend.
• Refactor PyprojectPreparer regex usage and freezing logic to avoid interpolated patterns and reduce complexity.
• Adjust PEP 508 specifier rewriting logic used by the Poetry PEP 621 updater; add fixtures/specs for dynamic cases.

Show a summary per file

File	Description
python/spec/fixtures/pyproject_files/pep621_dynamic_optional_dependencies.toml	Adds a fixture covering dynamic optional-dependencies in a Poetry-backed project.
python/spec/fixtures/pyproject_files/pep621_dynamic_dependencies.toml	Adds a fixture for dynamic dependencies in a Poetry-backed project.
python/spec/dependabot/python/file_parser/pyproject_files_parser_spec.rb	Adds specs asserting dynamic PEP 621 dependency fields are skipped for Poetry.
python/lib/dependabot/python/file_updater/pyproject_preparer.rb	Replaces interpolated regex patterns with a fixed prefix regex and normalised name matching; refactors freezing logic.
python/lib/dependabot/python/file_updater/poetry_file_updater/pep621_updater.rb	Changes how PEP 508 specifier versions are rewritten to better handle reordering.
python/lib/dependabot/python/file_parser/pyproject_files_parser.rb	Implements dynamic-field-based skipping of PEP 621 dependency parsing when using Poetry.

Copilot's findings

• Files reviewed: 6/6 changed files
• Comments generated: 3