Fix cooldown bypass when PyPI JSON contains malformed version strings (#13412)

* Fix cooldown bug caused by malformed version strings in PyPI JSON response

Co-authored-by: a-schur <227858738+a-schur@users.noreply.github.com>

* Update test fixture with dynamic dates for cooldown validation

Co-authored-by: a-schur <227858738+a-schur@users.noreply.github.com>

* Use filtering with  Version.correct? to validate versions instead of rescuing exceptions

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: a-schur <227858738+a-schur@users.noreply.github.com>
Co-authored-by: a-schur <a-schur@github.com>

Author: Copilot

python/lib/dependabot/python/package/package_details_fetcher.rb

@@ -294,6 +294,12 @@ def format_version_releases(releases_json)
             .returns(T.nilable(Dependabot::Package::PackageRelease))
         end
         def format_version_release(version, release_data)
+          # Skip versions that don't conform to PEP 440
+          unless Dependabot::Python::Version.correct?(version)
+            Dependabot.logger.warn("Skipping invalid version #{version}: does not match PEP 440")
+            return nil
+          end
+
           upload_time = release_data["upload_time"]
           released_at = Time.parse(upload_time) if upload_time
           yanked = release_data["yanked"] || false
@@ -306,7 +312,7 @@ def format_version_release(version, release_data)
             requires_python: release_data["requires_python"]
           )
 
-          release = Dependabot::Package::PackageRelease.new(
+          Dependabot::Package::PackageRelease.new(
             version: Dependabot::Python::Version.new(version),
             released_at: released_at,
             yanked: yanked,
@@ -316,7 +322,6 @@ def format_version_release(version, release_data)
             package_type: package_type,
             language: language
           )
-          release
         end
 
         sig do

python/spec/dependabot/python/package/package_details_fetcher_spec.rb

@@ -124,6 +124,43 @@
       end
     end
 
+    context "when JSON response contains a malformed version string" do
+      let(:dependency_name) { "google-api-python-client" }
+      let(:json_url) { "https://pypi.org/pypi/#{dependency_name}/json" }
+      let(:registry_url) { "#{registry_base}/google-api-python-client/" }
+
+      before do
+        stub_request(:get, json_url).to_return(
+          status: 200,
+          body: fixture("releases_api", "pypi", "pypi_json_response_with_malformed_version.json")
+        )
+        stub_request(:get, registry_url).to_return(
+          status: 200,
+          body: fixture("releases_api", "simple", "simple_index.html")
+        )
+      end
+
+      it "skips the malformed version but continues processing valid versions from JSON" do
+        result = fetch
+
+        expect(result.releases).not_to be_empty
+        expect(a_request(:get, json_url)).to have_been_made.once
+        # Should NOT fall back to HTML since we can process valid versions from JSON
+        expect(a_request(:get, registry_url)).not_to have_been_made
+
+        # Should have only the valid versions (2.184.0 and 2.185.0), not the malformed one
+        version_strings = result.releases.map { |r| r.version.to_s }
+        expect(version_strings).to include("2.184.0", "2.185.0")
+        expect(version_strings).not_to include("1.0beta5prerelease")
+
+        # Verify that valid versions retain their upload_time (released_at)
+        release_version = result.releases.find { |r| r.version.to_s == "2.185.0" }
+        expect(release_version).not_to be_nil
+        expect(release_version.released_at).not_to be_nil
+        expect(release_version.released_at).to be_a(Time)
+      end
+    end
+
     context "with an optional dependency postfix" do
       it "removes optional data from dependency name" do
         expect(fetcher.send(:remove_optional, "pyvista[io]")).to eq("pyvista")

python/spec/fixtures/releases_api/pypi/pypi_json_response_with_malformed_version.json

@@ -0,0 +1,40 @@
+{
+  "info": {
+    "name": "google-api-python-client",
+    "summary": "Google API Client Library for Python",
+    "author": "Google LLC",
+    "license": "Apache 2.0"
+  },
+  "releases": {
+    "1.0beta5prerelease": [
+      {
+        "filename": "google-api-python-client-1.0beta5prerelease.tar.gz",
+        "version": "1.0beta5prerelease",
+        "requires_python": null,
+        "yanked": false,
+        "upload_time": "2010-08-01T00:00:00",
+        "url": "https://files.pythonhosted.org/packages/old/google-api-python-client-1.0beta5prerelease.tar.gz"
+      }
+    ],
+    "2.184.0": [
+      {
+        "filename": "google_api_python_client-2.184.0-py3-none-any.whl",
+        "version": "2.184.0",
+        "requires_python": ">=3.7",
+        "yanked": false,
+        "upload_time": "2025-10-18T14:54:31Z",
+        "url": "https://files.pythonhosted.org/packages/test/google_api_python_client-2.184.0-py3-none-any.whl"
+      }
+    ],
+    "2.185.0": [
+      {
+        "filename": "google_api_python_client-2.185.0-py3-none-any.whl",
+        "version": "2.185.0",
+        "requires_python": ">=3.7",
+        "yanked": false,
+        "upload_time": "2025-10-27T14:54:31Z",
+        "url": "https://files.pythonhosted.org/packages/test/google_api_python_client-2.185.0-py3-none-any.whl"
+      }
+    ]
+  }
+}