From 6f5870787a6491dd26686f1a8c37e7d7ae3bcddb Mon Sep 17 00:00:00 2001
From: Jean-Christophe Morin <jean_christophe_morin@hotmail.com>
Date: Sat, 8 Feb 2025 16:00:24 -0500
Subject: [PATCH 1/3] Exclude yanked PyPI releases

Signed-off-by: Jean-Christophe Morin <jean_christophe_morin@hotmail.com>
---
 nvchecker_source/pypi.py | 4 ++++
 tests/test_pypi.py       | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/nvchecker_source/pypi.py b/nvchecker_source/pypi.py
index 8cf0435..8028af0 100644
--- a/nvchecker_source/pypi.py
+++ b/nvchecker_source/pypi.py
@@ -19,6 +19,10 @@ async def get_version(name, conf, *, cache, **kwargs):
   data = await cache.get_json(url)
 
   for version in data['releases'].keys():
+    # Skip versions that are marked as yanked.
+    if len(data['releases'][version]) != 0 and data['releases'][version][0]['yanked']:
+      continue
+
     try:
       parsed_version = Version(version)
     except InvalidVersion:
diff --git a/tests/test_pypi.py b/tests/test_pypi.py
index 1d6643c..d5a5d8a 100644
--- a/tests/test_pypi.py
+++ b/tests/test_pypi.py
@@ -32,3 +32,8 @@ async def test_pypi_invalid_version(get_version):
         "source": "pypi",
     })
 
+async def test_pypi_yanked_version(get_version):
+    assert await get_version("urllib3", {
+        "source": "pypi",
+        "include_regex": "^(1\\..*)|(2\\.0\\.[0,1])",
+    }) == "1.26.20"

From ca011221cf06b86bd743234977a85fed7b477c40 Mon Sep 17 00:00:00 2001
From: Jean-Christophe Morin <jean_christophe_morin@hotmail.com>
Date: Sun, 9 Feb 2025 14:50:10 -0500
Subject: [PATCH 2/3] Use walrus operator and explicitly require python >= 3.8

Signed-off-by: Jean-Christophe Morin <jean_christophe_morin@hotmail.com>
---
 nvchecker_source/pypi.py | 2 +-
 setup.cfg                | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/nvchecker_source/pypi.py b/nvchecker_source/pypi.py
index 8028af0..2237eec 100644
--- a/nvchecker_source/pypi.py
+++ b/nvchecker_source/pypi.py
@@ -20,7 +20,7 @@ async def get_version(name, conf, *, cache, **kwargs):
 
   for version in data['releases'].keys():
     # Skip versions that are marked as yanked.
-    if len(data['releases'][version]) != 0 and data['releases'][version][0]['yanked']:
+    if (vers := data['releases'][version]) and vers[0]['yanked']:
       continue
 
     try:
diff --git a/setup.cfg b/setup.cfg
index 2d757f4..00c3c6e 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -39,10 +39,10 @@ classifiers =
 
 [options]
 zip_safe = True
+python_requires = >=3.8
 
 packages = find_namespace:
 install_requires =
-  setuptools; python_version<"3.8"
   tomli; python_version<"3.11"
   structlog
   platformdirs

From af21f93bd155e54f61eaedd26681c385ab17b927 Mon Sep 17 00:00:00 2001
From: Jean-Christophe Morin <jean_christophe_morin@hotmail.com>
Date: Sun, 9 Feb 2025 14:58:31 -0500
Subject: [PATCH 3/3] Explicitly document the behavior around yanked releases

Signed-off-by: Jean-Christophe Morin <jean_christophe_morin@hotmail.com>
---
 docs/usage.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/usage.rst b/docs/usage.rst
index e41f93a..eecd993 100644
--- a/docs/usage.rst
+++ b/docs/usage.rst
@@ -589,7 +589,7 @@ Check PyPI
 
   source = "pypi"
 
-Check `PyPI <https://pypi.python.org/>`_ for updates.
+Check `PyPI <https://pypi.python.org/>`_ for updates. Yanked releases are ignored.
 
 pypi
   The name used on PyPI, e.g. ``PySide``.
@@ -683,7 +683,7 @@ Check crates.io
 
   source = "cratesio"
 
-Check `crates.io <https://crates.io/>`_ for updates.
+Check `crates.io <https://crates.io/>`_ for updates. Yanked releases are ignored.
 
 cratesio
   The crate name on crates.io, e.g. ``tokio``.