Pip vulnerabilityAlerts is case sensitive

[RikuTatsumiVisasQ]

How are you running Renovate?

Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us what version of Renovate you run.

No response

If you're self-hosting Renovate, select which platform you are using.

None

What is your question?

Pip package names are case-insensitive.
However, if the case of the package name in the vulnerabilityAlerts differs from the case of the package name listed in the requirements, the PR will not be created.
Is it possible to match case-insensitive?

• renovate.json

{
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "extends": [
        "config:recommended"
    ],
    "packageRules": [
        {
            "enabled": false,
            "matchPackagePatterns": [
                "*"
            ]
        }
    ],
    "vulnerabilityAlerts": {
        "enabled": true,
        "addLabels": [
            "security"
        ]
    }
}

• requirements.txt

# PR is created
Pillow==10.0.1

# PR is not created
pillow==10.0.1

Logs (if relevant)

Logs

DEBUG: Using RE2 regex engine
DEBUG: Parsing configs
DEBUG: Checking for config file in /runner/renovate/job_config.json
DEBUG: Detected config in env RENOVATE_CONFIG
{
  "config": {
    "extends": [
      "mergeConfidence:all-badges"
    ],
    "prFooter": "This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/{{platform}}/{{repository}}).",
    "prHeader": "[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)",
    "redisUrl": "redis://mend-developer-platform-renovate-prod.aqffol.ng.0001.use1.cache.amazonaws.com:6379",
    "binarySource": "install",
    "platformCommit": true,
    "repositoryCache": "enabled",
    "cacheTtlOverride": {
      "datasource-docker-hub-tags": 90
    },
    "onboardingConfig": {
      "$schema": "https://docs.renovatebot.com/renovate-schema.json",
      "extends": [
        "config:recommended"
      ]
    },
    "gitIgnoredAuthors": [
      "29139614+renovate[bot]@users.noreply.github.com"
    ],
    "customizeDashboard": {
      "repoProblemsHeader": "These problems occurred while renovating this repository. [View logs](https://developer.mend.io//{{platform}}/{{repository}})."
    },
    "repositoryCacheType": "s3://mend-developer-platform-prod/renovate/",
    "dependencyDashboardFooter": "\n- [ ] <!-- manual job -->Check this box to trigger a request for Renovate to run again on this repository\n",
    "allowedPostUpgradeCommands": [
      "^git add --all$",
      "^git reset$",
      "^npx beachball change( --no-fetch)? --no-commit --type (patch|none) --message '{{{commitMessage}}}'$",
      "^pwd$"
    ],
    "allowPostUpgradeCommandTemplating": true
  }
}

DEBUG: File config
{
  "config": {
    "token": "***********",
    "privateKey": "***********",
    "privateKeyOld": "***********",
    "hostRules": [
      {
        "hostType": "docker",
        "matchHost": "docker.io",
        "username": "mdpprod3renovate",
        "password": "***********"
      },
      {
        "hostType": "docker",
        "matchHost": "hub.docker.com",
        "username": "mdpprodrenovatedc2",
        "password": "***********"
      },
      {
        "hostType": "github",
        "matchHost": "api.github.com",
        "token": "***********"
      },
      {
        "hostType": "github-tags",
        "matchHost": "api.github.com",
        "token": "***********"
      },
      {
        "hostType": "github-releases",
        "matchHost": "api.github.com",
        "token": "***********"
      },
      {
        "hostType": "pod",
        "matchHost": "api.github.com",
        "token": "***********"
      },
      {
        "hostType": "terraform-provider",
        "matchHost": "api.github.com",
        "token": "***********"
      },
      {
        "hostType": "rubygems",
        "matchHost": "github.com",
        "token": "***********"
      }
    ]
  }
}

DEBUG: CLI config
{
  "config": {}
}

DEBUG: Env config
{
  "config": {
    "extends": [
      "mergeConfidence:all-badges"
    ],
    "prFooter": "This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/{{platform}}/{{repository}}).",
    "prHeader": "[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)",
    "redisUrl": "redis://mend-developer-platform-renovate-prod.aqffol.ng.0001.use1.cache.amazonaws.com:6379",
    "binarySource": "install",
    "platformCommit": true,
    "repositoryCache": "enabled",
    "cacheTtlOverride": {
      "datasource-docker-hub-tags": 90
    },
    "onboardingConfig": {
      "$schema": "https://docs.renovatebot.com/renovate-schema.json",
      "extends": [
        "config:recommended"
      ]
    },
    "gitIgnoredAuthors": [
      "29139614+renovate[bot]@users.noreply.github.com"
    ],
    "customizeDashboard": {
      "repoProblemsHeader": "These problems occurred while renovating this repository. [View logs](https://developer.mend.io//{{platform}}/{{repository}})."
    },
    "repositoryCacheType": "s3://mend-developer-platform-prod/renovate/",
    "dependencyDashboardFooter": "\n- [ ] <!-- manual job -->Check this box to trigger a request for Renovate to run again on this repository\n",
    "allowedPostUpgradeCommands": [
      "^git add --all$",
      "^git reset$",
      "^npx beachball change( --no-fetch)? --no-commit --type (patch|none) --message '{{{commitMessage}}}'$",
      "^pwd$"
    ],
    "allowPostUpgradeCommandTemplating": true,
    "hostRules": [],
    "onboardingNoDeps": true,
    "onboarding": true,
    "forkProcessing": "enabled",
    "requireConfig": "required",
    "platform": "github",
    "username": "renovate[bot]",
    "repositories": [
      "RikuTatsumiVisasQ/test"
    ],
    "gitAuthor": "renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>"
  }
}

DEBUG: Combined config
{
  "config": {
    "token": "***********",
    "privateKey": "***********",
    "privateKeyOld": "***********",
    "hostRules": [
      {
        "hostType": "docker",
        "matchHost": "docker.io",
        "username": "mdpprod3renovate",
        "password": "***********"
      },
      {
        "hostType": "docker",
        "matchHost": "hub.docker.com",
        "username": "mdpprodrenovatedc2",
        "password": "***********"
      },
      {
        "hostType": "github",
        "matchHost": "api.github.com",
        "token": "***********"
      },
      {
        "hostType": "github-tags",
        "matchHost": "api.github.com",
        "token": "***********"
      },
      {
        "hostType": "github-releases",
        "matchHost": "api.github.com",
        "token": "***********"
      },
      {
        "hostType": "pod",
        "matchHost": "api.github.com",
        "token": "***********"
      },
      {
        "hostType": "terraform-provider",
        "matchHost": "api.github.com",
        "token": "***********"
      },
      {
        "hostType": "rubygems",
        "matchHost": "github.com",
        "token": "***********"
      }
    ],
    "extends": [
      "mergeConfidence:all-badges"
    ],
    "prFooter": "This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/{{platform}}/{{repository}}).",
    "prHeader": "[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)",
    "redisUrl": "redis://mend-developer-platform-renovate-prod.aqffol.ng.0001.use1.cache.amazonaws.com:6379",
    "binarySource": "install",
    "platformCommit": true,
    "repositoryCache": "enabled",
    "cacheTtlOverride": {
      "datasource-docker-hub-tags": 90
    },
    "onboardingConfig": {
      "$schema": "https://docs.renovatebot.com/renovate-schema.json",
      "extends": [
        "config:recommended"
      ]
    },
    "gitIgnoredAuthors": [
      "29139614+renovate[bot]@users.noreply.github.com"
    ],
    "customizeDashboard": {
      "repoProblemsHeader": "These problems occurred while renovating this repository. [View logs](https://developer.mend.io//{{platform}}/{{repository}})."
    },
    "repositoryCacheType": "s3://mend-developer-platform-prod/renovate/",
    "dependencyDashboardFooter": "\n- [ ] <!-- manual job -->Check this box to trigger a request for Renovate to run again on this repository\n",
    "allowedPostUpgradeCommands": [
      "^git add --all$",
      "^git reset$",
      "^npx beachball change( --no-fetch)? --no-commit --type (patch|none) --message '{{{commitMessage}}}'$",
      "^pwd$"
    ],
    "allowPostUpgradeCommandTemplating": true,
    "onboardingNoDeps": true,
    "onboarding": true,
    "forkProcessing": "enabled",
    "requireConfig": "required",
    "platform": "github",
    "username": "renovate[bot]",
    "repositories": [
      "RikuTatsumiVisasQ/test"
    ],
    "gitAuthor": "renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>"
  }
}

DEBUG: Enabling forkProcessing while in non-autodiscover mode
DEBUG: Found valid git version: 2.43.0
DEBUG: Setting global hostRules
DEBUG: Adding password authentication for docker.io (hostType=docker) to hostRules
DEBUG: Adding password authentication for hub.docker.com (hostType=docker) to hostRules
DEBUG: Adding token authentication for api.github.com (hostType=github) to hostRules
DEBUG: Adding token authentication for api.github.com (hostType=github-tags) to hostRules
DEBUG: Adding token authentication for api.github.com (hostType=github-releases) to hostRules
DEBUG: Adding token authentication for api.github.com (hostType=pod) to hostRules
DEBUG: Adding token authentication for api.github.com (hostType=terraform-provider) to hostRules
DEBUG: Adding token authentication for github.com (hostType=rubygems) to hostRules
DEBUG: Using default github endpoint: https://api.github.com/
DEBUG: Platform config
{
  "platformConfig": {
    "hostType": "github",
    "endpoint": "https://api.github.com/",
    "isGHApp": true,
    "isGhe": false
  }
  "renovateUsername": "renovate[bot]"
}

DEBUG: Using configured gitAuthor (renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>)
DEBUG: Adding token authentication for api.github.com (hostType=github) to hostRules
DEBUG: Using baseDir: /tmp/renovate
DEBUG: Using cacheDir: /tmp/renovate/cache
DEBUG: Using containerbaseDir: /tmp/renovate/cache/containerbase
DEBUG: Redis cache init
DEBUG: Commits limit = null
DEBUG: Setting global hostRules
DEBUG: Adding password authentication for docker.io (hostType=docker) to hostRules
DEBUG: Adding password authentication for hub.docker.com (hostType=docker) to hostRules
DEBUG: Adding token authentication for api.github.com (hostType=github) to hostRules
DEBUG: Adding token authentication for api.github.com (hostType=github-tags) to hostRules
DEBUG: Adding token authentication for api.github.com (hostType=github-releases) to hostRules
DEBUG: Adding token authentication for api.github.com (hostType=pod) to hostRules
DEBUG: Adding token authentication for api.github.com (hostType=terraform-provider) to hostRules
DEBUG: Adding token authentication for github.com (hostType=rubygems) to hostRules
DEBUG: Adding token authentication for api.github.com (hostType=github) to hostRules
DEBUG: validatePresets()
DEBUG: Reinitializing hostRules for repo
DEBUG: Clearing hostRules
DEBUG: Adding password authentication for docker.io (hostType=docker) to hostRules
DEBUG: Adding password authentication for hub.docker.com (hostType=docker) to hostRules
DEBUG: Adding token authentication for api.github.com (hostType=github) to hostRules
DEBUG: Adding token authentication for api.github.com (hostType=github-tags) to hostRules
DEBUG: Adding token authentication for api.github.com (hostType=github-releases) to hostRules
DEBUG: Adding token authentication for api.github.com (hostType=pod) to hostRules
DEBUG: Adding token authentication for api.github.com (hostType=terraform-provider) to hostRules
DEBUG: Adding token authentication for github.com (hostType=rubygems) to hostRules
DEBUG: Adding token authentication for api.github.com (hostType=github) to hostRules
INFO: Repository started
{
  "renovateVersion": "37.170.0"
}

DEBUG: Using localDir: /tmp/renovate/repos/github/RikuTatsumiVisasQ/test
DEBUG: PackageFiles.clear() - Package files deleted
DEBUG: initRepo("RikuTatsumiVisasQ/test")
DEBUG: hostRules: authentication already set for api.github.com
DEBUG: RikuTatsumiVisasQ/test default branch = main
DEBUG: Using app token for git init
DEBUG: RepoCacheS3.read() - success
DEBUG: Repository cache is restored from revision 13
DEBUG: Resetting npmrc
DEBUG: Resetting npmrc
DEBUG: checkOnboarding()
DEBUG: isOnboarded()
DEBUG: findPr(renovate/configure, Configure Renovate, !open)
DEBUG: Using cached etag for https://api.github.com/repos/RikuTatsumiVisasQ/test/pulls?per_page=20&state=all&sort=updated&direction=desc&page=1
DEBUG: Saving response to cache: https://api.github.com/repos/RikuTatsumiVisasQ/test/pulls?per_page=20&state=all&sort=updated&direction=desc&page=1 with etag W/"ca756b164526b632b4a730cdc400592e7bbc498ee57e35b02598d4bda6114d3a"
DEBUG: getPrList success
{
  "pullsTotal": 2
  "requestsTotal": 1
  "apiQuotaAffected": true
}

DEBUG: findPr(renovate/configure, chore: Configure Renovate, !open)
DEBUG: Checking cached config file name
DEBUG: Using cached etag for https://api.github.com/repos/RikuTatsumiVisasQ/test/contents/.github/renovate.json
DEBUG: Using cached response: https://api.github.com/repos/RikuTatsumiVisasQ/test/contents/.github/renovate.json with etag "292dba2734411709327c702e951a0b1ec43cf8b1" from 2024-02-05T02:54:17.681Z
DEBUG: Existing config file confirmed
DEBUG: Repository config
{
  "fileName": ".github/renovate.json"
  "config": {
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "extends": [
      "config:recommended"
    ],
    "packageRules": [
      {
        "enabled": false,
        "matchPackagePatterns": [
          "*"
        ]
      }
    ],
    "vulnerabilityAlerts": {
      "enabled": true,
      "addLabels": [
        "security"
      ]
    }
  }
}

DEBUG: Repo is onboarded
DEBUG: Using cached response: https://api.github.com/repos/RikuTatsumiVisasQ/test/contents/.github/renovate.json with etag "292dba2734411709327c702e951a0b1ec43cf8b1" from 2024-02-05T02:54:17.681Z
DEBUG: migrateAndValidate()
DEBUG: No config migration necessary
DEBUG: Setting hostRules from config
DEBUG: Found repo ignorePaths
{
  "ignorePaths": [
    "**/node_modules/**",
    "**/bower_components/**",
    "**/vendor/**",
    "**/examples/**",
    "**/__tests__/**",
    "**/test/**",
    "**/tests/**",
    "**/__fixtures__/**"
  ]
}

DEBUG: GitHub vulnerability details
{
  "alerts": {
    "pip/Pillow": {
      "< 10.2.0": "10.2.0"
    },
    "pip/cryptography": {
      ">= 0.5, <= 40.0.2": "41.0.0",
      ">= 0.8, < 41.0.3": "41.0.3",
      ">= 2.5, < 41.0.4": "41.0.4",
      ">= 3.1, < 41.0.6": "41.0.6"
    }
  }
}

DEBUG: alert package rules
{
  "alertPackageRules": [
    {
      "matchDatasources": [
        "pypi"
      ],
      "matchPackageNames": [
        "Pillow"
      ],
      "matchCurrentVersion": "== 10.0.1",
      "matchFileNames": [
        "requirements.txt"
      ],
      "allowedVersions": "==10.2.0",
      "prBodyNotes": [
        "### GitHub Vulnerability Alerts",
        "#### [CVE-2023-50447](https://nvd.nist.gov/vuln/detail/CVE-2023-50447)\n\nPillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter)."
      ],
      "isVulnerabilityAlert": true,
      "force": {
        "groupName": null,
        "schedule": [],
        "dependencyDashboardApproval": false,
        "minimumReleaseAge": null,
        "rangeStrategy": "update-lockfile",
        "commitMessageSuffix": "[SECURITY]",
        "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
        "prCreation": "immediate",
        "enabled": true,
        "addLabels": [
          "security"
        ]
      }
    },
    {
      "matchDatasources": [
        "pypi"
      ],
      "matchPackageNames": [
        "cryptography"
      ],
      "matchCurrentVersion": "== 39.0.1",
      "matchFileNames": [
        "requirements.txt"
      ],
      "allowedVersions": "==41.0.6",
      "prBodyNotes": [
        "### GitHub Vulnerability Alerts",
        "#### [GHSA-5cpq-8wj7-hf2v](https://github.com/pyca/cryptography/security/advisories/GHSA-5cpq-8wj7-hf2v)\n\npyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.5-40.0.2 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://www.openssl.org/news/secadv/20230530.txt.\n\nIf you are building cryptography source (\"sdist\") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.",
        "#### [GHSA-jm77-qphf-c4w8](https://github.com/pyca/cryptography/security/advisories/GHSA-jm77-qphf-c4w8)\n\npyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.8-41.0.2 are vulnerable to several security issues. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20230731.txt, https://www.openssl.org/news/secadv/20230719.txt, and https://www.openssl.org/news/secadv/20230714.txt.\n\nIf you are building cryptography source (\"sdist\") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.",
        "#### [GHSA-v8gr-m533-ghj9](https://github.com/pyca/cryptography/security/advisories/GHSA-v8gr-m533-ghj9)\n\npyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 2.5-41.0.3 are vulnerable to several security issues. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20230908.txt.\n\nIf you are building cryptography source (\"sdist\") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.",
        "#### [CVE-2023-49083](https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97)\n\n### Summary\n\nCalling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault.\n\n### PoC\nHere is a Python code that triggers the issue:\n```python\nfrom cryptography.hazmat.primitives.serialization.pkcs7 import load_der_pkcs7_certificates, load_pem_pkcs7_certificates\n\npem_p7 = b\"\"\"\n-----BEGIN PKCS7-----\nMAsGCSqGSIb3DQEHAg==\n-----END PKCS7-----\n\"\"\"\n\nder_p7 = b\"\\x30\\x0B\\x06\\x09\\x2A\\x86\\x48\\x86\\xF7\\x0D\\x01\\x07\\x02\"\n\nload_pem_pkcs7_certificates(pem_p7)\nload_der_pkcs7_certificates(der_p7)\n```\n\n### Impact\nExploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability."
      ],
      "isVulnerabilityAlert": true,
      "force": {
        "groupName": null,
        "schedule": "[Circular]",
        "dependencyDashboardApproval": false,
        "minimumReleaseAge": null,
        "rangeStrategy": "update-lockfile",
        "commitMessageSuffix": "[SECURITY]",
        "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
        "prCreation": "immediate",
        "enabled": true,
        "addLabels": "[Circular]"
      }
    }
  ]
}

DEBUG: findIssue(Dependency Dashboard)
DEBUG: Retrieving issueList
DEBUG: Retrieved 1 issues
DEBUG: Found issue 2
DEBUG: Using cached etag for https://api.github.com/repos/RikuTatsumiVisasQ/test/issues/2
DEBUG: Saving response to cache: https://api.github.com/repos/RikuTatsumiVisasQ/test/issues/2 with etag W/"4e7b8d4c3f0a797b639bcda8e3355dfe7ff8233ceb3a2c9e4e8c4e94e88bffa7"
DEBUG: No baseBranches
DEBUG: extract()
DEBUG: Cached extract result cannot be used due to base branch SHA change (old=dd0ef3aa91230f08208d09a665c72383b42b7a4c, new=f50ed8b397b7552fce3aeda780fe7e5440dad420)
DEBUG: Setting current branch to main
DEBUG: Initializing git repository into /tmp/renovate/repos/github/RikuTatsumiVisasQ/test
DEBUG: Performing blobless clone
DEBUG: git clone completed
{
  "durationMs": 482
}

DEBUG: latest repository commit
{
  "latestCommit": {
    "hash": "f50ed8b397b7552fce3aeda780fe7e5440dad420",
    "date": "2024-02-05T14:36:15+09:00",
    "message": "add",
    "refs": "HEAD -> main, origin/main, origin/HEAD",
    "body": "",
    "author_name": "riku.tatsumi",
    "author_email": "[email protected]"
  }
}

DEBUG: latest commit
{
  "branchName": "main"
  "latestCommitDate": "2024-02-05T14:36:15+09:00"
}

DEBUG: Using file match: (^|/)tasks/[^/]+\.ya?ml$ for manager ansible
DEBUG: Using file match: (^|/)(galaxy|requirements)(\.ansible)?\.ya?ml$ for manager ansible-galaxy
DEBUG: Using file match: (^|/)\.tool-versions$ for manager asdf
DEBUG: Using file match: azure.*pipelines?.*\.ya?ml$ for manager azure-pipelines
DEBUG: Using file match: (^|/)batect(-bundle)?\.ya?ml$ for manager batect
DEBUG: Using file match: (^|/)batect$ for manager batect-wrapper
DEBUG: Using file match: (^|/)WORKSPACE(|\.bazel)$ for manager bazel
DEBUG: Using file match: \.bzl$ for manager bazel
DEBUG: Using file match: (^|/)MODULE\.bazel$ for manager bazel-module
DEBUG: Using file match: (^|/)\.bazelversion$ for manager bazelisk
DEBUG: Using file match: \.bicep$ for manager bicep
DEBUG: Using file match: (^|/)\.?bitbucket-pipelines\.ya?ml$ for manager bitbucket-pipelines
DEBUG: Using file match: buildkite\.ya?ml for manager buildkite
DEBUG: Using file match: \.buildkite/.+\.ya?ml$ for manager buildkite
DEBUG: Using file match: (^|/)bun\.lockb$ for manager bun
DEBUG: Using file match: (^|/)Gemfile$ for manager bundler
DEBUG: Using file match: \.cake$ for manager cake
DEBUG: Using file match: (^|/)Cargo\.toml$ for manager cargo
DEBUG: Using file match: (^|/)\.circleci/config\.ya?ml$ for manager circleci
DEBUG: Using file match: (^|/)cloudbuild\.ya?ml for manager cloudbuild
DEBUG: Using file match: (^|/)Podfile$ for manager cocoapods
DEBUG: Using file match: (^|/)([\w-]*)composer\.json$ for manager composer
DEBUG: Using file match: (^|/)conanfile\.(txt|py)$ for manager conan
DEBUG: Using file match: (^|/)cpanfile$ for manager cpanfile
DEBUG: Using file match: (^|/)(?:deps|bb)\.edn$ for manager deps-edn
DEBUG: Using file match: (^|/)(?:docker-)?compose[^/]*\.ya?ml$ for manager docker-compose
DEBUG: Using file match: (^|/|\.)([Dd]ocker|[Cc]ontainer)file$ for manager dockerfile
DEBUG: Using file match: (^|/)([Dd]ocker|[Cc]ontainer)file[^/]*$ for manager dockerfile
DEBUG: Using file match: (^|/)\.drone\.yml$ for manager droneci
DEBUG: Using file match: (^|/)fleet\.ya?ml for manager fleet
DEBUG: Using file match: (?:^|/)gotk-components\.ya?ml$ for manager flux
DEBUG: Using file match: (^|/)\.fvm/fvm_config\.json$ for manager fvm
DEBUG: Using file match: (^|/)\.gitmodules$ for manager git-submodules
DEBUG: Using file match: (^|/)(workflow-templates|\.(?:github|gitea|forgejo)/(?:workflows|actions))/.+\.ya?ml$ for manager github-actions
DEBUG: Using file match: (^|/)action\.ya?ml$ for manager github-actions
DEBUG: Using file match: \.gitlab-ci\.ya?ml$ for manager gitlabci
DEBUG: Using file match: \.gitlab-ci\.ya?ml$ for manager gitlabci-include
DEBUG: Using file match: (^|/)go\.mod$ for manager gomod
DEBUG: Using file match: \.gradle(\.kts)?$ for manager gradle
DEBUG: Using file match: (^|/)gradle\.properties$ for manager gradle
DEBUG: Using file match: (^|/)gradle/.+\.toml$ for manager gradle
DEBUG: Using file match: (^|/)buildSrc/.+\.kt$ for manager gradle
DEBUG: Using file match: \.versions\.toml$ for manager gradle
DEBUG: Using file match: (^|/)versions.props$ for manager gradle
DEBUG: Using file match: (^|/)versions.lock$ for manager gradle
DEBUG: Using file match: (^|/)gradle/wrapper/gradle-wrapper\.properties$ for manager gradle-wrapper
DEBUG: Using file match: (^|/)requirements\.ya?ml$ for manager helm-requirements
DEBUG: Using file match: (^|/)values\.ya?ml$ for manager helm-values
DEBUG: Using file match: (^|/)helmfile\.ya?ml(?:\.gotmpl)?$ for manager helmfile
DEBUG: Using file match: (^|/)Chart\.ya?ml$ for manager helmv3
DEBUG: Using file match: (^|/)bin/hermit$ for manager hermit
DEBUG: Using file match: ^Formula/[^/]+[.]rb$ for manager homebrew
DEBUG: Using file match: \.html?$ for manager html
DEBUG: Using file match: (^|/)plugins\.(txt|ya?ml)$ for manager jenkins
DEBUG: Using file match: (^|/)jsonnetfile\.json$ for manager jsonnet-bundler
DEBUG: Using file match: ^.+\.main\.kts$ for manager kotlin-script
DEBUG: Using file match: (^|/)kustomization\.ya?ml$ for manager kustomize
DEBUG: Using file match: (^|/)project\.clj$ for manager leiningen
DEBUG: Using file match: (^|/|\.)pom\.xml$ for manager maven
DEBUG: Using file match: ^(((\.mvn)|(\.m2))/)?settings\.xml$ for manager maven
DEBUG: Using file match: (^|\/).mvn/wrapper/maven-wrapper.properties$ for manager maven-wrapper
DEBUG: Using file match: (^|/)package\.js$ for manager meteor
DEBUG: Using file match: (^|/)Mintfile$ for manager mint
DEBUG: Using file match: (^|/)mix\.exs$ for manager mix
DEBUG: Using file match: (^|/)flake\.nix$ for manager nix
DEBUG: Using file match: (^|/)\.node-version$ for manager nodenv
DEBUG: Using file match: (^|/)package\.json$ for manager npm
DEBUG: Using file match: \.(?:cs|fs|vb)proj$ for manager nuget
DEBUG: Using file match: \.(?:props|targets)$ for manager nuget
DEBUG: Using file match: (^|/)dotnet-tools\.json$ for manager nuget
DEBUG: Using file match: (^|/)global\.json$ for manager nuget
DEBUG: Using file match: (^|/)\.nvmrc$ for manager nvm
DEBUG: Using file match: (^|/)src/main/features/.+\.json$ for manager osgi
DEBUG: Using file match: (^|/)pyproject\.toml$ for manager pep621
DEBUG: Using file match: (^|/)[\w-]*requirements(-\w+)?\.(txt|pip)$ for manager pip_requirements
DEBUG: Using file match: (^|/)setup\.py$ for manager pip_setup
DEBUG: Using file match: (^|/)Pipfile$ for manager pipenv
DEBUG: Using file match: (^|/)pyproject\.toml$ for manager poetry
DEBUG: Using file match: (^|/)\.pre-commit-config\.ya?ml$ for manager pre-commit
DEBUG: Using file match: (^|/)pubspec\.ya?ml$ for manager pub
DEBUG: Using file match: (^|/)Puppetfile$ for manager puppet
DEBUG: Using file match: (^|/)\.python-version$ for manager pyenv
DEBUG: Using file match: (^|/)\.ruby-version$ for manager ruby-version
DEBUG: Using file match: \.sbt$ for manager sbt
DEBUG: Using file match: project/[^/]*\.scala$ for manager sbt
DEBUG: Using file match: project/build\.properties$ for manager sbt
DEBUG: Using file match: (^|/)setup\.cfg$ for manager setup-cfg
DEBUG: Using file match: (^|/)Package\.swift for manager swift
DEBUG: Using file match: \.tf$ for manager terraform
DEBUG: Using file match: (^|/)\.terraform-version$ for manager terraform-version
DEBUG: Using file match: (^|/)terragrunt\.hcl$ for manager terragrunt
DEBUG: Using file match: (^|/)\.terragrunt-version$ for manager terragrunt-version
DEBUG: Using file match: \.tflint\.hcl$ for manager tflint-plugin
DEBUG: Using file match: ^\.travis\.ya?ml$ for manager travis
DEBUG: Using file match: (^|/)\.vela\.ya?ml$ for manager velaci
DEBUG: Using file match: ^\.woodpecker(?:/[^/]+)?\.ya?ml$ for manager woodpecker
DEBUG: Matched 1 file(s) for manager pip_requirements: requirements.txt
DEBUG: manager extract durations (ms)
{
  "managers": {
    "pip_requirements": 3
  }
}

DEBUG: Found pip_requirements package files
DEBUG: Found 1 package file(s)
INFO: Dependency extraction complete
{
  "baseBranch": "main"
  "stats": {
    "managers": {
      "pip_requirements": {
        "fileCount": 1,
        "depCount": 2
      }
    },
    "total": {
      "fileCount": 1,
      "depCount": 2
    }
  }
}

DEBUG: Dependency: pillow, is disabled
DEBUG: PackageFiles.add() - Package file saved for base branch
{
  "baseBranch": "main"
}

DEBUG: Package releases lookups complete
{
  "baseBranch": "main"
}

DEBUG: branchifyUpgrades
DEBUG: detectSemanticCommits()
DEBUG: getCommitMessages
DEBUG: semanticCommits: detected "unknown"
DEBUG: semanticCommits: disabled
DEBUG: 1 flattened updates found: cryptography
DEBUG: Returning 1 branch(es)
DEBUG: config.repoIsOnboarded=true
DEBUG: packageFiles with updates
{
  "baseBranch": "main"
  "config": {
    "pip_requirements": [
      {
        "deps": [
          {
            "depName": "pillow",
            "currentValue": "==10.0.1",
            "datasource": "pypi",
            "currentVersion": "10.0.1",
            "updates": [],
            "packageName": "pillow",
            "skipReason": "disabled"
          },
          {
            "depName": "cryptography",
            "currentValue": "==39.0.1",
            "datasource": "pypi",
            "currentVersion": "39.0.1",
            "updates": [
              {
                "bucket": "major",
                "newVersion": "41.0.6",
                "newValue": "==41.0.6",
                "releaseTimestamp": "2023-11-27T19:50:29.000Z",
                "newMajor": 41,
                "newMinor": 0,
                "updateType": "major",
                "isRange": true,
                "branchName": "renovate/pypi-cryptography-vulnerability"
              }
            ],
            "packageName": "cryptography",
            "versioning": "pep440",
            "warnings": [],
            "sourceUrl": "https://github.com/pyca/cryptography",
            "registryUrl": "https://pypi.org/pypi",
            "changelogUrl": "https://cryptography.io/en/latest/changelog/",
            "isSingleVersion": true,
            "fixedVersion": "39.0.1"
          }
        ],
        "packageFile": "requirements.txt"
      }
    ]
  }
}

DEBUG: detectSemanticCommits()
DEBUG: semanticCommits: returning "disabled" from cache
DEBUG: processRepo()
DEBUG: Processing 1 branch: renovate/pypi-cryptography-vulnerability
DEBUG: Calculating hourly PRs remaining
DEBUG: currentHourStart=2024-02-05T05:00:00.000+00:00
DEBUG: PR hourly limit remaining: 2
DEBUG: Calculating prConcurrentLimit (10)
DEBUG: getBranchPr(renovate/pypi-cryptography-vulnerability)
DEBUG: findPr(renovate/pypi-cryptography-vulnerability, undefined, open)
DEBUG: findPr(renovate/pypi-cryptography-vulnerability, undefined, closed)
DEBUG: 0 PRs are currently open
DEBUG: PR concurrent limit remaining: 10
DEBUG: Calculated maximum PRs remaining this run: 2
DEBUG: PullRequests limit = 2
DEBUG: Calculating hourly PRs remaining
DEBUG: currentHourStart=2024-02-05T05:00:00.000+00:00
DEBUG: PR hourly limit remaining: 2
DEBUG: Calculating branchConcurrentLimit (10)
DEBUG: 0 already existing branches found: 
DEBUG: Branch concurrent limit remaining: 10
DEBUG: Calculated maximum branches remaining this run: 2
DEBUG: Branches limit = 2
DEBUG: syncBranchState() (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: syncBranchState(): Branch cache not found, creating minimal branchState (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: getBranchPr(renovate/pypi-cryptography-vulnerability) (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: findPr(renovate/pypi-cryptography-vulnerability, undefined, open) (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: findPr(renovate/pypi-cryptography-vulnerability, undefined, closed) (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: branchExists=false (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: dependencyDashboardCheck=undefined (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: Check for closed PR because recreating closed PRs is disabled. (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: findPr(renovate/pypi-cryptography-vulnerability, Update dependency cryptography to v41 [SECURITY], !open) (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: prAlreadyExisted=false (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: Checking schedule(, null) (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: No schedule defined (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: Branch needs creating (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: Using reuseExistingBranch: false (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: Setting current branch to main (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: latest commit (branch="renovate/pypi-cryptography-vulnerability")
{
  "branchName": "main"
  "latestCommitDate": "2024-02-05T14:36:15+09:00"
}

DEBUG: manager.getUpdatedPackageFiles() reuseExistingBranch=false (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: Starting search at index 27 (branch="renovate/pypi-cryptography-vulnerability")
{
  "packageFile": "requirements.txt"
  "depName": "cryptography"
}

DEBUG: Found match at index 27 (branch="renovate/pypi-cryptography-vulnerability")
{
  "packageFile": "requirements.txt"
  "depName": "cryptography"
}

DEBUG: Contents updated (branch="renovate/pypi-cryptography-vulnerability")
{
  "packageFile": "requirements.txt"
  "depName": "cryptography"
}

DEBUG: pip_requirements.updateArtifacts(requirements.txt) (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: No hashin commands to run - returning (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: Updated 1 package files (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: No updated lock files in branch (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: 1 file(s) to commit (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: Preparing files for committing to branch renovate/pypi-cryptography-vulnerability (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: Setting git author name: renovate[bot] (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: Setting git author email: 29139614+renovate[bot]@users.noreply.github.com (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: git commit (branch="renovate/pypi-cryptography-vulnerability")
{
  "deletedFiles": []
  "ignoredFiles": []
  "result": {
    "author": null,
    "branch": "renovate/pypi-cryptography-vulnerability",
    "commit": "8943c36933ef74a47786735d64f234b02dd7c9d7",
    "root": false,
    "summary": {
      "changes": 1,
      "insertions": 1,
      "deletions": 1
    }
  }
}

DEBUG: HEAD https://api.github.com/repos/RikuTatsumiVisasQ/test/git/refs/heads/renovate/pypi-cryptography-vulnerability/ = (code=ERR_NON_2XX_3XX_RESPONSE, statusCode=404 retryCount=0, duration=119) (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: HEAD https://api.github.com/repos/RikuTatsumiVisasQ/test/git/refs/heads/renovate/pypi-cryptography-vulnerability = (code=ERR_NON_2XX_3XX_RESPONSE, statusCode=404 retryCount=0, duration=89) (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: resetToCommit(f50ed8b397b7552fce3aeda780fe7e5440dad420) (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: Fetching branch renovate/pypi-cryptography-vulnerability (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: Setting current branch to main (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: latest commit (branch="renovate/pypi-cryptography-vulnerability")
{
  "branchName": "main"
  "latestCommitDate": "2024-02-05T14:36:15+09:00"
}

INFO: Branch created (branch="renovate/pypi-cryptography-vulnerability")
{
  "commitSha": "3b4cbea9c88f51a6b2794389461325b971c6f175"
}

DEBUG: Ensuring PR (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: There are 0 errors and 0 warnings (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: getBranchPr(renovate/pypi-cryptography-vulnerability) (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: findPr(renovate/pypi-cryptography-vulnerability, undefined, open) (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: findPr(renovate/pypi-cryptography-vulnerability, undefined, closed) (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: getPrCache() (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: Fetching changelog: https://github.com/pyca/cryptography (39.0.1 -> 41.0.6) (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: Creating PR (branch="renovate/pypi-cryptography-vulnerability")
{
  "prTitle": "Update dependency cryptography to v41 [SECURITY]"
}

DEBUG: Creating PR (branch="renovate/pypi-cryptography-vulnerability")
{
  "title": "Update dependency cryptography to v41 [SECURITY]"
  "head": "RikuTatsumiVisasQ:renovate/pypi-cryptography-vulnerability"
  "base": "main"
  "draft": false
}

DEBUG: PR created (branch="renovate/pypi-cryptography-vulnerability")
{
  "pr": 5
  "draft": false
}

DEBUG: Adding labels 'security' to #5 (branch="renovate/pypi-cryptography-vulnerability")
INFO: PR created (branch="renovate/pypi-cryptography-vulnerability")
{
  "pr": 5
  "prTitle": "Update dependency cryptography to v41 [SECURITY]"
}

DEBUG: addParticipants(pr=5) (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: setPrCache() (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: Created Pull Request #5 (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: PR is not configured for automerge (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: setBranchCommit() (branch="renovate/pypi-cryptography-vulnerability")
DEBUG: getBranchPr(renovate/pypi-cryptography-vulnerability)
DEBUG: findPr(renovate/pypi-cryptography-vulnerability, undefined, open)
DEBUG: Found PR #5
DEBUG: getPrCache()
DEBUG: ensureDependencyDashboard()
DEBUG: Ensuring Dependency Dashboard
DEBUG: Saving response to cache: https://api.github.com/repos/RikuTatsumiVisasQ/test/issues/2 with etag W/"4e7b8d4c3f0a797b639bcda8e3355dfe7ff8233ceb3a2c9e4e8c4e94e88bffa7"
DEBUG: Using cached etag for https://api.github.com/repos/RikuTatsumiVisasQ/test/issues/2
DEBUG: Using cached response: https://api.github.com/repos/RikuTatsumiVisasQ/test/issues/2 with etag "4e7b8d4c3f0a797b639bcda8e3355dfe7ff8233ceb3a2c9e4e8c4e94e88bffa7" from 2024-02-05T05:36:40.922Z
DEBUG: ensureIssue(Dependency Dashboard)
DEBUG: Saving response to cache: https://api.github.com/repos/RikuTatsumiVisasQ/test/issues/2 with etag W/"4e7b8d4c3f0a797b639bcda8e3355dfe7ff8233ceb3a2c9e4e8c4e94e88bffa7"
DEBUG: Patching issue
DEBUG: Issue updated
DEBUG: validateReconfigureBranch()
DEBUG: No reconfigure branch found
DEBUG: Removing any stale branches
DEBUG: config.repoIsOnboarded=true
DEBUG: Branch lists
{
  "branchList": [
    "renovate/pypi-cryptography-vulnerability"
  ]
  "renovateBranches": [
    "renovate/pypi-cryptography-vulnerability"
  ]
}

DEBUG: remainingBranches=
DEBUG: No branches to clean up
DEBUG: Cleaning up Renovate refs: refs/renovate/*
DEBUG: PackageFiles.clear() - Package files deleted
DEBUG: Branch summary
{
  "cacheModified": true
  "baseBranches": [
    {
      "branchName": "main",
      "sha": "f50ed8b397b7552fce3aeda780fe7e5440dad420"
    }
  ]
  "branches": [
    {
      "automerge": false,
      "baseBranch": "main",
      "baseBranchSha": "f50ed8b397b7552fce3aeda780fe7e5440dad420",
      "branchName": "renovate/pypi-cryptography-vulnerability",
      "branchSha": "3b4cbea9c88f51a6b2794389461325b971c6f175",
      "isModified": false,
      "isPristine": true
    }
  ]
  "defaultBranch": "main"
  "inactiveBranches": []
}

DEBUG: branches info extended
{
  "branchesInformation": [
    {
      "branchName": "renovate/pypi-cryptography-vulnerability",
      "prNo": 5,
      "prTitle": "Update dependency cryptography to v41 [SECURITY]",
      "result": "pr-created",
      "upgrades": [
        {
          "datasource": "pypi",
          "depName": "cryptography",
          "displayPending": "",
          "fixedVersion": "39.0.1",
          "currentVersion": "39.0.1",
          "currentValue": "==39.0.1",
          "newValue": "==41.0.6",
          "newVersion": "41.0.6",
          "packageFile": "requirements.txt",
          "updateType": "major",
          "packageName": "cryptography"
        }
      ]
    }
  ]
}

DEBUG: Renovate repository PR statistics
{
  "stats": {
    "total": 3,
    "open": 1,
    "closed": 2,
    "merged": 0
  }
}

DEBUG: Repository result: done, status: onboarded, enabled: true, onboarded: true
DEBUG: Repository timing splits (milliseconds)
{
  "splits": {
    "init": 3183,
    "extract": 1342,
    "lookup": 298,
    "onboarding": 1,
    "update": 4502
  }
  "total": 10672
}

DEBUG: Package cache statistics
{
  "get": {
    "count": 25,
    "totalMs": 39,
    "avgMs": 2,
    "medianMs": 1,
    "maxMs": 7
  }
  "set": {
    "count": 19,
    "totalMs": 79,
    "avgMs": 4,
    "medianMs": 1,
    "maxMs": 18
  }
}

DEBUG: http statistics
{
  "urls": {
    "https://api.github.com/graphql (POST,200)": 4,
    "https://api.github.com/repos/RikuTatsumiVisasQ/test/contents/.github/renovate.json (GET,304)": 1,
    "https://api.github.com/repos/RikuTatsumiVisasQ/test/git/commits (POST,201)": 1,
    "https://api.github.com/repos/RikuTatsumiVisasQ/test/git/commits/3b4cbea9c88f51a6b2794389461325b971c6f175 (HEAD,200)": 1,
    "https://api.github.com/repos/RikuTatsumiVisasQ/test/git/refs (POST,201)": 1,
    "https://api.github.com/repos/RikuTatsumiVisasQ/test/git/refs/heads/renovate/pypi-cryptography-vulnerability (HEAD,404)": 1,
    "https://api.github.com/repos/RikuTatsumiVisasQ/test/git/refs/heads/renovate/pypi-cryptography-vulnerability/ (HEAD,404)": 1,
    "https://api.github.com/repos/RikuTatsumiVisasQ/test/git/trees (POST,201)": 1,
    "https://api.github.com/repos/RikuTatsumiVisasQ/test/issues/2 (GET,200)": 1,
    "https://api.github.com/repos/RikuTatsumiVisasQ/test/issues/2 (GET,304)": 1,
    "https://api.github.com/repos/RikuTatsumiVisasQ/test/issues/2 (PATCH,200)": 1,
    "https://api.github.com/repos/RikuTatsumiVisasQ/test/issues/5/labels (POST,200)": 1,
    "https://api.github.com/repos/RikuTatsumiVisasQ/test/pulls (GET,200)": 1,
    "https://api.github.com/repos/RikuTatsumiVisasQ/test/pulls (POST,201)": 1
  }
  "hostStats": {
    "api.github.com": {
      "requestCount": 17,
      "requestAvgMs": 214,
      "queueAvgMs": 0
    }
  }
  "totalRequests": 17
}

DEBUG: Package lookup durations
{
  "pypi": {
    "count": 1,
    "averageMs": 74,
    "totalMs": 74,
    "maximumMs": 74
  }
}

DEBUG: dns cache
{
  "hosts": []
}

INFO: Repository finished
{
  "cloned": true
  "durationMs": 10672
}

DEBUG: Renovate exiting

[not7cd]

Yes, in my opinion, this is a bug on Renovate side. GitHub is using original package names like "Pillow". This bug also reappears in pip-compile manager, as pip-compile command normalizes package names in the output file. I'm also using similar config.

So during name comparison, normalized names are skipped. I would see a fix to that comparison logic for Python packages. But first I need to find it.

[not7cd]

I have started working on a rather heavy-handed fix. #27733
@viceice can you check if you agree with a spirit of this change?

[not7cd]

This has been fixed with #28214. Alerts can be duplicated now. But they are all created. #27733 should mitigate this if its released in v38.

[github-actions[bot]]

Hi there,

Please do not unnecessarily @ mention maintainers like @rarkins or @viceice. Doing so causes annoying notifications and makes it harder to maintain this repository.

For example, never @ mention a maintainer when you are creating a discussion if your desire is to get attention. This is rude behavior, just like shouting out your coffee order in a Starbucks before it's your turn.

It's OK to comment in an issue or discussion after multiple days or weeks. But please, still don't @ mention people. The maintainers try to answer most discussions, but they can't answer all discussions. If you're still not getting an answer, take a look at the information you've given us and see if you can improve it.

Thanks, the Renovate team