fix(worker/repository): add normalized match for pip alertPackageRules

[not7cd]

Changes

Adds additional normalized name in matchPackageName for alerts coming from vulnerability alerts. This should catch dependencies in managers using pep621 standards, poetry, and pip-compile lock files.

Context

Workaround for #27069, may be superseded by #27733.
There is an inconsistency how Renovate handles Python package names. When it comes to vulnerability alerts coming from GitHub dependabot, they are taken as is in their canonical form (ex.: Pillow). If a normalized name (pillow) is used in a file, the update will be ignored and not created.

Documentation (please check one with an [x])

• I have updated the documentation, or
• No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

• Code inspection only, or
• Newly added/modified unit tests, or
• No unit tests but ran on a real repository, or
• Both unit tests + ran on a real repository

[not7cd]

In rare instances it can result in two separate PRs, but it should be better to create two than none or one that addresses half of the problem.

[gzmarstone]

Anything I can do to help with getting traction on this PR? Would love to see this get released.

[renovate-release]

🎉 This PR is included in version 37.306.1 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)
• 37.306.1

Your semantic-release bot 📦🚀

[gzmarstone]

I am now seeing that the vulnerabilities are being found for Pillow, but the pull request is not being updated with either [security] in the title or the information about the vulnerabilities in the body of the pull request. I am assuming there is another match that needs to have the name normalized for the compare?

[not7cd]

I guess that's good news. Do you have logs or the PR in a public repo @gzmarstone? I suspect that if PR was created before it was matched for vulnerability, it may not be updated. But I'm no expert in that matter.

I would also push more towards name normalization everywhere and not a workaround such as this one.

[gzmarstone]

Its not a publc repo, I was wondering if it would re-create it or not, I had left the vulnerability around so it could be used as a test when this got fixed. Looking at the logs there are no differences in logging between the vulnerabilities that are marked [SECURITY] and those that are not. I tried modifying the config which made it close the existing pull request, then reverted the config and it still did not add [SECURITY]