Fix crashes on Python libraries using multiple manifests

python/lib/dependabot/python/update_checker.rb

@@ -115,6 +115,17 @@ def updated_dependencies_after_full_unlock
         raise NotImplementedError
       end
 
+      def preferred_version_resolvable_with_unlock?
+        # Our requirements file updater doesn't currently support widening
+        # ranges, so avoid updating this dependency if widening ranges has been
+        # required and the dependency is present on a requirements file.
+        # Otherwise, we will crash later on. TODO: Consider what the correct
+        # behavior is in these cases.
+        return false if requirements_update_strategy == :widen_ranges && updating_requirements_file?
+
+        super
+      end
+
       def fetch_lowest_resolvable_security_fix_version
         fix_version = lowest_security_fix_version
         return latest_resolvable_version if fix_version.nil?
@@ -299,6 +310,10 @@ def updating_in_file?
         requirement_files.any? { |f| f.end_with?(".in") }
       end
 
+      def updating_requirements_file?
+        requirement_files.any? { |f| f =~ /\.txt$|\.in$/ }
+      end
+
       def requirement_files
         requirements.map { |r| r.fetch(:file) }
       end

python/spec/dependabot/python/update_checker_spec.rb

@@ -96,6 +96,47 @@
       end
       it { is_expected.to be_falsey }
     end
+
+    context "given a dependency in a poetry-based Python library, that's also in an additional requirements file" do
+      let(:dependency_files) { [pyproject, requirements_file] }
+      let(:pyproject_fixture_name) { "tilde_version.toml" }
+
+      let(:dependency) do
+        Dependabot::Dependency.new(
+          name: "requests",
+          version: "1.2.3",
+          requirements: [{
+            file: "pyproject.toml",
+            requirement: "^1.0.0",
+            groups: [],
+            source: nil
+          }, {
+            file: "requirements.txt",
+            requirement: "==1.2.8",
+            groups: [],
+            source: nil
+          }],
+          package_manager: "pip"
+        )
+      end
+
+      let(:pypi_url) { "https://pypi.org/simple/requests/" }
+      let(:pypi_response) do
+        fixture("pypi", "pypi_simple_response_requests.html")
+      end
+
+      before do
+        stub_request(:get, "https://pypi.org/pypi/pendulum/json/").
+          to_return(
+            status: 200,
+            body: fixture("pypi", "pypi_response_pendulum.json")
+          )
+      end
+
+      it "does not attempt an update, because updating requirements.txt file does not yet support widening ranges" do
+        expect(subject).to be_falsey
+      end
+    end
   end
 
   describe "#latest_version" do