pyup
Add option to limit package hashes by Python version
I recently started using pyup to manage dependencies for a Django project. It's been going well, except for PRs like this one. You can see that the number of hashes allowed for the package quadrupled, which seems odd.
The reason for this is that the gevent package releases many wheel files for various Python versions and OS combinations. This isn't interesting to me, since I only target a single Python version. To me, including the extra hashes reduces the safety and reliability of the hashing system.
Previously, we used hashin to manage the hashes of our dependencies. It has an option to only include hashes for the given Python version. This made our requirements files smaller and more correct.
It would be nice if pyup could take an optional config value to limit the hashes to a specific Python version or version range.
That's an interesting problem, indeed.
It looks like PyPI is storing the corresponding Python version and the package type alongside the hash. This should be possible to implement: https://pypi.org/pypi/gevent/json
In hashin, I found that parsing the filenames was more reliable, unfortunately, than trying to use the data in the API. This was a couple years ago though, so things may have changed. The code that does that parsing is here, if you want to use it for inspiration: https://github.com/peterbe/hashin/blob/master/hashin.py#L293
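As an added example (not pyup's or hashin's code), the filtering the thread asks for: take the per-release file list from the PyPI JSON API and keep only the digests that apply to one target interpreter, deciding from the wheel filename's Python tag rather than the `python_version` field, as suggested above. The release entries and digests below are constructed placeholders, not real gevent data, and wheels whose filename cannot be parsed are dropped rather than trusted.

```python
import re

# Constructed sample in the shape of one entry of PyPI's "releases" mapping.
# Digests are placeholders, not real package hashes.
SAMPLE_RELEASE = [
    {"filename": "gevent-1.4.0.tar.gz", "packagetype": "sdist",
     "python_version": "source", "digests": {"sha256": "sdist-digest"}},
    {"filename": "gevent-1.4.0-cp37-cp37m-manylinux1_x86_64.whl",
     "packagetype": "bdist_wheel", "python_version": "cp37",
     "digests": {"sha256": "cp37-digest"}},
    {"filename": "gevent-1.4.0-cp27-cp27mu-manylinux1_x86_64.whl",
     "packagetype": "bdist_wheel", "python_version": "cp27",
     "digests": {"sha256": "cp27-digest"}},
    {"filename": "gevent-1.4.0-cp36-cp36m-win_amd64.whl",
     "packagetype": "bdist_wheel", "python_version": "cp36",
     "digests": {"sha256": "cp36-digest"}},
    {"filename": "gevent-1.4.0-py2.py3-none-any.whl",
     "packagetype": "bdist_wheel", "python_version": "py2.py3",
     "digests": {"sha256": "universal-digest"}},
]

# PEP 427 wheel filename: name-version[-build]-pytag-abitag-platformtag.whl
WHEEL_RE = re.compile(
    r"^(?P<name>[^-]+)-(?P<ver>[^-]+)(-(?P<build>\d[^-]*))?"
    r"-(?P<py>[^-]+)-(?P<abi>[^-]+)-(?P<plat>[^-]+)\.whl$")


def wheel_python_tags(filename):
    """Return the wheel's Python tags (e.g. ['py2', 'py3']) or None if unparsable."""
    m = WHEEL_RE.match(filename)
    return m.group("py").split(".") if m else None


def tag_matches(tag, major, minor, impl="cp"):
    """True if a PEP 425 tag such as py3, py37 or cp37 covers the target version."""
    m = re.fullmatch(r"([a-z]+)(\d)(\d*)", tag)
    if not m:
        return False
    t_impl, t_major, t_minor = m.groups()
    if t_impl not in ("py", impl):     # 'py' is implementation-agnostic
        return False
    if int(t_major) != major:
        return False
    return t_minor == "" or int(t_minor) == minor   # bare 'py3' matches any 3.x


def hashes_for_python(release, major, minor, impl="cp"):
    """sha256 digests from a PyPI release list usable on the target interpreter."""
    keep = []
    for f in release:
        if f["packagetype"] == "sdist":            # sdists apply to every version
            keep.append(f["digests"]["sha256"])
            continue
        tags = wheel_python_tags(f["filename"])
        if tags and any(tag_matches(t, major, minor, impl) for t in tags):
            keep.append(f["digests"]["sha256"])
    return keep
```

For the sample above, a CPython 3.7 target keeps the sdist, the cp37 wheel and the py2.py3 wheel, so the three remaining digests are the only ones that would land in the requirements file.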