fix(pipx): filter yanked pypi releases

[risu729]

Summary

• ignore PyPI releases that have no non-yanked files when listing pipx versions
• preserve exact pinned behavior by keeping the filter in fuzzy/latest version listing
• add unit coverage for fully yanked, mixed, empty, and string-yanked PyPI releases

How it works

• For PyPI packages, the pipx backend uses the PyPI JSON API, whose releases map contains each version and the files published for that version.
• Each file can carry yanked metadata. The backend filters out a release only when there are no usable files: either the file list is empty or every file for that release is yanked.
• Mixed releases are kept if at least one file is not yanked, and created_at is computed from non-yanked files so date filtering reflects usable artifacts.
• The JSON latest_stable_version fast path now derives latest from the same filtered version list instead of returning info.version, because info.version can still point at a yanked release.
• The yanked field is deserialized defensively because PyPI-compatible JSON can represent yanked metadata as either a bool or a string reason.

Why this is required

• Yanked PyPI releases remain visible in JSON metadata, but pip avoids them unless the user asks for an exact pinned version. mise should follow that behavior for fuzzy/latest resolution.
• Filtering only during version listing keeps exact pinned installs available while preventing latest or prefix resolution from choosing a yanked release by default.

Tests

• cargo fmt --check
• git diff --check
• cargo test backend::pipx::tests

[greptile-apps]

Greptile Summary

This PR filters out yanked PyPI releases from fuzzy/latest version resolution in the pipx backend, mirroring pip's default behavior. The info.version fast-path is replaced with a computed latest-stable derived from the same yanked-filtered list, and the yanked field is deserialized defensively to handle both bool and string-reason representations found in PyPI-compatible registries.

• Adds versions_from_pypi_package and latest_stable_from_pypi_package helpers that skip releases with no usable (non-yanked) files, and compute created_at only from non-yanked files in mixed releases.
• Replaces Ok(Some(pkg.info.version)) in the JSON fast path with Ok(Self::latest_stable_from_pypi_package(pkg)), returning Ok(None) when all stable versions are yanked so the caller can fall back gracefully.
• Adds four focused unit tests covering fully-yanked, mixed, empty, and string-yanked-reason releases.

Confidence Score: 5/5

Safe to merge — the change is well-scoped to yanked-release filtering and is fully covered by new unit tests.

The logic is straightforward: a filter on file-level yanked flags, a re-derived latest-stable that goes through the same filter, and a defensive custom deserializer. The return type at the latest_stable_version call site is unchanged (Result<Option>), exact pinned installs are unaffected (filtering only happens in the list/latest path), and every edge case in the PR description is exercised by a test.

No files require special attention.

_{Reviews (3): Last reviewed commit: "Merge branch 'main' into fix/pipx-yanked..." | Re-trigger Greptile}

[gemini-code-assist]

Code Review

This pull request refactors the PIPX backend to filter out yanked releases from PyPI by introducing a versions_from_pypi_package method and updating the PypiRelease struct. Feedback indicates that the latest_stable_version logic should also be updated to respect these filters to ensure consistency. Additionally, the yanked field should be handled as either a boolean or a string to comply with PEP 592 and avoid deserialization failures. Finally, a suggestion was made to exclude yanked files when determining the release timestamp.