I like this, but IIUC your approach is not quite right when an upper bound is introduced via METADATA. This occurred, for example, when the recent breaking revision of DataFrames forced them to bound all dependencies. You could handle these cases by getting the line
s from METADATA/$package/versions/$version/requires
file instead of the package’s REQUIRE file.