I like this, but IIUC your approach is not quite right when an upper bound is introduced via METADATA. This occurred, for example, when the recent breaking revision of DataFrames forced them to bound all dependencies. You could handle these cases by getting the lines from METADATA/$package/versions/$version/requires file instead of the package’s REQUIRE file.