All 0.7.x versions have been yanked? about ahash HOT 14 CLOSED

0.7.7 is now published

from ahash.

0.4.8 is also published with a patch.

from ahash.

Yeah backporting the fixes to 0.7 is probably the cleanest way forward. It takes too long for 0.8 to propagate through the indirect dependencies.

from ahash.

I was about to open this issue.

Yanking older versions without making fixed semver-compatible versions available broke a bunch of other crates, preventing cargo update, CI runs...
Considering how ahash is clearly described as "not a cryptographically secure hash", maybe it's not so critical to immediately prevent people using this from building, and maybe posting these to https://rustsec.org/ rather than yanking would be the best way to handle the security vulnerabilities.
Alternately, releasing a fixed 0.x.n semver-compatible versions for each yanked 0.x.y would also fix this issue.

from ahash.

I encourage everyone to not judge whether or not it was a good call but rather discuss how best to help this crate move forward.

from ahash.

Please see here for the reason: https://github.com/tkaitchuck/aHash/wiki/Yanked-versions
I can work on publishing a patch to the 0.7 branch. But the interface changed so little there is a 99% chance that just bumping the version should be enough

from ahash.

Ah, I just saw #163. This seems to be on purpose.

from ahash.

Yea i don't know if Yanking the packages was a good call. Now a significant portion of ecosystem is broken. 🤦‍♂️ This package is 5 levels down one of my dependencies. ouef

from ahash.

#175

from ahash.

I encourage everyone to not judge whether or not it was a good call but rather discuss how best to help this crate move forward.

It is possible to un-yank versions. (And release a rustsec advisory.)

I can work on publishing a patch to the 0.7 branch

As far as I'm concerned I stopped compiling because of a "^0.4.4" requirement at depth 5.

from ahash.

I agree with @CryZe. Given how deeply buried ahash is in the dependency tree, it would be quite a while before they’re all resolved. If 0.7 could be bumped, that would probably end in the quickest resolution.

A somewhat less quick method but one that could also work well is to backport the fix that caused the yanking in the first place to 0.7.x and release a “hotfix”.

from ahash.

@tkaitchuck much thanks! 🌮 🌮 🌮

from ahash.

@tkaitchuck Thank you so much, what a blast and a fast move. Thanks

from ahash.

Thank you very much, @tkaitchuck!

from ahash.