Open fake-name opened 6 years ago
Ok, the bot is now generating updates to versions that don't exist as well:
https://github.com/fake-name/wlnupdates/pull/183
It's trying to update simplejson to 3.16.1, but the latest version of simplejson on PyPi is 3.16.0.
I don't know if this was a release that got retracted, or if it's using the releases from https://github.com/simplejson/simplejson, but https://github.com/simplejson/simplejson/releases includes 3.16.1, though it's missing on pypi.
Ok, apparently 3.16.1 was also unpublished.
Pyup really needs to handle the unpublishing of releases.
@fake-name @edmorley I am working on a system to handle unpublished releases and should have it in production in the next few days. Thanks for your patience here!
Any motion here? Just hit this when I missed pyup was pinning a reverted release as part of a batch update.
So...... how are those "next few days" going?
@fake-name sorry for taking so long to get back to you.
My assumption is that you are probably not suffering from this anymore for such specific packages. Anyway, this is still a valid concern. We must be on top of unpublished or removed packages as you said. Unfortunately, that is not a very common and good practice. Project maintainers are supposed to republish a fixed, even if reverted, version when that happens.
Anyway, that does not invalidate your request here.
Basically, I have a project that depends on pyyaml.
PyYAML released version 4.1, which generated a PR in my project. However, the developers subsequently determined that there were issues with their release, and unpublished the release.
This means that the most recent version available is now 3.12, so installs that use my requirements.txt file now fail. It seems like since pyup is already tracking releases, it should be able to handle the case where a more recent release is unpublished due to security/integrity/bugs/whatnot, and PR the appropriate reversions.