Open sunshowers opened 4 months ago
It seems like the Cargo docs discourage yanking for security vulnerabilities as disruptive, but IMO there is no reason not to yank a crate for a security vulnerability if there is a SemVer-compatible upgrade. Yanking becomes disruptive when there is no SemVer-compatible upgrade.
Thanks Tony! Do you think you could work with Cargo upstream to clarify the situation?
Yeah, it'd be good to open an issue about syncing this advice with RustSec
It seems to me that the advice here should also be narrowed. Something like:
-4. [Yank] the affected versions of the crate.
+4. [Yank] the affected versions of the crate, if a SemVer-compatible upgrade is available.
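Review bot: the qualifier "if a SemVer-compatible upgrade is available" turns step 4 into a no-op for the case this same comment raises next, a vulnerable version that pulled in a malicious dependency, where yanking is wanted even without a compatible upgrade. Consider keeping the step itself unconditional and moving the SemVer condition into a separate sentence about disruption, e.g. "4. [Yank] the affected versions of the crate. Note that yanking is disruptive for dependants when no SemVer-compatible upgrade exists; see the special cases below."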
But I worry that may not be quite right, because there are probably uncommon circumstances where yanking vulnerable versions should be done even in the absence of a SemVer-compatible upgrade. For example, in a vulnerability where a malicious dependency was accidentally used, usually it can be eliminated without a breaking change, but yanking is probably justified even if it cannot.
Maybe we could provide general advice and a list of special cases to consider.
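As an added illustration of the criterion discussed above (not code from this thread or from RustSec), here is a small script that, given a crate's published versions and the set affected by an advisory, reports for each affected version whether a SemVer-compatible unaffected upgrade exists, i.e. whether yanking it is non-disruptive. The version lists are constructed sample data; the compatibility rule is Cargo's default caret rule (same major if major > 0, same minor if major == 0, same patch if major and minor are both 0), and pre-release tags are not handled.

```python
from typing import Dict, Iterable, Optional, Tuple


def parse(v: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple (no pre-release handling)."""
    major, minor, patch = (int(p) for p in v.split("."))
    return major, minor, patch


def caret_compatible(base: str, candidate: str) -> bool:
    """Does `candidate` satisfy a default (caret) requirement written as `base`?"""
    b, c = parse(base), parse(candidate)
    if c < b:
        return False  # only upgrades count
    if b[0] > 0:
        return c[0] == b[0]  # 1.x.y -> any 1.*
    if b[1] > 0:
        return c[0] == 0 and c[1] == b[1]  # 0.4.x -> any 0.4.*
    return c[0] == 0 and c[1] == 0 and c[2] == b[2]  # 0.0.z -> only 0.0.z


def yank_plan(published: Iterable[str], affected: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each affected version to the newest compatible unaffected upgrade,
    or None when yanking it would leave dependants without a SemVer-compatible fix."""
    affected = set(affected)
    fixed = [v for v in published if v not in affected]
    plan: Dict[str, Optional[str]] = {}
    for vuln in sorted(affected, key=parse):
        candidates = [f for f in fixed if caret_compatible(vuln, f)]
        plan[vuln] = max(candidates, key=parse) if candidates else None
    return plan


# Constructed sample: the 0.4 and 1.x lines received a fix, the 0.5 line did not.
PUBLISHED = ["0.4.0", "0.4.1", "0.4.2", "0.5.0", "1.0.0", "1.1.0", "1.1.1"]
AFFECTED = ["0.4.0", "0.4.1", "0.5.0", "1.0.0", "1.1.0"]

if __name__ == "__main__":
    for vuln, fix in yank_plan(PUBLISHED, AFFECTED).items():
        if fix is None:
            print(f"{vuln}: no SemVer-compatible fix published; yanking would be disruptive")
        else:
            print(f"{vuln}: safe to yank, dependants resolve to {fix}")
```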
While trying to resolve RUSTSEC-2024-0020, we found some conflicting information (https://github.com/ardaku/whoami/issues/97#issuecomment-1978981489):
Which one of these recommendations controls?