Closed keehun closed 11 months ago
I was about to open this issue.
Yanking older versions without making fixed semver-compatible versions available broke a bunch of other crates, preventing `cargo update`, CI runs...
Considering how `ahash` is clearly described as "not a cryptographically secure hash", maybe it's not so critical to immediately prevent people using this from building, and maybe posting these to https://rustsec.org/ rather than yanking would be the best way to handle the security vulnerabilities.
Alternately, releasing fixed 0.x.n semver-compatible versions for each yanked 0.x.y would also fix this issue.
Ah, I just saw https://github.com/tkaitchuck/aHash/issues/163. This seems to be on purpose.
Yeah, I don't know if yanking the packages was a good call. Now a significant portion of the ecosystem is broken. 🤦♂️ This package is 5 levels down one of my dependencies. ouef
I encourage everyone to not judge whether or not it was a good call but rather discuss how best to help this crate move forward.
Please see here for the reason: https://github.com/tkaitchuck/aHash/wiki/Yanked-versions
I can work on publishing a patch to the 0.7 branch. But the interface changed so little that there is a 99% chance that just bumping the version should be enough.
Yeah backporting the fixes to 0.7 is probably the cleanest way forward. It takes too long for 0.8 to propagate through the indirect dependencies.
> I encourage everyone to not judge whether or not it was a good call but rather discuss how best to help this crate move forward.
It is possible to un-yank versions. (And release a rustsec advisory.)
> I can work on publishing a patch to the 0.7 branch

As far as I'm concerned, I stopped compiling because of a `"^0.4.4"` requirement at depth 5.
I agree with @CryZe. Given how deeply buried `ahash` is in the dependency tree, it would be quite a while before they're all resolved. If 0.7 could be bumped, that would probably end in the quickest resolution.
A somewhat less quick method but one that could also work well is to backport the fix that caused the yanking in the first place to 0.7.x and release a “hotfix”.
0.7.7 is now published
@tkaitchuck much thanks! 🌮 🌮 🌮
0.4.8 is also published with a patch.
@tkaitchuck Thank you so much, what a blast and a fast move. Thanks!
Thank you very much, @tkaitchuck!
Hi @tkaitchuck,
Thank you for this amazing crate. I (and I am sure many others) really appreciate all the work you (and other contributors) have put into this.
This afternoon, it looks like all 0.7.x versions and <=0.8.3 versions (and maybe more) have been yanked? Was this on purpose? Looking at some of the other issues and recent merges, was only 0.8.4 meant to be yanked?
`cbindgen` has `ahash 0.7.6` as a sub-dependency (through `indexmap 1.9.3`), so I wonder if many people will notice the yanked crate versions very soon. I've reported this to `cbindgen` here, and now I'm looking to see if I can maybe get `indexmap` updated in `cbindgen` to help this transition if it was intended.
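One way to check a lockfile for the buried-dependency situation this thread describes (example code added here, not from the aHash project or any commenter): it walks a constructed Cargo.lock sample, lists every path from the root crate to `ahash`, and compares the version found against the 0.7.7 and 0.4.8 patch releases named above. The lockfile content, the crate name `mycrate` and the minimal regex-based parser are assumptions made for the example.

```python
import re

# Constructed sample Cargo.lock (not from the thread): a crate that reaches ahash 0.7.6
# through indexmap, the chain the issue describes.
SAMPLE_LOCK = """
[[package]]
name = "mycrate"
version = "0.1.0"
dependencies = ["indexmap"]
[[package]]
name = "indexmap"
version = "1.9.3"
dependencies = ["ahash 0.7.6"]
[[package]]
name = "ahash"
version = "0.7.6"
"""

# Earliest release on each minor line that carries the patch, as stated in the thread.
PATCHED = {(0, 7): (0, 7, 7), (0, 4): (0, 4, 8)}

def parse_lock(text):
    """Map crate name -> (version, [dependency names]); assumes one version per crate."""
    pkgs = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        deps = re.search(r'^dependencies = \[(.*?)\]', block, re.M | re.S)
        # Entries may read "name" or "name version"; keep only the name.
        pkgs[name] = (version, re.findall(r'"([^" ]+)', deps.group(1)) if deps else [])
    return pkgs

def is_patched(version):
    """True/False against the thread's patched releases; None for lines it does not cover."""
    parts = tuple(int(p) for p in version.split("."))
    minimum = PATCHED.get(parts[:2])
    return None if minimum is None else parts >= minimum

def ahash_report(text, root, target="ahash"):
    """Walk the graph from root; one (path, version, patched) row per route to target."""
    pkgs, rows = parse_lock(text), []
    def walk(name, path, seen):
        version, deps = pkgs[name]
        if name == target:
            rows.append((" -> ".join(path + [name]), version, is_patched(version)))
            return
        for dep in deps:
            if dep in pkgs and dep not in seen:
                walk(dep, path + [name], seen | {name})
    walk(root, [], set())
    return rows
```

Running `ahash_report` on a real lockfile with the project's root crate name shows each route to `ahash` and whether that version sits at or above the patched release for its minor line.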