All 0.7.x versions have been yanked?

[keehun]

Hi @tkaitchuck,

Thank you for this amazing crate. I (and I am sure many others) really appreciate all the work you (and other contributors) have put into this.

This afternoon, it looks like all 0.7.x versions and <=0.8.3 versions (and maybe more) have been yanked? Was this on purpose? Looking at some of the other issues & recent merges, was only 0.8.4 meant to be yanked?

cbindgen has ahash 0.7.6 as a sub-dependency (through indexmap 1.9.3), so I wonder if many people will notice the yanked crate versions very soon. I've reported this to cbindgen here and now I'm looking to see if I can maybe get indexmap updated in cbindgen to help this transition if it was intended.

[Ten0]

I was about to open this issue.

Yanking older versions without making fixed semver-compatible versions available broke a bunch of other crates, preventing cargo update, CI runs...
Considering how ahash is clearly described as "not a cryptographically secure hash", maybe it's not so critical to immediately prevent people using this from building, and maybe posting these to https://rustsec.org/ rather than yanking would be the best way to handle the security vulnerabilities.
Alternately, releasing a fixed 0.x.n semver-compatible versions for each yanked 0.x.y would also fix this issue.

[keehun]

Ah, I just saw #163. This seems to be on purpose.

[partisan-bobryk]

Yea i don't know if Yanking the packages was a good call. Now a significant portion of ecosystem is broken. 🤦‍♂️ This package is 5 levels down one of my dependencies. ouef

[keehun]

I encourage everyone to not judge whether or not it was a good call but rather discuss how best to help this crate move forward.

[tkaitchuck]

Please see here for the reason: https://github.com/tkaitchuck/aHash/wiki/Yanked-versions
I can work on publishing a patch to the 0.7 branch. But the interface changed so little there is a 99% chance that just bumping the version should be enough

[CryZe]

Yeah backporting the fixes to 0.7 is probably the cleanest way forward. It takes too long for 0.8 to propagate through the indirect dependencies.

[Ten0]

I encourage everyone to not judge whether or not it was a good call but rather discuss how best to help this crate move forward.

It is possible to un-yank versions. (And release a rustsec advisory.)

I can work on publishing a patch to the 0.7 branch

As far as I'm concerned I stopped compiling because of a "^0.4.4" requirement at depth 5.

[tkaitchuck]

#175

[keehun]

I agree with @CryZe. Given how deeply buried ahash is in the dependency tree, it would be quite a while before they’re all resolved. If 0.7 could be bumped, that would probably end in the quickest resolution.

A somewhat less quick method but one that could also work well is to backport the fix that caused the yanking in the first place to 0.7.x and release a “hotfix”.

[tkaitchuck]

0.7.7 is now published

[partisan-bobryk]

@tkaitchuck much thanks! 🌮 🌮 🌮

[tkaitchuck]

0.4.8 is also published with a patch.

[dfeyer]

@tkaitchuck Thank you so much, what a blast and a fast move. Thanks

[keehun]

Thank you very much, @tkaitchuck!