-
Notifications
You must be signed in to change notification settings - Fork 239
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Release 0.24.1 #475
Comments
Hm... Documentation for |
Perhaps that is only if pinned to that specific version, as opposed to a semver constraint, I don't honestly know? I might file a PR to the docs repo to clarify that, and in so doing find out from the people who will know 🤔 In my experience I have frequently found yanked crates forcing me to drop everything and patch a version. It's certainly not transparent to downstreams in the way that would imply... Personally I wish crates.io didn't have the functionality, even in the case of CVEs, RUSTSEC is a better way to communicate that without forcing updates on downstreams. For reference here is the failing CI job - https://github.com/apache/arrow-rs/runs/8286264184?check_suite_focus=true |
In your case you should update quick-xml in any case because of using It uses buffered reading and could break is S3 response will contain CDATA elements. |
I think the relevant part of the Cargo documentation is
meaning that only locked versions continue to work, meaning entries in |
Yes, agreed. All I'm asking is that we provide a way that people can update through semver, without needing new releases to be cut. Are you suggesting all downstreams should yank any releases using 0.24.0? Would it not be better to just cut a patch release that fixes the bug and let everyone get the fix for free? |
Because there are no significant changes yet, I thought that updating from 0.24 to 0.25 should not be a problem. It is possible to release a patch release also. Will release soon
Maybe also it is just because last released version of object_store is 0.4.0 and |
This is because the 0.5.0 release is in its acceptance testing phase and has already been cut, this is part of why I would greatly appreciate a patch release
You can confirm this is not the case with a simple test
It wouldn't be, the issue is yanking 0.24 and not providing a semver compatible replacement 😅 I've proposed rust-lang/cargo#11071 to address the documentation, as I agree it is definitely misleading
Thank you ❤️ |
I don't think so. That crate is created locally and of course it is new. If it would be already released... Released 0.24.1 |
Thank you, especially for handling this so quickly 🎉
We can test this using cargo-tarpaulin which depends on 0.23 which has also been yanked
Similarly attempting to install inferno, also fails
You might want to consider releasing a patch version of 0.23 as well... |
doc: clarify implications of `cargo-yank` ### What does this PR try to resolve? I found the documentation for `cargo yank` was not especially clear on the implications of yanking a crate, and I have seen this causing confusion within the community - tafia/quick-xml#475. On a somewhat related note, I have been observing lots more crates getting yanked recently and this is resulting in a fair amount of dependency upgrade busywork. I think/hope part of this is a documentation issue.
doc: clarify implications of `cargo-yank` ### What does this PR try to resolve? I found the documentation for `cargo yank` was not especially clear on the implications of yanking a crate, and I have seen this causing confusion within the community - tafia/quick-xml#475. On a somewhat related note, I have been observing lots more crates getting yanked recently and this is resulting in a fair amount of dependency upgrade busywork. I think/hope part of this is a documentation issue.
It would appear that 0.24.0 has just been yanked, and a new 0.25.0 release cut. Unfortunately this means released crates with a version pin of ^0.24.0 now fail to compile, as 0.25.0 is considered semver incompatible.
Reviewing the changelog for 0.25.0 I don't see anything obvious that would constitute a breaking change, and so I wonder if we might release a 0.24.1 with the change in #471 to avoid ecosystem churn? Nothing in that change appears to be breaking
FYI @Mingun
The text was updated successfully, but these errors were encountered: