softdevteam/snare

Yanked dependency

Closed this issue · 4 comments

sd_audit turns up this:

Crate:         pin-project-lite                       
Version:       0.2.4                          
Warning:       yanked                                           
Dependency tree:                                                     
pin-project-lite 0.2.4                                            
├── tracing 0.1.23                            
│   └── hyper 0.14.4                                           
│       └── snare 0.4.1                                                 
├── tokio 1.2.0                                                         
│   ├── snare 0.4.1                                   
│   └── hyper 0.14.4                                         
└── futures-util 0.3.12                                                           
    └── hyper 0.14.4                                     
                                         
error: 1 denied warning found!                 

Note that snare still builds.

There's no new version of hyper, so I'm not sure if we can fix this immediately?

[Looks like upstream hyper have switched from pin-project-lite to pin-project in master]

pin-project-lite has 0.2. which hasn't been yanked https://crates.io/crates/pin-project-lite/versions. I'll check everything still works and raise a PR once I've been able to do so.

Note that you don't directly depend on pin-project-lite, so it's your dependencies that would need to use a new version, not snare, right?

Unless the dependency requires exactly 0.2.4, cargo will use the most recent compatible version.

I'm confused. But I'll let this play out. I suspect you need to change an upstream or two...
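An added example, not part of the original thread or of snare's code: a simplified model of the point made above that cargo uses the most recent compatible version unless a dependency requires exactly 0.2.4. It assumes plain x.y.z versions (no pre-release tags or other operators); the index contents are constructed sample data, and only the yanked status of 0.2.4 comes from the audit output.

```rust
// Added illustration: simplified model of how Cargo picks a version.
// Only full x.y.z versions; pre-release tags and other operators are ignored.
type Ver = (u64, u64, u64);

enum Req {
    Caret(Ver), // default form, e.g. pin-project-lite = "0.2.4"
    Exact(Ver), // pinned form, e.g. pin-project-lite = "=0.2.4"
}

fn parse(s: &str) -> Option<Ver> {
    let mut it = s.split('.').map(|p| p.parse::<u64>().ok());
    let v = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { None } else { Some(v) }
}

// Caret rule: at least the requested version, and the leftmost non-zero
// component must not change.
fn caret_matches(req: Ver, v: Ver) -> bool {
    if v < req { return false; }
    match req {
        (0, 0, _) => v == req,
        (0, minor, _) => v.0 == 0 && v.1 == minor,
        (major, _, _) => v.0 == major,
    }
}

// Fresh resolution: highest matching version that is not yanked.
// `index` holds (version, yanked) pairs.
fn resolve(req: &Req, index: &[(Ver, bool)]) -> Option<Ver> {
    index.iter()
        .filter(|(v, yanked)| !*yanked && match req {
            Req::Caret(r) => caret_matches(*r, *v),
            Req::Exact(r) => v == r,
        })
        .map(|(v, _)| *v)
        .max()
}

// Constructed index; only "0.2.4 is yanked" comes from the audit output.
fn sample_index() -> Vec<(Ver, bool)> {
    [("0.2.0", false), ("0.2.4", true), ("0.2.6", false), ("0.3.0", false)]
        .iter().map(|(s, y)| (parse(s).unwrap(), *y)).collect()
}

fn main() {
    let idx = sample_index();
    println!("caret: {:?}", resolve(&Req::Caret((0, 2, 4)), &idx));
    println!("exact: {:?}", resolve(&Req::Exact((0, 2, 4)), &idx));
}
```

With the caret requirement the yanked release is skipped in favour of a newer 0.2.x; with the exact requirement nothing in the index satisfies it.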