Clap: Consider yanking Clap 2.9.2

Created on 15 Aug 2020 · 6 Comments · Source: clap-rs/clap

Hi!

Clap 2.9.2 (and maybe some other versions, I haven't done an investigation) triggers a future compatibility warning in this code:

https://github.com/clap-rs/clap/blob/9605ea83aab50113fcd190e9a54adfaae1634072/src/macros.rs#L506

This is an erroneous definition of a macro, because the `$ident` fragment lacks the `:ident` specifier. This has been a deny-by-default lint for some time, and we'd want to hard error it eventually (and most likely rather soon). So, given that this crate might stop compiling eventually, it seems prudent to yank it, to give reverse-dependencies a heads up!

cc https://github.com/rust-lang/rust/pull/75516
cc https://github.com/dzamlo/treeify/pull/2

bug

All 6 comments

Sure. It's hard to tell for sure which versions are affected because not every version has a tag I could check out, so I just located the earliest bug-free version - which is 2.21.1 - and yanked everything in between. At the end of the day, they are all just history; there are more than 10 minor releases after that point.

I didn't spend any time on checking older versions because they're quite ancient and I doubt anyone will ever notice. Anyway, whoever cares is free to contact us and we'll yank them as well.

This has been there since v1.4.0. Do we want to yank all of them? I am not sure why we are giving importance to yanking. What if people prefer an older version of Rust?

Also, the usage of clap by versions (at least from public crates) is here

I don't mind, go ahead if you want to.

1.4.0 was released five years ago. If those people are so dead set, they can just put the desired version in Cargo.lock manually (and it's probably already there). Yanking doesn't remove the crate from crates.io, it just prevents _new_ crates from depending on it.

> Also, the usage of clap by versions (at least from public crates) is here

Just as expected: the ~90% peak at the latest minor version and the _loong_ low tail of older deps. I'd say we don't care. A curious phenomenon: local peaks on "terminator versions" (i.e. 2.23.3 when the next version is 2.24.x).

Reopening this because as per how the process goes with similar advisories, the versions have to be yanked

So, should I yank from 1.4.0 onwards?

Yanked, God bless dumb Python scripts. Why doesn't cargo have the "yank everything from X.X.X to Y.Y.Y" functionality?
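
The range yank mentioned in the last comment, sketched as an added example (not the maintainer's script, which the page does not show): it selects every published version from the first affected one up to, but excluding, the first fixed one, and prints the `cargo yank` commands as a dry run. The version list is constructed sample data and the helper names are hypothetical.

```python
import re
import shlex

# Constructed sample; a real run would take the list from the crates.io index.
PUBLISHED = ["1.3.2", "1.4.0", "1.5.5", "2.0.0", "2.9.2", "2.10.0",
             "2.21.0", "2.21.1-rc.1", "2.21.1", "2.33.3", "not-a-version"]

SEMVER = re.compile(r"(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?")


def sort_key(version):
    """Map a version to a comparable tuple; a pre-release sorts before its release."""
    m = SEMVER.fullmatch(version)
    if m is None:
        raise ValueError(f"not a semver version: {version!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)


def versions_to_yank(published, first_bad, first_good):
    """Return published versions v with first_bad <= v < first_good, oldest first."""
    lo, hi = sort_key(first_bad), sort_key(first_good)
    if lo >= hi:
        raise ValueError("first_bad must be older than first_good")
    selected = []
    for v in published:
        try:
            key = sort_key(v)
        except ValueError:
            continue  # skip malformed entries instead of guessing their order
        if lo <= key < hi:
            selected.append((key, v))
    return [v for _, v in sorted(selected)]


def yank_commands(crate, versions):
    """Build one `cargo yank` argv per version; nothing is executed here."""
    return [["cargo", "yank", "--version", v, crate] for v in versions]


if __name__ == "__main__":
    # Dry run: print the commands for review before running them by hand.
    for argv in yank_commands("clap", versions_to_yank(PUBLISHED, "1.4.0", "2.21.1")):
        print(shlex.join(argv))
```

Comparison is numeric per component, so 2.10.0 sorts after 2.9.2, and the pre-release of the fixed version is still inside the range because it precedes the release in semver order.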
