From e1c32372c41a806b9c3e7303fb6f193c50cbc115 Mon Sep 17 00:00:00 2001 From: Rafael Schouten Date: Mon, 6 May 2024 19:07:52 +0200 Subject: [PATCH 1/2] update yank section --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4d664ec..e5ae0a3 100644 --- a/README.md +++ b/README.md @@ -198,7 +198,13 @@ Simply releasing a patch for PackageA (v1.1.1) that removes support for v0.4 won It might seem sufficient to just pin the downstream packages to use v1.0.0, but there may be a lot of them to fix, and you can't be certain you're aware of them all. It also does nothing to prevent new compatibility issues from arising in the future. -To fix this, you should still release a patch of PackageA (v1.1.1) that removes support for v0.4 of PackageB, but you should then mark v1.1.0 of PackageA as broken in the registry. +To fix this, you should still release a patch of PackageA (v1.1.1) that removes support for v0.4 of PackageB, and also remove the compatability from +Compat.toml for the package in the general registry. This should require changing two compat bounds - removing the julia version from the package +version that will not work with it, and adding the package version to the julia version it is in fact compatible with. + +In some circumstances (help needed to elaborate here) it may still be necessary to yank a package version, for example where it does not +work on any Julia version at all and a bumping a minor version will not prevent it being loaded by some julia versions. + To do this, simply make a PR to the registry, adding `yanked = true` to the `Version.toml` file under the version causing issues (in this case v1.1.0). This marks the release as broken and prevents it from being used by any package from then on. From 424237ad982a1d76a76967bc39eb988a4fb38a2e Mon Sep 17 00:00:00 2001 
From: Rafael Schouten Date: Mon, 6 May 2024 20:40:54 +0200 Subject: [PATCH 2/2] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e5ae0a3..df7b8e3 100644 --- a/README.md +++ b/README.md @@ -202,7 +202,7 @@ To fix this, you should still release a patch of PackageA (v1.1.1) that removes Compat.toml for the package in the general registry. This should require changing two compat bounds - removing the julia version from the package version that will not work with it, and adding the package version to the julia version it is in fact compatible with. -In some circumstances (help needed to elaborate here) it may still be necessary to yank a package version, for example where it does not +In some circumstances it may still be necessary to yank a package version, for example where there is a security vulnerability or malicious code like ` rm -rf ` that needs immediate removal, or when the registered version does not work on any Julia version at all and a bumping a minor version will not prevent it being loaded by some julia versions. To do this, simply make a PR to the registry, adding `yanked = true` to the `Version.toml` file under the version causing issues (in this case v1.1.0).
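Review bot: On the first hunk (PATCH 1/2), the parenthetical "(help needed to elaborate here)" is an author's placeholder and should not land in the README; either drop it or file the elaboration as a follow-up. The same added lines also carry "compatability" (should be "compatibility") and "a bumping a minor version" (drop the stray "a"), and "julia version" is inconsistent with the "Julia" capitalisation used elsewhere in the hunk. The sentence "removing the julia version from the package version that will not work with it, and adding the package version to the julia version it is in fact compatible with" is hard to follow; naming the two Compat.toml entries being edited (which package version's bound is narrowed, which is widened) would make the procedure actionable.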
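Review bot: On the second hunk (PATCH 2/2), "needs immediate removal" overstates what the procedure below achieves: the unchanged context says adding `yanked = true` "marks the release as broken and prevents it from being used by any package from then on", i.e. it stops the version being resolved, it does not remove it; suggest "that must be kept out of new installs immediately" or similar so readers with the version already installed know they still need to act. The inline code ` rm -rf ` has padding spaces inside the backticks that render as part of the code span; use `rm -rf`. The sentence is also a long run-on that carries over the "a bumping a minor version" typo from the first patch; splitting the security case and the "does not work on any Julia version" case into two sentences and fixing the typo would help.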