zip crate version 2.6.1 is yanked

[theoparis]

Gitoxide fails to install due to the zip crate version 2.6.1 being yanked. See zip-rs/zip2#337

Command:

cargo install --git https://github.com/gitoxidelabs/gitoxide gitoxide --no-default-features --features max-pure

Error:

error: failed to compile `gitoxide v0.44.0 (https://github.com/gitoxidelabs/gitoxide#8d30ab12)`, intermediate artifacts can be found at `C:\Users\theo\AppData\Local\Temp\cargo-installvpbBFc`.
To reuse those artifacts with a future compilation, set the environment variable `CARGO_TARGET_DIR` to that path.

Caused by:
  failed to select a version for the requirement `zip = "^2.6.1"`
    version 2.6.1 is yanked
  location searched: crates.io index
  required by package `gix-archive v0.21.1 (C:\Users\theo\.cargo\git\checkouts\gitoxide-94b9d2a5b81d6ea5\8d30ab1\gix-archive)`
      ... which satisfies path dependency `gix-archive-for-configuration-only` of package `gitoxide-core v0.47.1 (C:\Users\theo\.cargo\git\checkouts\gitoxide-94b9d2a5b81d6ea5\8d30ab1\gitoxide-core)`
      ... which satisfies path dependency `gitoxide-core` of package `gitoxide v0.44.0 (C:\Users\theo\.cargo\git\checkouts\gitoxide-94b9d2a5b81d6ea5\8d30ab1)`

[Byron]

Yeah, it's quite crazy that a crate with 70 million downloads and a lot of dependents can break their entire downstream by yanking all recent versions without providing a semver-compatible alternative.

The snarky comment above falsely assumed that --locked doesn't doesn't work, but it's clear that it does so a common workaround is possible.

#2013 will have the fix so installation from Git will work again.

[EliahKagan]

I've verified that, as one would expect, this bug also affects installation of gitoxide from crates.io:

ek in 🌐 catenary in ~
❯ cargo install gitoxide
    Updating crates.io index
  Downloaded gitoxide v0.44.0
  Downloaded 1 crate (84.4KiB) in 0.21s
  Installing gitoxide v0.44.0
    Updating crates.io index
error: failed to compile `gitoxide v0.44.0`, intermediate artifacts can be found at `/tmp/cargo-installgSjpNt`.
To reuse those artifacts with a future compilation, set the environment variable `CARGO_TARGET_DIR` to that path.

Caused by:
  failed to select a version for the requirement `zip = "^2.6.1"`
    version 2.6.1 is yanked
  location searched: crates.io index
  required by package `gix-archive v0.21.1`
      ... which satisfies dependency `gix-archive-for-configuration-only = "^0.21.1"` of package `gitoxide-core v0.47.1`
      ... which satisfies dependency `gitoxide-core = "^0.47.1"` of package `gitoxide v0.44.0`

Various other installations that depend on gix-archive with the zip feature will presumably also fail until a new release of gix-archive is made with the dependency version updated.

Therefore, after #2011 is merged, I recommend that a new release of gix-archive be made.

(If for any reason #2011 were to be delayed, then 2c31d30 could be cherry-picked from it. But it looks to me like #2011 might be ready.)

In the mean time, passing --locked is a workaround. For example, where cargo install gitoxide fails, cargo install --locked gitoxide succeeds.

[Byron]

In #2014 the one commit with the zip dependency fix should be merged soon. I am still evaluating if a patch-release is possible at all, and if so I will make it right away.

Special thanks to @EliahKagan for pointing out that --locked is still a possible workaround. My snarky comment above was written under the assumption that, for some reason, that's not the case. It's corrected now.

[EliahKagan]

I've verified that, since the release of gix-archive 0.21.2 and other associated crates (#2014), cargo install gitoxide works again even without --locked.