unable to use old version of s2n-quic

[derust]

Problem:

I want to use an old version of s2n-quic (v1.3.0)
But even I specifying it in Cargo.toml

[package]
name = "hello"
version = "0.1.0"
edition = "2021"

[dependencies]
s2n-quic = { version = "1.3.0"}

But it still resolve to the latest version

# cargo tree
hello v0.1.0 (/root/a/hello)
└── s2n-quic v1.33.0

It can be reproduced in a brand new environment

[camshaft]

I would encourage you to read the docs on dependency resolution: https://doc.rust-lang.org/cargo/reference/resolver.html#semver-compatibility. You need a = if you want to pin to a specific version.

That being said: why are you wanting to use an old version?

[toidiu]

In general we highly recommend our customers to use the latest version of the library. As pointed out above you should be able to select an older version by specifying it using =. Please feel free to reopen this issue if you run into issues.

[derust]

I'd try that already, and I guess found the reason
s2n-quic v1.3.2 dependent on zerocopy 0.6.0 with pinned version

zerocopy = "=0.6.0"

which is yanked
https://crates.io/crates/zerocopy/0.6.0

Since s2n-quic get popular, people will need to maintain old version, update to latest version is not always possible.

So maybe use a less restric version in Cargo.toml is better?
like:

zerocopy = "0.6"

since min version won't break things

[camshaft]

So maybe use a less restric version in Cargo.toml is better?

This was pinned due to zerocopy including a non-standard license in >0.6.1, which was reverted in later versions. I'm not sure why they yanked so many versions, there's not much we can do about that. There's an issue on their end about them being a bit too aggressive with yanking: google/zerocopy#679.

That being said, users of s2n-quic need to stay up-to-date with new releases. Several bug fixes have been merged since v1.3.2 and is not actively receiving any security backports either.