[RFC] "http-types" breakage / additions / rework

Haskell Community [Unofficial] June 19, 2026

hasufell:

I find it quite odd that we’re trying to hold library maintainers hostage because someone else is too lazy to manage their bounds.

I was thinking this too (in my now deleted comment), but @arybczak’s issue would also happen with packages that have proper bounds. It questions the entire concept of versions.

arybczak:

  1. A vulnerability is discovered in x, a fix is made, x-2.1 released.

I think this step should be extended:

  1. A vulnerability is discovered in x
    • check which versions are affected
    • check which versions are used by a significant amount of people
    • patch the intersection of those two sets
