{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreiahisk6bdcu4xwzyb5btkzgxk2g5lmdpxj52oeqrtz3tlxvt6sqaq",
    "uri": "at://did:plc:pi6woz4d47bkuws673w2il2r/app.bsky.feed.post/3moo3c22kii42"
  },
  "path": "/t/rfc-http-types-breakage-additions-rework/14286?page=2#post_26",
  "publishedAt": "2026-06-19T17:30:51.000Z",
  "site": "https://discourse.haskell.org",
  "tags": [
    "@jaror"
  ],
  "textContent": "@jaror no, this only takes care of vulnerabilities in `http-types`, not downstream libraries.\n\nHere’s an example:\n\n  1. `x-1.0` depends on `http-types < 1.0`.\n  2. `http-types-1.0` is released, breaking API.\n  3. `x-2.0` is released, requiring `http-types >= 1.0`.\n  4. A vulnerability is discovered in `x`, a fix is made, `x-2.1` released.\n\nIf you depend on `x` and want to update to 2.1 that fixes the vulnerability, all your other dependencies need to work with `http-types >= 1.0`.\n\nYou’d need to convince the author of an affected downstream library to maintain two versions, one that depends on `http-types < 1.0` and one that depends on `http-types >= 1.0`.",
  "title": "[RFC] \"http-types\" breakage / additions / rework"
}