An Empirical Study of Yanked Releases in the Rust Package Registry

TL;DR

This study analyzes the usage and impact of the yank mechanism in Rust's Cargo registry, revealing its increasing adoption, reasons beyond defect withdrawal, and its propagation effects on package dependencies.

Contribution

It provides the first empirical analysis of release-level deprecation in Cargo, highlighting usage patterns, rationales, and ecosystem-wide effects.

Findings

9.6% of packages have yanked releases

Yanked releases increased from 2014 to 2020

46% of packages adopt yanked releases, affecting dependency resolution

Abstract

Cargo, the software packaging manager of Rust, provides a yank mechanism to support release-level deprecation, which can prevent packages from depending on yanked releases. Most prior studies focused on code-level (i.e., deprecated APIs) and package-level deprecation (i.e., deprecated packages). However, few studies have focused on release-level deprecation. In this study, we investigate how often and how the yank mechanism is used, the rationales behind its usage, and the adoption of yanked releases in the Cargo ecosystem. Our study shows that 9.6% of the packages in Cargo have at least one yanked release, and the proportion of yanked releases kept increasing from 2014 to 2020. Package owners yank releases for other reasons than withdrawing a defective release, such as fixing a release that does not follow semantic versioning or indicating a package is removed or replaced. In addition, we found that 46% of the packages directly adopted at least one yanked release and the yanked releases propagated through the dependency network, which leads to 1.4% of the releases in the ecosystem having unresolved dependencies.