
Aeson 2

A new major version of aeson was released, and it includes the mitigation for the hash collision vulnerability. I only have a little bit of time on the computer today, and I will be AFK again tomorrow, but I decided to at least see what needs to be done to have compatibility with the new release.

I selected bm for testing and constructed a build plan using GHC 8.10.7 with the following Stack configuration:

resolver: lts-18.13

packages:
  - .

extra-deps:
  - aeson-2.0.1.0
  - hashable-1.3.4.1
  - semialign-1.2
  - time-compat-1.9.6.1

The build fails while compiling the yaml dependency, which has not yet been updated for the new API. Somebody has already opened an issue on the yaml tracker about compatibility with aeson-2.0.

Note that yaml attempts to build (and fails) because the package does not specify an upper bound for its aeson dependency, so the solver accepts the aeson-2.0.1.0 pinned in extra-deps rather than rejecting the plan up front. This is unfortunate, as libraries on Hackage really should specify (both lower and upper) dependency bounds!

Speaking of dependency bounds, I have not been very strict about specifying dependency bounds for packages that are not used as libraries and are not on Hackage. As it turns out, I have two such released packages, and the lack of aeson bounds causes the builds to fail when using Cabal, since cabal-install's solver is free to pick the newest aeson from the Hackage index. (Stack builds do not fail because the aeson version is pinned by the snapshot.) I added dependency bounds and am currently preparing releases.
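The API change that breaks yaml and other downstream code is that aeson 2 replaced the `HashMap Text Value` representation of `Object` with its own `KeyMap Value` keyed by a `Key` type (part of the hash-collision mitigation). The following is an added example, not code from the post or from the bm package, showing the usual way to support both majors from one source: a small compatibility module that selects its implementation with the `MIN_VERSION_aeson` macro. That macro is generated by Cabal and Stack for every package listed in build-depends, so it picks the right branch for whatever aeson version the build plan resolves, and it only does anything useful if the .cabal file actually declares a bound such as `aeson >=1.5 && <2.1`. The module name, function names and the sample JSON document are assumptions made for this example; it needs the aeson, bytestring and text packages, plus unordered-containers on aeson 1.x.

```haskell
{-# LANGUAGE CPP #-}
{-# LANGUAGE OverloadedStrings #-}
-- Added example (not part of the original post): helpers that compile against
-- both aeson 1.x (Object = HashMap Text Value) and aeson 2.x (Object = KeyMap
-- Value). MIN_VERSION_aeson is defined by Cabal/Stack from the aeson version
-- selected by the build plan, so the matching branch is chosen per build.
module AesonCompat
  ( lookupKey
  , objectToList
  , objectFromList
  , main
  ) where

import Data.Aeson (Object, Value (..), decode, encode)
import qualified Data.ByteString.Lazy.Char8 as BL
import Data.Text (Text)

#if MIN_VERSION_aeson(2,0,0)
import qualified Data.Aeson.Key as Key
import qualified Data.Aeson.KeyMap as KM
#else
import qualified Data.HashMap.Strict as HM
#endif

-- | Look up a field by its textual name on either aeson major version.
lookupKey :: Text -> Object -> Maybe Value
#if MIN_VERSION_aeson(2,0,0)
lookupKey k = KM.lookup (Key.fromText k)
#else
lookupKey = HM.lookup
#endif

-- | Flatten an object to (Text, Value) pairs, hiding aeson 2's Key type.
objectToList :: Object -> [(Text, Value)]
#if MIN_VERSION_aeson(2,0,0)
objectToList = map (\(k, v) -> (Key.toText k, v)) . KM.toList
#else
objectToList = HM.toList
#endif

-- | Build an object from (Text, Value) pairs.
objectFromList :: [(Text, Value)] -> Object
#if MIN_VERSION_aeson(2,0,0)
objectFromList = KM.fromList . map (\(k, v) -> (Key.fromText k, v))
#else
objectFromList = HM.fromList
#endif

-- Constructed sample document for the demo (not real package metadata).
sampleJson :: BL.ByteString
sampleJson = "{\"name\":\"bm\",\"version\":\"0.1.0.0\",\"deps\":[\"aeson\",\"yaml\"]}"

main :: IO ()
main = case decode sampleJson of
  Just (Object o) -> do
    -- Field lookup and key enumeration go through the compat helpers only,
    -- so no other module needs to know whether keys are Text or Key.
    print (lookupKey "name" o)
    print (map fst (objectToList o))
    BL.putStrLn (encode (Object (objectFromList [("aeson", String "2.0.1.0")])))
  _ -> putStrLn "sample did not parse as a JSON object"
```

Routing every direct `Object` access through a module like this keeps the `#if` blocks in one place; the rest of the code base uses `Text` keys and is unaware of the aeson version. Note that key order when printing is not guaranteed on either side, since both representations are hash-based by default.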