Summary
Add a mechanism for pack authors to mark a published version as yanked (should not be installed) or deprecated (superseded, install with warning).
Motivation
Currently publishing is one-way — once a version is merged into the registry, it's permanent. If a pack author discovers a bug, security issue, or misconfiguration in a published version, they have no way to prevent new installations of that version.
Proposed protocol changes
Add optional fields to packs/{name}.json version entries:
{
  "version": "1.0.0",
  "yanked": true,
  "yanked_reason": "Security issue in MCP server configuration",
  "files": { ... }
}
- yanked: Resolver skips this version unless explicitly pinned by lockfile
- deprecated: Resolver warns but still allows installation
weave publish --yank <version> creates a PR to set the yanked flag
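The resolver behaviour proposed above, sketched as an added example (not code from the weave project). The `versions` list shape, the boolean `deprecated` field, the numeric MAJOR.MINOR.PATCH ordering, and the `resolve` function with its warning texts are assumptions for illustration; only `yanked` and `yanked_reason` come from the proposal.

```python
import json

# Constructed registry entry for a hypothetical pack. "yanked" and
# "yanked_reason" are the proposed fields; the "versions" wrapper and the
# boolean "deprecated" field are assumed shapes.
REGISTRY = json.loads("""
{"versions": [
  {"version": "1.0.0", "yanked": true,
   "yanked_reason": "Security issue in MCP server configuration"},
  {"version": "1.1.0", "deprecated": true},
  {"version": "0.9.0"}
]}
""")


def _key(version):
    # Assumes plain numeric MAJOR.MINOR.PATCH version strings.
    return tuple(int(part) for part in version.split("."))


def resolve(entries, pinned=None):
    """Return (version, warnings); pinned is the lockfile's version, if any."""
    warnings = []
    if pinned is not None:
        entry = next((e for e in entries if e["version"] == pinned), None)
        if entry is None:
            raise LookupError(f"pinned version {pinned} not in registry")
        # An explicit lockfile pin is the only path to a yanked version.
        # Surfacing the reason here is this example's choice.
        if entry.get("yanked", False):
            reason = entry.get("yanked_reason", "no reason given")
            warnings.append(f"{pinned} is yanked: {reason}")
    else:
        # Fresh resolution never considers yanked versions.
        candidates = [e for e in entries if not e.get("yanked", False)]
        if not candidates:
            raise LookupError("every published version is yanked")
        entry = max(candidates, key=lambda e: _key(e["version"]))
    # Deprecated versions stay installable but produce a warning.
    if entry.get("deprecated", False):
        warnings.append(f"{entry['version']} is deprecated")
    return entry["version"], warnings
```

A missing `yanked` key is treated as `false`, so existing registry entries resolve exactly as before the fields were introduced.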