Downgrade cargo package when latest version is yanked

[alex]

In a Rust project, I merged a PR from dependabot to upgrade bitflags to 1.0.5. Later, the 1.0.5 release was yanked. I think in this case it'd be appropriate for dependabot to lower the version to 1.0.4, the otherwise latest version. I think this behavior makes sense because if I run cargo update locally, I get a downgrade. You can see this with the following repository: https://github.com/alex/csv-sql

[greysteil]

I'd really love to do this, but it's hard! Dependabot has a bunch of logic that prevents it from accidentally creating downgrade PRs, and that gets in the way here. I'm going to leave this open because this is definitely possible (especially given how the crates.io index works), but I can't look at it straight away.

[snarfed]

Yes! Beyond Rust, this would be useful for all package ecosystems that support yanking. Eg I recently got bit by a hang bug in grpc's pip package, grpc/grpc#31885. They eventually yanked the affected release version, 1.52.0, but dependabot had already upgraded my projects, so I had to debug myself and eventually figure out the affected dependency and what to do about it, grpc/grpc#31885 (comment). Would definitely have been nice if dependabot spared me that!