We hit PyPI's per-project storage limit while trying to publish a CVE fix. I'd already opened a limit increase request (pypi/support#10676) a few days ago, but the queue is long and the security fix couldn't wait. Removing some old releases was the only way to free enough room, and as far as I can tell PyPI deletions can't be undone.
I deleted 0.40.0, 0.41.0, 0.42.0 from PyPI earlier today, and I know that broke some installs. I'm sorry.
Partial release 0.149.13 with the GHSA-qc2x-6f54-m6h9 fix was also removed, as it was missing pieces due to the out-of-space issue on PyPI. A new release, 0.149.16, has the fix that was originally intended for 0.149.13.
0.149.16 has the fixes for GHSA-qc2x-6f54-m6h9, GHSA-9663-mqmp-p9mm, GHSA-rfg2-pjw2-56x2, GHSA-phvx-9mgw-67r5, and GHSA-9pgc-3ccv-5297.
0.40.0, 0.41.0, 0.42.0 were affected by the CVE, so anyone on those versions needed to upgrade anyway. I just really didn't want to force that timing on people without warning.
If you were pinned to either version, please bump to the latest release. If you hit anything weird while upgrading, or if this caused downstream pain I should know about, open an issue, and I'll do what I can to help.
Sorry again.