clientsession >= 0.9 uses skein == 1.0.* which includes Skein v1.3 up from Skein v1.1. I'm not sure if we should upgrade the clientsession dependency on Yesod 1.1 as well since that will break all current sessions on a stable branch of Yesod. Also, Yesod 1.2's release is already on the horizon. Therefore I didn't update the stable branch.
clientsession >= 0.9
skein == 1.0.*
Use clientsession 0.9.* on Yesod 1.2.
Thanks! I released a new version in the 1.1 branch as well allowing the newer clientsession.
What I don't like about allowing clientsession >= 0.8 is that one may end up with binaries that can't be used together because they were compiled with different versions of clientsession. Things would get funny on a load balancer.
clientsession >= 0.8
I don't think the right way to address that problem is to make it impossible for users to use a newer version of the library if they want to. I think the only correct solution for production deployment is to nail down precise versions of all dependencies. I should really write a blog post on this topic, it's come up a few times.