Thanks for letting me know -- I'll look into making a new release tonight.

@woodruffw Thanks, new release is out https://github.com/str4d/rage/releases/tag/v0.11.1

#95 performs the bump. Once merged and cut, I'll do a GHSA for the current range of releases to encourage people to upgrade.

Sounds good 💪

1.2.3 has been cut and should be live on PyPI shortly. Thanks for bringing this to my attention @gaby! You should get a notification soon about being invited to a draft GHSA (I'll assign you as the reporter so you get credit).

💪 Thanks for the quick fix on this.

1.2.3 should be live now, and you've received an invite to the GHSA. Please give that a quick look and if it LGTY I'll publish it 🙂

1.2.3 should be live now, and you've received an invite to the GHSA. Please give that a quick look and if it LGTY I'll publish it 🙂

Looks good to me, I'd say to add a section like the original cve

An equivalent issue was fixed in [the reference Go implementation of age](https://github.com/FiloSottile/age), see advisory [GHSA-32gq-x56h-299c](https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c).

Thanks to ⬡-49016 for reporting this issue.