Hello fellow Dancers.

We've been notified about a potential security issue that affects both Dancer and Dancer2. For releases up to

* Dancer v1.3136, or
* Dancer2 v0.160001

it was possible to abuse session cookie values so that file-based session stores such as Dancer::Session::YAML or Dancer2::Session::YAML would attempt to read/write from any file on the filesystem with the same extension the file-based store uses, such as '*.yml' for the YAML stores.

The issue was reported by Andrew Beverley and fixed in the following releases

* Dancer v1.3138 (Yanick Champoux)
* Dancer2 v0.160002 (Russell Jenkins)

The updated packages are now available from your favorite CPAN mirror.

The file-based session stores are intended to be used for prototyping and testing. While we do not recommend using file-based session stores in production, there may be single-machine production environments where they are useful. If you are using any of the file-based session stores in production, we strongly advise you to upgrade.

Thanks for your trust, and happy dancing!

Sawyer, Yanick & Russell.
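
For anyone maintaining a custom file-based session store, here is a sketch of the kind of check that keeps a cookie-supplied session id from selecting a file outside the session directory. This is an added example, not the code from the Dancer or Dancer2 fixes; the helper name session_file_for and the assumed id format (16 to 128 characters from A-Z, a-z, 0-9, '_' and '-') are hypothetical.

```perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Basename qw(dirname);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper (not part of Dancer's API): map a session id taken
# from a cookie to a file inside $session_dir, or return nothing if the id
# must not be used to build a path.
sub session_file_for {
    my ($session_dir, $id, $ext) = @_;

    # Allowlist the id. Assumed format: 16-128 chars of [A-Za-z0-9_-].
    # \A and \z anchor the whole string, so path separators, dots,
    # NUL bytes and a trailing newline are all rejected.
    return unless defined $id && $id =~ /\A[A-Za-z0-9_-]{16,128}\z/;

    my $base = realpath($session_dir);
    return unless defined $base && -d $base;

    my $path = File::Spec->catfile($base, "$id.$ext");

    # Defence in depth: the resolved parent must be the session directory
    # itself, and the session file must not be a symlink to somewhere else.
    my $parent = realpath(dirname($path));
    return unless defined $parent && $parent eq $base;
    return if -l $path;

    return $path;
}

# Constructed sample ids: one well-formed, the rest malformed on purpose.
my $dir = tempdir(CLEANUP => 1);
for my $id ('Vq3mZk0a9fYtB2cLxE7h', '../other-dir/data', '/var/tmp/data',
            'name.with.dots.in.it', 'short') {
    my $path = session_file_for($dir, $id, 'yml');
    printf "%-24s => %s\n", $id, defined $path ? 'accepted' : 'rejected';
}
```

Only the first sample id is accepted; a rejected id should be treated as "no session" and a fresh id issued, rather than passed on to the store.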