diff CHANGES.txt @ 8553:ee17f62c8341

bug: improve security of eval'ed session database data. (hexora) Hexora flagged: eval(res[0]) where res[0] is a stored repr of a dictionary. Change these to safe_eval(s), s=res[0], using: eval(s, {'__builtins__': {}}, {}) to wipe all functions and variable references inside the eval. This may be breakable; however, it's better than it was. There is one place where a username (set by user) is stored as a value, but the username rules prohibit ' or " from being present. Also, a repr("us'er") is properly quoted, and safe_eval(repr({'user': 'us\'r'})) is properly round tripped.
author John Rouillard <rouilj@ieee.org>
date Sun, 05 Apr 2026 17:44:02 -0400
parents 05e21949657a
children 5fbf6451a782
line diff
--- a/CHANGES.txt	Thu Apr 02 12:26:13 2026 -0400
+++ b/CHANGES.txt	Sun Apr 05 17:44:02 2026 -0400
@@ -68,6 +68,7 @@
 - refactor mime detection/handling in the rest interface. Better
   supports some mime types, ads default mime type for files without a
   mime type (e.g. message contents). Cleaner code. (John Rouillard)
+- run hexora and mitigate/fix some medium sev and above. (John Rouillard)
 
 Features:
 
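Review bot: the added CHANGES.txt line ("run hexora and mitigate/fix some medium sev and above") does not tell users what actually changed; the commit message describes the concrete fix (stored session database values are now loaded with eval(s, {'__builtins__': {}}, {}) instead of a bare eval(res[0])), and that is what belongs in the changelog, together with the commit message's own caveat that this is a mitigation rather than a complete fix. Suggest something like "- run hexora over the code base; harden eval of stored session data by evaluating with empty __builtins__ (mitigation, not a complete fix). (John Rouillard)". Also, the adjacent context line "ads default mime type for files" carries a pre-existing typo for "adds" that could be fixed while this section is being touched.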

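To make the commit message's reasoning concrete, here is an added example (not Roundup's code) that reproduces the safe_eval() described above, checks the repr round trip it relies on, and puts it side by side with ast.literal_eval(), which is offered here as a stricter alternative and is an assumption of this note rather than what the commit uses. The session record and the non-literal input string are constructed for the example.

```python
import ast
from typing import Any, Callable

def safe_eval(s: str) -> Any:
    """Loader as described in the commit message: eval() with builtins
    stripped, so names like open or __import__ are not resolvable.
    It still evaluates arbitrary expressions (attribute access, calls)."""
    return eval(s, {'__builtins__': {}}, {})

def literal_eval(s: str) -> Any:
    """Stricter alternative (assumption, not the commit's choice): only
    Python literals (str, bytes, numbers, tuples, lists, dicts, sets,
    booleans, None) are accepted; anything else raises ValueError."""
    return ast.literal_eval(s)

def round_trips(value: Any, loader: Callable[[str], Any]) -> bool:
    """repr() a value (what the session database stores) and check the
    loader gives the same value back."""
    return loader(repr(value)) == value

# Constructed sample session record, including a username with an
# embedded single quote, the case the commit message discusses.
SESSION = {'user': "us'er", 'sid': 'abc123', 'last_use': 1712345678.0}

# Constructed non-literal input: a valid expression, but not a literal.
NON_LITERAL = "[1].__class__.__name__"

def compare(s: str) -> dict:
    """Run both loaders on the same stored string and report whether each
    accepted it ('ok', value) or rejected it ('rejected', exception name)."""
    results = {}
    for name, fn in (('safe_eval', safe_eval), ('literal_eval', literal_eval)):
        try:
            results[name] = ('ok', fn(s))
        except (ValueError, SyntaxError, NameError, TypeError) as e:
            results[name] = ('rejected', type(e).__name__)
    return results

if __name__ == '__main__':
    # Both loaders round-trip a repr'd dict, quotes included.
    print(round_trips(SESSION, safe_eval), round_trips(SESSION, literal_eval))
    # safe_eval evaluates the attribute chain; literal_eval refuses it.
    print(compare(NON_LITERAL))
    # A call to a builtin fails under safe_eval only because the name is gone.
    print(compare("open('x')"))
```

The round trip holds for both loaders because repr() already escapes or switches quote style for strings containing quotes, so the username rule mentioned in the commit message is belt-and-braces rather than load-bearing. The difference shows up on non-literal input: stripping __builtins__ removes names, but eval() still executes whatever expression the stored string contains, whereas ast.literal_eval() rejects it before evaluation, which is the property a stored-repr loader actually wants.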
Roundup Issue Tracker: http://roundup-tracker.org/