We've published a blog post with all of the details of this morning's security bug in Librem Chat and our response. https://puri.sm/posts/underscoring-our-transparency-first-librem-one-bug-report/
@downey As a general rule we only run stable released upstream versions of things. This was a special case because we needed specific functionality.
@kyle In light of this issue do you intend to continue to run master as production or stick to only released upstream dependencies in the future?