Va1 / smart-getenv

Wrapper for os.getenv that achieves return values of a specified type

Remove insecure code

szuliq opened this issue · comments

The env variables might come from insecure sources.

You're using eval for getting dicts. This is insecure.

This function can also be used to execute arbitrary code objects (such as those created by compile()).

Instead, use https://docs.python.org/2/library/ast.html#ast.literal_eval
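To make the point of this report concrete, here is an added example (not code from smart-getenv or from the reporter) that puts the two approaches side by side: a reader that parses a dict-valued environment variable with `eval`, and a hardened reader that uses `ast.literal_eval`. The environment mapping, the variable names and the hostile value are all constructed for the demonstration; the hostile payload only appends to a marker list so the effect of `eval` is visible without doing anything harmful.

```python
import ast

# Constructed marker: the hostile value below appends to it when eval() runs it.
SIDE_EFFECTS = []

# Constructed sample environment standing in for os.environ.
SAMPLE_ENV = {
    "APP_SETTINGS": "{'debug': True, 'retries': 3, 'hosts': ['a', 'b']}",
    # Hostile value: syntactically a valid Python expression, but not a literal.
    # eval() executes the method call; ast.literal_eval rejects it outright.
    "APP_SETTINGS_EVIL": "SIDE_EFFECTS.append('code ran') or {'debug': False}",
}


def getenv_dict_eval(name, env=SAMPLE_ENV):
    """The pattern the issue objects to: eval() on an untrusted string.

    Anyone who controls the variable controls what code this process runs.
    Kept here only for comparison; do not use it.
    """
    return eval(env[name])  # deliberately insecure


def getenv_dict_safe(name, default=None, env=SAMPLE_ENV):
    """Hardened variant: ast.literal_eval accepts only Python literal syntax
    (dicts, lists, tuples, sets, strings, bytes, numbers, booleans, None).
    Names, attribute access and calls are rejected before anything runs.
    """
    raw = env.get(name)
    if raw is None:
        return default
    try:
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        # literal_eval raises ValueError for non-literal nodes and SyntaxError
        # for unparsable text; very deep nesting can exhaust the parser.
        raise ValueError(f"{name}: value is not a Python literal: {raw!r}") from exc
    if not isinstance(value, dict):
        # The type the caller asked for is checked explicitly; a literal list
        # or string is still not a dict.
        raise TypeError(f"{name}: expected a dict, got {type(value).__name__}")
    return value


def hostile_value_rejected(name="APP_SETTINGS_EVIL", env=SAMPLE_ENV):
    """True when the hardened reader refuses the value without executing it."""
    before = len(SIDE_EFFECTS)
    try:
        getenv_dict_safe(name, env=env)
    except ValueError:
        return len(SIDE_EFFECTS) == before
    return False


if __name__ == "__main__":
    print("safe reader, benign value:", getenv_dict_safe("APP_SETTINGS"))
    print("safe reader rejects hostile value:", hostile_value_rejected())
    print("eval reader, hostile value:", getenv_dict_eval("APP_SETTINGS_EVIL"))
    print("side effects after eval:", SIDE_EFFECTS)
```

Two caveats a practitioner should keep in mind: `ast.literal_eval` is a parser for literals, not a sandbox, so its own documentation warns that pathological inputs (very deeply nested expressions) can still crash the interpreter, which is why the reader above wraps `MemoryError` and `RecursionError` as well. And it returns whatever literal the string encodes, so the caller still has to check that the result is the type it expected, as the `isinstance` test does.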

commented

hey @szuliq ,

nice notice, I will look into this and update the package, I think.

Cheers,
Valentyn

commented

Done! Version 1.1.0 was shipped to PyPI. Thank you!