aonez / Keka

The macOS & iOS file archiver

Home Page: https://www.keka.io

Security warning: xz-utils had a supply chain attack, please check if/how your app is affected

porg opened this issue · comments

commented

I wanted to inform you ASAP, as my favorite compression utility, about this recent supply chain attack on xz:
https://en.wikipedia.org/wiki/XZ_Utils#Supply_chain_attack

  • I'm not sure whether you integrate xz or its library, or make calls to the system-wide installed library.
  • Better to inform than not to inform.

Regards, porg

commented

Thanks a lot for the info @porg! Keka is currently using xz and liblzma version 5.4.5, so it should not be affected. I’ll wait to update the version until this is fixed, hopefully very soon.

Anyway, no system resources use the bundled liblzma in Keka, which is also sandboxed without network capabilities. Let’s see how this evolves.

commented

Will be updating to the latest v5.6.2 in the next revision. Glad the issue did not escalate further.