Mitigating security issues of jsonpickle
kukgini opened this issue · 1 comment
kukgini commented
A security guy told me about indy-node vulnerabilities. It's about a jsonpickle security issue, and it is classified as critical: GHSA-j66q-qmrc-89rx
However, the jsonpickle team defended that it is intended, and they suggested that, to be safe, users of this library should set safe=True when calling jsonpickle.decode(): jsonpickle/jsonpickle#335
It appears that in indy-plenum, jsonpickle.decode() is called without the safe parameter. Wouldn't it be better to add it?
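Added example, not indy-plenum's or jsonpickle's own code: the suggestion above is to pass safe=True, but per jsonpickle's documentation that flag only disables the eval() behind py/repr payloads. The py/object, py/type, py/reduce and py/function tags still import and call whatever dotted name the payload contains, so a decoder fed untrusted data also needs an allowlist. The gate below parses the text as plain JSON first (nothing is resolved or executed), rejects every py/ tag it does not recognise and every py/object or py/type naming a class outside the allowlist, and only then calls jsonpickle.decode(..., safe=True). The function names, the sample payloads and the class name app.models.Txn are assumptions made for this example.

```python
"""Allowlist gate in front of jsonpickle.decode(safe=True).

Added example (not indy-plenum or jsonpickle code). The payload is parsed as
plain JSON first, so nothing is imported or executed while it is checked.
"""
import json
from typing import Any, Iterable, Optional

# Tags that only describe structure and resolve no importable name.
STRUCTURE_TAGS = frozenset({"py/tuple", "py/set", "py/id", "py/b64", "py/state"})
# Tags whose value is a dotted name that jsonpickle imports; checked against the allowlist.
NAME_TAGS = frozenset({"py/object", "py/type"})
# Every other "py/..." tag (py/repr, py/reduce, py/function, py/newargs, ...) is rejected:
# safe=True only stops the eval() behind py/repr, while py/reduce and py/function
# still import and call whatever callable the payload names.


def _walk(node: Any, allowed: frozenset, path: str) -> Optional[str]:
    """Return a description of the first unsafe tag found, or None if clean."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.startswith("py/"):
                if key in NAME_TAGS:
                    if not isinstance(value, str) or value not in allowed:
                        return f"{path}: {key} names {value!r}, which is not allowlisted"
                elif key not in STRUCTURE_TAGS:
                    return f"{path}: tag {key} is not permitted"
            problem = _walk(value, allowed, f"{path}.{key}")
            if problem:
                return problem
    elif isinstance(node, list):
        for i, item in enumerate(node):
            problem = _walk(item, allowed, f"{path}[{i}]")
            if problem:
                return problem
    return None


def find_unsafe_tag(text: str, allowed_types: Iterable[str]) -> Optional[str]:
    """Parse text as plain JSON and say why it must not reach jsonpickle, or None."""
    return _walk(json.loads(text), frozenset(allowed_types), "$")


def decode_allowlisted(text: str, allowed_types: Iterable[str]) -> Any:
    """Run the gate, then decode with safe=True. jsonpickle is imported only here."""
    problem = find_unsafe_tag(text, allowed_types)
    if problem:
        raise ValueError(f"refusing to decode: {problem}")
    import jsonpickle  # third-party; the gate itself needs only the stdlib

    return jsonpickle.decode(text, safe=True)


# Constructed sample payloads; "app.models.Txn" is a hypothetical application class.
ALLOWED_TYPES = frozenset({"app.models.Txn"})
SAMPLES = {
    "plain": '{"kind": "note", "values": [1, 2, 3]}',
    "allowlisted": '{"py/object": "app.models.Txn", "amount": 5, "tags": {"py/set": ["a", "b"]}}',
    "foreign_class": '{"py/object": "collections.OrderedDict", "x": 1}',
    "repr": '{"py/repr": "datetime/datetime.now()"}',  # the one tag safe=True disables
    "reduce": '{"py/reduce": [{"py/function": "time.sleep"}, {"py/tuple": [0]}]}',
    "nested": '{"items": [{"py/object": "app.models.Txn"}, {"py/newargs": []}]}',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:14} -> {find_unsafe_tag(text, ALLOWED_TYPES) or 'ok'}")
```

Unknown py/ tags are denied by default, so a jsonpickle release that introduces a new tag fails closed rather than open; if an allowlisted class relies on a tag not listed in STRUCTURE_TAGS, add it deliberately after checking what the unpickler does with it.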
PatStLouis commented