High CVE-2026-21452 via msgpack dependency

[Thunderforge]

The version of msgpack used by this repo is 0.8.11. A denial-of-service vulnerability CVE-2026-21452 exists in versions prior to 0.9.11.

Can the version of msgpack be upgraded to 0.9.11 or later so that this vulnerability is fixed?

┆Issue is synchronized with this Jira Task by Unito

[ttypic]

Hey @Thunderforge,

Thanks a lot for reporting this. We will create a release shortly. I just want to assure you that the vulnerability you mentioned is not really applicable to the Ably SDK, since the SDK only deserializes requests returned from Ably services.