You know, I was all proud of how Class::CGI was nice and easy to use and made untainting a breeze (due to its "once and only once" philosophy), but curiously, I had never run any tests under taint mode. Today I just did. It blew up, badly. The following snippet illustrates the problem:
#!/usr/bin/perl -T
use Module::Load::Conditional qw(check_install);
# Only dies when the script runs under -T; fine without it.
check_install( module => 'Data::Dumper' );
Which blows up with:
Insecure dependency in eval while running with -T switch at
Seems Module::Load::Conditional reads lines in from your modules and evals "VERSION" lines to get the version. This is a showstopper for Class::CGI. Working on a bug report and a fix now. All of the code appears to assume that VERSION information is all on one line, so while that is not always correct, if I use that as my baseline, I can at least hope that I won't make things worse.
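To make the failure mode concrete, here is an added example (my own, not Module::Load::Conditional's code or the fix being worked on) of the two ways to get a version out of a single-line "VERSION" declaration under -T. The tainted "source line" is constructed inline, tainted the way file input would be by gluing on a zero-length slice of %ENV; `version_from_line` is a hypothetical helper that relies on the rule that a regex capture is untainted, so the eval never sees tainted data. It deliberately keeps the one-line assumption the text describes, so a declaration split across lines returns undef rather than a guess.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical helper: return the version declared on one source line, or
# undef. Handles the usual single-line forms:
#   our $VERSION = '1.02';   $Foo::Bar::VERSION = 1.02;   $VERSION = "v1.2.3";
# A VERSION assignment spread over several lines is NOT recognised (same
# one-line baseline as the text above).
sub version_from_line {
    my ($line) = @_;
    return undef unless $line =~ /
        ^\s*
        (?:our\s+)?
        \$(?:[\w:]+::)?VERSION      # $VERSION or $Some::Package::VERSION
        \s*=\s*
        ['"]?([\w.]+)['"]?          # the version literal, quoted or not
        \s*;
    /x;
    return $1;    # a regex capture is untainted under -T
}

# Constructed sample: a line as it would be read from a module file. Appending
# an empty slice of the (always tainted) %ENV value taints it without
# touching the disk.
my $taint_source = substr( $ENV{PATH} // '', 0, 0 );
my $line = 'our $VERSION = "1.02";' . $taint_source;
printf "source line tainted: %s\n", tainted($line) ? 'yes' : 'no';

# 1. The unsafe route: string-eval the line. Under -T this is exactly the
#    "Insecure dependency in eval" death from the error message above.
{
    no strict 'vars';
    my $ok = eval $line;
    print "eval of tainted line: ", ( defined $ok ? "ran" : "died: $@" );
}

# 2. The safe route: extract the literal with a regex first.
my $v = version_from_line($line);
printf "parsed version: %s (tainted: %s)\n", $v, tainted($v) ? 'yes' : 'no';

# Other single-line forms the helper accepts.
for my $src ( q{$Foo::Bar::VERSION = 1.02;}, q{$VERSION = 'v1.2.3';} ) {
    printf "%-32s => %s\n", $src, version_from_line($src) // 'undef';
}

# The known limitation: a multi-line declaration is not parsed.
my $split = "our \$VERSION =\n";
printf "%-32s => %s\n", 'multi-line declaration', version_from_line($split) // 'undef';
```

Run it with perl -T; without the switch the eval in step 1 succeeds silently, which is why the bug stays hidden until a test suite is actually run in taint mode.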