tokuhirom's Blog

Split Amon2::Plugin::Web::CSRFDefender from core distribution.

1. Amon2::Plugin::Web::CSRFDefender has been removed from the Amon2 core distribution.

Amon2::Plugin::Web::CSRFDefender is no longer the default CSRF defender module in Amon2. I suggest using HTTP::Session2 instead.

If you still use Amon2::Plugin::Web::CSRFDefender, you need to declare the dependency explicitly in your cpanfile.

2. The latest Amon2::Plugin::Web::CSRFDefender is a bit more secure.

@mala pointed out that Amon2::Util::random_string is a bit insecure for token generation. I changed the default token generation algorithm in Amon2::Plugin::Web::CSRFDefender.

I think it's not a critical security issue, but you may want to update anyway.