diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a80fd81b..cb6f51f4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,7 +24,7 @@ jobs: go-version: '1.21' - name: Build - run: go build -v -tags "b_tiny,b_sqlite,b_http,b_sql,b_postgres,b_openai,b_bson,b_crypto,b_smtpd,b_mail,b_postmark,b_bctypt,b_telegram" ./... + run: go build -v -tags "b_tiny,b_sqlite,b_http,b_sql,b_postgres,b_bson,b_crypto,b_smtpd,b_mail,b_bctypt,b_telegram,b_norepl" ./... # - name: Test # run: go test -v -tags "b_tiny,b_sqlite,b_http,b_sql,b_postgres,b_openai,b_bson,b_crypto,b_smtpd,b_mail,b_postmark,b_bctypt,b_telegram" ./...
diff --git a/.golangci.yml b/.golangci.yml
index 81802290..135ac91d 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -73,6 +73,10 @@ linters-settings: - name: unexported-return disabled: true - name: unused-parameter + gosec: exclude-rules: - id: G504 + linters: disable-all: true
@@ -94,6 +98,7 @@ linters: # - gomnd - goprintffuncname - gosec + # - gosec -exclude=G504 # - gosimple - govet # - ineffassign
diff --git a/evaldo/builtins_io.go b/evaldo/builtins_io.go
index 5405cfd4..844f6f1c 100755
--- a/evaldo/builtins_io.go
+++ b/evaldo/builtins_io.go
@@ -214,14 +214,14 @@ func __fs_write(ps *env.ProgramState, arg0 env.Object, arg1 env.Object, arg2 env
 case env.Uri:
 switch s := arg1.(type) {
 case env.String:
- err := ioutil.WriteFile(f.GetPath(), []byte(s.Value), 0644)
+ err := ioutil.WriteFile(f.GetPath(), []byte(s.Value), 0600)
 if err != nil {
 ps.FailureFlag = true
 return MakeBuiltinError(ps, err.Error(), "__fs_write")
 }
 return arg1
 case env.Native:
- err := ioutil.WriteFile(f.GetPath(), []byte(s.Value.([]byte)), 0644)
+ err := ioutil.WriteFile(f.GetPath(), []byte(s.Value.([]byte)), 0600)
 if err != nil {
 ps.FailureFlag = true
 return MakeBuiltinError(ps, err.Error(), "__fs_write")
diff --git a/main.go b/main.go
index 4b0a41df..f265fc89 100755
--- a/main.go
+++ b/main.go
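Review bot: The tag list on the new `run:` line is now out of step with the commented-out test step directly below it, which still names `b_openai` and `b_postmark` and lacks `b_norepl`, so whenever that test step is re-enabled it will compile a different set of builtins than the build step verifies. Hoisting the list into one job-level value such as `env: { TAGS: "b_tiny,…,b_norepl" }` and using `-tags "$TAGS"` in both steps keeps them aligned. Separately, `b_bctypt` survives into the new line and looks like a typo for `b_bcrypt`; if no source file carries a `//go:build b_bctypt` constraint, the bcrypt builtins are silently left out of the CI build and nothing fails. Worth grepping the tree for that tag before merging.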
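Review bot: The new `gosec:` block under `linters-settings` uses `exclude-rules:` with `- id: G504`, which does not match golangci-lint's schema: gosec's own setting is a plain list `excludes:` / `  - G504`, while `exclude-rules` is an `issues:`-level key whose entries take `linters`/`path`/`text` fields, so as written the exclusion is most likely ignored and a strict config validator may reject the unknown key. G504 is gosec's import-blocklist entry for `net/http/cgi` (the httpoxy problem); if that import is needed in exactly one place, a targeted `//nolint:gosec // reason` on the import line is narrower than a repository-wide exclusion and keeps the rule live everywhere else. The commented `# - gosec -exclude=G504` line in the following hunk is command-line syntax rather than config syntax and does nothing, so it can be dropped rather than left as a misleading hint.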
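Review bot: The changed `env.Native` line still carries an unchecked type assertion, `s.Value.([]byte)`, so a script that passes a Native wrapping anything other than a byte slice panics the interpreter instead of getting a failure value like the other error paths here; use the two-value form `b, ok := s.Value.([]byte)` followed by `if !ok { ps.FailureFlag = true; return MakeBuiltinError(ps, "expected []byte value", "__fs_write") }` and `err := ioutil.WriteFile(f.GetPath(), b, 0600)`, which also drops the redundant `[]byte(...)` conversion. On the mode change itself, `WriteFile` applies the permission only when it creates the file, so existing files keep whatever mode they already have and new files are still subject to the process umask — a one-line comment such as `// 0600: files created by scripts are private to the running user; existing files keep their mode` would stop the next reader assuming every write is locked down. Scripts that relied on 0644 to produce group/world-readable output (served assets, shared logs) will see a behaviour change that deserves a changelog entry. `ioutil.WriteFile` has been deprecated since Go 1.16 and CI builds with 1.21, so `os.WriteFile` is the drop-in replacement if `os` is already imported in this file. `__fs_write` begins and ends outside this hunk.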
@@ -16,7 +16,6 @@ import (
 "io/ioutil"
 "log"
 "os"
- "os/exec"
 "strings"
 "net/http"
@@ -515,7 +514,9 @@ func execInput(input string) error {
 }
 // Prepare the command to execute.
- cmd := exec.Command(args[0], args[1:]...)
+ // REMOVED 20231205
+ // Subprocess launched with a potential tainted input or cmd arguments (gosec)
+ // cmd := exec.Command(args[0], args[1:]...)
 //
 // look at this page on how to capture the output and pass it through:
@@ -553,9 +554,10 @@ func execInput(input string) error {
 //
 // Set the correct output device.
- cmd.Stderr = os.Stderr
- cmd.Stdout = os.Stdout
-
+ // REMOVED 20231205 -- as above
+ //cmd.Stderr = os.Stderr
+ // cmd.Stdout = os.Stdout
 // Execute the command and return the error.
- return cmd.Run()
+ // return cmd.Run()
+ return nil
 }
diff --git a/tests/builtins.html b/tests/builtins.html
index 712588d3..7c94b47a 100644
--- a/tests/builtins.html
+++ b/tests/builtins.html
@@ -747,6 +747,11 @@
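Review bot: Commenting out the `exec.Command` call leaves three lines of dead code plus a `REMOVED 20231205` marker on the new side, where version control already records the removal; if the subprocess feature is gone for good, delete the block outright, and if it is meant to come back, a build tag (this repo already gates features with `b_*` tags) or a `//nolint:gosec // args come from the interactive operator at the REPL, not from network input` annotation on the live call would record the decision where gosec reports it. The warning quoted in the new comment is G204, a taint warning rather than a vulnerability in itself; the meaningful mitigation for a shell-like loop is to allow-list `args[0]` or resolve it with `exec.LookPath` before running it, not to silence the finding by removing the code. `execInput` continues past both ends of this hunk.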
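Review bot: The new `return nil` makes `execInput` report success for a command it never ran; the REPL caller (outside this hunk) presumably treats a nil error as "executed" and prints nothing, so the user types a command and gets silence. Return an explicit error instead, e.g. `return fmt.Errorf("command execution is disabled in this build: %q", input)` or a package-level `errExecDisabled` sentinel if callers need to match it (`fmt` or `errors` may need importing — only `log`, `os`, `strings` and `net/http` are visible in the import hunk). The commented-out `cmd.Stderr`/`cmd.Stdout` assignments duplicate what git history already holds and should go with the rest of the dead block. With `os/exec` dropped from the imports this path can no longer execute anything, so the function's doc comment, also outside the hunk, should say so.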

group

Function(4)

{ } .group { .first }
 ; returns [
 ; ]
+
{ "Anne" "Mitch" "Anya" } .list .group first
+; returns [
+;  A: L[ Anne  Anya ]
+;  M: L[ Mitch ]
+; ]
{ } .list .group { .first }
 ; returns [
 ; ]