None yet (version 2.0.2).
Versions between 1.1.0 and 2.0.1 fail to compile when we turn on Ed25519 compatibility.
Versions 1.0.1 and below use crypto_memcmp(), which could not be guaranteed to run in constant time in practice, despite the absence of secret-dependent branches in the original source code. The fear of subsequent timing attacks led to its deprecation. Version 1.1.0 and above use the fixed size
Versions 2.0.1 and below fail to wipe some of their internal buffers.
Versions 1.0.0 and below do not wipe their internal buffers. This can facilitate the exfiltration of data if the computer Monocypher runs on is compromised.