csrf-magic 1.0.2 is a security-fix release. It fixes a bug in which IP-based tokens were used even when no secret was specified, which meant that CSRF attacks could be mounted against users with no cookies on the website. Thanks to Jakub Vrána for reporting.
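The failure mode described above, as an added example that is not csrf-magic's own code: a simplified model of an IP-bound token issued with and without the "secret must be set" check. The function names, the HMAC-SHA256 construction, the two-hour lifetime and the sample values are assumptions made for this illustration.

```php
<?php
// Simplified model for illustration; not csrf-magic's source.
// All names and sample values are hypothetical / constructed.

// MAC over the client IP and the issue time, keyed with the site secret.
function ip_token(string $secret, string $ip, int $time): string {
    return hash_hmac('sha256', $ip . '|' . $time, $secret) . ',' . $time;
}

// Behaviour the release note describes as the bug: the IP-based token is
// issued for cookieless clients even when no secret is configured.
function issue_unfixed(string $secret, string $ip, int $time): ?string {
    return ip_token($secret, $ip, $time);
}

// Hardened form: with an empty secret every input to the token is known
// outside the server, so no IP-based token is issued at all.
function issue_fixed(string $secret, string $ip, int $time): ?string {
    return $secret === '' ? null : ip_token($secret, $ip, $time);
}

// Verification applies the same rule, bounds token age, and compares in
// constant time.
function verify_fixed(string $secret, string $ip, string $token,
                      int $now, int $maxAge = 7200): bool {
    if ($secret === '') {
        return false;
    }
    $parts = explode(',', $token);
    if (count($parts) !== 2 || !ctype_digit($parts[1])) {
        return false;
    }
    $time = (int) $parts[1];
    if ($time > $now || $now - $time > $maxAge) {
        return false;
    }
    return hash_equals(ip_token($secret, $ip, $time), $token);
}

$ip  = '203.0.113.7';   // constructed sample (documentation address range)
$now = 1700000000;      // constructed sample timestamp

// Empty secret: the issued token equals one recomputed from the IP and time alone.
var_dump(hash_equals(issue_unfixed('', $ip, $now), ip_token('', $ip, $now)));
// Hardened issuer refuses to produce an IP-based token without a secret.
var_dump(issue_fixed('', $ip, $now));
// With a secret set, a token built without that secret does not verify.
var_dump(verify_fixed('constructed-secret', $ip, ip_token('', $ip, $now), $now));
var_dump(verify_fixed('constructed-secret', $ip, issue_fixed('constructed-secret', $ip, $now), $now));
```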