Security Issue #64
Closed
Description
The pull request #56 made Encode.pm accept non-shortest form representation which is ill-formed UTF-8. This also introduces a security issue, please see Unicode Technical Report #36, UNICODE SECURITY CONSIDERATIONS 3.1 for a possible exploit. I recommend that this change is reverted and that Encode 2.85 and 2.86 are removed from CPAN mirrors. The impact of any distro including Encode 2.86 or 2.85 could be disastrous and even cause a CVE.
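The following check is an added example, not part of the original issue or of Encode's own tests: it compares the Unicode table of well-formed UTF-8 byte sequences with what the installed Encode accepts under a strict decode. The sample byte strings are constructed, and the helper name `strict_decode_ok` is hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode ();

# Well-formed UTF-8 byte sequences (Unicode Standard, Table 3-7).
# Lead bytes C0/C1 and the ranges E0 80..9F and F0 80..8F are absent
# because they can only begin non-shortest (overlong) encodings.
my $WELL_FORMED = qr/\A(?:
      [\x00-\x7F]
    | [\xC2-\xDF][\x80-\xBF]
    | \xE0[\xA0-\xBF][\x80-\xBF]
    | [\xE1-\xEC\xEE\xEF][\x80-\xBF]{2}
    | \xED[\x80-\x9F][\x80-\xBF]
    | \xF0[\x90-\xBF][\x80-\xBF]{2}
    | [\xF1-\xF3][\x80-\xBF]{3}
    | \xF4[\x80-\x8F][\x80-\xBF]{2}
)*\z/x;

# True if the installed Encode decodes $bytes as strict UTF-8 without croaking.
sub strict_decode_ok {
    my ($bytes) = @_;
    my $copy = $bytes;    # decode() with a CHECK value may modify its argument
    return eval { Encode::decode('UTF-8', $copy, Encode::FB_CROAK); 1 } ? 1 : 0;
}

# Constructed samples: label, octets, whether a conforming decoder accepts them.
my @samples = (
    [ 'U+002F shortest form',   "\x2F",             1 ],
    [ 'U+00E9 shortest form',   "\xC3\xA9",         1 ],
    [ 'U+002F 2-byte overlong', "\xC0\xAF",         0 ],
    [ 'U+002F 3-byte overlong', "\xE0\x80\xAF",     0 ],
    [ 'U+002F 4-byte overlong', "\xF0\x80\x80\xAF", 0 ],
);

my $failures = 0;
for my $sample (@samples) {
    my ($label, $bytes, $expect) = @$sample;
    my $table  = $bytes =~ $WELL_FORMED ? 1 : 0;
    my $encode = strict_decode_ok($bytes);
    printf "%-24s %-9s table=%-6s Encode=%s\n",
        $label, uc unpack('H*', $bytes),
        $table  ? 'accept' : 'reject',
        $encode ? 'accept' : 'reject';
    $failures++ if $encode != $expect;
}

# Non-zero exit: the installed Encode disagrees with the table for some sample.
exit($failures ? 1 : 0);
```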