Bump likify-it & uc-micro deps to force use versions with fixed ReDOS issue

8 years ago · 45e3234249
2 changed files with 10 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,11 @@
+6.0.3 / 2016-05-30
+------------------
+
+- Security fix: possible ReDOS in `linkify-it` (forced bump of `linkify-it` &
+  `uc-micro` dependencies). New installs will use fixed packages automatically,
+  but we bumped `markdown-it` version for sure & for web builds.
+
+
 6.0.2 / 2016-05-16
 ------------------

--- a/package.json
+++ b/package.json
@ -27,9 +27,9 @@
  "dependencies": {
    "argparse": "^1.0.7",
    "entities": "~1.1.1",
-    "linkify-it": "~1.2.0",
+    "linkify-it": "~1.2.2",
    "mdurl": "~1.0.1",
-    "uc.micro": "^1.0.0"
+    "uc.micro": "^1.0.1"
  },
  "devDependencies": {
    "ansi": "~0.3.0",