plynchnlm
commented
8 years ago The motivation for this is that the 0.4.3 version depends on ~0.7.0 of google-cdn, which depends on package debug which pulls in a vulnerable version of ms. If a new version is tagged, then it can be referenced with bower and version 1.0.0 of google-cdn will be selected, which won't pull in the vulnerable ms.
zoellner
I see google-cdn was updated (almost a year ago). Could you tag a new version that includes that change? The latest tagged version is 0.4.3 which doesn't have it.