Update CHANGELOG with security updates

[mcbouslog]

Updates CHANGELOG with a few security updates from 2021.

With approval (and merge) of this PR, I'll bump the version to 5.0.3 and publish to npm.

I think the process would be as follows, but good to confirm:

1. pull master, create v5.0.3 (or similar named) branch
2. npm rm -rf node_modules/ && npm ci (with node 14, will change lockfileVersion to 2, prob few other lockfile changes)
3. npm preversion
4. update CHANGELOG to reflect v5.0.3
5. npm version patch
6. npm publish
7. git push
8. git push --tags
9. get v5.0.3 reviewed/merged to master on GitHub

[eatyourgreens]

I could be wrong, but you might be able to push new versions straight to master.

npm version patch|minor|major
npm publish

should build, tag and publish, from memory.

EDIT: master isn't protected, so you can push new versions directly, without a PR.