Open
Description
I notice that the dependencies for standard-version are all fixed (no ^ or ~ for example). This makes it impossible to get the version bump in conventional-changelog, which fixes a CVE.
Could the standard-version dependencies be updated to use something like ^ so that upgrades and de-duplication of transitive dependencies are possible? If you object to this approach, could we at least get a new release of standard-version with conventional-changelog version bumped?