A minor issue with
SafeERC20.safeApprove was identified and reported independently by @nikeshnazareth (thanks once again!), this release contains the correspondig fix: https://github.com/OpenZeppelin/openzeppelin-solidity/pull/1647.
This bug has been present since v2.0.0. Updating to this latest version is recommended, but no immediate emergency action should be required for production code using affected versions, due to the low severity of the issue.
We’ve also released v2.0.1: this is a backport of the v2.1.3 bugfix release for the 2.0.x line, which features Solidity v0.4.25 support. If you’re still using OpenZeppelin v2.0.0, you can upgrade to this version instead of migrating to v2.1 and Solidity v0.5.
These independent reviews are a great way to keep our code secure and correct: we’ll be making a push for a properly funded bug bounty during these next weeks to continue encouraging them. Stay tuned!