because of CVE-2020-17527 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-17527
Comment From: philwebb
Thanks for the PR, but as mentioned in the pull request template, we have a semi-automated process for dependency upgrades that we prefer to use.