Add a note about fixed vulnerability in 1.0.8

gaearon · romaindso · commit 7c8a0e3a7e47 · 2017-07-10T15:27:07.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -165,6 +165,8 @@ or
 yarn add --dev --exact react-scripts@1.0.8
 ```
 
+**If you previously used `HTTPS=true` environment variable in development**, make sure you aren't affected by a now-fixed vulnerability in Webpack by [visiting this page](http://badcert.mike.works/). You can read more about the vulnerability [here](https://medium.com/@mikenorth/webpack-preact-cli-vulnerability-961572624c54).
+
 You may optionally then move `react-scripts` from `devDependencies` to `dependencies` since that’s how we’ll structure newly created projects. It is not necessary though.
 
 If you left the service worker integration enabled and didn’t change how it works, you can replace `src/registerServiceWorker.js` with [this updated version](https://raw.githubusercontent.com/facebookincubator/create-react-app/895c475d3fc218c65dcac9a3ef3f2c0ea746a1ed/packages/react-scripts/template/src/registerServiceWorker.js).
