diff --git a/LICENSE b/LICENSE
index 38320dc..d6b60c3 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,6 @@
 ISC License
 
-Copyright (c) 2017, Nicolai Kamenzky, Ty Abonil, and contributors
+Copyright (c) 2019, Nicolai Kamenzky, Ty Abonil, and contributors
 
 Permission to use, copy, modify, and/or distribute this software for any
 purpose with or without fee is hereby granted, provided that the above
diff --git a/README.md b/README.md
index 564d3ef..6339c65 100644
--- a/README.md
+++ b/README.md
@@ -645,6 +645,9 @@ If you want to debug a test you should use `gulp test-without-coverage` to run a
 
 ## Change History
 
+- v4.2.5 (2019-11-03)
+    - Security fix: bumped `request-promise-core` which bumps `lodash` to `^4.17.15`. See [vulnerabilty reports](https://snyk.io/vuln/search?q=lodash&type=npm).
+      *(Thanks to @rishabh-chowdhary for reporting this in pull request [#326](https://github.com/request/promise-core/pull/326).)*
 - v4.2.4 (2019-02-14)
     - Corrected mistakenly set `tough-cookie` version, now `^2.3.3`
       *(Thanks to @evocateur for pointing this out.)*
diff --git a/package.json b/package.json
index 5b7018b..72127b5 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "request-promise",
-  "version": "4.2.4",
+  "version": "4.2.5",
   "description": "The simplified HTTP request client 'request' with Promise support. Powered by Bluebird.",
   "keywords": [
     "xhr",