use terser and clean-css directly

create a sourcemap as well by default

node_modules/ajv/README.md

@@ -11,7 +11,6 @@ The fastest JSON Schema validator for Node.js and browser. Supports draft-04/06/
 [![Greenkeeper badge](https://badges.greenkeeper.io/epoberezkin/ajv.svg)](https://greenkeeper.io/)
 [![Gitter](https://img.shields.io/gitter/room/ajv-validator/ajv.svg)](https://gitter.im/ajv-validator/ajv)
 
-### _Ajv and [related repositories](#related-packages) will be transfered to [ajv-validator](https://github.com/ajv-validator) org_
 
 ## Using version 6
 
@@ -53,7 +52,12 @@ ajv.addMetaSchema(require('ajv/lib/refs/json-schema-draft-04.json'));
   - [Defining custom keywords](#defining-custom-keywords)
   - [Asynchronous schema compilation](#asynchronous-schema-compilation)
   - [Asynchronous validation](#asynchronous-validation)
-  - [Security considerations](#security-considerations)
+- [Security considerations](#security-considerations)
+  - [Security contact](#security-contact)
+  - [Untrusted schemas](#untrusted-schemas)
+  - [Circular references in objects](#circular-references-in-javascript-objects)
+  - [Trusted schemas](#security-risks-of-trusted-schemas)
+  - [ReDoS attack](#redos-attack)
 - Modifying data during validation
   - [Filtering data](#filtering-data)
   - [Assigning defaults](#assigning-defaults)
@@ -65,7 +69,7 @@ ajv.addMetaSchema(require('ajv/lib/refs/json-schema-draft-04.json'));
 - [Plugins](#plugins)
 - [Related packages](#related-packages)
 - [Some packages using Ajv](#some-packages-using-ajv)
-- [Tests, Contributing, History, License](#tests)
+- [Tests, Contributing, History, Support, License](#tests)
 
 
 ## Performance
@@ -227,7 +231,7 @@ JSON Schema specification defines several annotation keywords that describe sche
 - `title` and `description`: information about the data represented by that schema
 - `$comment` (NEW in draft-07): information for developers. With option `$comment` Ajv logs or passes the comment string to the user-supplied function. See [Options](#options).
 - `default`: a default value of the data instance, see [Assigning defaults](#assigning-defaults).
-- `examples` (NEW in draft-07): an array of data instances. Ajv does not check the validity of these instances against the schema.
+- `examples` (NEW in draft-06): an array of data instances. Ajv does not check the validity of these instances against the schema.
 - `readOnly` and `writeOnly` (NEW in draft-07): marks data-instance as read-only or write-only in relation to the source of the data (database, api, etc.).
 - `contentEncoding`: [RFC 2045](https://tools.ietf.org/html/rfc2045#section-6.1 ), e.g., "base64".
 - `contentMediaType`: [RFC 2046](https://tools.ietf.org/html/rfc2046), e.g., "image/png".
@@ -237,7 +241,11 @@ __Please note__:  Ajv does not implement validation of the keywords `examples`,
 
 ## Formats
 
-The following formats are supported for string validation with "format" keyword:
+Ajv implements formats defined by JSON Schema specification and several other formats. It is recommended NOT to use "format" keyword implementations with untrusted data, as they use potentially unsafe regular expressions - see [ReDoS attack](#redos-attack).
+
+__Please note__: if you need to use "format" keyword to validate untrusted data, you MUST assess their suitability and safety for your validation scenarios.
+
+The following formats are implemented for string validation with "format" keyword:
 
 - _date_: full-date according to [RFC3339](http://tools.ietf.org/html/rfc3339#section-5.6).
 - _time_: time with optional time-zone.
@@ -611,6 +619,13 @@ See [Options](#options).
 JSON Schema, if properly used, can replace data sanitisation. It doesn't replace other API security considerations. It also introduces additional security aspects to consider.
 
 
+##### Security contact
+
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure. Please do NOT report security vulnerabilities via GitHub issues.
+
+
 ##### Untrusted schemas
 
 Ajv treats JSON schemas as trusted as your application code. This security model is based on the most common use case, when the schemas are static and bundled together with the application.
@@ -636,9 +651,9 @@ An attempt to compile such schemas or validate such data would cause stack overf
 
 Some keywords in JSON Schemas can lead to very slow validation for certain data. These keywords include (but may be not limited to):
 
-- `pattern` and `format` for large strings - use `maxLength` to mitigate
+- `pattern` and `format` for large strings - in some cases using `maxLength` can help mitigate it, but certain regular expressions can lead to exponential validation time even with relatively short strings (see [ReDoS attack](#redos-attack)).
+- `patternProperties` for large property names - use `propertyNames` to mitigate, but some regular expressions can have exponential evaluation time as well.
 - `uniqueItems` for large non-scalar arrays - use `maxItems` to mitigate
-- `patternProperties` for large property names - use `propertyNames` to mitigate
 
 __Please note__: The suggestions above to prevent slow validation would only work if you do NOT use `allErrors: true` in production code (using it would continue validation after validation errors).
 
@@ -650,13 +665,29 @@ const isSchemaSecure = ajv.compile(require('ajv/lib/refs/json-schema-secure.json
 const schema1 = {format: 'email'};
 isSchemaSecure(schema1); // false
 
-const schema2 = {format: 'email', maxLength: 256};
+const schema2 = {format: 'email', maxLength: MAX_LENGTH};
 isSchemaSecure(schema2); // true
 ```
 
 __Please note__: following all these recommendation is not a guarantee that validation of untrusted data is safe - it can still lead to some undesirable results.
 
 
+## ReDoS attack
+
+Certain regular expressions can lead to the exponential evaluation time even with relatively short strings.
+
+Please assess the regular expressions you use in the schemas on their vulnerability to this attack - see [safe-regex](https://github.com/substack/safe-regex), for example.
+
+__Please note__: some formats that Ajv implements use [regular expressions](https://github.com/epoberezkin/ajv/blob/master/lib/compile/formats.js) that can be vulnerable to ReDoS attack, so if you use Ajv to validate data from untrusted sources __it is strongly recommended__ to consider the following:
+
+- making assessment of "format" implementations in Ajv.
+- using `format: 'fast'` option that simplifies some of the regular expressions (although it does not guarantee that they are safe).
+- replacing format implementations provided by Ajv with your own implementations of "format" keyword that either uses different regular expressions or another approach to format validation. Please see [addFormat](#api-addformat) method.
+- disabling format validation by ignoring "format" keyword with option `format: false`
+
+Whatever mitigation you choose, please assume all formats provided by Ajv as potentially unsafe and make your own assessment of their suitability for your validation scenarios.
+
+
 ## Filtering data
 
 With [option `removeAdditional`](#options) (added by [andyscott](https://github.com/andyscott)) you can filter data during the validation.
@@ -1339,6 +1370,11 @@ __Please note__: [Changes in version 6.0.0](https://github.com/epoberezkin/ajv/r
 [Version 2.0.0](https://github.com/epoberezkin/ajv/releases/tag/2.0.0).
 
 
+## Open-source software support
+
+Ajv is a part of [Tidelift subscription](https://tidelift.com/subscription/pkg/npm-ajv?utm_source=npm-ajv&utm_medium=referral&utm_campaign=readme) - it provides a centralised support to open-source software users, in addition to the support provided by software maintainers.
+
+
 ## License
 
 [MIT](https://github.com/epoberezkin/ajv/blob/master/LICENSE)