You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
docs: drop CVE IDs from CHANGELOG convention for CVE fixes
CHANGELOG entries for CVE upgrades now read "to address security
vulnerabilities" instead of enumerating CVE IDs. CVE IDs remain in the
PR title and body. Updated the batching rules to match.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copy file name to clipboardExpand all lines: CLAUDE.md
+5-5Lines changed: 5 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -321,15 +321,15 @@ CVEs often arrive in clusters because one package release fixes several at once.
321
321
322
322
-**Sibling PR exists and its branch already pins ≥ `<min-patched-version>`**:
323
323
-`gh pr checkout <number>`
324
-
-**Edit** the existing CHANGELOG line for this PR — append this CVE ID to the comma-separated list. Do not add a new CHANGELOG line.
324
+
-Leave the CHANGELOG line as-is — it does not enumerate CVEs, so no edit is needed. Do not add a new CHANGELOG line.
325
325
-`gh pr edit <number>` to append the CVE ID to the title and body, and add a `Fixes <LINEAR-ID>` line to the PR body alongside any existing `Fixes` lines (this auto-links the Linear issue and Linear will mark it Done when the PR merges).
326
326
- Do not transition the Linear issue manually — leave it for the merge to close.
327
327
-**Do not open a new PR.**
328
328
329
329
-**Sibling PR exists but its pin is too low to cover this CVE**:
330
330
- Check out the branch.
331
331
- Bump the resolution / package version higher to cover both.
332
-
-**Edit** the existing CHANGELOG line — append this CVE and update the version. Update the PR title and body, and add `Fixes <LINEAR-ID>` to the PR body.
332
+
-**Edit** the existing CHANGELOG line — update the version. Update the PR title and body, and add `Fixes <LINEAR-ID>` to the PR body.
333
333
- Do not transition the Linear issue manually — leave it for the merge to close.
334
334
335
335
-**No sibling PR exists**:
@@ -339,10 +339,10 @@ CVEs often arrive in clusters because one package release fixes several at once.
339
339
340
340
### CHANGELOG and PR conventions for CVE fixes
341
341
342
-
- CHANGELOG entry (under `[Unreleased] → Fixed`): `Upgraded \`<pkg>\` to \`^x.y.z\` to address CVE-A, CVE-B, ....[#<PR>]`
343
-
-**One CHANGELOG line per PR**, not per CVE. When the PR addresses multiple CVEs (batched), list all of them comma-separated on a single line.
342
+
- CHANGELOG entry (under `[Unreleased] → Fixed`): `Upgraded \`<pkg>\` to \`^x.y.z\`.[#<PR>]`. Do NOT list CVE IDs in the CHANGELOG.
343
+
-**One CHANGELOG line per PR**, not per CVE. A batched PR addressing multiple CVEs still gets a single line that does not enumerate them.
344
344
- PR title format: `chore: upgrade <pkg> to ^x.y.z to address CVE-A, CVE-B, ...` (list every CVE the PR resolves).
345
-
- Keep entries short. The CVE IDs are enough.
345
+
- Keep entries short. CVE IDs belong in the PR title and body, not the CHANGELOG.
0 commit comments