CLAUDE.md (5 additions & 5 deletions)
@@ -297,15 +297,15 @@ CVEs often arrive in clusters because one package release fixes several at once.
-**Sibling PR exists and its branch already pins ≥ `<min-patched-version>`**:
-`gh pr checkout <number>`
-
-Add a CHANGELOG entry for *this*CVE on the same branch (one line per CVE).
+
-**Edit** the existing CHANGELOG line for this PR — append this CVE ID to the comma-separated list. Do not add a new CHANGELOG line.
-`gh pr edit <number>` to append the CVE ID to the title and body, and add a `Fixes <LINEAR-ID>` line to the PR body alongside any existing `Fixes` lines (this auto-links the Linear issue and Linear will mark it Done when the PR merges).
- Do not transition the Linear issue manually — leave it for the merge to close.
-**Do not open a new PR.**
-**Sibling PR exists but its pin is too low to cover this CVE**:
- Check out the branch.
- Bump the resolution / package version higher to cover both.
-
-Add a CHANGELOG entry. Update the PR title and body, and add `Fixes <LINEAR-ID>` to the PR body.
+
-**Edit** the existing CHANGELOG line — append this CVE and update the version. Update the PR title and body, and add `Fixes <LINEAR-ID>` to the PR body.
- Do not transition the Linear issue manually — leave it for the merge to close.
-**No sibling PR exists**:
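Review bot: The replacement lines ("**Edit** the existing CHANGELOG line for this PR" and "**Edit** the existing CHANGELOG line — append this CVE and update the version") assume the sibling PR carries exactly one CHANGELOG line; when a sibling PR has already bumped more than one package, the text should say which line to append to (the one naming this CVE's `<pkg>`), otherwise a CVE can end up attributed to the wrong upgrade. In the "pin is too low" branch, "update the version" should also state that the version written on the CHANGELOG line is the version actually pinned after the bump, which must be at least `<min-patched-version>` for every CVE listed on that line, so the entry never claims a version that does not cover one of them.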
@@ -315,10 +315,10 @@ CVEs often arrive in clusters because one package release fixes several at once.
### CHANGELOG and PR conventions for CVE fixes
-
- CHANGELOG entry (under `[Unreleased] → Fixed`): `Upgraded \`<pkg>\` to \`^x.y.z\` to address CVE-XXXX-XXXXX. [#<PR>]`
-
- One CHANGELOG line per CVE, even when multiple CVEs share a PR.
+
- CHANGELOG entry (under `[Unreleased] → Fixed`): `Upgraded \`<pkg>\` to \`^x.y.z\` to address CVE-A, CVE-B, .... [#<PR>]`
+
-**One CHANGELOG line per PR**, not per CVE. When the PR addresses multiple CVEs (batched), list all of them comma-separated on a single line.
- PR title format: `chore: upgrade <pkg> to ^x.y.z to address CVE-A, CVE-B, ...` (list every CVE the PR resolves).
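Review bot: The new template `to address CVE-A, CVE-B, .... [#<PR>]` reads as four dots; if the intent is "further CVEs, then a sentence-ending period", separate them (`CVE-A, CVE-B, ... .`) or state that the real line ends with the last CVE ID followed by a period, so the placeholder dots are not copied literally into the CHANGELOG. It would also help to fix an order for the comma-separated IDs (for example ascending by CVE number), since the edited section above now appends IDs to an existing line and an explicit order keeps the CHANGELOG line and the PR title consistent when several CVEs arrive in one batch.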