@@ -5,23 +5,26 @@ All notable changes to this project will be documented in this file.
55The format is based on [ Keep a Changelog] ( https://keepachangelog.com/en/1.1.0/ ) ,
66and this project adheres to [ Semantic Versioning] ( https://semver.org/spec/v2.0.0.html ) .
77
8- ## [ 2.1.0] - unreleased
8+ ## [ 2.1.0] - 2026-06-11
99
1010### Changed
11- - Security severities and CVE numbers are now sourced from the Packagist
12- security-advisories API (the same data ` composer audit ` uses) instead of
13- scraping typo3.org bulletin pages: one bulk request, version-constraint
14- matching per release, and severity labels in lowercase. This also fixes
15- miscounted severities when a release-day announcement listed bulletins
16- of sibling release lines.
17- - The report leads with the fixed vulnerabilities per release (CVE number,
18- right-aligned severity, title, link in aligned columns, with a total in
19- the heading) and lists the fixing changelog commits beneath a ` Fixed by: `
20- label — one commit often fixes several CVEs; typo3.org bulletin URLs are
21- shown only when no advisory data is available.
11+ - Security advisories are matched through Packagist's
12+ security-advisories API (the same data source as ` composer audit ` )
13+ instead of scraping typo3.org bulletin pages. The plugin now does one
14+ cached bulk lookup, matches advisories by Composer version constraints
15+ for each release, and avoids over-counting advisories from sibling
16+ TYPO3 release lines.
17+ - Security sections now lead with fixed vulnerabilities, including CVE
18+ number, severity, title, and link where Packagist has that data,
19+ followed by the changelog entries that fixed them under a ` Fixed by: `
20+ label. When advisory data is missing, typo3.org bulletin links remain
21+ visible.
22+ - Reports now distinguish unavailable Packagist advisory data from
23+ security releases whose CVE/severity details are not yet published, and
24+ mark those releases as ` unrated ` in severity totals.
2225
2326### Removed
24- - typo3.org security-bulletin scraping (` SecurityBulletinFetcher ` ).
27+ - Direct typo3.org security-bulletin scraping (` SecurityBulletinFetcher ` ).
2528
2629## [ 2.0.0] - 2026-06-10
2730
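Review bot: the new "Changed" bullets say typo3.org bulletin links "remain visible" when advisory data is missing, while the "Removed" section drops the only bulletin fetcher (`SecurityBulletinFetcher`); the entry should state where those links now come from (for example, URLs already present in the changelog commits) so readers do not expect the removed scraper to still run. The same bullet introduces a "cached bulk lookup" of the Packagist security-advisories API: since severity totals and the new `unrated` marker depend on that data, note the cache lifetime or how to refresh it, otherwise a report generated from a stale cache can under-report a release that Packagist has since rated.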