Commit a28e5bf

Prepare 2.1.0 release
1 parent 3017271 commit a28e5bf

1 file changed

Lines changed: 16 additions & 13 deletions

File tree

CHANGELOG.md

@@ -5,23 +5,26 @@ All notable changes to this project will be documented in this file.
55
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
66
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
77

8-
## [2.1.0] - unreleased
8+
## [2.1.0] - 2026-06-11
99

1010
### Changed
11-
- Security severities and CVE numbers are now sourced from the Packagist
12-
security-advisories API (the same data `composer audit` uses) instead of
13-
scraping typo3.org bulletin pages: one bulk request, version-constraint
14-
matching per release, and severity labels in lowercase. This also fixes
15-
miscounted severities when a release-day announcement listed bulletins
16-
of sibling release lines.
17-
- The report leads with the fixed vulnerabilities per release (CVE number,
18-
right-aligned severity, title, link in aligned columns, with a total in
19-
the heading) and lists the fixing changelog commits beneath a `Fixed by:`
20-
label — one commit often fixes several CVEs; typo3.org bulletin URLs are
21-
shown only when no advisory data is available.
11+
- Security advisories are matched through Packagist's
12+
security-advisories API (the same data source as `composer audit`)
13+
instead of scraping typo3.org bulletin pages. The plugin now does one
14+
cached bulk lookup, matches advisories by Composer version constraints
15+
for each release, and avoids over-counting advisories from sibling
16+
TYPO3 release lines.
17+
- Security sections now lead with fixed vulnerabilities, including CVE
18+
number, severity, title, and link where Packagist has that data,
19+
followed by the changelog entries that fixed them under a `Fixed by:`
20+
label. When advisory data is missing, typo3.org bulletin links remain
21+
visible.
22+
- Reports now distinguish unavailable Packagist advisory data from
23+
security releases whose CVE/severity details are not yet published, and
24+
mark those releases as `unrated` in severity totals.
2225

2326
### Removed
24-
- typo3.org security-bulletin scraping (`SecurityBulletinFetcher`).
27+
- Direct typo3.org security-bulletin scraping (`SecurityBulletinFetcher`).
2528

2629
## [2.0.0] - 2026-06-10
2730
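Review bot: the rewritten first bullet under `### Changed` drops two details the unreleased draft stated, "severity labels in lowercase" and the fix for "miscounted severities" on release-day announcements, while adding the word "cached" to the bulk lookup. If severity labels are still emitted in lowercase in 2.1.0, that is a user-visible output change and should stay in the entry; and "one cached bulk lookup" should only remain if the advisory lookup is actually cached in this release, ideally saying where or for how long (for example "cached for the duration of a run"), since the draft only claimed "one bulk request". In the new third bullet, `unrated` is a new value that can appear in severity totals; anyone consuming those totals should be told to expect it, so consider stating that explicitly, e.g. "- Severity totals gain an `unrated` bucket for security releases whose advisories are not yet published."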
