Bumps [sanitize-html](https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html) from 2.17.0 to 2.17.1.
- [Changelog](https://github.com/apostrophecms/apostrophe/blob/main/packages/sanitize-html/CHANGELOG.md)
- [Commits](https://github.com/apostrophecms/apostrophe/commits/2.17.1/packages/sanitize-html)

---
updated-dependencies:
- dependency-name: sanitize-html
  dependency-version: 2.17.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@octokit/endpoint](https://github.com/octokit/endpoint.js) from 11.0.2 to 11.0.3.
- [Release notes](https://github.com/octokit/endpoint.js/releases)
- [Commits](octokit/endpoint.js@v11.0.2...v11.0.3)

---
updated-dependencies:
- dependency-name: "@octokit/endpoint"
  dependency-version: 11.0.3
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…/octokit/endpoint-11.0.3' into security
Pull request overview
This PR is an automated security update generated by the DependabotSecureFlow workflow. It updates two dependencies to their latest patch versions for security purposes: sanitize-html (used for HTML sanitization to prevent XSS attacks) is updated from 2.17.0 to 2.17.1, and @octokit/endpoint is updated from 11.0.2 to 11.0.3.
Changes:
- Updated sanitize-html dependency from ^2.17.0 to ^2.17.1
- Updated @octokit/endpoint dependency from 11.0.2 to 11.0.3
- Added automated security batch update entries to CHANGELOG.md
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| package.json | Updates sanitize-html version from ^2.17.0 to ^2.17.1 |
| package-lock.json | Updates resolved versions and integrity hashes for sanitize-html (2.17.0→2.17.1) and @octokit/endpoint (11.0.2→11.0.3) |
| CHANGELOG.md | Adds automated security batch update entries dated 2026-02-19 23:38 UTC and 2026-02-19 06:16 UTC |
| - **2026-02-19 23:38 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-19 06:16 UTC**: Automated Security Batch Update (DependabotSecureFlow) |
Released version sections should remain immutable according to Keep a Changelog format. New changes (including automated security updates) should only be added to the [Unreleased] section at the top of the file. Version 1.1.0 was released on 2026-01-31, so entries dated 2026-02-19 cannot be retroactively added to it.
| - **2026-02-19 23:38 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-19 06:16 UTC**: Automated Security Batch Update (DependabotSecureFlow) |
Released version sections should remain immutable according to Keep a Changelog format. New changes (including automated security updates) should only be added to the [Unreleased] section at the top of the file. Version 1.2.0 was released on 2026-02-01, so entries dated 2026-02-19 cannot be retroactively added to it.
| - **2026-02-19 23:38 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-19 06:16 UTC**: Automated Security Batch Update (DependabotSecureFlow) |
Released version sections should remain immutable according to Keep a Changelog format. New changes (including automated security updates) should only be added to the [Unreleased] section at the top of the file. Version 1.0.0 was released on 2025-12-10, so entries dated 2026-02-19 cannot be retroactively added to it.
| ## [Unreleased] - 2026-02-16 | ||
| ### Added | ||
| - **2026-02-19 23:38 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-19 06:16 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-18 19:55 UTC**: Automated Security Batch Update (DependabotSecureFlow) | ||
| - **2026-02-17 20:37 UTC**: Automated Security Batch Update (DependabotSecureFlow) |
There are two [Unreleased] sections in the changelog - one at line 8 and another at line 181. This creates confusion and violates the Keep a Changelog format. The automated security updates should only be added to the primary [Unreleased] section at the top of the file, and this duplicate [Unreleased] section should be removed or converted to a dated release version.
| ## [Unreleased] - 2026-02-16 | |
| ### Added | |
| - **2026-02-19 23:38 UTC**: Automated Security Batch Update (DependabotSecureFlow) | |
| - **2026-02-19 06:16 UTC**: Automated Security Batch Update (DependabotSecureFlow) | |
| - **2026-02-18 19:55 UTC**: Automated Security Batch Update (DependabotSecureFlow) | |
| - **2026-02-17 20:37 UTC**: Automated Security Batch Update (DependabotSecureFlow) | |
| ## 1.1.1 - 2026-02-16 | |
| ### Added |
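Review bot: the heading `## [Unreleased] - 2026-02-16` carries a date, which is inconsistent with Keep a Changelog, where the Unreleased section has no date and a date belongs only on a versioned heading such as the `## 1.1.1 - 2026-02-16` line that follows it. If this block records changes that actually shipped, rename it to the version they shipped in; if it is meant to be the pending section, drop the date and merge it with the single `## [Unreleased]` section at the top of the file so the workflow has exactly one place to append to.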
| ## [Unreleased] | ||
| ### Added | ||
| - **2026-02-19 23:38 UTC**: Automated Security Batch Update (DependabotSecureFlow) |
The automated workflow uses sed -i "/### Added/a $LOG_ENTRY" which inserts the changelog entry after every occurrence of "### Added" in the file, causing entries to be added to released versions (1.1.0, 1.2.0, 1.0.0) in addition to [Unreleased]. The sed command should be modified to only target the first occurrence under [Unreleased], for example using sed -i '0,/### Added/s//### Added\n'"$LOG_ENTRY"'/' or by using awk to target only the [Unreleased] section. This violates the Keep a Changelog convention that released versions should remain immutable.
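To make the behaviour described in the comment above concrete, here is an added shell example (not code from this PR or from the DependabotSecureFlow workflow) that runs the workflow's `sed -i "/### Added/a $LOG_ENTRY"` pattern against a small constructed changelog with one `[Unreleased]` section and two released sections, and then runs an awk-based replacement that appends only under the first `### Added` heading inside `## [Unreleased]`. The changelog text, the function names and the entry string are constructed for the demonstration; `sed -i` is assumed to be GNU sed, as in the workflow. The awk variant reads the entry from the environment rather than from a sed replacement string, so `/`, `&` and `\` in the entry text are inserted literally instead of being interpreted.

```shell
#!/bin/sh
# Added example, not part of the PR or the DependabotSecureFlow workflow.
# Contrasts the workflow's "append after every '### Added'" sed with an awk
# insertion that only touches the [Unreleased] section.

# Constructed sample changelog: one pending section and two released ones.
make_changelog() {
    cat <<'EOF'
# Changelog

## [Unreleased]

### Added

## [1.2.0] - 2026-02-01

### Added
- Feature shipped in 1.2.0

## [1.1.0] - 2026-01-31

### Added
- Feature shipped in 1.1.0
EOF
}

# Buggy variant, as used by the workflow: GNU sed's "a" command fires on every
# line matching the address, so the entry lands in released sections too.
append_everywhere() {
    # $1 = changelog path, $2 = entry line
    sed -i "/### Added/a $2" "$1"
}

# Fixed variant: track whether we are inside "## [Unreleased]" (a heading that
# may or may not carry a trailing date) and append the entry after the first
# "### Added" seen there. The entry is passed via the environment so awk never
# interprets it as a regex or replacement string.
append_unreleased_only() {
    # $1 = changelog path, $2 = entry line
    entry="$2" awk '
        BEGIN { entry = ENVIRON["entry"] }
        /^## \[Unreleased\]/ { in_unreleased = 1 }
        /^## / && !/^## \[Unreleased\]/ { in_unreleased = 0 }
        { print }
        in_unreleased && !done && /^### Added/ { print entry; done = 1 }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Number of lines in the changelog containing the given text.
count_entries() {
    # $1 = changelog path, $2 = fixed text to look for
    grep -c -- "$2" "$1"
}

# Line number of the first line containing the given text (0 if absent).
first_entry_line() {
    # $1 = changelog path, $2 = fixed text to look for
    n=$(grep -n -- "$2" "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

demo() {
    entry='- **2026-02-19 23:38 UTC**: Automated Security Batch Update (DependabotSecureFlow)'
    f=$(mktemp)

    make_changelog > "$f"
    append_everywhere "$f" "$entry"
    printf 'sed variant: entry appears %s times\n' "$(count_entries "$f" 'Automated Security Batch Update')"

    make_changelog > "$f"
    append_unreleased_only "$f" "$entry"
    printf 'awk variant: entry appears %s time(s), first at line %s\n' \
        "$(count_entries "$f" 'Automated Security Batch Update')" \
        "$(first_entry_line "$f" 'Automated Security Batch Update')"

    rm -f "$f"
}
```

Running `demo` shows the sed form writing the entry three times (once per `### Added`, including the two released versions) while the awk form writes it once, directly under the `### Added` of `[Unreleased]`. The awk approach also behaves correctly when the Unreleased heading has a date appended, as it does in this changelog, because it matches on the `## [Unreleased]` prefix and resets when the next `## ` heading starts.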