docs(changelog): apply v3.x audit revisions across all 21 release sections#13362
Open
membphis wants to merge 2 commits into
…tions

Follow-up to #13360 and tracked in #13359. This change implements the remaining audit findings for the entire v3.x changelog (3.0.0 through 3.16.0): backfill missing patch sections, expand or rewrite entries to reflect real user impact, mark breaking changes with `:warning:`, and add user-visible PRs that were previously omitted.

Highlights:

- Backfill 3.2.2 / 3.4.1 / 3.8.1 / 3.9.1 sections that existed on the `release/3.x` branches but were never cherry-picked back to master. Each backfilled section carries the original release-branch text; jwt-auth bypass (#9837) and forward-auth POST header leak (#11184) are now labelled `:warning:` under a `### Security` subsection where applicable.
- Replace the 3.2.1 placeholder paragraph with the 5-6 real bugfixes from `release/3.2` (incl. the missing #9309 proxy-rewrite fix).
- 3.16.0: add #12961 ai-proxy header forwarding fix; mark #13046 and #13057 `:warning:` and rewrite #13006 / #13066 / #13030 for users.
- 3.15.0: mark #12862 (lua-resty-session 4.x AES-256-GCM default forces OIDC re-auth) and #12714 / #12678 `:warning:`; aggregate dep bumps.
- 3.14.0: move #12551 X-Forwarded-* trusted-source change from Bugfixes to Change with `:warning:` and the `trusted_addresses` upgrade hint.
- 3.13.0 / 3.12.0 / 3.11.0 / 3.10.0 / 3.9.0 / 3.8.0 / 3.7.0 / 3.6.0 / 3.5.0 / 3.4.0 / 3.3.0 / 3.2.0 / 3.1.0 / 3.0.0: add missing user-facing PRs, expand implementation-side wording to user-side, fix dropped rockspec dep bumps, deduplicate entries listed in two subsections, and add `:warning:` flags where the schema/default-value scan flagged silent breaking changes (incl. #11993 ssl_trusted_certificate, #11601 credential resource, #11581 hmac-auth field rename, #10393 OTel span name, #10233 strict schema scope, #11343 config-default.yaml removal, #11312 lyaml stricter parsing, #10469 kafka-logger required_acks=0, #9622 google-cloud-logging client_email, #8660 jwt-auth Vault removed, #8180 upstream type optional).

Diff: +240 / -77 lines.

Refs #13359.
The `ci/check_changelog_prs.ts` script captures only the first `#NNNN` match per line. Four entries from the previous commit listed a related PR (or an external-repo reference like `api7/apisix-nginx-module#108`) before the entry's own PR number, so the check reported the entries' own PRs as missing from CHANGELOG.md. Reorder so that the entry's canonical PR appears first on the line:

- 3.15.0 #12678 (apisix-runtime init_worker)
- 3.13.0 #12244 (server-info deprecation)
- 3.10.0 #11095 (encrypted plugin fields expansion)
- 3.8.1 #11174 (forward-auth POST headers)
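The false "missing PR" reports described in the commit above come from a first-match-per-line scan. This added example (not the project's own `ci/check_changelog_prs.ts`, whose internals are not on this page) reproduces that behaviour on constructed changelog lines and contrasts it with a scan that collects every same-repo `#NNNN` on the line while ignoring external-repo references such as `api7/apisix-nginx-module#108`; the sample lines and the expected PR list are constructed for illustration.

```typescript
// Constructed sample changelog lines modelled on the entries the commit reorders.
// Each line cites a related PR or an external-repo PR before the entry's own PR.
const SAMPLE_LINES: string[] = [
  "- :warning: apisix-runtime: run init_worker (api7/apisix-nginx-module#108) #12678",
  "- server-info: mark plugin deprecated (follow-up to #12243) #12244",
  "- forward-auth: add POST request headers only if auth request method is POST #11184",
];

// Constructed list of merged PRs that must each appear somewhere in the changelog.
const EXPECTED_PRS: number[] = [12678, 12244, 11184];

// Behaviour described in the commit: only the first `#NNNN` on a line is captured,
// so a preceding related PR or external-repo ref hides the entry's own number.
function firstPrOnLine(line: string): number | null {
  const m = /#(\d+)/.exec(line);
  return m === null ? null : Number(m[1]);
}

// Every `#NNNN` on the line that is not glued to an `owner/repo` slug.
// The preceding-character class rejects `api7/apisix-nginx-module#108`, which
// otherwise would be counted as this repository's PR #108.
function samePrRefsOnLine(line: string): number[] {
  const refs: number[] = [];
  const re = /(^|[^\w.\-/])#(\d+)/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(line)) !== null) {
    refs.push(Number(m[2]));
  }
  return refs;
}

// Which expected PRs does a given per-line extractor fail to find anywhere?
function missingPrs(
  expected: number[],
  lines: string[],
  extract: (line: string) => number[],
): number[] {
  const seen: number[] = [];
  for (const line of lines) {
    for (const pr of extract(line)) seen.push(pr);
  }
  return expected.filter((pr) => seen.indexOf(pr) === -1);
}

// First-match scan: #12678 hides behind the external ref, #12244 behind #12243.
const reportedMissing = missingPrs(EXPECTED_PRS, SAMPLE_LINES, (l) => {
  const pr = firstPrOnLine(l);
  return pr === null ? [] : [pr];
});
// Full scan: nothing is missing, and #108 is not attributed to this repository.
const actuallyMissing = missingPrs(EXPECTED_PRS, SAMPLE_LINES, samePrRefsOnLine);
```

Reordering the lines so the canonical PR comes first (what the commit does) makes the first-match scan agree with the full scan; the full scan removes the ordering dependency altogether.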
nic-6443 approved these changes (May 12, 2026)

AlinsRan approved these changes (May 12, 2026)

shreemaan-abhishek approved these changes (May 12, 2026)
Description
Follow-up to #13360 (typos / heading levels — merged) and tracked in #13359 (full audit). This PR applies the remaining audit findings to every v3.x release section in `CHANGELOG.md`:

- … `release/3.x` branches but were never cherry-picked back to master.
- … `release/3.2`.
- … `:warning:`.
- … `### Security` subsections to patch sections carrying jwt-auth bypass fix: upgrade api7-lua-resty-jwt to 0.2.5 #9837 / forward-auth POST header leak fix: add post request headers only if auth request method is post #11184.

Diff: +240 / −77 (net +163), all in `CHANGELOG.md`. No code changes.

Highlights by impact

- … `lua-resty-session` 4.1.5 default = AES-256-GCM. Session cookies issued by ≤3.14.x will no longer decode after upgrade; all OIDC users will be forced to re-authenticate.
- … `### Security`) — these never reached master CHANGELOG users on the 3.x line.
- … `trusted_addresses`.
- … `system` — outbound TLS calls (OIDC, loggers) may newly fail handshake; wording expanded.
- … `:warning:`.
- … `access_key` → `key_id`), header consolidation, 4 fields removed — full breaking-change description added.
- … `config-default.yaml` removed + lyaml stricter — promoted to `:warning:`.
- … `{method} {route}` — tracing dashboards relying on URI-style names break.

Verification
All PR numbers added by this change were resolved against the live API to confirm they're real PRs (not issue numbers or typos).
Deliberately out of scope
Process improvements (separate effort)
The audit also recommends 6 release-process gates (rockspec diff gate, patch-CHANGELOG cherry-pick rule, breaking-change schema scan, PR-number cross-check, markdown lint, `### Security` convention) to keep this pattern from recurring. Those will land separately in `.github/workflows/`.

Refs #13359.
Checklist

- `pre-commit` (no code changes; markdown only)