membphis opened a new pull request, #13362:
URL: https://github.com/apache/apisix/pull/13362
### Description
Follow-up to #13360 (typos / heading levels — merged) and tracked in #13359
(full audit). This PR applies the remaining audit findings to every v3.x
release section in `CHANGELOG.md`:
- Backfill the four patch sections (3.2.2 / 3.4.1 / 3.8.1 / 3.9.1) that
exist on `release/3.x` branches but were never cherry-picked back to master.
- Replace the 3.2.1 placeholder paragraph with the 5–6 real bugfixes from
`release/3.2`.
- Expand "implementation-side" wording to "user-side" for entries whose
impact users can't read off the current text (OpenTelemetry span name,
hmac-auth field rename, ssl_trusted_certificate default, lua-resty-session 4.x
default, strict schema scope, etc.).
- Move mis-classified breaking changes from Bugfixes → Change and add
`:warning:`.
- Add user-visible PRs that were previously omitted (10 in 3.13.0, ~17 in
3.2.0, etc.).
- Deduplicate entries listed in two subsections of the same release (3.12.0,
3.10.0).
- Add `### Security` subsections to patch sections carrying jwt-auth bypass
#9837 / forward-auth POST header leak #11184.
Diff: **+240 / −77** (net +163), all in `CHANGELOG.md`. No code changes.
### Highlights by impact
| Severity | Item |
|---|---|
| :warning::warning: | 3.15.0 #12862 — `lua-resty-session` 4.1.5 default = AES-256-GCM. Session cookies issued by ≤3.14.x will no longer decode after upgrade; all OIDC users will be forced to re-authenticate. |
| :warning::warning: | Patch backfills 3.2.2 / 3.4.1 / 3.8.1 / 3.9.1 (incl. jwt-auth auth bypass #9837 and forward-auth POST header leak #11184 under `### Security`) — these never reached master CHANGELOG users on the 3.x line. |
| :warning: | 3.14.0 #12551 X-Forwarded-* trusted-source change moved Bugfixes → Change with upgrade hint for `trusted_addresses`. |
| :warning: | 3.12.0 #11993 ssl_trusted_certificate default = `system` — outbound TLS calls (OIDC, loggers) may newly fail handshake; wording expanded. |
| :warning: | 3.11.0 #11601 credential resource silently dropped auth check + injects 3 upstream headers — promoted to Change with `:warning:`. |
| :warning: | 3.11.0 #11581 hmac-auth field rename (`access_key`→`key_id`), header consolidation, 4 fields removed — full breaking-change description added. |
| :warning: | 3.10.0 #11343 / #11312 `config-default.yaml` removed + lyaml stricter — promoted to `:warning:`. |
| :warning: | 3.7.0 #10393 OTel span name `{method} {route}` — tracing dashboards relying on URI-style names break. |
| :warning: | 3.6.0 #10233 strict schema — listed every affected resource (route / service / upstream / consumer / ssl / plugin_config / global_rule / stream_route / proto). |
### Verification
```text
$ git diff --stat CHANGELOG.md
CHANGELOG.md | 316 +++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 239 insertions(+), 77 deletions(-)
$ grep -cE "^- " CHANGELOG.md # bullet count
1293 (was 1186; +107 new user-facing entries)
$ grep -nE "^## " CHANGELOG.md | head -25 # all 21 v3.x headers present, in order
24:## Table of Contents
91:## 3.16.0
143:## 3.15.0
206:## 3.14.1
221:## 3.14.0
323:## 3.13.0
414:## 3.12.0
488:## 3.11.0
519:## 3.10.0
576:## 3.9.1 <- backfilled
582:## 3.9.0
641:## 3.8.1 <- backfilled
647:## 3.8.0
694:## 3.7.0
736:## 3.6.0
770:## 3.5.0
825:## 3.4.1 <- backfilled
833:## 3.4.0
870:## 3.3.0
912:## 3.2.2 <- backfilled
946:## 3.2.1 <- placeholder replaced
961:## 3.2.0
1024:## 3.1.0
1080:## 3.0.0
```
All PR numbers added by this change were resolved against the live API to
confirm they're real PRs (not issue numbers or typos).
### Deliberately out of scope
- The two "uncertain" items the audit flagged for release-manager decision
(3.15.0 #12948 kubernetes-discovery local-type; 3.16.0 #13030 limit-count panic
path) — left for follow-up after maintainer discussion.
- 3.2.2 backports overlap with 3.3.0 entries (because the same fixes shipped
to both lines). I kept the duplicates so users tracking the 3.2.x line see what
shipped in 3.2.2 — happy to remove if reviewers prefer a single canonical
listing.
### Process improvements (separate effort)
The audit also recommends 6 release-process gates (rockspec diff gate,
patch-CHANGELOG cherry-pick rule, breaking-change schema scan, PR-number
cross-check, markdown lint, `### Security` convention) to keep this pattern
from recurring. Those will land separately in `.github/workflows/`.
Refs #13359.
### Checklist
- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [ ] I have added tests corresponding to the changes introduced in this PR
(N/A — CHANGELOG-only)
- [ ] I have added proper labels to this PR
- [x] I have installed and executed `pre-commit` (no code changes; markdown
only)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]