Amend CVE note and security guide section wordings

Reword first sentence of dep management and CVE section of
security guide. Also, reword and move gemspec notes above deps.

[ci skip]

11 files changed, 31 insertions, 31 deletions

diff --git a/actioncable/actioncable.gemspec b/actioncable/actioncable.gemspec
index f4af0330d7..31c6fb41f2 100644
--- a/actioncable/actioncable.gemspec
+++ b/actioncable/actioncable.gemspec
@@ -2,9 +2,6 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
 Gem::Specification.new do |s|
   s.platform    = Gem::Platform::RUBY
   s.name        = "actioncable"
@@ -28,6 +25,9 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/actioncable/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "actionpack", version
 
   s.add_dependency "nio4r",            "~> 2.0"
diff --git a/actionmailer/actionmailer.gemspec b/actionmailer/actionmailer.gemspec
index efcdcf019a..6f8d6d0699 100644
--- a/actionmailer/actionmailer.gemspec
+++ b/actionmailer/actionmailer.gemspec
@@ -2,9 +2,6 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
 Gem::Specification.new do |s|
   s.platform    = Gem::Platform::RUBY
   s.name        = "actionmailer"
@@ -29,6 +26,9 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/actionmailer/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "actionpack", version
   s.add_dependency "actionview", version
   s.add_dependency "activejob", version
diff --git a/actionpack/actionpack.gemspec b/actionpack/actionpack.gemspec
index 4b9c729955..ec56de18f1 100644
--- a/actionpack/actionpack.gemspec
+++ b/actionpack/actionpack.gemspec
@@ -2,9 +2,6 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
 Gem::Specification.new do |s|
   s.platform    = Gem::Platform::RUBY
   s.name        = "actionpack"
@@ -29,6 +26,9 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/actionpack/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "activesupport", version
 
   s.add_dependency "rack",      "~> 2.0"
diff --git a/actionview/actionview.gemspec b/actionview/actionview.gemspec
index 938d8b4b90..5f1e746421 100644
--- a/actionview/actionview.gemspec
+++ b/actionview/actionview.gemspec
@@ -2,9 +2,6 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
 Gem::Specification.new do |s|
   s.platform    = Gem::Platform::RUBY
   s.name        = "actionview"
@@ -29,6 +26,9 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/actionview/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "activesupport", version
 
   s.add_dependency "builder",       "~> 3.1"
diff --git a/activejob/activejob.gemspec b/activejob/activejob.gemspec
index cc27deb338..cd7ac210ec 100644
--- a/activejob/activejob.gemspec
+++ b/activejob/activejob.gemspec
@@ -2,9 +2,6 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
 Gem::Specification.new do |s|
   s.platform    = Gem::Platform::RUBY
   s.name        = "activejob"
@@ -28,6 +25,9 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activejob/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "activesupport", version
   s.add_dependency "globalid", ">= 0.3.6"
 end
diff --git a/activemodel/activemodel.gemspec b/activemodel/activemodel.gemspec
index 22ca37071c..493fca698a 100644
--- a/activemodel/activemodel.gemspec
+++ b/activemodel/activemodel.gemspec
@@ -2,9 +2,6 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
 Gem::Specification.new do |s|
   s.platform    = Gem::Platform::RUBY
   s.name        = "activemodel"
@@ -28,5 +25,8 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activemodel/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "activesupport", version
 end
diff --git a/activerecord/activerecord.gemspec b/activerecord/activerecord.gemspec
index 2c049f21ea..bcdd82052c 100644
--- a/activerecord/activerecord.gemspec
+++ b/activerecord/activerecord.gemspec
@@ -2,9 +2,6 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
 Gem::Specification.new do |s|
   s.platform    = Gem::Platform::RUBY
   s.name        = "activerecord"
@@ -31,6 +28,9 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activerecord/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "activesupport", version
   s.add_dependency "activemodel",   version
 end
diff --git a/activestorage/activestorage.gemspec b/activestorage/activestorage.gemspec
index 0b879e270c..2c8816df25 100644
--- a/activestorage/activestorage.gemspec
+++ b/activestorage/activestorage.gemspec
@@ -2,9 +2,6 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
 Gem::Specification.new do |s|
   s.platform    = Gem::Platform::RUBY
   s.name        = "activestorage"
@@ -28,6 +25,9 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activestorage/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "actionpack", version
   s.add_dependency "activerecord", version
 
diff --git a/activesupport/activesupport.gemspec b/activesupport/activesupport.gemspec
index 75b38f3552..448a2eeebb 100644
--- a/activesupport/activesupport.gemspec
+++ b/activesupport/activesupport.gemspec
@@ -2,9 +2,6 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
 Gem::Specification.new do |s|
   s.platform    = Gem::Platform::RUBY
   s.name        = "activesupport"
@@ -30,6 +27,9 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activesupport/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "i18n",       ">= 0.7", "< 2"
   s.add_dependency "tzinfo",     "~> 1.1"
   s.add_dependency "minitest",   "~> 5.1"
diff --git a/guides/source/security.md b/guides/source/security.md
index 66b922ea35..dbec3cdd2d 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -1238,7 +1238,7 @@ Rails.application.credentials.some_api_key! # => raises KeyError: :some_api_key
 Dependency Management and CVEs
 ------------------------------
 
-Please note that we do not accept patches for CVE version bumps. This is because application owners need to manually update their gems regardless of our efforts. Use `bundle update --conservative gem_name` to safely update vulnerable dependencies.
+We don’t bump dependencies just to encourage use of new versions, including for security issues. This is because application owners need to manually update their gems regardless of our efforts. Use `bundle update --conservative gem_name` to safely update vulnerable dependencies.
 
 Additional Resources
 --------------------
diff --git a/railties/railties.gemspec b/railties/railties.gemspec
index 98155a35e3..4e4a504c97 100644
--- a/railties/railties.gemspec
+++ b/railties/railties.gemspec
@@ -2,9 +2,6 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
 Gem::Specification.new do |s|
   s.platform    = Gem::Platform::RUBY
   s.name        = "railties"
@@ -33,6 +30,9 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/railties/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "activesupport", version
   s.add_dependency "actionpack",    version