Merge pull request #34392 from gmcgibbon/gem_security_note_amend

Amend CVE note and security guide section wordings

1 files changed, 3 insertions, 3 deletions

diff --git a/actionview/actionview.gemspec b/actionview/actionview.gemspec
index 938d8b4b90..5f1e746421 100644
--- a/actionview/actionview.gemspec
+++ b/actionview/actionview.gemspec
@@ -2,9 +2,6 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
 Gem::Specification.new do |s|
   s.platform    = Gem::Platform::RUBY
   s.name        = "actionview"
@@ -29,6 +26,9 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/actionview/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "activesupport", version
 
   s.add_dependency "builder",       "~> 3.1"