From e74fdbe00cd0f403d34f2bc83eb09e7a5bc56109 Mon Sep 17 00:00:00 2001
From: Gannon McGibbon <gannon.mcgibbon@gmail.com>
Date: Tue, 6 Nov 2018 18:05:40 -0500
Subject: Amend CVE note and security guide section wordings

Reword first sentence of dep management and CVE section of
security guide. Also, reword and move gemspec notes above deps.

[ci skip]
---
 activesupport/activesupport.gemspec | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'activesupport')

diff --git a/activesupport/activesupport.gemspec b/activesupport/activesupport.gemspec
index 75b38f3552..448a2eeebb 100644
--- a/activesupport/activesupport.gemspec
+++ b/activesupport/activesupport.gemspec
@@ -2,9 +2,6 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
 Gem::Specification.new do |s|
   s.platform    = Gem::Platform::RUBY
   s.name        = "activesupport"
@@ -30,6 +27,9 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activesupport/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "i18n",       ">= 0.7", "< 2"
   s.add_dependency "tzinfo",     "~> 1.1"
   s.add_dependency "minitest",   "~> 5.1"
-- 
cgit v1.2.3