CLAUDE.md
44 additions & 0 deletions
@@ -271,9 +271,53 @@ When fixing a CVE in a transitive dependency, prefer a real top-level upgrade ov
271
271
}
272
272
```
273
273
274
+
### Branch naming for CVE fixes
275
+
276
+
Use a **package-keyed** branch name, not a CVE-keyed one:
277
+
278
+
```
279
+
cursor/cve/<package>
280
+
```
281
+
282
+
Multiple CVEs against the same package commonly land in one upstream release, so package-keyed branches let sibling work join the same PR (see "Batching CVEs" below). Do not include the CVE ID or a Linear issue ID in the branch name.
283
+
284
+
### Batching CVEs that share a package
285
+
286
+
CVEs often arrive in clusters because one package release fixes several at once. Before opening a new PR, check whether a sibling PR is already addressing the same package.
287
+
288
+
1.**Extract**`<package>` and `<min-patched-version>` from the Linear issue (the Dependabot-sourced body lists both — affected package and fixed version).
289
+
290
+
2.**Look for a sibling PR**:
291
+
292
+
```bash
293
+
gh pr list --state open --search '<package> in:title' --json number,title,headRefName
294
+
```
295
+
296
+
3.**Decide based on the result**:
297
+
298
+
-**Sibling PR exists and its branch already pins ≥ `<min-patched-version>`**:
299
+
-`gh pr checkout <number>`
300
+
- Add a CHANGELOG entry for *this* CVE on the same branch (one line per CVE).
301
+
-`gh pr edit <number>` to append the CVE ID to the title and body, and add a `Fixes <LINEAR-ID>` line to the PR body alongside any existing `Fixes` lines (this auto-links the Linear issue and Linear will mark it Done when the PR merges).
302
+
- Do not transition the Linear issue manually — leave it for the merge to close.
303
+
-**Do not open a new PR.**
304
+
305
+
-**Sibling PR exists but its pin is too low to cover this CVE**:
306
+
- Check out the branch.
307
+
- Bump the resolution / package version higher to cover both.
308
+
- Add a CHANGELOG entry. Update the PR title and body, and add `Fixes <LINEAR-ID>` to the PR body.
309
+
- Do not transition the Linear issue manually — leave it for the merge to close.
310
+
311
+
-**No sibling PR exists**:
312
+
- Create a new `cursor/cve/<package>` branch and open the PR as usual.
313
+
314
+
4.**Post-flight (race-window backstop)**: After opening a new PR, re-run step 2. If a competing PR with a *lower* number appeared while you were working, close yours, push your CHANGELOG entry and Linear link onto the older PR.
315
+
274
316
### CHANGELOG and PR conventions for CVE fixes
275
317
276
318
- CHANGELOG entry (under `[Unreleased] → Fixed`): `Upgraded \`<pkg>\` to \`^x.y.z\` to address CVE-XXXX-XXXXX. [#<PR>]`
319
+
- One CHANGELOG line per CVE, even when multiple CVEs share a PR.
320
+
- PR title format: `chore: upgrade <pkg> to ^x.y.z to address CVE-A, CVE-B, ...` (list every CVE the PR resolves).
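Review bot: the sibling-PR lookup in step 2 relies on a free-text title match (`'<package> in:title'`), which can return false positives for packages whose names are substrings of other package names and can miss a sibling whose title does not spell the package exactly; since this hunk already makes the branch name deterministic (`cursor/cve/<package>`), the more reliable check is to filter on the head branch, e.g. `gh pr list --state open --head cursor/cve/<package> --json number,title,headRefName`, keeping the title search at most as a fallback. Related, the post-flight step 4 ("close yours, push your CHANGELOG entry and Linear link onto the older PR") should order the actions as move-then-close and should apply the same version-coverage check as step 3: if the older PR's pin is below this CVE's `<min-patched-version>`, its resolution needs to be bumped before the newer PR is closed, otherwise the CVE is marked fixed by a PR that does not cover it.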