From 9e2a1fb7d8193dfae67ed70a6f531dd4e4b5f0d5 Mon Sep 17 00:00:00 2001
From: Marc-Andre Lafortune <github@marc-andre.ca>
Date: Tue, 30 Jun 2020 02:29:19 -0400
Subject: [PATCH] Make changes more precise [#424]

---
 CHANGES.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/CHANGES.md b/CHANGES.md
index 89c026b1..efd74771 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,7 +1,10 @@
 # Changes
 
 ## 2019-12-11 (2.3.0)
- * Fix default of `create_additions` to always be false [CVE-2020-10663]
+ * Fix default of `create_additions` to always be `false` for `JSON(user_input)`
+   and `JSON.parse(user_input, nil)`.
+   Note that `JSON.load` remains with default `true` and is meant for internal
+   serialization of trusted data. [CVE-2020-10663]
  * Fix passing args all #to_json in json/add/*.
  * Fix encoding issues
  * Fix issues of keyword vs positional parameter