docs(CHANGES): Note vulnerability fix

tony · tony · commit 66640aedbcae · 2022-03-12T10:03:28.000-06:00
diff --git a/CHANGES b/CHANGES
@@ -4,6 +4,12 @@
 
 - _Add your latest changes from PRs here_
 
+### Potential command injection via mercurial URLs
+
+- By setting a mercurial URL with an alias it is possible to execute arbitrary shell commands via
+  `.obtain()` or in the case of uncloned destinations, `.update_repo()`. (#306, credit: Alessio
+  Della Libera)
+
 ### Development
 
 - Run pyupgrade formatting (#305)
