During Wikimedia’s Mailman3 migration, we discovered and fixed a security issue that would have disclosed the contents of private list archives during the import process. This post explains the issue, how we discovered it and how it was fixed.
LibUp writes a commit message mostly by analyzing the diff, fixes up some changes, and pushes the commit to Gerrit so it can pass through CI and be merged. If npm knows the CVE ID for the security update, it is mentioned in the commit message. Each package upgrade is tagged, so if you want, for example, to find every commit that bumped MediaWiki Codesniffer to v26, it is a quick search away.