docs(reference): add security notice 15

[buccarel]

Description

When should this change go live?

March 11, 2025

• This is a bug fix, security concern, or something that needs urgent release support. (add bug or support label)
• This is already available but undocumented and should be released within a week. (add available & undocumented label)
• This is on a specific schedule and the assignee will coordinate a release with the DevEx team. (create draft PR and/or add hold label)
• This is part of a scheduled alpha or minor. (add alpha or minor label)
• There is no urgency with this change (add low prio label)

PR Checklist

• My changes are for an upcoming minor release and:
  • are in the /docs directory (version 8.8).
  • are in the /versioned_docs/version-8.7/ directory (version 8.7).
• My changes are for an already released minor and are in a /versioned_docs directory.

• I added a DRI, team, or delegate as a reviewer for technical accuracy and grammar/style:
  • Engineering team review
  • Technical writer review via @camunda/tech-writers unless working with an embedded writer.

[github-actions]

🚫 [vale] _{reported by reviewdog 🐶}
[all.glossary] Inconsistent spelling detected. Use JavaScript instead of Javascript. Review the WCoE glossary - https://confluence.camunda.com/x/b5RZBw .

[akeller]

@buccarel can you please include more context for this security notice? Usually these require immediate review/merge/publish, so I'm surprised to see you've aligned it to an alpha/minor.

[akeller]

Can these both be listed under the same security notice? #5149

[RomanJRW]

They are separate things in separate components. I assume we should have different security notices for these?

[RomanJRW]

Generally no issue, but we need to use the right number and the Javascript spelling issue looks legit

[RomanJRW]

They are separate things in separate components. I assume we should have different security notices for these?

[buccarel]

@buccarel can you please include more context for this security notice? Usually these require immediate review/merge/publish, so I'm surprised to see you've aligned it to an alpha/minor.

@akeller this issue was reported to us right before we did the 8.6.6 release. We could squeeze it in that same release just in time, and we took advantage of the release being already scheduled.

With different circumstances, we would have done an emergency, out-of-schedule rollout

[mesellings]

I've made some rewording suggestions, but I'm not clear about exactly what the past/present tense usage should be here as I don't know enough about this issue to tell quickly. Please use this suggestion as guidance. However, I think the rewording around "The version of Camunda" does need to be applied at least, as I'm not sure currently what's there makes sense?

Cautiously approving to unblock if there is urgency, but I suggest @akeller takes a look as well if there is time?

[mesellings]

Lgtm - approved from a writing/grammar point of view! 👍 🚀