From d73244e97ba9c0e6e6eadbd878ff6d4d5dce3f56 Mon Sep 17 00:00:00 2001 From: Min RK Date: Tue, 21 Nov 2023 09:15:37 +0100 Subject: [PATCH] Changelog note for GHSA-hfgr-h3vc-p6c2 --- docs/source/changelog.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/source/changelog.md b/docs/source/changelog.md index 685ce37..0ccb0dc 100644 --- a/docs/source/changelog.md +++ b/docs/source/changelog.md @@ -12,8 +12,12 @@ command line for details. ([full changelog](https://github.com/jupyterhub/dockerspawner/compare/12.1.0...13.0.0)) +13.0 Fixes security vulnerability GHSA-hfgr-h3vc-p6c2, which allowed authenticated users to spawn arbitrary images +unless `DockerSpawner.allowed_images` was specified. + #### API and Breaking Changes +- Add and require `DockerSpawner.allowed_images='*'` to allow any image to be spawned via `user_options`. (GHSA-hfgr-h3vc-p6c2) - Remove deprecated, broken hub_ip_connect [#499](https://github.com/jupyterhub/dockerspawner/pull/499) ([@minrk](https://github.com/minrk)) - Require python 3.8+ and jupyterhub 2.3.1+ [#488](https://github.com/jupyterhub/dockerspawner/pull/488) ([@consideRatio](https://github.com/consideRatio), [@minrk](https://github.com/minrk))
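Review bot: The added summary sentence ("13.0 Fixes security vulnerability GHSA-hfgr-h3vc-p6c2, ...") describes what was possible before the fix but does not say what an upgraded deployment does when `DockerSpawner.allowed_images` is left unset. The only hint is the new bullet under "API and Breaking Changes". Suggest stating the new default in the summary itself, so an admin who reads only that sentence knows how an image requested via `user_options` is handled when `allowed_images` is not configured, and that `allowed_images='*'` is the explicit opt-in to the old behaviour. The advisory ID is also plain text in both added lines, while the neighbouring entries link their PRs; linking the advisory would let readers check which versions are affected. Minor: "13.0 Fixes" has a stray capital mid-sentence.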