
chore(docs): Remove changelog generation instructions #104

Merged: macalbert merged 6 commits into main from macalbert/security/fix-dependabot-15 on Jan 15, 2026

Conversation

@macalbert (Owner) commented Jan 13, 2026

Pull Request

What does this PR do?

Removes conventional-changelog-cli dependency to fix CVE-2025-59433 (Argument Injection vulnerability in @conventional-changelog/git-client).

Changes:

  • Remove conventional-changelog-cli from devDependencies
  • Remove changelog and changelog:all npm scripts
  • Update release-* scripts to remove automatic changelog generation
  • Update documentation to reflect manual changelog management

Related issues

Closes security 15

Type of change

  • Feature
  • Bugfix (Security vulnerability)
  • Refactor
  • Documentation
  • Other

Checklist

Notes for reviewer

Security Context:

  • Vulnerability: CVE-2025-59433 - Argument Injection in @conventional-changelog/git-client@1.0.1
  • Severity: Moderate (5.0/10 CVSS)
  • Impact on Envilder: LOW - Only used in manual pnpm changelog script, never in production or CI/CD

Breaking Changes:

  • Changelog is now manual-only. Developers must update docs/CHANGELOG.md by hand or use GitHub Releases
  • pnpm run changelog and pnpm run changelog:all scripts removed
  • Release scripts (release-patch, release-minor, release-major) no longer auto-generate changelog entries

Migration Path:

  • Use GitHub Releases for automated release notes (recommended)
  • Or manually edit docs/CHANGELOG.md following existing format
  • Future: Consider migrating to changesets or semantic-release if automated changelog is desired again

Summary by CodeRabbit

Documentation

  • Standardized changelog formatting with improved structure and consistency
  • Updated release documentation to reflect manual changelog management workflow
  • Clarified version bumping guidance with updated instructions for release process


- Update documentation to reflect the removal of automated changelog generation.
- Users are now required to update CHANGELOG.md manually or use GitHub Releases.
@gemini-code-assist (Contributor)

Summary of Changes

Hello @macalbert, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on enhancing the project's security posture by eliminating a vulnerable dependency. The change necessitates a shift in how changelogs are managed, moving from an automated system to a manual or GitHub Releases-driven approach, ensuring the project remains secure and maintainable.

Highlights

  • Security Vulnerability Fix: Addressed CVE-2025-59433 (Argument Injection vulnerability in @conventional-changelog/git-client) by removing the conventional-changelog-cli dependency.
  • Changelog Automation Removal: The project has transitioned from automated changelog generation to a manual process. This involves removing the changelog and changelog:all npm scripts and updating release scripts to no longer auto-generate changelog entries.
  • Documentation Updates: Documentation has been updated in docs/CHANGELOG.md and docs/conventional-commits.md to reflect the new manual changelog management process and provide guidance on updating the changelog or using GitHub Releases.
  • Dependency Cleanup: Removed conventional-changelog-cli and its associated transitive dependencies from package.json and pnpm-lock.yaml, streamlining the project's dependency tree.


@macalbert macalbert self-assigned this Jan 13, 2026
@macalbert macalbert requested a review from Copilot January 13, 2026 23:45
@coderabbitai (Contributor) commented Jan 13, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (4)
  • biome.json is excluded by none and included by none
  • package.json is excluded by none and included by none
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml and included by none
  • scripts/README.md is excluded by none and included by none


Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

These changes update documentation to shift from automated changelog generation to manual changelog updates. Both files undergo formatting adjustments and content restructuring to reflect the new versioning workflow while removing automated changelog tooling references.

Changes

Cohort / File(s): Documentation Updates (docs/CHANGELOG.md, docs/conventional-commits.md)
Summary: Formatting consistency improvements (list prefixes standardized to asterisks); "Generate Changelog" section replaced with "Version Bumping" guidance; automated changelog generation commands removed; manual update instructions added with GitHub Releases reference; "Automation" section renamed to "Maintenance"; GitHub Action subfolder entry removed from 0.7.0 section.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks: 3 passed

  • Title check: Passed. The title clearly describes the main change: removing changelog generation instructions and the conventional-changelog-cli dependency to address a security vulnerability.
  • Description check: Passed. The description follows the template structure with all required sections completed: What does this PR do (detailed), Related issues, Type of change, Checklist, and Notes for reviewer with comprehensive security context.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request addresses a security vulnerability by removing the conventional-changelog-cli dependency. The changes are well-executed, including removing the dependency from package.json, updating the relevant npm scripts, and adjusting the documentation to reflect the new manual changelog process. The PR description is clear and provides good context. I have a couple of minor suggestions to improve documentation and maintain conventions.

@coderabbitai bot (Contributor) left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
docs/conventional-commits.md (3)

3-4: Update the introductory statement to reflect manual changelog management.

Line 4 claims the project uses Conventional Commits "for consistent and automated changelog generation," but the note at lines 127-128 states that changelog generation has been removed. This creates a contradiction.

📝 Proposed fix
-This project follows [Conventional Commits](https://www.conventionalcommits.org/) specification for
-consistent and automated changelog generation.
+This project follows [Conventional Commits](https://www.conventionalcommits.org/) specification for
+consistent commit messages and semantic versioning.

140-145: Remove or update the outdated comment about auto-updating CHANGELOG.

Line 143's comment # Auto-updates CHANGELOG is inconsistent with the removal of automated changelog generation. The pnpm version command now only bumps the version number.

📝 Proposed fix
 5. **Create release** (when ready):
 
    ```bash
-   pnpm version minor  # Auto-updates CHANGELOG
+   pnpm version minor  # Bumps version; update CHANGELOG manually
    git push --follow-tags
    ```
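Review bot: The replacement comment `pnpm version minor  # Bumps version; update CHANGELOG manually` leaves the ordering ambiguous, because the very next line `git push --follow-tags` pushes the new version tag immediately; a reader who updates the changelog "manually" after this step tags a release whose docs/CHANGELOG.md is still stale. Suggest splitting the step: edit and commit docs/CHANGELOG.md first, then run `pnpm version minor` and `git push --follow-tags`.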

147-154: Remove the outdated benefit claim about automated changelog generation.

Line 149 lists "Automated changelog generation" as a benefit, but this capability has been removed (as noted at lines 127-128). This inconsistency may confuse users about the project's current capabilities.

📝 Proposed fix
 ## Benefits
 
-- ✅ **Automated changelog** generation
 - ✅ **Semantic versioning** automation
 - ✅ **Clear git history** for team and contributors
 - ✅ **Better PRs** with standardized titles
 - ✅ **CI/CD integration** (auto-release based on commits)
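Review bot: Dropping `- ✅ **Automated changelog** generation` is right, but the retained `- ✅ **Semantic versioning** automation` and `- ✅ **CI/CD integration** (auto-release based on commits)` bullets make the same kind of claim; the PR description says the release-patch/minor/major scripts now only bump the version, so these two bullets should be re-verified against what CI actually does after this change and trimmed to what remains if nothing else is automated.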
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8471e93 and f4f084f.

⛔ Files ignored due to path filters (2)
  • package.json is excluded by none and included by none
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml and included by none
📒 Files selected for processing (2)
  • docs/CHANGELOG.md
  • docs/conventional-commits.md
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Agent
🔇 Additional comments (3)
docs/conventional-commits.md (1)

118-128: LGTM! Clear documentation of the manual workflow.

The section header change to "Version Bumping" and the added note accurately reflect the removal of automated changelog generation while providing clear alternatives.

docs/CHANGELOG.md (2)

36-46: LGTM! Formatting improvements align with Markdown conventions.

The bullet point style changes from -- to * improve consistency and follow standard Markdown conventions throughout the changelog.

Also applies to: 53-71, 76-81, 86-88, 93-117, 122-123, 126-127, 130-132, 137-154, 159-174, 179-198, 203-206, 211-213, 218-219, 222-227, 232-239, 244-251


311-322: LGTM! Clear instructions for manual changelog maintenance.

The section rename from "Automation" to "Maintenance" and the updated instructions accurately reflect the shift to manual changelog management. The GitHub Releases alternative provides a helpful option for users.

Copilot AI (Contributor) left a comment

Pull request overview

This PR removes the conventional-changelog-cli dependency to address CVE-2025-59433 (Argument Injection vulnerability in @conventional-changelog/git-client). The change transitions the project from automated changelog generation to manual changelog management.

Changes:

  • Removed conventional-changelog-cli from devDependencies and its transitive dependencies from lockfile
  • Removed changelog and changelog:all npm scripts
  • Updated release scripts (release-patch, release-minor, release-major) to remove automatic changelog generation
  • Updated documentation to reflect the switch to manual changelog management with guidance on using GitHub Releases as an alternative

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated no comments.

  • package.json: Removed conventional-changelog-cli devDependency and changelog-related scripts; simplified release scripts to only bump versions
  • pnpm-lock.yaml: Clean removal of conventional-changelog-cli and related packages (angular, atom, codemirror, ember, eslint, express, jquery, jshint presets, core, writer, preset-loader) with all transitive dependencies
  • docs/conventional-commits.md: Updated "Generate Changelog" section to "Version Bumping" with note that changelog generation has been removed; added guidance to manually update CHANGELOG.md or use GitHub Releases
  • docs/CHANGELOG.md: Updated "Automation" section to "Maintenance" with clear instructions for manual changelog updates; reformatted list markers from hyphens to asterisks for consistency; removed empty lines for cleaner formatting
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported
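Copilot skipped pnpm-lock.yaml ("Language not supported"), so the claim that conventional-changelog-cli and its transitive packages were cleanly removed rests on the author's own inspection. The script below is an added example, not part of this PR or of the Envilder project: it scans a pnpm v9-style lockfile for a watch list of package names and reports any that are still declared by an importer or still resolved under `packages:` / `snapshots:`, which is the check a reviewer would run before trusting the lockfile hunk. The two lockfile excerpts are constructed; every version except @conventional-changelog/git-client@1.0.1 and every integrity string is made up; and the watch list interprets the package names Copilot lists ("core, writer, preset-loader") as conventional-changelog-core, conventional-changelog-writer and conventional-changelog-preset-loader.

```python
"""Check a pnpm-lock.yaml for packages that were supposed to be removed.

Added example (not the project's code): a text-level scan of the pnpm v9
lockfile layout, so no YAML library is needed. The lockfile excerpts are
constructed; only @conventional-changelog/git-client@1.0.1 is a version
taken from the advisory cited in the PR.
"""
import re
from typing import Dict, Iterable, Iterator, Optional, Set, Tuple

# Package keys under `packages:` / `snapshots:` are two-space indented, e.g.
#   '@conventional-changelog/git-client@1.0.1':
#   conventional-changelog-cli@5.0.0:
#   '@scope/pkg@1.0.1(peer@2.0.0)':   <- version stops at '(' or the quote
_PKG_KEY_RE = re.compile(r"^ {2}'?(?P<name>(?:@[\w.-]+/)?[\w.-]+)@(?P<version>[^'(:\s]+)")
# Dependency names declared by an importer: six-space indent, bare key.
_DECL_RE = re.compile(r"^ {6}'?(?P<name>(?:@[\w.-]+/)?[\w.-]+)'?:\s*$")


def _lines_by_section(lock_text: str) -> Iterator[Tuple[Optional[str], str]]:
    """Yield (top-level section name, line) for every non-header line."""
    section: Optional[str] = None
    for line in lock_text.splitlines():
        top = re.match(r"^([A-Za-z]+):\s*$", line)
        if top:
            section = top.group(1)
            continue
        yield section, line


def lockfile_packages(lock_text: str) -> Dict[str, Set[str]]:
    """Map package name -> versions resolved anywhere in packages/snapshots."""
    found: Dict[str, Set[str]] = {}
    for section, line in _lines_by_section(lock_text):
        if section not in ("packages", "snapshots"):
            continue
        m = _PKG_KEY_RE.match(line)
        if m:
            found.setdefault(m.group("name"), set()).add(m.group("version"))
    return found


def declared_dependencies(lock_text: str) -> Set[str]:
    """Names a workspace importer still lists under (dev)dependencies."""
    names: Set[str] = set()
    for section, line in _lines_by_section(lock_text):
        if section != "importers":
            continue
        m = _DECL_RE.match(line)
        if m:
            names.add(m.group("name"))
    return names


def residual(lock_text: str, watch: Iterable[str]) -> Dict[str, dict]:
    """Watched packages that survive in the lockfile; an empty dict means clean."""
    pkgs = lockfile_packages(lock_text)
    declared = declared_dependencies(lock_text)
    out: Dict[str, dict] = {}
    for name in watch:
        if name in pkgs or name in declared:
            out[name] = {"versions": sorted(pkgs.get(name, ())),
                         "declared": name in declared}
    return out


# Watch list: the removed CLI, the vulnerable client named in the CVE, and
# the transitive packages Copilot's table mentions (names are my reading).
WATCH = [
    "conventional-changelog-cli",
    "@conventional-changelog/git-client",
    "conventional-changelog-core",
    "conventional-changelog-writer",
    "conventional-changelog-preset-loader",
]

# Constructed lockfile excerpt in the state BEFORE this PR.
LOCK_BEFORE = """\
lockfileVersion: '9.0'

importers:

  .:
    devDependencies:
      conventional-changelog-cli:
        specifier: ^5.0.0
        version: 5.0.0
      typescript:
        specifier: ^5.4.0
        version: 5.4.5

packages:

  '@conventional-changelog/git-client@1.0.1':
    resolution: {integrity: sha512-CONSTRUCTED}

  conventional-changelog-cli@5.0.0:
    resolution: {integrity: sha512-CONSTRUCTED}
    hasBin: true

  conventional-changelog-writer@8.0.0:
    resolution: {integrity: sha512-CONSTRUCTED}

  typescript@5.4.5:
    resolution: {integrity: sha512-CONSTRUCTED}

snapshots:

  '@conventional-changelog/git-client@1.0.1(conventional-commits-filter@5.0.0)':
    dependencies:
      conventional-commits-filter: 5.0.0

  conventional-changelog-cli@5.0.0:
    dependencies:
      conventional-changelog-writer: 8.0.0

  typescript@5.4.5: {}
"""

# Constructed lockfile excerpt in the state AFTER a clean removal.
LOCK_AFTER = """\
lockfileVersion: '9.0'

importers:

  .:
    devDependencies:
      typescript:
        specifier: ^5.4.0
        version: 5.4.5

packages:

  typescript@5.4.5:
    resolution: {integrity: sha512-CONSTRUCTED}

snapshots:

  typescript@5.4.5: {}
"""

if __name__ == "__main__":
    for label, text in (("before", LOCK_BEFORE), ("after", LOCK_AFTER)):
        left = residual(text, WATCH)
        print(f"{label}: {'clean' if not left else left}")
```

Run it against the real file with `residual(open("pnpm-lock.yaml").read(), WATCH)`; a non-empty result means a watched package is still resolved (possibly pulled in by another dependency) or still declared, and the `declared` flag separates the two cases.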

@macalbert macalbert merged commit 3216051 into main Jan 15, 2026
6 checks passed
@macalbert macalbert deleted the macalbert/security/fix-dependabot-15 branch January 15, 2026 17:44