From e17e0be2d0ad6e9fc940df6271ad45e8ed08a2b3 Mon Sep 17 00:00:00 2001 From: "David I. Lehn" Date: Tue, 25 Nov 2025 12:29:50 -0500 Subject: [PATCH 1/2] Run new security test. --- tests/security/index.js | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/security/index.js b/tests/security/index.js index 07e8c3424..5ce5600a1 100644 --- a/tests/security/index.js +++ b/tests/security/index.js @@ -1,2 +1,3 @@ // tests related to security, vulnerability reports, etc require('./cve-2025-12816.js'); +require('./ghsa-554w-wpv2-vw27.js'); From bb489b96bd14af6a125c8ec3cf827f01fe34ad92 Mon Sep 17 00:00:00 2001 From: "David I. Lehn" Date: Tue, 25 Nov 2025 13:38:44 -0500 Subject: [PATCH 2/2] Fix typos. --- CHANGELOG.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index da4760919..37b67b74e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -50,9 +50,9 @@ Forge ChangeLog ## 1.3.1 - 2022-03-29 -### Fixes +### Fixed - RFC 3447 and RFC 8017 allow for optional `DigestAlgorithm` `NULL` parameters - for `sha*` algorithms and require `NULL` paramters for `md2` and `md5` + for `sha*` algorithms and require `NULL` parameters for `md2` and `md5` algorithms. ## 1.3.0 - 2022-03-17 
@@ -164,11 +164,11 @@ Forge ChangeLog and is being removed rather than fixed. - **SECURITY**, **BREAKING**: Remove `forge.util.parseUrl()` (and `forge.http.parseUrl` alias) and use the [WHATWG URL - Standard](https://url.spec.whatwg.org/). `URL` is supported by modern browers - and modern Node.js. This change is needed to address URL parsing security - issues. If `forge.util.parseUrl()` is used directly or through `forge.xhr` or - `forge.http` APIs, and support is needed for environments without `URL` - support, then a polyfill must be used. + Standard](https://url.spec.whatwg.org/). `URL` is supported by modern + browsers and modern Node.js. This change is needed to address URL parsing + security issues. If `forge.util.parseUrl()` is used directly or through + `forge.xhr` or `forge.http` APIs, and support is needed for environments + without `URL` support, then a polyfill must be used. - **BREAKING**: Remove `forge.task` API. This API was never used, documented, or advertised by the maintainers. If anyone was using this API and wishes to continue development it in other project, please let the maintainers know.
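Review bot: In tests/security/index.js (PATCH 1/2), the added `require('./ghsa-554w-wpv2-vw27.js');` is the only change and the diffstat lists no new test file, which suggests the test already existed but was not being loaded from this index. Since the index is a hand-maintained list, consider loading every test file in the directory, or adding a check that fails when a file under tests/security/ is not required, so a future advisory test cannot be left unwired. The commit message could also say which commit added the test file itself.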
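Review bot: In the CHANGELOG.md hunk at `@@ -50,9 +50,9 @@` (PATCH 2/2), the `### Fixes` to `### Fixed` change is a heading rename rather than a typo fix, yet it travels under the subject "Fix typos." together with the `paramters` correction. Many Markdown renderers derive the section anchor from the heading text, so please mention the rename in the commit message and confirm nothing links to the old heading.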
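Review bot: In the CHANGELOG.md hunk at `@@ -164,11 +164,11 @@` (PATCH 2/2), the trailing context line still reads `continue development it in other project`, which this typo pass leaves untouched; since the commit already edits the entry directly above, fix that wording here as well (for example "continue developing it in another project"). Separately, the `browers` to `browsers` correction re-wraps the whole paragraph, so five lines change for one letter; if the re-wrap is needed to stay within the line-length limit, saying so in the commit message would make the diff easier to review.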