security-dox.patch

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0c5a977..bd87c24 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -62,6 +62,51 @@ install it with `--global`. :)
 
 ### v2.14.1 (2015-08-20):
 
+#### SECURITY FIX
+
+There are patches for two information leaks of moderate severity in `[email protected]`:
+
+1. In some cases, npm was leaking sensitive credential information into the
+   child environment when running package and lifecycle scripts. This could
+   lead to packages being published with files (most notably `config.gypi`, a
+   file created by `node-gyp` that is a cache of environmental information
+   regenerated on every run) containing the bearer tokens used to authenticate
+   users to the registry. Users with affected packages have been notified (and
+   the affected tokens invalidated), and now npm has been modified to not
+   upload files that could contain this information, as well as scrubbing the
+   sensitive information out of the environment passed to child scripts.
+2. Per-package `.npmrc` files are used by some maintainers as a way to scope
+   those packages to a specific registry and its credentials. This is a
+   reasonable use case, but by default `.npmrc` was packed into packages,
+   leaking those credentials.  npm will no longer include `.npmrc` when packing
+   tarballs.
+
+If you maintain packages and believe you may be affected by either
+of the above scenarios (especially if you've received a security
+notification from npm recently), please upgrade to `[email protected]` as
+soon as possible. If you believe you may have inadvertently leaked
+your credentials, upgrade to `[email protected]` on the affected machine,
+and run `npm logout` and then `npm login`. Your access tokens will be
+invalidated, which will eliminate any risk posed by tokens inadvertently
+included in published packages. We apologize for the inconvenience this
+causes, as well as the oversight that led to the existence of this issue
+in the first place.
+
+Huge thanks to [@ChALkeR](https://github.com/ChALkeR) for bringing these
+issues to our attention, and for helping us identify affected packages
+and maintainers. Thanks also to the Node.js security working group for
+their coördination with the team in our response to this issue. We
+appreciate everybody's patience and understanding tremendously.
+
+* [`b9474a8`](https://github.com/npm/npm/commit/b9474a843ca55b7c5fac6da33989e8eb39aff8b1)
+  `[email protected]`: Stop publishing build cruft (`config.gypi`) and per-project
+  `.npmrc` files to keep local configuration out of published packages.
+  ([@othiym23](https://github.com/othiym23))
+* [`13c286d`](https://github.com/npm/npm/commit/13c286dbdc3fa8fec4cb79fc4d1ee505c8a41b2e)
+  [#9348](https://github.com/npm/npm/issues/9348) Filter "private"
+  (underscore-prefixed, even when scoped to a registry) configuration values
+  out of child environments. ([@othiym23](https://github.com/othiym23))
+
 #### BETTER WINDOWS INTEGRATION, ONE STEP AT A TIME
 
 * [`e40e71f`](https://github.com/npm/npm/commit/e40e71f2f838a8a42392f44e3eeec04e323ab743)
@@ -87,17 +132,6 @@ install it with `--global`. :)
   test suite and installation process around a third faster.
   ([@isaacs](https://github.com/isaacs))
 
-#### LESS CRUFTY ENVIRONMENTS
-
-* [`b9474a8`](https://github.com/npm/npm/commit/b9474a843ca55b7c5fac6da33989e8eb39aff8b1)
-  `[email protected]`: Stop publishing build cruft (`config.gypi`) and per-project
-  `.npmrc` files to keep local configuration out of published packages.
-  ([@othiym23](https://github.com/othiym23))
-* [`13c286d`](https://github.com/npm/npm/commit/13c286dbdc3fa8fec4cb79fc4d1ee505c8a41b2e)
-  [#9348](https://github.com/npm/npm/issues/9348) Filter "private"
-  (underscore-prefixed, even when scoped to a registry) configuration values
-  out of child environments. ([@othiym23](https://github.com/othiym23))
-
 #### A SINGLE LONELY DEPENDENCY UPGRADE
 
 * [`b343b95`](https://github.com/npm/npm/commit/b343b956ef777e321e4251ddc96ec6d80827d9e2)