Added release notes and document deprecation

radarhere · hugovk · commit f6596d529399 · 2024-04-01T09:12:22.000+03:00
diff --git a/docs/deprecations.rst b/docs/deprecations.rst
@@ -92,6 +92,14 @@ Deprecated                                    Use instead
                                               :py:data:`sys.version_info`, and ``PIL.__version__``
 ============================================  ====================================================
 
+ImageMath eval()
+^^^^^^^^^^^^^^^^
+
+.. deprecated:: 10.3.0
+
+``ImageMath.eval()`` has been deprecated. Use :py:meth:`~PIL.ImageMath.lambda_eval` or
+:py:meth:`~PIL.ImageMath.unsafe_eval` instead.
+
 Removed features
 ----------------
 
diff --git a/docs/releasenotes/10.3.0.rst b/docs/releasenotes/10.3.0.rst
@@ -4,10 +4,15 @@
 Security
 ========
 
-TODO
-^^^^
+ImageMath eval()
+^^^^^^^^^^^^^^^^
 
-TODO
+.. danger::
+  ``ImageMath.eval()`` uses Python's ``eval()`` function to process the expression
+  string, and carries the security risks of doing so. A direct replacement for this is
+  the new :py:meth:`~PIL.ImageMath.unsafe_eval`, but that carries the same risks. It is
+  not recommended to process expressions without considering this.
+  :py:meth:`~PIL.ImageMath.lambda_eval` is a more secure alternative.
 
 :cve:`YYYY-XXXXX`: TODO
 ^^^^^^^^^^^^^^^^^^^^^^^
@@ -58,6 +63,13 @@ Deprecated                                    Use instead
                                               :py:data:`sys.version_info`, and ``PIL.__version__``
 ============================================  ====================================================
 
+ImageMath.eval()
+^^^^^^^^^^^^^^^^
+
+``ImageMath.eval()`` has been deprecated. Use :py:meth:`~PIL.ImageMath.lambda_eval` or
+:py:meth:`~PIL.ImageMath.unsafe_eval` instead. See earlier security notes for more
+information.
+
 API Changes
 ===========
 
