Replace 2.TODO placeholders after core PR merge

daniel-beck · daniel-beck · commit 5701817ca2e1 · 2025-11-25T10:19:51.000+01:00
diff --git a/content/doc/book/security/csp.adoc b/content/doc/book/security/csp.adoc
@@ -6,7 +6,7 @@ ifdef::backend-html5[]
 :toc: left
 endif::[]
 
-This page describes the restrictions that can be applied to the general Jenkins UI since Jenkins 2.TODO.
+This page describes the restrictions that can be applied to the general Jenkins UI since Jenkins 2.539.
 
 == Motivation
 
@@ -17,7 +17,7 @@ Using CSP, the impact of web vulnerabilities like link:/security/vulnerabilities
 NOTE: This page discusses configuration and customization of Content Security Policy for the general Jenkins UI.
 See link:/doc/book/security/configuring-content-security-policy/[Content Security Policy] for documentation on Content Security Policy for user generated files, like files in workspaces, archived artifacts, or file parameters, on controllers not using the link:/redirect/resource-root-url[Resource Root URL] feature.
 
-NOTE: Using Jenkins older than 2.TODO?
+NOTE: Using Jenkins older than 2.539?
 plugin:csp[Content Security Policy Plugin] 1.x provides similar functionality.
 
 // TODO Remove this once LTS with this is in common use.
@@ -34,7 +34,7 @@ See the section link:#identifying[Identifying incompatibilities in your setup] b
 Among the more than 2000 Jenkins plugins distributed by the Jenkins project, many use features that are prohibited by the default CSP rule set.
 As a result, the UI provided by these plugins would break.
 
-To give plugin maintainers time to adapt their plugins, and Jenkins administrators time to migrate away from unmaintained, incompatible plugins, CSP protection is disabled by default as of Jenkins 2.TODO.
+To give plugin maintainers time to adapt their plugins, and Jenkins administrators time to migrate away from unmaintained, incompatible plugins, CSP protection is disabled by default as of Jenkins 2.539.
 
 === Using the UI
 
diff --git a/content/doc/book/security/index.adoc b/content/doc/book/security/index.adoc
@@ -60,7 +60,7 @@ _This is set up securely by default._
 // TODO Confirm that skipping the setup wizard in 2.222 does no longer disable CSRF protection
 
 link:csp[Content Security Policy]::
-Jenkins 2.TODO and newer allows administrators to set up Content Security Policy protection.
+Jenkins 2.539 and newer allows administrators to set up Content Security Policy protection.
 This chapter explains how to set it up, how to customize it, and how to identify potential problems. +
 *This must be configured according to the needs of your environment.*
 // TODO Remove version number once it's been in 1-2 LTS lines
diff --git a/content/doc/developer/security/csp.adoc b/content/doc/developer/security/csp.adoc
@@ -45,14 +45,14 @@ Resources should be hosted by Jenkins.
 
 When running Jenkins, you can use the following techniques to identify broken features and the component that defines them:
 
-=== Built-in CSP protection in Jenkins 2.TODO+
+=== Built-in CSP protection in Jenkins 2.539+
 
-Running Jenkins 2.TODO or newer in development mode (e.g., `mvn hpi:run`) will have Content Security Policy protections enabled by default.
+Running Jenkins 2.539 or newer in development mode (e.g., `mvn hpi:run`) will have Content Security Policy protections enabled by default.
 link:/doc/book/security/csp/[Learn more.]
 
 === Content Security Policy Plugin 1.x
 
-In Jenkins before version 2.TODO, link:https://plugins.jenkins.io/csp/[Content Security Policy Plugin] (1.x) lets you define a Content-Security-Policy that gets applied to the Jenkins web UI.
+In Jenkins before version 2.539, link:https://plugins.jenkins.io/csp/[Content Security Policy Plugin] (1.x) lets you define a Content-Security-Policy that gets applied to the Jenkins web UI.
 It can operate both as enforcing and to only gather reports.
 Both modes can be useful with identifying broken functionality.
 
@@ -199,16 +199,16 @@ Any dynamically determined images (e.g., "avatar" images based on user configura
 
 * Have Jenkins request (and possibly cache) these images, serving them through a local URL.
   Be careful to not allow parameterization of the URL serving this image such that it accepts arbitrary parameter values, resulting in arbitrary URLs being proxied.
-* For compatibility with Content Security Policy in Jenkins 2.TODO and newer, implement `jenkins.security.csp.Contributor` (or `jenkins.security.csp.SimpleContributor` in simple cases).
+* For compatibility with Content Security Policy in Jenkins 2.539 and newer, implement `jenkins.security.csp.Contributor` (or `jenkins.security.csp.SimpleContributor` in simple cases).
   This will allow Jenkins users' browsers to load images from a known safe domain.
   In this case, make sure that only administrators can ultimately configure the domains that images can be loaded from.
   For example, regular Jenkins users should not be able to, e.g., edit their user profile or configure a job in a certain way to allow a domain of their choice.
 
 == Testing
 
-=== In Jenkins 2.TODO and newer
+=== In Jenkins 2.539 and newer
 
-Jenkins 2.TODO and newer supports Content Security Policy out of the box.
+Jenkins 2.539 and newer supports Content Security Policy out of the box.
 See the link:/doc/book/security/csp/[documentation] for information how to set it up.
 
 NOTE: Running Jenkins in development mode will by default enforce Content Security Policy, so plugin maintainers will likely encounter incompatibilities in their own testing.
