CHANGES.md in ruby-jss-3.1.0 vs CHANGES.md in ruby-jss-3.2.0b3

- old
+ new
@@ -13,9 +13,41 @@
 __Please update all installations of ruby-jss to at least v1.6.0.__
 
 Many many thanks to actae0n of Blacksun Hackers Club for reporting this issue and providing examples of how it could be exploited.
 
 --------
+## \[UNRELEASED] 
+
+### Changed
+  - Improved handling of known API bug in Jamf::Scopable::Scope.  
+
+    There is a long-standing bug in working with 'scope' via the Classic API, which can cause data-loss when you have 'Users' and 'User Groups' (known in the api data as `jss_users` and `jss_user_groups`) defined in the targets or exclusions. Thanks to @yanniks on GitHub, I recently learned that the bug only affects a few API objects, namely Policies and PatchPolicies.  
+
+    This release of ruby-jss will properly handle jss_users and jss_user_groups in all scopes where the API can handle them. In Policy and PatchPolicy objects, those values aren't allowed, since the API can't deal with them. If you edit any other aspect of the scope of one of those obects in ruby-jss, you'll get a warning that saving your changes may cause data-loss - deleting any defined Users and User Groups in the targets or exclusions. If the scope really doesn't use any Users or User Groups, you should be OK saving your changes. To prevent the warnings, call `Jamf::Scopable::Scope.do_not_warn_about_policy_scope_bugs` before changing any scopes.  
+
+    For more details, see the discussion in the comments/docs for the Jamf::Scopeable::Scope class in lib/jamf/api/classic/api_objects/scopable/scope.rb or in the [rubydocs page for the Scope class](https://www.rubydoc.info/gems/ruby-jss/Jamf/Scopable/Scope).  
+
+    Many thanks to @yanniks for bringing to my attention that the bug doesn't occur in all scopes.
+
+  - Warn of API bug when using jss_user_groups as scope targets of OSXConfigurationProfiles
+
+    We discovered a new (to us) isolated occurrance of the long-standing XML Array => JSON Hash bug
+    (which can cause data loss). If you have more that one jss_user_groups defined as scope targets
+    of a OSXConfigurationProfile, the API will only return the last of those groups in the JSON data, 
+    and saving changes to the profile via ruby-jss will remove the other groups from the Profile in 
+    Jamf. 
+    
+    This seems to only affect scope targets of OSXConfigurationProfiles - groups used in exclusions
+    seem to be fine, as do other scopable objects that uses jss_user_groups anywhere in their scope.
+
+    When you edit the scope of a scopable object and ruby-jss notices this API bug applies, you'll see a warning that saving changes to the scope may cause data loss. To disable these warnings, call `Jamf::Scopable::Scope.do_not_warn_about_array_hash_scope_bugs` before changing any scopes.  
+
+    For more details, see the discussion in the comments/docs for the Jamf::Scopeable::Scope class in lib/jamf/api/classic/api_objects/scopable/scope.rb or in the [rubydocs page for the Scope class](https://www.rubydoc.info/gems/ruby-jss/Jamf/Scopable/Scope).  
+
+
+### Fixed
+  - Jamf::DeviceEnrollment.device no longer uses String#upcase!, which fails on frozen strings. Instead just use String#casecmp?
+
 ## \[3.1.0] 2023-06-06
 
 ### Added
   - Jamf::Computer.filevault_info and Jamf::Computer#filevault_info can retrieve FileVault info from v1/computer-inventory/filevault and related endpoints
   - Jamf::Computer.recovery_lock_password and Jamf::Computer#recovery_lock_password can retrieve stored recovery lock passwords