From a43a186e02c18ce0c77e837f7a5ff4a6e5287b94 Mon Sep 17 00:00:00 2001 From: Cameron Eagans Date: Sat, 1 Jul 2023 01:03:31 -0600 Subject: [PATCH] Add a note saying that PR/MR URLs are not a good idea --- docs/usage/defining-patches.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/usage/defining-patches.md b/docs/usage/defining-patches.md index 79a2441..c30c7b3 100644 --- a/docs/usage/defining-patches.md +++ b/docs/usage/defining-patches.md @@ -11,6 +11,12 @@ You can describe patches to the plugin in one of two ways: the compact format or In any of the following examples, you can specify a path relative to the root of your project instead of a web address. {{< /callout >}} +{{< warning title="Avoid using patches autogenerated by PR/MR URLs" >}} +The contents of these patches can change by pushing more commits to a pull request or merge request. A malicious user +could abuse this behavior to cause you to deploy code that you didn't mean to deploy. If you must use a PR/MR as the +basis for a patch, download the patch, include it in your project, and apply the patch using the local path instead. +{{< /warning >}} + ### Compact format ```json
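Review bot: The warning title reads awkwardly; "patches autogenerated by PR/MR URLs" should be "patches autogenerated from PR/MR URLs", since the URL is the source the patch is generated from, not the thing that generates it. The remedy sentence also stops one step short of the point being made: the reason a local copy helps is that it pins the exact contents you looked at, so consider "download the patch, review it, include it in your project, and apply the patch using the local path instead." so the reader understands that downloading alone does not remove the risk described two sentences earlier. Minor: the callout directly above already notes that a project-relative path can replace a web address, so the warning could end with a short pointer to that callout rather than re-explaining the local-path mechanism.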