doc: add CVE to security incident item (#2495)

* doc: add CVE to security incident item

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

---------

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

Author: beckermr

news/2025-04-02-Security-Incident-with-Package-Uploads.md

@@ -1,7 +1,7 @@
-# Security Incident with Package Uploads
+# Security Incident with Package Uploads (CVE-2025-31484)
 
-Yesterday, ``conda-forge`` was notified of a security incident reporting that the ``anaconda.org`` upload token
-for the ``conda-forge`` channel had been accidentally leaked between on or about 2025-02-10 to 2025-04-01. Our
+Yesterday, `conda-forge` was notified of a security incident reporting that the `anaconda.org` upload token
+for the `conda-forge` channel had been accidentally leaked between on or about 2025-02-10 to 2025-04-01. Our
 investigation resulted in the temporary artifact upload shutdown you observed yesterday (2025-04-01). The results
 of our analysis show that, as best as can reasonably be determined, the token was not used by any 3rd party to
 upload malicious artifacts.
@@ -12,37 +12,37 @@ More details below the fold.
 
 ## Report details
 
-In the past few months, ``conda-forge`` has been engaging with an external security audit in collaboration with
+In the past few months, `conda-forge` has been engaging with an external security audit in collaboration with
 the [Open Source Technology Improvement Fund](https://ostif.org/) (OSTIF). The full results of this audit will be
 made public once it is complete per OSTIF responsible disclosure policies.
 
-During this process, OSTIF and their contractor uncovered misconfigured infrastructure which exposed the ``anaconda.org``
-token for the ``conda-forge`` channel to all feedstock maintainers. The token was exposed from on or about 2025-02-10 through
+During this process, OSTIF and their contractor uncovered misconfigured infrastructure which exposed the `anaconda.org`
+token for the `conda-forge` channel to all feedstock maintainers. The token was exposed from on or about 2025-02-10 through
 2025-04-01. See our [GitHub Security Advisory](https://github.com/conda-forge/infrastructure/security/advisories/GHSA-m4h2-49xf-vq72)
 for more details.
 
 We have requested a CVE from GitHub and will amend this announcement once it is issued. Our response to this
 incident is detailed below, but TL;DR, as best as can reasonably be determined, **no packages were compromised
 during this time**.
 
-Thank you for using ``conda-forge``, please [contact us](https://conda-forge.org/community/getting-in-touch/) if you
+Thank you for using `conda-forge`, please [contact us](https://conda-forge.org/community/getting-in-touch/) if you
 have further questions, and please follow our [security process](https://github.com/conda-forge/conda-forge.github.io/blob/main/SECURITY.md)
 for responsible reporting of vulnerabilities.
 
-**Finally, as a reminder, ``conda-forge`` packages are built by strangers on the internet (our wonderful feedstock
+**Finally, as a reminder, `conda-forge` packages are built by strangers on the internet (our wonderful feedstock
 maintainers!) and are not suitable for use cases that require secure software provenance.**
 
 ## Response timeline
 
 The timeline and details of our response to this security incident are as follows:
 
-- 2025-04-01 13:35 UTC: OSTIF and their contractor notified ``conda-forge`` of the leaked token.
-- 2025-04-01 14:00 UTC: The ``conda-forge/core`` team acknowledged receipt of the report and
+- 2025-04-01 13:35 UTC: OSTIF and their contractor notified `conda-forge` of the leaked token.
+- 2025-04-01 14:00 UTC: The `conda-forge/core` team acknowledged receipt of the report and
   started conducting the investigation.
-- 2025-04-01 14:15 UTC: The ``conda-forge/core`` team disabled the token and stopped uploads to ``anaconda.org``.
+- 2025-04-01 14:15 UTC: The `conda-forge/core` team disabled the token and stopped uploads to `anaconda.org`.
 - 2025-04-01 14:20 UTC: We posted an [incident](https://github.com/conda-forge/status/issues/194)
   to our status page reporting that uploads were temporarily paused.
-- 2025-04-01 15:19 UTC: We audited all uploads to the ``conda-forge`` channel, looking for uploads that
+- 2025-04-01 15:19 UTC: We audited all uploads to the `conda-forge` channel, looking for uploads that
   bypassed our upload staging process. We did not find any. This check is not completely robust, but it
   does indicate that nothing was obviously compromised.
 - 2025-04-01 15:53 UTC: We decided to delay disclosure by one day to 2025-04-02 in order to not generate
@@ -51,5 +51,4 @@ The timeline and details of our response to this security incident are as follow
 - 2025-04-01 21:39 UTC: We deployed a fix to our infrastructure.
 - 2025-04-01 22:20 UTC: We then deployed a new token to our infrastructure and restarted uploads.
 - 2025-04-01 23:02 UTC: The status page [incident](https://github.com/conda-forge/status/issues/194) was marked as resolved.
-- 2025-04-02: We published this announcement and the advisory. We requested a CVE from GitHub and will update this
-  notice when we get the number.
+- 2025-04-02: We published this announcement and the advisory. GitHub produced CVE-2025-31484 for us based on our security advisory.