Add a note saying that PR/MR URLs are not a good idea

cweagans · cweagans · commit a43a186e02c1 · 2023-07-01T01:03:31.000-06:00
diff --git a/docs/usage/defining-patches.md b/docs/usage/defining-patches.md
@@ -11,6 +11,12 @@ You can describe patches to the plugin in one of two ways: the compact format or
 In any of the following examples, you can specify a path relative to the root of your project instead of a web address.
 {{< /callout >}}
 
+{{< warning title="Avoid using patches autogenerated by PR/MR URLs" >}}
+The contents of these patches can change by pushing more commits to a pull request or merge request. A malicious user
+could abuse this behavior to cause you to deploy code that you didn't mean to deploy. If you must use a PR/MR as the
+basis for a patch, download the patch, include it in your project, and apply the patch using the local path instead.
+{{< /warning >}}
+
 ### Compact format
 
 ```json
