From 818f4815dd1192cbcdf9f97ec9ea78d36e0e3278 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Nov 2025 13:34:16 +0100 Subject: [PATCH] JS: Change note --- .../change-notes/2025-11-26-response-default-content-type.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 javascript/ql/src/change-notes/2025-11-26-response-default-content-type.md diff --git a/javascript/ql/src/change-notes/2025-11-26-response-default-content-type.md b/javascript/ql/src/change-notes/2025-11-26-response-default-content-type.md new file mode 100644 index 00000000000..d7b5116fe1e --- /dev/null +++ b/javascript/ql/src/change-notes/2025-11-26-response-default-content-type.md @@ -0,0 +1,5 @@ +--- +category: minorAnalysis +--- +* `new Response(x)` is not longer seen as a reflected XSS sink when no`content-type` header + is set, since the content type defaults to `text/plain`.
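Review bot: The added change-note text has two typos in its first line: "is not longer seen" should read "is no longer seen", and "when no`content-type` header" is missing a space before the backtick. Both are worth fixing since this is user-facing text. Separately, the note states that the content type "defaults to `text/plain`" for any `new Response(x)`. Under the Fetch standard that default applies when the body is a string, whereas a Blob body takes the blob's own type, so consider stating which body types the sink exclusion covers, so readers do not assume every `Response` without an explicit header is safe.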