4 files changed, 46 insertions, 3 deletions

diff --git a/docs/dev/README.md b/docs/dev/README.md
index b91013f13..57162a47d 100644
--- a/docs/dev/README.md
+++ b/docs/dev/README.md
@@ -226,6 +226,9 @@ If the GitHub Actions release fails because of a transient problem like a timeou
 If it fails because of something that needs to be fixed, remove the release tag (if needed), fix the problem, then start over.
 Make sure to remove the new changelog post created when running `cargo xtask release` a second time.
 
+We release "nightly" every night automatically and promote the latest nightly to "stable" manually, every week.
+We don't do "patch" releases, unless something truly egregious comes up.
+
 # Permissions
 
 There are three sets of people with extra permissions:
diff --git a/docs/dev/lsp-extensions.md b/docs/dev/lsp-extensions.md
index 694fafcd5..8a6f9f06e 100644
--- a/docs/dev/lsp-extensions.md
+++ b/docs/dev/lsp-extensions.md
@@ -1,5 +1,5 @@
 <!---
-lsp_ext.rs hash: 4dfa8d7035f4aee7
+lsp_ext.rs hash: e8a7502bd2b2c2f5
 
 If you need to change the above hash to make the test pass, please check if you
 need to adjust this doc as well and ping this  issue:
@@ -595,3 +595,29 @@ interface TestInfo {
     runnable: Runnable;
 }
 ```
+
+## Hover Actions
+
+**Issue:** https://github.com/rust-analyzer/rust-analyzer/issues/6823
+
+This request is sent from client to server to move item under cursor or selection in some direction.
+
+**Method:** `experimental/moveItemUp`
+**Method:** `experimental/moveItemDown`
+
+**Request:** `MoveItemParams`
+
+**Response:** `TextDocumentEdit | null`
+
+```typescript
+export interface MoveItemParams {
+    textDocument: lc.TextDocumentIdentifier,
+    range: lc.Range,
+    direction: Direction
+}
+
+export const enum Direction {
+    Up = "Up",
+    Down = "Down"
+}
+```
diff --git a/docs/user/generated_config.adoc b/docs/user/generated_config.adoc
index c2521289c..871c65add 100644
--- a/docs/user/generated_config.adoc
+++ b/docs/user/generated_config.adoc
@@ -206,10 +206,10 @@ Use markdown syntax for links in hover.
 --
 Whether to show inlay type hints for method chains.
 --
-[[rust-analyzer.inlayHints.maxLength]]rust-analyzer.inlayHints.maxLength (default: `null`)::
+[[rust-analyzer.inlayHints.maxLength]]rust-analyzer.inlayHints.maxLength (default: `25`)::
 +
 --
-Maximum length for inlay hints. Default is unlimited.
+Maximum length for inlay hints. Set to null to have an unlimited length.
 --
 [[rust-analyzer.inlayHints.parameterHints]]rust-analyzer.inlayHints.parameterHints (default: `true`)::
 +
diff --git a/docs/user/manual.adoc b/docs/user/manual.adoc
index dba2197de..8656dd1da 100644
--- a/docs/user/manual.adoc
+++ b/docs/user/manual.adoc
@@ -516,6 +516,20 @@ See https://github.com/rust-analyzer/rust-project.json-example for a small examp
 
 You can set `RA_LOG` environmental variable to `rust_analyzer=info` to inspect how rust-analyzer handles config and project loading.
 
+== Security
+
+At the moment, rust-analyzer assumes that all code is trusted.
+Here is a **non-exhaustive** list of ways to make rust-analyzer execute arbitrary code:
+
+* proc macros and build scripts are executed by default
+* `.cargo/config` can override `rustc` with an arbitrary executable
+* VS Code plugin reads configuration from project directory, and that can be used to override paths to various executables, like `rustfmt` or `rust-analyzer` itself.
+* rust-analyzer's syntax trees library uses a lot of `unsafe` and hasn't been properly audited for memory safety.
+
+rust-analyzer itself doesn't access the network.
+The VS Code plugin doesn't access the network unless the nightly channel is selected in the settings.
+In that case, the plugin uses the GitHub API to check for and download updates.
+
 == Features
 
 include::./generated_features.adoc[]