Merge pull request #6158 from kenjis/fix-docs-changelog-v420

docs: improve changelog v4.2.0

user_guide_src/source/changelogs/v4.2.0.rst

@@ -13,6 +13,7 @@ Highlights
 **********
 
 - Update minimal PHP requirement to 7.4.
+- To make the default configuration more secure, auto-routing has been changed to disabled by default.
 - **OCI8 Driver for Oracle Database** (*contributed by* `ytetsuro <https://github.com/ytetsuro>`_). See `Database`_.
 - **Improved Auto Routing** (opt-in) (*contributed by* `kenjis <https://github.com/kenjis>`_). See `New Improved Auto Routing`_.
 - Query Builder **Subqueries** and **UNION** support (*contributed by* `Andrey Pyzhikov <https://github.com/iRedds>`_). See `Database`_.
@@ -134,11 +135,11 @@ Changes
 *******
 
 - Update minimal PHP requirement to 7.4.
-- The current version of Content Security Policy (CSP) outputs one nonce for script and one for style tags. The previous version outputted one nonce for each tag.
-- The process of sending cookies has been moved to the ``Response`` class. Now the ``Session`` class doesn't send cookies, set them to the Response.
+- To make the default configuration more secure, auto-routing has been changed to disabled by default.
 - Validation. Changed generation of errors when using fields with a wildcard (*). Now the error key contains the full path. See :ref:`validation-getting-all-errors`.
 - ``Validation::getError()`` when using a wildcard will return all found errors matching the mask as a string.
-- To make the default configuration more secure, auto-routing has been changed to disabled by default.
+- The current version of Content Security Policy (CSP) outputs one nonce for script and one for style tags. The previous version outputted one nonce for each tag.
+- The process of sending cookies has been moved to the ``Response`` class. Now the ``Session`` class doesn't send cookies, set them to the Response.
 
 Deprecations
 ************