diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5051002..ca7f2c4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,24 @@

 All notable changes to CVE Lite CLI will be documented in this file.

+## [1.18.0] - 2026-05-25
+
+### Added
+- Show targeted retry and offline hints for OSV 429 rate-limit and 5xx server error responses.
+- Emit lockfile-refresh fix commands for pnpm (`pnpm update`), yarn (`yarn upgrade`), and bun (`bun update`) when the parent's declared range already covers the fixed transitive dependency version.
+
+### Fixed
+- Added package manager hint to `--fix` command failure errors.
+
+### Changed
+- Workspace-scoped lockfile-refresh commands now generated for pnpm, yarn, and bun when the parent's declared range already covers the safe transitive version; lockfile-refresh targets appear in their own fix-plan sections rather than mixed with direct-fix targets; fix coverage count ("Running these commands should fix X of Y findings") added to both terminal and HTML output; "within current range" label renamed to "lockfile refresh" with context strings rewritten to plainly state the parent already permits the safe child version.
+- Unified excluded directory list for `--usage` source scanning with the shared `EXCLUDED_DIRS` constant.
+- Extracted `formatAdvisoryDbFreshness` and `relativeAge` from `src/index.ts` into `src/utils/time.ts`.
+- Extracted CLI flag validation from `src/index.ts` into `src/cli/validate.ts`.
+- Extracted `formatAdvisorySourceLine` to `src/output/formatters.ts` and `countBySeverity` to `src/utils/severity.ts`.
+- Extracted package.json / workspace reading helpers from `src/index.ts` into `src/utils/package-json.ts`.
+- Extracted `DEFAULT_BATCH_SIZE` and `DEFAULT_SEARCH_DEPTH` magic numbers to named constants in `src/constants.ts`.
+
 ## [1.17.3] - 2026-05-22

 ### Fixed
diff --git a/package-lock.json b/package-lock.json
index de179d9..74a0c13 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@ { "name": "cve-lite-cli", - "version": "1.17.3", + "version": "1.18.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "cve-lite-cli", - "version": "1.17.3", + "version": "1.18.0", "license": "MIT", "dependencies": { "better-sqlite3": "^12.8.0",
diff --git a/package.json b/package.json
index 193584c..6be882e 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "cve-lite-cli",
- "version": "1.17.3",
+ "version": "1.18.0",
 "description": "Developer-friendly CLI for scanning JS/TS projects for dependency vulnerabilities using local lockfiles and OSV",
 "type": "module",
 "bin": {
diff --git a/website/docusaurus.config.ts b/website/docusaurus.config.ts
index 2283666..173f5e0 100644
--- a/website/docusaurus.config.ts
+++ b/website/docusaurus.config.ts
@@ -2,7 +2,7 @@ import {themes as prismThemes} from 'prism-react-renderer';
 import type {Config} from '@docusaurus/types';
 import type * as Preset from '@docusaurus/preset-classic';

-const latestVersion = 'v1.17.3';
+const latestVersion = 'v1.18.0';

 const config: Config = {
 title: 'CVE Lite CLI',