From 2681f663a0da5dbfb61d174c74779dc6abbb7d81 Mon Sep 17 00:00:00 2001
From: blackax
Date: Sat, 2 May 2026 16:26:54 -0700
Subject: [PATCH] =?UTF-8?q?chore(release):=20v0.5.5=20=E2=80=94=20security?= =?UTF-8?q?=20patch=20(CVE-2026-28684,=20CVE-2026-40347)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 CHANGELOG.md | 11 +++++++++++
 src/ssh_mcp/__init__.py | 2 +-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bc635a4..3a33f19 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [0.5.5] - 2026-05-02
+
+### Security
+
+- **CVE-2026-28684** (python-dotenv ≤ 1.2.1, symlink-following in `set_key`/`unset_key`) — closed by bumping the transitive dep to 1.2.2 in `uv.lock`. ssh-mcp doesn't call dotenv directly, but the package was pulled in via `mcp[cli]`; the deployed Docker image is now clean.
+- **CVE-2026-40347** (python-multipart < 0.0.26, multipart preamble DoS) — closed by bumping the transitive dep to 0.0.27 in `uv.lock`. Same transitive path via `mcp[cli]` → `starlette`.
+
+### Changed
+
+- CI `pip-audit` step now passes `--ignore-vuln CVE-2026-3219` for the runner-bundled pip 26.0.1 vulnerability (no upstream fix yet at release time). Tracked for removal once upstream pip ships a patched release; an automated agent will revisit on 2026-05-16.
+
 ## [0.5.4] - 2026-04-12
 ### Added
diff --git a/src/ssh_mcp/__init__.py b/src/ssh_mcp/__init__.py
index ac7da2f..0ff3b2b 100644
--- a/src/ssh_mcp/__init__.py
+++ b/src/ssh_mcp/__init__.py
@@ -1,3 +1,3 @@
 """SSH MCP Server - Manage infrastructure via Claude Code."""
-__version__ = "0.5.4"
+__version__ = "0.5.5"
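Review bot: Both Security entries say the CVEs are closed by bumps in `uv.lock`, but the diffstat of this commit lists only `CHANGELOG.md` and `src/ssh_mcp/__init__.py`, so the lock change that actually closes them is not in the release commit and a tag cut from it would still ship the old pins. Either fold the `uv.lock` bump into this commit or cite the commit that carries it, e.g. end each bullet with `(lockfile bump in <sha>)`, so the fix is traceable from the release note; the claim that "the deployed Docker image is now clean" cannot be checked from this diff and should be tied to that same reference or to a rebuilt-image audit. The `--ignore-vuln CVE-2026-3219` entry under Changed would be safer with an explicit removal condition rather than only a revisit date — for instance `remove once the runner's pip is >= the first fixed release` — because a date-based reminder that is missed leaves the suppression in the CI audit silently.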