Prepare v1.5.1 release

dacharyc · dacharyc · commit 9eaa31951b56 · 2026-03-23T22:07:51.000-04:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,23 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.5.1]
+
+### Fixed
+
+- Block SSRF in link validation: the HTTP client now refuses to connect to
+  private/reserved IP addresses (loopback, RFC 1918, link-local, cloud metadata
+  endpoints). Each hop in a redirect chain is checked independently, preventing
+  redirects to internal addresses.
+- Block path traversal in internal link checks: relative links that resolve
+  outside the skill directory (e.g., `../../etc/passwd`) are now rejected
+  instead of being passed to `os.Stat`.
+
+### Added
+
+- SECURITY.md with reporting instructions and scope.
+- CONTRIBUTING.md, CODE_OF_CONDUCT.md, PR template, and issue templates.
+
 ## [1.5.0]
 
 ### Added
diff --git a/cmd/root.go b/cmd/root.go
@@ -11,7 +11,7 @@ import (
 	"github.com/agent-ecosystem/skill-validator/types"
 )
 
-const version = "v1.5.0"
+const version = "v1.5.1"
 
 var (
 	outputFormat    string

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ import (`
`11`	`11`	`"github.com/agent-ecosystem/skill-validator/types"`
`12`	`12`	`)`
`13`	`13`
`14`		`-const version = "v1.5.0"`
	`14`	`+const version = "v1.5.1"`
`15`	`15`
`16`	`16`	`var (`
`17`	`17`	`outputFormat string`