author: Pawel Zelawski <pawel@pzelawski.com> 2026-04-18 17:03:41 +0200
committer: Pawel Zelawski <pawel@pzelawski.com> 2026-04-18 17:03:41 +0200
commit: c333c7daecb0bb6a026d26844dbf57c2665051d7 (patch)
tree: 9f0270fa23b0fb541340cc0d8481568d9a959db9 /CHANGELOG.md
parent: 49f83b48196fbc260979f4a808328a34992b12c5 (diff)

chore: bump version to 2.0.3, patch security vulnerabilities in vite and lodash (HEAD, main)
Diffstat (limited to 'CHANGELOG.md')
-rw-r--r--  CHANGELOG.md | 11 +
1 file changed, 11 insertions(+), 0 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c9d6fa3..ed0c495 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [2.0.3] - 2026-04-18
+### Security
+- Upgraded `vite` dev dependency to `^6.4.2` to address two CVEs:
+ - Arbitrary file read via Vite dev server WebSocket (`fetchModule` bypass of `server.fs` checks).
+ - Path traversal in optimized deps `.map` handling.
+- Added/updated `overrides` for transitive dependencies to address additional CVEs:
+ - `lodash` pinned to `^4.18.0`: code injection via `_.template` imports key names and prototype pollution via array path bypass in `_.unset`/`_.omit`.
+ - `brace-expansion` pinned to `^2.0.3`: zero-step sequence causes process hang and memory exhaustion.
+ - `flatted` pinned to `^3.4.2`: unbounded recursion DoS and prototype pollution in `parse()`.
+ - `picomatch` pinned to `^4.0.4`: method injection via POSIX character classes and ReDoS via extglob quantifiers.
+
## [1.1.0] - YYYY-MM-DD
### Fixed
- Corrected signature verification for DigiByte Bech32 addresses (starting with `dgb1...`). Signatures from these addresses were previously unverifiable due to issues in the underlying `digibyte-message` dependency.
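Review bot: the new `### Security` block names none of the advisories it fixes, even though the first bullet says "two CVEs" and the `overrides` bullet says "additional CVEs"; add the CVE or GHSA identifier to each bullet (e.g. `- Arbitrary file read via Vite dev server WebSocket (...) (CVE-XXXX-XXXXX)`, with the real id from the advisory) so a reader can check the pinned versions against the advisory and a scanner can match the entry. Since the fix relies on npm `overrides` for transitive packages, it is also worth stating in the `lodash`/`brace-expansion`/`flatted`/`picomatch` bullets that these are override pins rather than direct dependency bumps, so a later dependency refresh does not silently drop them. Separately, the trailing context line `## [1.1.0] - YYYY-MM-DD` still carries a placeholder date; fill it in while the changelog is being touched.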