From bf1c72c542eb89eae1880875961c1a59681e11ab Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Mon, 22 Jun 2026 12:47:39 +1000
Subject: [PATCH] CHANGELOG updates

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c179b45..e3e6942 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@
  * Perform harvest validation before trying to manifest from it.
  * Stricter validation on FQDN name in multisite mode.
  * Strict check of `$PATH` when running harvest as root, in case it could lead to execution of unsafe binaries during harvest. Override with `--assume-safe-path` for non-interactive or CI purposes.
+ * Stricter validation of the destination dirs that harvest or manifest write to, to prevent writing to a different user-controlled area. Stricter permissions on the output dirs too.
 
 # 0.6.0