Release v0.5.1 (#48)

* test: add regression tests for indirect symlink to /proc/PID/root bypass

These tests validate the security bug where symlinks pointing to
/proc/PID/root bypass protection because the input path doesn't
lexically start with /proc/.

Tests are expected to FAIL until proc-canonicalize is upgraded to v0.0.3+

Related: proc-canonicalize indirect symlink bypass issue

* docs: update CHANGELOG for indirect symlink bypass fix

* chore: bump version to v0.5.1

Author: DK26

CHANGELOG.md

@@ -5,7 +5,26 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased]
+## [0.5.1] - 2025-12-11
+
+### Fixed
+
+- **Indirect symlinks to `/proc/PID/root` now correctly preserve namespace boundaries**
+  - Previously, symlinks pointing to `/proc/PID/root` (e.g., `/tmp/container -> /proc/self/root`) would resolve to `/`, bypassing namespace protection
+  - This was because the input path didn't lexically start with `/proc/`, so `proc-canonicalize` delegated to `std::fs::canonicalize`
+  - Upgraded `proc-canonicalize` dependency from 0.0.2 to 0.0.3 which fixes this security bypass
+  - **Security**: Critical fix for container boundary enforcement - prevents attackers from escaping container isolation via indirect symlinks
+
+### Added
+
+- **Regression test suite for indirect `/proc/PID/root` symlink bypass** (`tests/linux_proc_indirect_symlink.rs`)
+  - 10 tests covering: direct symlinks, chained symlinks, suffix paths, attack scenarios, anchored API
+  - Tests validate that namespace boundaries are preserved for indirect symlinks
+  - Covers `/proc/self/root`, `/proc/PID/root`, and `/proc/thread-self/root` variants
+
+### Changed
+
+- **Dependency**: Upgraded `proc-canonicalize` from 0.0.2 to 0.0.3
 
 ## [0.5.0] - 2025-12-10
 

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "soft-canonicalize"
-version = "0.5.0"
+version = "0.5.1"
 edition = "2021"
 authors = ["David Krasnitsky <dikaveman@gmail.com>"]
 description = "Path canonicalization that works with non-existing paths."
@@ -19,7 +19,7 @@ rust-version = "1.70.0"
 [dependencies]
 # Optional: fixes std::fs::canonicalize for Linux /proc/PID/root magic symlinks.
 # Enabled by default. Disable with `default-features = false` if you need std behavior.
-proc-canonicalize = { version = "0.0.2", optional = true }
+proc-canonicalize = { version = "0.0.3", optional = true }
 
 # Optional dunce dependency for path simplification (Windows-only)
 [target.'cfg(windows)'.dependencies]