v0.60.3

@github-actions github-actions released this 15 May 21:19

Security fixes

CVE-2026-46673

When compression is negotiated, an attacker can craft a "ZIP bomb" style packet that would bypass the maximum packet size checks. This could allow the attacker to hit the OOM limit and either get the server process killed by the OS, or, prior to russh@0.58.0, aborted. A similar issue existed in the AgentClient as well, which could be triggered by a malformed SSH agent response.
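The class of bug described above, as an added sketch in Python with the standard zlib module (not russh's code, and not its actual fix): a size check applied only to the compressed bytes, beside a variant that also caps the inflated output. The 256 KiB limit, the function names and the sample payloads are assumptions made for the illustration.

```python
import zlib

MAX_PACKET_LEN = 256 * 1024  # assumed limit for this sketch, not russh's constant


class PacketTooLarge(Exception):
    """Raised when a payload exceeds the limit before or after inflation."""


def inflate_unchecked(inflater, wire_payload, limit=MAX_PACKET_LEN):
    # Flawed pattern: only the compressed (on-the-wire) size is checked,
    # so the peer controls how much memory the inflated output takes.
    if len(wire_payload) > limit:
        raise PacketTooLarge("compressed payload over limit")
    return inflater.decompress(wire_payload)


def inflate_bounded(inflater, wire_payload, limit=MAX_PACKET_LEN):
    # Hardened pattern: the same limit also caps the inflated size.
    if len(wire_payload) > limit:
        raise PacketTooLarge("compressed payload over limit")
    # Ask zlib for at most limit + 1 bytes; it stops producing output there,
    # so an oversized payload costs one extra byte, not the full expansion.
    out = inflater.decompress(wire_payload, limit + 1)
    if len(out) > limit:
        # Stream state is no longer usable; the caller should drop the peer.
        raise PacketTooLarge("inflated payload over limit")
    return out


def deflate_packet(data):
    # Constructed sample input: one flushed segment of a longer zlib stream,
    # similar to how a compressed SSH payload arrives.
    c = zlib.compressobj()
    return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)


def demo():
    normal = deflate_packet(b"ssh-userauth" * 100)
    oversized = deflate_packet(bytes(8 * 1024 * 1024))  # constructed: 8 MiB of zeros
    res = {"wire_len": len(oversized)}
    res["unchecked_len"] = len(inflate_unchecked(zlib.decompressobj(), oversized))
    res["normal_ok"] = inflate_bounded(zlib.decompressobj(), normal) == b"ssh-userauth" * 100
    try:
        inflate_bounded(zlib.decompressobj(), oversized)
        res["bounded_rejected"] = False
    except PacketTooLarge:
        res["bounded_rejected"] = True
    return res


if __name__ == "__main__":
    print(demo())
```

The same cap belongs on any length-prefixed response read from a local peer, such as an SSH agent reply, before a buffer of the declared size is allocated.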