From ba380a545867f39532512dbcc41474558800ac53 Mon Sep 17 00:00:00 2001 From: dsinghvi <10870189+dsinghvi@users.noreply.github.com> Date: Mon, 20 Apr 2026 14:17:23 +0000 Subject: [PATCH] update changelogs --- .../sdks/generators/python/changelog/2026-04-20.mdx | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/fern/products/sdks/generators/python/changelog/2026-04-20.mdx b/fern/products/sdks/generators/python/changelog/2026-04-20.mdx index 8bafcbb9b..7e3676cbc 100644 --- a/fern/products/sdks/generators/python/changelog/2026-04-20.mdx +++ b/fern/products/sdks/generators/python/changelog/2026-04-20.mdx @@ -1,3 +1,12 @@ +## 5.5.5 +**`(fix):`** Raise the generated `aiohttp` optional-dependency lower bound from +`>=3.10.0,<4` to `>=3.13.4,<4` and add a `python = ">=3.9"` marker on +both `aiohttp` and `httpx-aiohttp` so the aiohttp extra is only installed +on Python 3.9+ while still allowing the SDK itself to support Python 3.8. +Enforces the patched minimum version for GHSA-c427-h43c-vf67 +(CVE-2026-34525) at the dependency spec level. + + ## 5.5.4 **`(fix):`** Clamp the minimum Python version produced by the generator to ^3.10. Python 3.8 reached EOL in Oct 2024 and Python 3.9 in Oct 2025; many popular PyPI packages (e.g. `requests` >=2.33) no longer publish wheels for those versions, which causes dependency resolution to pin older, known-vulnerable releases (GHSA-gc5v-m9x4-r6x2 / CVE-2026-25645). When `pyproject_python_version` specifies a range that allows a version older than 3.10, the generator now logs a warning and emits `python = "^3.10"` in the generated `pyproject.toml`.
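Review bot: The added 5.5.5 entry says the marker applies "while still allowing the SDK itself to support Python 3.8", but the unchanged 5.5.4 entry directly below it says the generator now clamps the minimum Python version and emits `python = "^3.10"`. Read together, the two entries contradict each other. Please either say in the 5.5.5 text how the `python = ">=3.9"` marker on `aiohttp` and `httpx-aiohttp` interacts with the 5.5.4 clamp, or drop the Python 3.8 clause if the clamp always applies. It would also help to state that on interpreters excluded by the marker the aiohttp extra is not installed at all, so readers understand that the `>=3.13.4,<4` bound for GHSA-c427-h43c-vf67 (CVE-2026-34525) is enforced only where the extra is actually installed.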