Add changelog for v4.13.6

Signed-off-by: Niklas <nscuro@protonmail.com>

docs/_posts/2025-11-17-v4.13.6.md

@@ -0,0 +1,111 @@
+---
+title: v4.13.6
+type: patch
+---
+
+Starting with this release, we're publishing a new container image variant for the
+*apiserver* and *bundled* distributions. The variant is based on [Alpine Linux] and uses
+[jlink] to ship a minimal Java Runtime Environment (JRE). As a result, image size is decreased
+by over 55% (~350MB vs. ~150MB uncompressed), and attack surface is reduced due to fewer
+operating system packages. It uses Java 25 and enables [compact object headers] by default,
+leading to lower memory footprint.
+
+To use the new image variant, append the `-alpine` suffix to the image tag, e.g.:
+
+* `docker.io/dependencytrack/apiserver:latest-alpine`
+* `docker.io/dependencytrack/bundled:4.13.6-alpine`
+
+The previous Debian-based image variant continues to be the default for now,
+but will eventually be discontinued in a future release. Users experiencing
+issues with `alpine` images can safely fall back to non-`alpine` variants.
+
+**Features:**
+
+* Add Alpine-based container variants - [apiserver/#5533]
+* Update Ukrainian translation - [frontend/#1385]
+
+**Fixes:**
+
+* Improve performance of database migration to v4.13.5 - [apiserver/#5419]
+* Ignore stale Lucene index entries - [apiserver/#5428]
+* Fix typo in email notification template - [apiserver/#5434]
+* Fix referential integrity violation during bulk project deletion - [apiserver/#5446]
+* Fix referential integrity violation during team deletion - [apiserver/#5447]
+* Fix NPE in Composer component metadata analyzer - [apiserver/#5519]
+* Fix XML External Entity injection via validation of CycloneDX BOMs in XML format - [apiserver/#5528] / [GHSA-93r8-3g93-w2gq]
+* Fix OSS Index documentation link - [apiserver/#5531]
+* Change `toString()` method of `Project` to use name and version instead of PURL - [apiserver/#5532]
+* Fix broken routing when `BASE_PATH` is configured - [frontend/#1381]
+* Fix policy tag selection dialogue using the wrong REST API endpoint - [frontend/#1382]
+* Fix persistent Cross-Site-Scripting via welcome message - [frontend/#1383] / [GHSA-7xvh-c266-cfr5]
+* Fix redirect loop when authenticated user is lacking permissions - [frontend/#1386]
+
+For a complete list of changes, refer to the respective GitHub milestones:
+
+* [API server milestone 4.13.6](https://github.com/DependencyTrack/dependency-track/milestone/60?closed=1)
+* [Frontend milestone 4.13.6](https://github.com/DependencyTrack/frontend/milestone/45?closed=1)
+
+We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
+
+Special thanks to everyone who contributed code to implement enhancements and fix defects:  
+
+[@ElenaStroebele], [@arjavdongaonkar], [@aurifi], [@ch8matt], [@illenko], [@sahibamittal], [@snieguu], [@stohrendorf]
+
+###### dependency-track-apiserver.jar
+
+| Algorithm | Checksum |
+|:----------|:---------|
+| SHA-1     | 3964cf821761609912487077fa41d513dad37d1a         |
+| SHA-256   | 8f2aa10424403b2b201d0c48b243ea3bbe458761         |
+
+###### dependency-track-bundled.jar
+
+| Algorithm | Checksum |
+|:----------|:---------|
+| SHA-1     | 1048a039391992fc36b23433d8987689baca33e68cc2130254787d1a3d1c66cc         |
+| SHA-256   | ab47deb0c5be2d947d57cf5862fef714023b4ce4d794ac00a855cf7590eb111e         |
+
+###### frontend-dist.zip
+
+| Algorithm | Checksum                                                         |
+|:----------|:-----------------------------------------------------------------|
+| SHA-1     | 525b47c72fb3bdbb675b5c5414319e5f19e43b03                         |
+| SHA-256   | 84440921692e95c88378e1f82738ccea24c2fb038083b42b3f1c98b1f6702a4a |
+
+###### Software Bill of Materials (SBOM)
+
+* API Server: [bom.json](https://github.com/DependencyTrack/dependency-track/releases/download/4.13.6/bom.json)
+* Frontend: [bom.json](https://github.com/DependencyTrack/frontend/releases/download/4.13.6/bom.json)
+
+[apiserver/#5419]: https://github.com/DependencyTrack/dependency-track/pull/5419
+[apiserver/#5428]: https://github.com/DependencyTrack/dependency-track/pull/5428
+[apiserver/#5434]: https://github.com/DependencyTrack/dependency-track/pull/5434
+[apiserver/#5446]: https://github.com/DependencyTrack/dependency-track/pull/5446
+[apiserver/#5447]: https://github.com/DependencyTrack/dependency-track/pull/5447
+[apiserver/#5519]: https://github.com/DependencyTrack/dependency-track/pull/5519
+[apiserver/#5528]: https://github.com/DependencyTrack/dependency-track/pull/5528
+[apiserver/#5531]: https://github.com/DependencyTrack/dependency-track/pull/5531
+[apiserver/#5532]: https://github.com/DependencyTrack/dependency-track/pull/5532
+[apiserver/#5533]: https://github.com/DependencyTrack/dependency-track/pull/5533
+
+[frontend/#1381]: https://github.com/DependencyTrack/frontend/pull/1381
+[frontend/#1382]: https://github.com/DependencyTrack/frontend/pull/1382
+[frontend/#1383]: https://github.com/DependencyTrack/frontend/pull/1383
+[frontend/#1385]: https://github.com/DependencyTrack/frontend/pull/1385
+[frontend/#1386]: https://github.com/DependencyTrack/frontend/pull/1386
+
+[GHSA-7xvh-c266-cfr5]: https://github.com/DependencyTrack/frontend/security/advisories/GHSA-7xvh-c266-cfr5
+[GHSA-93r8-3g93-w2gq]: https://github.com/DependencyTrack/dependency-track/security/advisories/GHSA-93r8-3g93-w2gq
+
+[@ElenaStroebele]: https://github.com/ElenaStroebele
+[@arjavdongaonkar]: https://github.com/arjavdongaonkar
+[@aurifi]: https://github.com/aurifi
+[@ch8matt]: https://github.com/ch8matt
+[@illenko]: https://github.com/illenko
+[@sahibamittal]: https://github.com/sahibamittal
+[@snieguu]: https://github.com/snieguu
+[@stohrendorf]: https://github.com/stohrendorf
+
+[Alpine Linux]: https://www.alpinelinux.org/
+[compact object headers]: https://openjdk.org/jeps/519
+[jlink]: https://dev.java/learn/jlink/