diff --git a/CHANGELOG.md b/CHANGELOG.md
index c25f4bb8df..6bf4c2c658 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,9 +13,53 @@
* `[I18n]`: Internationalization. Changes to translations or localizations.
* `[OPTIM]`: Optimization or performance increase.
* `[DOC]`: Documentation changes. No changes to the library's behavior.
+* `[SECURITY]`: A change which fixes a security vulnerability.
## Changes
+### 0.13.0 (March 13, 2020)
+
+**NOTE:** This release contains the fix for [`CVE-2020-5257`][cve-5257], which
+fixes a potential SQL injection on dashboard sorting.
+
+* [SECURITY] Fix Sort order SQL injection.
+* [BUGFIX] [#1561] Fix very narrow nested fields.
+* [BUGFIX] [#1565] Fix unterminated single quote.
+* [UI] [#1537] Provide
tags for doc pages.
+* [BUGFIX] [#1552] Use the correct foreign key when sorting belongs_to
+ associations.
+* [FEATURE] [#1551] More readable warnings.
+* [FEATURE] [#1512] Avoid confusion with class methods and protected/private
+ modifiers.
+* [FEATURE] [#1513] Accessible from templates; avoids having to create new
+ field types.
+* [UI] [#1536] Declare doctype, language and charset.
+* [DOC] [#1540] Add new Date field to docs.
+* [FEATURE] [#1530] Include Date Field.
+* [BUGFIX] [#1522] Align label and data on show page.
+* [FEATURE] [#1521] Expose required fields on form.
+* [DOC] [#1531] Remove project level rubocop.yml.
+* [DOC] [#1534] Move documentation of how to disable some actions on
+ controller.
+* [UI] [#1524] Hide resources without index in the navigation.
+* [DOC] [#1523] Update screenshot.
+* [UI] [#1376] Add a "back" link to the navigation.
+* [DOC] [#1187] Update comment with new namespace.
+* [DOC] [#1514] Rewrite the contributing guide.
+* [BUGFIX] [#1495] Attempt to fix random CI failures.
+* [BUGFIX] [#1507] Remove query from link, to avoid triggering banned params.
+* [DOC] [#1479] Document controller APIs.
+* [COMPAT] [#1475] Allows running specs individually.
+* [UI] [#1484] Double-click to select attribute text.
+* [DOC] Configure GitHub Sponsors.
+* [COMPAT] [#1457] Fix PhantomJS test behaviour on Linux.
+* [BUGFIX] [#920] Remove NameError rescue in page base.
+* [BUGFIX] [#1447] Don't pass raw SQL when changing sort order.
+* [FEATURE] [#1452] Support Sprockets 4.
+* [DOC] [#1426] Add issue templates.
+
+[cve-5257]: https://github.com/thoughtbot/administrate/security/advisories/GHSA-2p5p-m353-833w
+
### 0.12.0 (September 10, 2019)
* [COMPAT] [#1331] Drop active_job from the dependencies.
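Review bot: The `[SECURITY] Fix Sort order SQL injection.` entry has no PR, commit or advisory reference, and the NOTE above it does not say which versions are affected, so a reader cannot tell from the changelog whether they need to upgrade or which change to audit. Suggest pointing the entry at `[cve-5257]` (or the fixing commit) and stating the affected range in the NOTE. It would also help to say how this entry relates to `[BUGFIX] [#1447] Don't pass raw SQL when changing sort order.` further down, since both describe the sort-order path and a reader may assume the earlier change was the complete fix. Separately, the `[#1537]` entry breaks after "Provide" and continues on a line without the indentation the other wrapped entries use; if it names an HTML element, wrap the name in backticks so it renders.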
diff --git a/Gemfile.lock b/Gemfile.lock
index e7af1a0d50..cbf61ca20d 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,7 +1,7 @@
PATH
remote: .
specs:
- administrate (0.12.0)
+ administrate (0.13.0)
actionpack (>= 4.2)
actionview (>= 4.2)
activerecord (>= 4.2)
@@ -94,7 +94,7 @@ GEM
i18n (>= 1.6, < 2)
faraday (1.0.0)
multipart-post (>= 1.2, < 3)
- ffi (1.11.3)
+ ffi (1.12.2)
formulaic (0.4.1)
activesupport
capybara
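Review bot: The `ffi (1.11.3)` to `ffi (1.12.2)` bump in this hunk is unrelated to the administrate version change and has no entry in the 0.13.0 changelog. If it is a side effect of re-running bundler, say so in the commit message; otherwise move it to its own commit so the release commit stays limited to the version bump.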
diff --git a/lib/administrate/version.rb b/lib/administrate/version.rb
index 8b7ce9d405..0aebdbfd6f 100644
--- a/lib/administrate/version.rb
+++ b/lib/administrate/version.rb
@@ -1,3 +1,3 @@
module Administrate
- VERSION = "0.12.0".freeze
+ VERSION = "0.13.0".freeze
end