diff --git a/CHANGELOG.md b/CHANGELOG.md
index a9859739..f3772715 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,11 @@
+**Changes in Veilid 0.1.9**
+- SECURITY FIX
+  * DESCRIPTION: Decompression was occurring in an unbounded way upon envelope receipt.
+  * IMPACT: Node crashes resulting in downtime. There was no risk of RCE or compromise due to Rust's memory protections and no use of unsafe code near the site of the error.
+  * INDICATIONS: This resulted in an out-of-memory abort on nodes. Issue first identified on the bootstrap servers. 
+  * REMEDIATION: Length check added to decompression on envelopes.
+- Earthfile support for generating a debug executable
+
 **Changes in Veilid 0.1.8**
 - Fix Python Install Instructions
 - Fix to get server version from crate
diff --git a/veilid-core/src/veilid_api/serialize_helpers/compression.rs b/veilid-core/src/veilid_api/serialize_helpers/compression.rs
new file mode 100644
index 00000000..0018da7c
--- /dev/null
+++ b/veilid-core/src/veilid_api/serialize_helpers/compression.rs
@@ -0,0 +1,25 @@
+use super::*;
+use lz4_flex::block;
+
+use crate::apibail_generic;
+
+pub fn compress_prepend_size(input: &[u8]) -> Vec<u8> {
+    block::compress_prepend_size(input)
+}
+
+pub fn decompress_size_prepended(
+    input: &[u8],
+    max_size: Option<usize>,
+) -> VeilidAPIResult<Vec<u8>> {
+    let (uncompressed_size, input) =
+        block::uncompressed_size(input).map_err(VeilidAPIError::generic)?;
+    if let Some(max_size) = max_size {
+        if uncompressed_size > max_size {
+            apibail_generic!(format!(
+                "decompression exceeded maximum size: {} > {}",
+                uncompressed_size, max_size
+            ));
+        }
+    }
+    Ok(block::decompress(input, uncompressed_size).map_err(VeilidAPIError::generic)?)
+}