diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index de7e0e3..0687ec8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -56,10 +56,13 @@ jobs:
 run: uv run mypy --config-file mypy.ini --follow-imports=silent
 - name: Tests with coverage
- run: uv run pytest --cov=src --cov-report=term-missing tests/unit
+ run: uv run pytest --cov=src --cov-report=term-missing --cov-fail-under=100 tests/unit
 - name: Static security analysis (bandit)
 run: uv run bandit -r src -c pyproject.toml --severity-level high
 - name: Dependency CVE audit (pip-audit)
- run: uv run pip-audit --strict
+ # `--skip-editable` skips the project's own editable install (whose
+ # version may not yet exist on PyPI during a release-prep PR).
+ # pip-audit still exits non-zero on real CVEs in third-party deps.
+ run: uv run pip-audit --skip-editable
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index 053ab55..9af52f2 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -59,10 +59,16 @@ jobs:
 # CVE. CI runs the same audit on every PR (.github/workflows/ci.yml),
 # but a vulnerability can be disclosed between the last green PR and the
 # release tag — this step closes that window.
+ #
+ # The project is installed editable so pip-audit sees its runtime deps;
+ # `--skip-editable` then skips the project itself (whose new tagged
+ # version isn't on PyPI yet — that's what this workflow is about to do).
+ # pip-audit still exits non-zero on real CVEs in third-party deps.
 - name: Pre-publish dependency CVE audit (pip-audit)
 run: |
 python -m pip install --upgrade pip-audit
- pip-audit --strict
+ python -m pip install -e .
+ pip-audit --skip-editable
 - name: Build distributions
 run: python -m build
diff --git a/Makefile b/Makefile
index 5b54d12..5bbeb07 100644
--- a/Makefile
+++ b/Makefile
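Review bot: The new `run: uv run pip-audit --skip-editable` line replaces `--strict` instead of adding to it, so any third-party dependency that pip-audit cannot collect or resolve is now skipped with a warning rather than failing the job; the added comment's claim that pip-audit "still exits non-zero on real CVEs" holds only for packages that were actually audited. As far as I can tell the two flags compose — `--skip-editable` leaves out the project's own editable install, `--strict` keeps every other skip fatal — so `run: uv run pip-audit --strict --skip-editable` preserves the previous guarantee while still fixing the release-prep failure the comment describes. The same substitution appears in the pypi.yml hunk (`pip-audit --skip-editable`) and in the Makefile `security` target, and the fix applies there as well. The `jobs:` block this step belongs to starts and ends outside the hunk.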
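Review bot: The added `python -m pip install -e .` resolves the project's dependencies fresh from the index using the declared ranges, so what `pip-audit --skip-editable` examines in this step is whatever pip picked at that moment, not the pinned set in uv.lock that the `uv run pip-audit` step in ci.yml audits; the new comment block does not say this. For a library that may be the intended consumer-facing view, but it means the two workflows can audit different versions of the same package, and a fresh resolution at release time can also differ from what was tested. A short note such as `# Audits the versions pip resolves for the declared ranges, not the uv.lock pins.` would make the scope explicit, and if the locked set is what you want audited, feeding an exported requirements file to pip-audit instead of installing editable would align the two steps. The `jobs:` block and the step list continue outside the hunk.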
@@ -56,7 +56,7 @@ typecheck: mypy
 # PR to catch issues your downstream consumers would otherwise flag.
 security:
 uv run --group security bandit -r src -c pyproject.toml --severity-level high
- uv run --group security pip-audit --strict
+ uv run --group security pip-audit --skip-editable
 docs-serve:
 uv run --group docs zensical serve
diff --git a/VERSION b/VERSION
index 9d6c175..964783a 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.5.12
+0.5.13
diff --git a/pyproject.toml b/pyproject.toml
index a7fc5d9..51cdc98 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -8,7 +8,7 @@ license = "MIT"
 license-files = [
 "LICENSE.txt"
 ]
-version = "0.5.12"
+version = "0.5.13"
 description = "Dexalot Python SDK - Core library for Dexalot interaction"
 readme = "README.md"
 requires-python = ">=3.12,<3.15"
diff --git a/src/dexalot_sdk/__init__.py b/src/dexalot_sdk/__init__.py
index 4c2adcf..78660a1 100644
--- a/src/dexalot_sdk/__init__.py
+++ b/src/dexalot_sdk/__init__.py
@@ -12,7 +12,7 @@ secrets_vault_set,
 )
-__version__ = "0.5.12"
+__version__ = "0.5.13"
 def get_version() -> str:
diff --git a/uv.lock b/uv.lock
index 05f7565..74dd842 100644
--- a/uv.lock
+++ b/uv.lock
@@ -733,7 +733,7 @@ wheels = [
 [[package]]
 name = "dexalot-sdk"
-version = "0.5.12"
+version = "0.5.13"
 source = { editable = "." }
 dependencies = [
 { name = "aiohttp" },