diff --git a/CHANGELOG.md b/CHANGELOG.md
index bc0d41f5..e3668e0b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
+### Changed
+
+- Bumped `io.github.dfa1.zstd` (the `vortex.zstd` FFM bindings, pinned by the BOM) 0.4 → 0.5, which ships smaller jars (native debug symbols stripped). ([6dcdbe94](https://github.com/dfa1/vortex-java/commit/6dcdbe94))
+
## [0.10.1] — 2026-06-27
Security hardening of the untrusted-input parse paths: every malformed-file path now surfaces as a `VortexException` instead of an unchecked `Error`, a raw JDK exception, or a resource leak (ADR 0003). Plus a `vortex.zstd` binding bump.
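Review bot: The new bullet under `### Changed` does not distinguish this bump from the `vortex.zstd` binding bump already recorded in the 0.10.1 summary just below it, so a reader cannot tell which release carries which binding version. Suggest wording the entry as a further bump on top of the 0.10.1 one, or naming the version that 0.10.1 moved to. Since the entry states that the 0.5 jars have native debug symbols stripped, it should also say whether the symbols are available separately, because native crash reports from the zstd library will otherwise be harder to symbolize.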
diff --git a/pom.xml b/pom.xml
index 6af709ac..08531c6f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -58,7 +58,7 @@
25
UTF-8
- 0.4
+ 0.5
4.3.0
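Review bot: The only change in this hunk is the value going from `0.4` to `0.5`, and the property it belongs to cannot be identified from the visible lines, so please confirm it is the `io.github.dfa1.zstd` version named in the CHANGELOG entry and not a neighbouring property. Because this dependency ships native code and 0.10.1 hardened the untrusted-input parse paths, re-run the malformed-file tests against 0.5 before merging to confirm those paths still surface as `VortexException`.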