chore(release): version packages

packages/core/CHANGELOG.md

@@ -1,5 +1,19 @@
 # @csrf-armor/core
 
+## 1.2.3
+
+### Patch Changes
+
+- [#52](https://github.com/muneebs/csrf-armor/pull/52) [`440e0af`](https://github.com/muneebs/csrf-armor/commit/440e0af0a55bf2b3c93e26d031ea31a40540ad43) Thanks [@muneebs](https://github.com/muneebs)! - chore(deps): patch transitive dev dependency security advisories
+
+  Bumps pnpm overrides for `vite` (`^6.4.1` → `^6.4.2`) and `unhead` (`>=2.1.11` → `>=2.1.13`) to pull in patched versions. These are dev/build-time dependencies only — no runtime behavior or published API changes.
+
+  Addresses:
+
+  - GHSA: Vite arbitrary file read via dev server WebSocket (high, <=6.4.1)
+  - GHSA: Vite path traversal in optimized deps `.map` handling (medium, <=6.4.1)
+  - GHSA: Unhead `hasDangerousProtocol()` bypass via leading-zero padded HTML entities in `useHeadSafe()` (medium, <2.1.13)
+
 ## 1.2.2
 
 ### Patch Changes

packages/core/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@csrf-armor/core",
-  "version": "1.2.2",
+  "version": "1.2.3",
   "description": "Framework-agnostic CSRF protection core functionality",
   "type": "module",
   "main": "./dist/index.mjs",

packages/express/CHANGELOG.md

@@ -1,5 +1,22 @@
 # @csrf-armor/express
 
+## 1.2.3
+
+### Patch Changes
+
+- [#52](https://github.com/muneebs/csrf-armor/pull/52) [`440e0af`](https://github.com/muneebs/csrf-armor/commit/440e0af0a55bf2b3c93e26d031ea31a40540ad43) Thanks [@muneebs](https://github.com/muneebs)! - chore(deps): patch transitive dev dependency security advisories
+
+  Bumps pnpm overrides for `vite` (`^6.4.1` → `^6.4.2`) and `unhead` (`>=2.1.11` → `>=2.1.13`) to pull in patched versions. These are dev/build-time dependencies only — no runtime behavior or published API changes.
+
+  Addresses:
+
+  - GHSA: Vite arbitrary file read via dev server WebSocket (high, <=6.4.1)
+  - GHSA: Vite path traversal in optimized deps `.map` handling (medium, <=6.4.1)
+  - GHSA: Unhead `hasDangerousProtocol()` bypass via leading-zero padded HTML entities in `useHeadSafe()` (medium, <2.1.13)
+
+- Updated dependencies [[`440e0af`](https://github.com/muneebs/csrf-armor/commit/440e0af0a55bf2b3c93e26d031ea31a40540ad43)]:
+  - @csrf-armor/core@1.2.3
+
 ## 1.2.2
 
 ### Patch Changes

packages/express/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@csrf-armor/express",
-  "version": "1.2.2",
+  "version": "1.2.3",
   "description": "Express.js adapter for CSRF Armor - Advanced CSRF protection for Express.js applications",
   "type": "module",
   "types": "./dist/index.d.ts",

packages/nextjs/CHANGELOG.md

@@ -1,5 +1,28 @@
 # @csrf-armor/nextjs
 
+## 1.4.3
+
+### Patch Changes
+
+- [#50](https://github.com/muneebs/csrf-armor/pull/50) [`7d4adeb`](https://github.com/muneebs/csrf-armor/commit/7d4adebc94ceb1f01a6af0807b7a5f0c7a92b1f0) Thanks [@muneebs](https://github.com/muneebs)! - fix(client): preserve headers when `csrfFetch` is called with a `Request` object
+
+  `csrfFetch` previously only read headers from the `init` argument, so when it was called with a full `Request` object (e.g. `csrfFetch(new Request(url, { headers }))`), the Request's headers were stripped. It now merges headers from the Request, then the `init` argument, then the CSRF headers (CSRF headers always take precedence), making `csrfFetch` a drop-in replacement for `fetch`.
+
+  Fixes #49
+
+- [#52](https://github.com/muneebs/csrf-armor/pull/52) [`440e0af`](https://github.com/muneebs/csrf-armor/commit/440e0af0a55bf2b3c93e26d031ea31a40540ad43) Thanks [@muneebs](https://github.com/muneebs)! - chore(deps): patch transitive dev dependency security advisories
+
+  Bumps pnpm overrides for `vite` (`^6.4.1` → `^6.4.2`) and `unhead` (`>=2.1.11` → `>=2.1.13`) to pull in patched versions. These are dev/build-time dependencies only — no runtime behavior or published API changes.
+
+  Addresses:
+
+  - GHSA: Vite arbitrary file read via dev server WebSocket (high, <=6.4.1)
+  - GHSA: Vite path traversal in optimized deps `.map` handling (medium, <=6.4.1)
+  - GHSA: Unhead `hasDangerousProtocol()` bypass via leading-zero padded HTML entities in `useHeadSafe()` (medium, <2.1.13)
+
+- Updated dependencies [[`440e0af`](https://github.com/muneebs/csrf-armor/commit/440e0af0a55bf2b3c93e26d031ea31a40540ad43)]:
+  - @csrf-armor/core@1.2.3
+
 ## 1.4.2
 
 ### Patch Changes

packages/nextjs/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@csrf-armor/nextjs",
-  "version": "1.4.2",
+  "version": "1.4.3",
   "description": "CSRF protection middleware for Next.js applications",
   "type": "module",
   "main": "./dist/index.js",

packages/nuxt/CHANGELOG.md

@@ -1,5 +1,28 @@
 # @csrf-armor/nuxt
 
+## 1.1.2
+
+### Patch Changes
+
+- [#50](https://github.com/muneebs/csrf-armor/pull/50) [`7d4adeb`](https://github.com/muneebs/csrf-armor/commit/7d4adebc94ceb1f01a6af0807b7a5f0c7a92b1f0) Thanks [@muneebs](https://github.com/muneebs)! - fix(client): preserve headers when `csrfFetch` is called with a `Request` object
+
+  `csrfFetch` previously only read headers from the `init` argument, so when it was called with a full `Request` object (e.g. `csrfFetch(new Request(url, { headers }))`), the Request's headers were stripped. It now merges headers from the Request, then the `init` argument, then the CSRF headers (CSRF headers always take precedence), making `csrfFetch` a drop-in replacement for `fetch`.
+
+  Fixes #49
+
+- [#52](https://github.com/muneebs/csrf-armor/pull/52) [`440e0af`](https://github.com/muneebs/csrf-armor/commit/440e0af0a55bf2b3c93e26d031ea31a40540ad43) Thanks [@muneebs](https://github.com/muneebs)! - chore(deps): patch transitive dev dependency security advisories
+
+  Bumps pnpm overrides for `vite` (`^6.4.1` → `^6.4.2`) and `unhead` (`>=2.1.11` → `>=2.1.13`) to pull in patched versions. These are dev/build-time dependencies only — no runtime behavior or published API changes.
+
+  Addresses:
+
+  - GHSA: Vite arbitrary file read via dev server WebSocket (high, <=6.4.1)
+  - GHSA: Vite path traversal in optimized deps `.map` handling (medium, <=6.4.1)
+  - GHSA: Unhead `hasDangerousProtocol()` bypass via leading-zero padded HTML entities in `useHeadSafe()` (medium, <2.1.13)
+
+- Updated dependencies [[`440e0af`](https://github.com/muneebs/csrf-armor/commit/440e0af0a55bf2b3c93e26d031ea31a40540ad43)]:
+  - @csrf-armor/core@1.2.3
+
 ## 1.1.1
 
 ### Patch Changes

packages/nuxt/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@csrf-armor/nuxt",
-  "version": "1.1.1",
+  "version": "1.1.2",
   "description": "Nuxt module for CSRF protection powered by csrf-armor",
   "type": "module",
   "license": "MIT",