diff --git a/.changeset/critical-security-fixes.md b/.changeset/critical-security-fixes.md
deleted file mode 100644
index c899560..0000000
--- a/.changeset/critical-security-fixes.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-"@csrf-armor/core": patch
-"@csrf-armor/express": patch
-"@csrf-armor/nextjs": patch
----
-
-## SECURITY FIXES: Critical timing attack vulnerabilities and dependency updates
-
-This release addresses critical security vulnerabilities and updates all vulnerable dependencies.
-
-## Critical Security Fixes
-
-### Timing Attack Vulnerabilities (CRITICAL)
-Fixed three timing attack vulnerabilities in CSRF token validation that could allow attackers to reconstruct valid tokens through timing analysis:
-
-- **validateDoubleSubmit** (validation.ts:104): Replaced non-constant-time string comparison with `timingSafeEqual()`
-- **validateSignedDoubleSubmit cookie check** (validation.ts:142): Fixed cookie integrity comparison to use constant-time equality
-- **validateSignedDoubleSubmit token matching** (validation.ts:147): Fixed token comparison to prevent timing side-channel attacks
-
-These vulnerabilities could have allowed attackers to bypass CSRF protection entirely by analyzing response timing patterns. All token comparisons now use cryptographically constant-time operations.
-
-### Weak Secret Generation (HIGH)
-Fixed default secret generation (constants.ts:146) that produced weak comma-separated decimal strings instead of proper base64-encoded secrets. Now uses `generateSecureSecret()` for high-entropy, properly-encoded secrets.
-
-## Dependency Security Updates
-
-All vulnerable dependencies have been updated to patched versions:
-
-- **qs** (CVE-2025-15284): Updated to >=6.14.1 via pnpm override - fixes DoS vulnerability via memory exhaustion
-- **diff** (CVE-2026-24001): Updated to 8.0.3 via tsdown 0.20.1 - fixes denial of service vulnerability
-- **js-yaml**: Updated via @changesets/cli 2.29.8 - resolves YAML parsing vulnerabilities
-- **next** (npm advisories: 1112593, 1112638, 1112649): Updated to 16.1.6 - fixes multiple security vulnerabilities including CVE-2025-59471, CVE-2025-59472, and CVE-2026-23864
-
-## Other Updates
-
-- Updated `@biomejs/biome` to 2.3.13
-- Updated `@types/node` to 20.0.0 (fixes peer dependency warnings)
-- Updated vitest and related packages to 4.0.18
-- Updated typescript to 5.9.3
-- Updated jsdom to 27.4.0
-- Updated package exports to match new tsdown output format (.mjs files)
-
-## Security Impact
-
-- ✅ Zero critical vulnerabilities remaining
-- ✅ Zero high-severity vulnerabilities remaining
-- ✅ No remaining known CVEs after upgrade (verified via pnpm audit)
-- ✅ All 66 tests passing across all packages
-
-**Upgrade Priority: CRITICAL** - All users should upgrade immediately to address timing attack vulnerabilities.
\ No newline at end of file
diff --git a/packages/core/CHANGELOG.md b/packages/core/CHANGELOG.md
index 9360a12..357b785 100644
--- a/packages/core/CHANGELOG.md
+++ b/packages/core/CHANGELOG.md
@@ -1,5 +1,56 @@
 # @csrf-armor/core
 
+## 1.2.1
+
+### Patch Changes
+
+- [#36](https://github.com/muneebs/csrf-armor/pull/36) [`6b591f6`](https://github.com/muneebs/csrf-armor/commit/6b591f629a90a38614b82705b266952503b598fb) Thanks [@muneebs](https://github.com/muneebs)! - ## SECURITY FIXES: Critical timing attack vulnerabilities and dependency updates
+
+  This release addresses critical security vulnerabilities and updates all vulnerable dependencies.
+
+  ## Critical Security Fixes
+
+  ### Timing Attack Vulnerabilities (CRITICAL)
+
+  Fixed three timing attack vulnerabilities in CSRF token validation that could allow attackers to reconstruct valid tokens through timing analysis:
+
+  - **validateDoubleSubmit** (validation.ts:104): Replaced non-constant-time string comparison with `timingSafeEqual()`
+  - **validateSignedDoubleSubmit cookie check** (validation.ts:142): Fixed cookie integrity comparison to use constant-time equality
+  - **validateSignedDoubleSubmit token matching** (validation.ts:147): Fixed token comparison to prevent timing side-channel attacks
+
+  These vulnerabilities could have allowed attackers to bypass CSRF protection entirely by analyzing response timing patterns. All token comparisons now use cryptographically constant-time operations.
+
+  ### Weak Secret Generation (HIGH)
+
+  Fixed default secret generation (constants.ts:146) that produced weak comma-separated decimal strings instead of proper base64-encoded secrets. Now uses `generateSecureSecret()` for high-entropy, properly-encoded secrets.
+
+  ## Dependency Security Updates
+
+  All vulnerable dependencies have been updated to patched versions:
+
+  - **qs** (CVE-2025-15284): Updated to >=6.14.1 via pnpm override - fixes DoS vulnerability via memory exhaustion
+  - **diff** (CVE-2026-24001): Updated to 8.0.3 via tsdown 0.20.1 - fixes denial of service vulnerability
+  - **js-yaml**: Updated via @changesets/cli 2.29.8 - resolves YAML parsing vulnerabilities
+  - **next** (npm advisories: 1112593, 1112638, 1112649): Updated to 16.1.6 - fixes multiple security vulnerabilities including CVE-2025-59471, CVE-2025-59472, and CVE-2026-23864
+
+  ## Other Updates
+
+  - Updated `@biomejs/biome` to 2.3.13
+  - Updated `@types/node` to 20.0.0 (fixes peer dependency warnings)
+  - Updated vitest and related packages to 4.0.18
+  - Updated typescript to 5.9.3
+  - Updated jsdom to 27.4.0
+  - Updated package exports to match new tsdown output format (.mjs files)
+
+  ## Security Impact
+
+  - ✅ Zero critical vulnerabilities remaining
+  - ✅ Zero high-severity vulnerabilities remaining
+  - ✅ No remaining known CVEs after upgrade (verified via pnpm audit)
+  - ✅ All 66 tests passing across all packages
+
+  **Upgrade Priority: CRITICAL** - All users should upgrade immediately to address timing attack vulnerabilities.
+
 ## 1.2.0
 
 ### Minor Changes
diff --git a/packages/core/package.json b/packages/core/package.json
index 666530d..393b131 100644
--- a/packages/core/package.json
+++ b/packages/core/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@csrf-armor/core",
-  "version": "1.2.0",
+  "version": "1.2.1",
   "description": "Framework-agnostic CSRF protection core functionality",
   "type": "module",
   "main": "./dist/index.mjs",
diff --git a/packages/express/CHANGELOG.md b/packages/express/CHANGELOG.md
index 955725c..f800016 100644
--- a/packages/express/CHANGELOG.md
+++ b/packages/express/CHANGELOG.md
@@ -1,5 +1,59 @@
 # @csrf-armor/express
 
+## 1.2.1
+
+### Patch Changes
+
+- [#36](https://github.com/muneebs/csrf-armor/pull/36) [`6b591f6`](https://github.com/muneebs/csrf-armor/commit/6b591f629a90a38614b82705b266952503b598fb) Thanks [@muneebs](https://github.com/muneebs)! - ## SECURITY FIXES: Critical timing attack vulnerabilities and dependency updates
+
+  This release addresses critical security vulnerabilities and updates all vulnerable dependencies.
+
+  ## Critical Security Fixes
+
+  ### Timing Attack Vulnerabilities (CRITICAL)
+
+  Fixed three timing attack vulnerabilities in CSRF token validation that could allow attackers to reconstruct valid tokens through timing analysis:
+
+  - **validateDoubleSubmit** (validation.ts:104): Replaced non-constant-time string comparison with `timingSafeEqual()`
+  - **validateSignedDoubleSubmit cookie check** (validation.ts:142): Fixed cookie integrity comparison to use constant-time equality
+  - **validateSignedDoubleSubmit token matching** (validation.ts:147): Fixed token comparison to prevent timing side-channel attacks
+
+  These vulnerabilities could have allowed attackers to bypass CSRF protection entirely by analyzing response timing patterns. All token comparisons now use cryptographically constant-time operations.
+
+  ### Weak Secret Generation (HIGH)
+
+  Fixed default secret generation (constants.ts:146) that produced weak comma-separated decimal strings instead of proper base64-encoded secrets. Now uses `generateSecureSecret()` for high-entropy, properly-encoded secrets.
+
+  ## Dependency Security Updates
+
+  All vulnerable dependencies have been updated to patched versions:
+
+  - **qs** (CVE-2025-15284): Updated to >=6.14.1 via pnpm override - fixes DoS vulnerability via memory exhaustion
+  - **diff** (CVE-2026-24001): Updated to 8.0.3 via tsdown 0.20.1 - fixes denial of service vulnerability
+  - **js-yaml**: Updated via @changesets/cli 2.29.8 - resolves YAML parsing vulnerabilities
+  - **next** (npm advisories: 1112593, 1112638, 1112649): Updated to 16.1.6 - fixes multiple security vulnerabilities including CVE-2025-59471, CVE-2025-59472, and CVE-2026-23864
+
+  ## Other Updates
+
+  - Updated `@biomejs/biome` to 2.3.13
+  - Updated `@types/node` to 20.0.0 (fixes peer dependency warnings)
+  - Updated vitest and related packages to 4.0.18
+  - Updated typescript to 5.9.3
+  - Updated jsdom to 27.4.0
+  - Updated package exports to match new tsdown output format (.mjs files)
+
+  ## Security Impact
+
+  - ✅ Zero critical vulnerabilities remaining
+  - ✅ Zero high-severity vulnerabilities remaining
+  - ✅ No remaining known CVEs after upgrade (verified via pnpm audit)
+  - ✅ All 66 tests passing across all packages
+
+  **Upgrade Priority: CRITICAL** - All users should upgrade immediately to address timing attack vulnerabilities.
+
+- Updated dependencies [[`6b591f6`](https://github.com/muneebs/csrf-armor/commit/6b591f629a90a38614b82705b266952503b598fb)]:
+  - @csrf-armor/core@1.2.1
+
 ## 1.2.0
 
 ### Minor Changes
diff --git a/packages/express/package.json b/packages/express/package.json
index 32e9476..b57fa7f 100644
--- a/packages/express/package.json
+++ b/packages/express/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@csrf-armor/express",
-  "version": "1.2.0",
+  "version": "1.2.1",
   "description": "Express.js adapter for CSRF Armor - Advanced CSRF protection for Express.js applications",
   "type": "module",
   "main": "./dist/index.js",
diff --git a/packages/nextjs/CHANGELOG.md b/packages/nextjs/CHANGELOG.md
index 769bc30..734403f 100644
--- a/packages/nextjs/CHANGELOG.md
+++ b/packages/nextjs/CHANGELOG.md
@@ -1,5 +1,59 @@
 # @csrf-armor/nextjs
 
+## 1.4.1
+
+### Patch Changes
+
+- [#36](https://github.com/muneebs/csrf-armor/pull/36) [`6b591f6`](https://github.com/muneebs/csrf-armor/commit/6b591f629a90a38614b82705b266952503b598fb) Thanks [@muneebs](https://github.com/muneebs)! - ## SECURITY FIXES: Critical timing attack vulnerabilities and dependency updates
+
+  This release addresses critical security vulnerabilities and updates all vulnerable dependencies.
+
+  ## Critical Security Fixes
+
+  ### Timing Attack Vulnerabilities (CRITICAL)
+
+  Fixed three timing attack vulnerabilities in CSRF token validation that could allow attackers to reconstruct valid tokens through timing analysis:
+
+  - **validateDoubleSubmit** (validation.ts:104): Replaced non-constant-time string comparison with `timingSafeEqual()`
+  - **validateSignedDoubleSubmit cookie check** (validation.ts:142): Fixed cookie integrity comparison to use constant-time equality
+  - **validateSignedDoubleSubmit token matching** (validation.ts:147): Fixed token comparison to prevent timing side-channel attacks
+
+  These vulnerabilities could have allowed attackers to bypass CSRF protection entirely by analyzing response timing patterns. All token comparisons now use cryptographically constant-time operations.
+
+  ### Weak Secret Generation (HIGH)
+
+  Fixed default secret generation (constants.ts:146) that produced weak comma-separated decimal strings instead of proper base64-encoded secrets. Now uses `generateSecureSecret()` for high-entropy, properly-encoded secrets.
+
+  ## Dependency Security Updates
+
+  All vulnerable dependencies have been updated to patched versions:
+
+  - **qs** (CVE-2025-15284): Updated to >=6.14.1 via pnpm override - fixes DoS vulnerability via memory exhaustion
+  - **diff** (CVE-2026-24001): Updated to 8.0.3 via tsdown 0.20.1 - fixes denial of service vulnerability
+  - **js-yaml**: Updated via @changesets/cli 2.29.8 - resolves YAML parsing vulnerabilities
+  - **next** (npm advisories: 1112593, 1112638, 1112649): Updated to 16.1.6 - fixes multiple security vulnerabilities including CVE-2025-59471, CVE-2025-59472, and CVE-2026-23864
+
+  ## Other Updates
+
+  - Updated `@biomejs/biome` to 2.3.13
+  - Updated `@types/node` to 20.0.0 (fixes peer dependency warnings)
+  - Updated vitest and related packages to 4.0.18
+  - Updated typescript to 5.9.3
+  - Updated jsdom to 27.4.0
+  - Updated package exports to match new tsdown output format (.mjs files)
+
+  ## Security Impact
+
+  - ✅ Zero critical vulnerabilities remaining
+  - ✅ Zero high-severity vulnerabilities remaining
+  - ✅ No remaining known CVEs after upgrade (verified via pnpm audit)
+  - ✅ All 66 tests passing across all packages
+
+  **Upgrade Priority: CRITICAL** - All users should upgrade immediately to address timing attack vulnerabilities.
+
+- Updated dependencies [[`6b591f6`](https://github.com/muneebs/csrf-armor/commit/6b591f629a90a38614b82705b266952503b598fb)]:
+  - @csrf-armor/core@1.2.1
+
 ## 1.4.0
 
 ### Minor Changes
diff --git a/packages/nextjs/package.json b/packages/nextjs/package.json
index 1e40879..5fd693a 100644
--- a/packages/nextjs/package.json
+++ b/packages/nextjs/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@csrf-armor/nextjs",
-  "version": "1.4.0",
+  "version": "1.4.1",
   "description": "CSRF protection middleware for Next.js applications",
   "type": "module",
   "main": "./dist/index.js",