Release version v3.33.4

• 7bf0e73: Fix extra mark tokens after inline atom nodes during Markdown serialization
• 7bf0e73: Fix adjacent marks of the same type with different attributes being merged during Markdown serialization
• Updated dependencies [7bf0e73]
• Updated dependencies [7bf0e73]
  • @tiptap/core@3.23.5
  • @tiptap/pm@3.23.5

• 7bf0e73: Fix $pos() returning correct node for non-text atom nodes instead of doc node
• 7bf0e73: fix(nodeview): eliminate unnecessary re-renders, add opt-in position tracking NodeViews no longer re-render when decorations or position change without content changes. Added trackNodeViewPosition option — when enabled, the component re-renders on every position shift so calls to getPos() stay current in render output. Removed the internal nodeViewPositionRegistry. Added shallow prop comparison in ReactRenderer.updateProps().
• @tiptap/pm@3.23.5

• 7bf0e73: Respect explicit immediatelyRender: true in client-side Next.js. Previously, when running under Next.js (window.next present), the immediatelyRender option was forced to false even when the user explicitly passed true, breaking client-only Next.js apps that rely on the editor existing on the first render. The hook now only forces false when actual SSR is detected (typeof window === 'undefined'), or when running under Next.js with no explicit value.
• 7bf0e73: fix(nodeview): eliminate unnecessary re-renders, add opt-in position tracking NodeViews no longer re-render when decorations or position change without content changes. Added trackNodeViewPosition option — when enabled, the component re-renders on every position shift so calls to getPos() stay current in render output. Removed the internal nodeViewPositionRegistry. Added shallow prop comparison in ReactRenderer.updateProps().
• Updated dependencies [7bf0e73]
• Updated dependencies [7bf0e73]
  • @tiptap/core@3.23.5
  • @tiptap/pm@3.23.5

• 7bf0e73: fix(nodeview): eliminate unnecessary re-renders, add opt-in position tracking NodeViews no longer re-render when decorations or position change without content changes. Added trackNodeViewPosition option — when enabled, the component re-renders on every position shift so calls to getPos() stay current in render output. Removed the internal nodeViewPositionRegistry. Added shallow prop comparison in ReactRenderer.updateProps().
• Updated dependencies [7bf0e73]
• Updated dependencies [7bf0e73]
  • @tiptap/core@3.23.5
  • @tiptap/pm@3.23.5

• 7bf0e73: fix(nodeview): eliminate unnecessary re-renders, add opt-in position tracking NodeViews no longer re-render when decorations or position change without content changes. Added trackNodeViewPosition option — when enabled, the component re-renders on every position shift so calls to getPos() stay current in render output. Removed the internal nodeViewPositionRegistry. Added shallow prop comparison in ReactRenderer.updateProps().
• Updated dependencies [7bf0e73]
• Updated dependencies [7bf0e73]
  • @tiptap/core@3.23.5
  • @tiptap/pm@3.23.5

• 7bf0e73: Fix missing forwarding of getReferencedVirtualElement in DragHandle React component
• Updated dependencies [7bf0e73]
• Updated dependencies [7bf0e73]
  • @tiptap/react@3.23.5
  • @tiptap/extension-drag-handle@3.23.5
  • @tiptap/pm@3.23.5

This release includes fixes for the following security issues:

Affects: app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3

Affects: hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5

Affects: hono/cookie. Fixes missing validation of sameSite and priority options against injection characters (;, \r, \n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x

Affects: hono/jwt, hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474

---

Users who use app.mount(), hono/ip-restriction, hono/cookie, or hono/jwt/hono/jwk are encouraged to upgrade to this version.

• fix(route): preserve the base path of the mounted route() app by @usualoma in https://github.com/honojs/hono/pull/4942
• fix(jsx): widen jsx and jsxFn children to Child[] by @ashunar0 in https://github.com/honojs/hono/pull/4947

• @ashunar0 made their first contribution in https://github.com/honojs/hono/pull/4947

Full Changelog: https://github.com/honojs/hono/compare/v4.12.19...v4.12.20

• twoslash: Forward tsModule to createTwoslasher  -  by @arthurfiorette in https://github.com/shikijs/shiki/issues/1271 (be89a)

• harden polyfill installation (#6579) (a84e2f3) - by @longlho

• react-intl: set FormattedListParts displayName (#6580) (93bd7f4) - by @longlho

• harden polyfill installation (#6579) (a84e2f3) - by @longlho

• harden polyfill installation (#6579) (a84e2f3) - by @longlho

• harden polyfill installation (#6579) (a84e2f3) - by @longlho