diff --git a/.github/releases/v1.x/v1.14.1.md b/.github/releases/v1.x/v1.14.1.md new file mode 100644 index 00000000..5358d677 --- /dev/null +++ b/.github/releases/v1.x/v1.14.1.md 
@@ -0,0 +1,61 @@ +This release patches two security advisories and continues the performance work from v1.14.0 with a persistent token-count cache, plus expanded Dart parsing and Nix support. Updating to 1.14.1 is recommended for all users. + +## Security 🔒 + +### Argument Injection via `--remote-branch` (GHSA-9mm9-rqhj-j5mx) + +A crafted `--remote-branch` value could be passed to `git` as an option rather than a ref, enabling argument injection (CWE-88, High). Repomix now validates refs and inserts `--end-of-options` before the ref in `git fetch` and `git checkout`, so a branch value can never be interpreted as a git option. + +Special thanks to @kakashi-kx (Abhijith S) for the responsible disclosure! 🎉 + +### MCP `attach_packed_output` Secret-Scan Bypass (GHSA-hwpp-h97w-2h3j) + +The MCP `attach_packed_output` flow could register an arbitrary local file and read it back through `read_repomix_output` / `grep_repomix_output` without the secret scan that `file_system_read_file` applies (CWE-200, Moderate). Those tools now run the same secret scan on attach-sourced files before returning content, closing the bypass. + +Special thanks to @dodge1218 for the responsible disclosure! 🎉 + +## Improvements ⚡ + +### Expanded Dart Code Parsing (#1515) + +The Dart Tree-sitter query now captures mixins, typedefs, getters, setters, and factory constructors. Compressed output (`--compress`) for Dart files now preserves more of the file's structure. + +### Content-Addressed Token-Count Disk Cache (#1562, #1580) + +Token counts are now cached on disk, keyed by content hash. Re-packing a repository reuses counts for unchanged files instead of re-tokenizing them, and the eager metrics warm-up is skipped when the cache is already populated — speeding up repeated runs on the same repository. + +### Faster Binary Detection (#1542) + +Repomix now attempts a UTF-8 decode before the binary-file check, avoiding a pathological slow path in the protobuf detector on certain inputs. 
+ +### Node.js Support Update (#1556) + +Node.js 20 is no longer supported and Node.js 26 is now supported. Repomix requires Node.js 22 or later. + +### Available on nixpkgs + +Repomix is available in [nixpkgs](https://search.nixos.org/packages?query=repomix), so Nix users can install it directly: + +```bash +nix-shell -p repomix +``` + +## Development 🛠️ + +### Nix Flake with Development Shell (#1525) + +Added a `flake.nix` providing a development shell (Node.js 24 + Git) for contributors using Nix: + +```bash +nix develop +``` + +## How to Update + +```bash +npm update -g repomix +``` + +--- + +As always, if you have any issues or suggestions, please let us know on GitHub issues or our [Discord community](https://discord.gg/wNYzTwZFku).
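Review bot: the two entries under "Security" give a CWE and a severity but, unlike every entry under "Improvements" (#1515, #1562, #1580, #1542, #1556), cite no PR or commit, and the GHSA identifiers are plain text rather than links, so a reader cannot get from this file to either the advisory or the fixing change. Each advisory heading should link its GHSA id to the advisory page and name the PR that landed the fix, and both entries should state the affected version range explicitly; "Updating to 1.14.1 is recommended for all users" only implies that every earlier release is affected. For the `--remote-branch` entry, the notes say `--end-of-options` is inserted before the ref in `git fetch` and `git checkout`; if the branch value is passed to any other git invocation, the notes should say that it is validated there too, since a reader will otherwise assume those two commands are the only paths.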