This is an important security release. We recommend upgrading immediately.
This would have been better as a minor or patch-level release, but the change requires a major release because it has the potential to break the way that users interact with query parameters.
The main change is that all query params are now stripped of HTML, and any HTML entities are then converted, before the events for routes are triggered. Your route handlers will therefore be working with sanitized query params.
This new behavior can be turned off by setting the config.security.unsafeQuery flag to true. This should only be done if you are correctly handling query params yourself, or if they aren't used in a way that would allow for exploitation.