v4.12.29
- fix(client): merge function headers with per-request headers by @yusukebe in https://github.com/honojs/hono/pull/5092
- chore: fix no-op tsc in test script by @yusukebe in https://github.com/honojs/hono/pull/5093
- fix(lambda-edge): resolve the handler with the value passed to the callback by @yusukebe in https://github.com/honojs/hono/pull/5094
- docs(language): add JSDoc @example to languageDetector by @codebybilal18 in https://github.com/honojs/hono/pull/5081
- test(workerd): add
compatibilityDateby @yusukebe in https://github.com/honojs/hono/pull/5100 - fix(lambda-edge): base64 encode content-encoded response bodies by @yusukebe in https://github.com/honojs/hono/pull/5099
- fix(aws-lambda): treat any non-identity content-encoding as binary by @yusukebe in https://github.com/honojs/hono/pull/5101
- fix(types): strip extra properties from array types in JSONParsed by @Arman-Luthra in https://github.com/honojs/hono/pull/5103
- fix(trie-router): match empty wildcard remainder after regexp param by @usualoma in https://github.com/honojs/hono/pull/5102
- fix(etag): treat If-None-Match:
*as a match by @yusukebe in https://github.com/honojs/hono/pull/5084
- @codebybilal18 made their first contribution in https://github.com/honojs/hono/pull/5081
- @Arman-Luthra made their first contribution in https://github.com/honojs/hono/pull/5103
Full Changelog: https://github.com/honojs/hono/compare/v4.12.28...v4.12.29
v4.12.28
- fix(serve-static): treat empty string content as found by @yusukebe in https://github.com/honojs/hono/pull/5062
- docs(MIGRATION): fix req.raw.headers reference (property, not method) by @EduardF1 in https://github.com/honojs/hono/pull/5047
- chore: don't publish
*.tsbuildinfoby @yusukebe in https://github.com/honojs/hono/pull/5066 - fix(utils/body,validator): normalize Content-Type media type for case-insensitive matching by @yusukebe in https://github.com/honojs/hono/pull/5067
- fix: avoid circular dependency between body.ts and request.ts by @usualoma in https://github.com/honojs/hono/pull/5071
- fix(bun): report the requested subprotocol on WSContext.protocol by @greymoth-jp in https://github.com/honojs/hono/pull/5059
- chore: bump
devDependenciesby @yusukebe in https://github.com/honojs/hono/pull/5085 - fix(aws-lambda): detect V2 events by request context, not rawPath alone by @VihaanAgarwal in https://github.com/honojs/hono/pull/5033
- docs(context-storage): fix JSDoc by @yusukebe in https://github.com/honojs/hono/pull/5086
- @EduardF1 made their first contribution in https://github.com/honojs/hono/pull/5047
- @greymoth-jp made their first contribution in https://github.com/honojs/hono/pull/5059
- @VihaanAgarwal made their first contribution in https://github.com/honojs/hono/pull/5033
Full Changelog: https://github.com/honojs/hono/compare/v4.12.27...v4.12.28
v4.12.27
This release includes fixes for the following security issues:
Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj
Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59
Affects: hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g. 203.0.113.1 dropped when 203.0.113.10 is present) — affecting logic such as X-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvc
Users of hono/jsx/hono/jsx-renderer, hono/css (cx()), or the hono/aws-lambda API Gateway v1 / VPC Lattice adapters are encouraged to upgrade.
v4.12.26
- fix(lambda-edge): satisfy Deno lib types for Content-Length body encoding by @yusukebe in https://github.com/honojs/hono/pull/5013
- ci: publish to npm from CI with OIDC trusted publishing by @yusukebe in https://github.com/honojs/hono/pull/5028
- chore: remove unused devcontainer and gitpod configs by @yusukebe in https://github.com/honojs/hono/pull/5029
- chore: replace arg and glob with Bun native APIs in build script by @yusukebe in https://github.com/honojs/hono/pull/5030
Full Changelog: https://github.com/honojs/hono/compare/v4.12.25...v4.12.26
v4.12.25
This release includes fixes for the following security issues:
Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc
Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2
Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44
AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice
Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf
Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p
v4.12.24
- docs(contribution): simplifyAI Usage Policy by @yusukebe in https://github.com/honojs/hono/pull/4972
- chore: remove @types/glob by @rtritto in https://github.com/honojs/hono/pull/4978
- fix(bearer-auth): mention verifyToken in missing-options error message by @tan7vir in https://github.com/honojs/hono/pull/4987
- refactor(language): Test/improve tests on languages middleware by @iNeoO in https://github.com/honojs/hono/pull/4980
- fix(utils/ipaddr): expand "::" to eight zero groups by @youcefzemmar in https://github.com/honojs/hono/pull/4973
- fix: clean up config files trailing comma, stale excludes, typesVersions gaps, jsr paths by @Mohammad-Faiz-Cloud-Engineer in https://github.com/honojs/hono/pull/4982
- refactor(timing): Test/add test for middleware timing by @iNeoO in https://github.com/honojs/hono/pull/4991
- fix(utils/ipaddr): render the unspecified address binary as "::" by @sarathfrancis90 in https://github.com/honojs/hono/pull/4998
Full Changelog: https://github.com/honojs/hono/compare/v4.12.23...v4.12.24
v4.12.23
- fix(serve-static): normalize all backslashes in file paths, not just the first in https://github.com/honojs/hono/pull/4962
- feat(context): export the Context class publicly by @BlankParticle in https://github.com/honojs/hono/pull/4543
- docs(contribution): add AI Usage Policy by @yusukebe in https://github.com/honojs/hono/pull/4970
- feat(compress): add contentTypeFilter option and
COMPRESSIBLE_CONTENT_TYPE_REGEXre-export by @na-trium-144 in https://github.com/honojs/hono/pull/4961 - fix(utils/ipaddr): do not compress a single 0 group to
::by @yusukebe in https://github.com/honojs/hono/pull/4971
Full Changelog: https://github.com/honojs/hono/compare/v4.12.22...v4.12.23
v4.12.22
- chore: update vitest to v4 and cleanups by @BlankParticle in https://github.com/honojs/hono/pull/4952
- fix(mime): specify charset parameter per MIME type instead of mechanical detection by @renatograsso10 in https://github.com/honojs/hono/pull/4912
- fix(compress): respect Accept-Encoding when encoding option is set by @LeSingh1 in https://github.com/honojs/hono/pull/4951
- fix(deno): echo negotiated WebSocket subprotocol in upgrade response by @ATOM00blue in https://github.com/honojs/hono/pull/4955
- feat: add msgpack as a compressible content type by @na-trium-144 in https://github.com/honojs/hono/pull/4957
- @renatograsso10 made their first contribution in https://github.com/honojs/hono/pull/4912
- @LeSingh1 made their first contribution in https://github.com/honojs/hono/pull/4951
- @ATOM00blue made their first contribution in https://github.com/honojs/hono/pull/4955
- @na-trium-144 made their first contribution in https://github.com/honojs/hono/pull/4957
Full Changelog: https://github.com/honojs/hono/compare/v4.12.21...v4.12.22
v4.12.21
This release includes fixes for the following security issues:
app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
Affects: app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3
Affects: hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5
Affects: hono/cookie. Fixes missing validation of sameSite and priority options against injection characters (;, \r, \n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x
Affects: hono/jwt, hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474
Users who use app.mount(), hono/ip-restriction, hono/cookie, or hono/jwt/hono/jwk are encouraged to upgrade to this version.
v4.12.20
- fix(route): preserve the base path of the mounted route() app by @usualoma in https://github.com/honojs/hono/pull/4942
- fix(jsx): widen jsx and jsxFn children to Child[] by @ashunar0 in https://github.com/honojs/hono/pull/4947
- @ashunar0 made their first contribution in https://github.com/honojs/hono/pull/4947
Full Changelog: https://github.com/honojs/hono/compare/v4.12.19...v4.12.20