• fix(validator): fix incomplete types and wrong tests by @EdamAme-x in https://github.com/honojs/hono/pull/4521
• refactor(types): delete type NotSpecified and StrictVerifyOptions by @ysknsid25 in https://github.com/honojs/hono/pull/4525
• fix: add JSX type for hono/jsx/dom by @ssssota in https://github.com/honojs/hono/pull/4534
• fix(adapter/bun): fix TypeError: null is not an object (#4429) by @brenc in https://github.com/honojs/hono/pull/4538
• chore: add config version to bun.lock by @yusukebe in https://github.com/honojs/hono/pull/4548

• @ysknsid25 made their first contribution in https://github.com/honojs/hono/pull/4525
• @brenc made their first contribution in https://github.com/honojs/hono/pull/4538

Full Changelog: https://github.com/honojs/hono/compare/v4.10.6...v4.10.7

The following options are deprecated and will be removed in a future version:

• noAuthenticationHeaderMessage => use noAuthenticationHeader.message
• invalidAuthenticationHeaderMessage => use invalidAuthenticationHeader.message
• invalidTokenMessage => use invalidToken.message

• feat(aws-lambda): handle AWS Lattice events by @anho in https://github.com/honojs/hono/pull/4451
• feat(secure-headers): support CSP TrustedTypePolicy by @RosApr in https://github.com/honojs/hono/pull/4500
• feat: Improve auth middlewares by @MathurAditya724 in https://github.com/honojs/hono/pull/4485

• @anho made their first contribution in https://github.com/honojs/hono/pull/4451

Full Changelog: https://github.com/honojs/hono/compare/v4.10.5...v4.10.6

• docs(CONTRIBUTING): use bun instead of yarn in local development setup by @taichi-1 in https://github.com/honojs/hono/pull/4503
• docs: grammar issue by @WuMingDao in https://github.com/honojs/hono/pull/4508
• fix(utils/url): make _getQueryParam search behind question mark by @tuzi3040 in https://github.com/honojs/hono/pull/4507
• fix(jsx): self-close wrapped empty tags by @jakelee8 in https://github.com/honojs/hono/pull/4511
• chore: improve private field removal by @BlankParticle in https://github.com/honojs/hono/pull/4513
• fix(middleware/cache): skip caching when Vary: * is present by @pHo9UBenaA in https://github.com/honojs/hono/pull/4504

• @taichi-1 made their first contribution in https://github.com/honojs/hono/pull/4503
• @WuMingDao made their first contribution in https://github.com/honojs/hono/pull/4508
• @tuzi3040 made their first contribution in https://github.com/honojs/hono/pull/4507
• @jakelee8 made their first contribution in https://github.com/honojs/hono/pull/4511
• @pHo9UBenaA made their first contribution in https://github.com/honojs/hono/pull/4504

Full Changelog: https://github.com/honojs/hono/compare/v4.10.4...v4.10.5

• chore: add a monochrome logo image by @yusukebe in https://github.com/honojs/hono/pull/4487
• chore: fix the monochrome logo by @yusukebe in https://github.com/honojs/hono/pull/4488
• fix(secure-headers): proposed features typo spelling mistake by @RosApr in https://github.com/honojs/hono/pull/4494
• fix(types): preserve handler response typing in createHandlers by @s-junio in https://github.com/honojs/hono/pull/4492

• @RosApr made their first contribution in https://github.com/honojs/hono/pull/4494
• @s-junio made their first contribution in https://github.com/honojs/hono/pull/4492

Full Changelog: https://github.com/honojs/hono/compare/v4.10.3...v4.10.4

A security issue in the CORS middleware has been fixed. In some cases, a request header could affect the Vary response header. Please update to the latest version if you are using the CORS middleware.

• fix(aws-lambda): serve microsoft office files as binary in lambda handler by @matthiasfeist in https://github.com/honojs/hono/pull/4469
• fix(request-id): validation accepts = by @ryuapp in https://github.com/honojs/hono/pull/4478
• refactor(jwt): reduce the size of the code generated by minification by @usualoma in https://github.com/honojs/hono/pull/4480

• @matthiasfeist made their first contribution in https://github.com/honojs/hono/pull/4469

Full Changelog: https://github.com/honojs/hono/compare/v4.10.2...v4.10.3

If you are using JWT middleware, please read the following and consider applying the configuration.

Hono’s JWT authentication middleware did not validate the aud (Audience) claim by default. As a result, applications using the middleware without an explicit audience check could accept tokens intended for other audiences, leading to potential cross-service access (token mix-up).

The issue is addressed by adding a new verification.aud configuration option to allow RFC 7519–compliant audience validation. This change is classified as a security hardening improvement, but the lack of validation can still be considered a vulnerability in deployments that rely on default JWT verification.

You can enable RFC 7519–compliant audience validation using the new verification.aud option:

import { Hono } from 'hono'
import { jwt } from 'hono/jwt'

const app = new Hono()

app.use(
  '/api/*',
  jwt({
    secret: 'my-secret',
    verification: {
      // Require this API to only accept tokens with aud = 'service-a'
      aud: 'service-a',
    },
  })
)

• tests: Fix test case of handlers without a path by @IAmSSH in https://github.com/honojs/hono/pull/4472

• @IAmSSH made their first contribution in https://github.com/honojs/hono/pull/4472

Full Changelog: https://github.com/honojs/hono/compare/v4.10.1...v4.10.2

• fix(types): cannot .use non-return mw from createMiddleware by @NamesMT in https://github.com/honojs/hono/pull/4465

Full Changelog: https://github.com/honojs/hono/compare/v4.10.0...v4.10.1

Hono v4.10.0 is now available!

This release brings improved TypeScript support and new utilities.

The main highlight is the enhanced middleware type definitions that solve a long-standing issue with type safety for RPC clients.

Imagine the following app:

import { Hono } from 'hono'

const app = new Hono()

const routes = app.get(
  '/',
  (c) => {
    return c.json({ errorMessage: 'Error!' }, 500)
  },
  (c) => {
    return c.json({ message: 'Success!' }, 200)
  }
)

The client with RPC:

import { hc } from 'hono/client'

const client = hc<typeof routes>('/')

const res = await client.index.$get()

if (res.status === 500) {
}

if (res.status === 200) {
}

Previously, it couldn't infer the responses from middleware, so a type error was thrown.

Now the responses are correctly typed.

This was a long-standing issue and we were thinking it was super difficult to resolve it. But now come true.

Thank you for the great work @slawekkolodziej!

The new cloneRawRequest utility allows you to clone the raw Request object after it has been consumed by validators or middleware.

import { cloneRawRequest } from 'hono/request'

app.post('/api', async (c) => {
  const body = await c.req.json()

  // Clone the consumed request
  const clonedRequest = cloneRawRequest(c.req)
  await externalLibrary.process(clonedRequest)
})

Thanks @kamaal111!

• feat(types): passing middleware types https://github.com/honojs/hono/pull/4393
• feat(ssg): add default plugin that defines the recommended behavior https://github.com/honojs/hono/pull/4394
• feat(request): add cloneRawRequest utility for request cloning https://github.com/honojs/hono/pull/4382

• feat(types): passing middleware types by @slawekkolodziej in https://github.com/honojs/hono/pull/4393
• feat(ssg): add default plugin that defines the recommended behavior by @3w36zj6 in https://github.com/honojs/hono/pull/4394
• feat(request): add cloneRawRequest utility for request cloning by @kamaal111 in https://github.com/honojs/hono/pull/4382
• fix(proxy): Correct hop-by-hop header handling per RFC 9110 by @sugar-cat7 in https://github.com/honojs/hono/pull/4459

• @slawekkolodziej made their first contribution in https://github.com/honojs/hono/pull/4393
• @kamaal111 made their first contribution in https://github.com/honojs/hono/pull/4382

Full Changelog: https://github.com/honojs/hono/compare/v4.9.12...v4.10.0

• refactor: internal structure of PreparedRegExpRouter for optimization and added tests by @usualoma in https://github.com/honojs/hono/pull/4456
• refactor: use protected methods instead of computed properties to allow tree shaking by @usualoma in https://github.com/honojs/hono/pull/4458

Full Changelog: https://github.com/honojs/hono/compare/v4.9.11...v4.9.12

• fix(types): fix 4.9.8 regression by @aadito123 in https://github.com/honojs/hono/pull/4448
• feat(reg-exp-router): Introduced PreparedRegExpRouter by @usualoma in https://github.com/honojs/hono/pull/1796

• @aadito123 made their first contribution in https://github.com/honojs/hono/pull/4448

Full Changelog: https://github.com/honojs/hono/compare/v4.9.10...v4.9.11