Fixed a JWT algorithm confusion issue in the JWT and JWK/JWKS middleware.

Both middlewares now require an explicit algorithm configuration to prevent the verification algorithm from being influenced by untrusted JWT header values.

If you are using the JWT or JWK/JWKS middleware, please update to the latest version as soon as possible.

import { jwt } from 'hono/jwt'

app.use(
  '/auth/*',
  jwt({
    secret: 'it-is-very-secret',
    alg: 'HS256', // required
  })
)

import { jwk } from 'hono/jwk'

app.use(
  '/auth/*',
  jwk({
    jwks_uri: 'https://example.com/.well-known/jwks.json',
    alg: ['RS256'], // required (asymmetric algorithms only)
  })
)

For more details, see the Security Advisory.

• https://github.com/honojs/hono/security/advisories/GHSA-f67f-6cw9-8mq4
• https://github.com/honojs/hono/security/advisories/GHSA-3vhc-576x-3qv4

• test(utils/jwt): add missing algorithm types in jwa.test.ts by @flathill404 in https://github.com/honojs/hono/pull/4607
• chore: bump @hono/eslint-config and enable curly rule by @yusukebe in https://github.com/honojs/hono/pull/4620
• docs(bun/websocket): Fixed a typo in hono/bun deprecation message and updated test. by @Itsnotaka in https://github.com/honojs/hono/pull/4618
• test: support alg option for JWT middleware by @yusukebe in https://github.com/honojs/hono/pull/4624

• @flathill404 made their first contribution in https://github.com/honojs/hono/pull/4607
• @Itsnotaka made their first contribution in https://github.com/honojs/hono/pull/4618

Full Changelog: https://github.com/honojs/hono/compare/v4.11.3...v4.11.4

• fix(types): fix middleware union type merging in MergeMiddlewareResponse by @yusukebe in https://github.com/honojs/hono/pull/4602

Full Changelog: https://github.com/honojs/hono/compare/v4.11.2...v4.11.3

• docs: improve grammar in contributing documentation by @Ishiezz in https://github.com/honojs/hono/pull/4581
• fix(validator): preserve literal union types in input type inference by @yusukebe in https://github.com/honojs/hono/pull/4583
• chore: bump typescript-go preview for accurate benchmarking by @sushichan044 in https://github.com/honojs/hono/pull/4586
• refactor(hono-base): add type annotations by @yusukebe in https://github.com/honojs/hono/pull/4591
• refactor(client): refactor HonoURL types by @yusukebe in https://github.com/honojs/hono/pull/4592
• perf(types): reduce Simplify in ToSchema by @yusukebe in https://github.com/honojs/hono/pull/4597
• perf(types): optimize MergeMiddlewareResponse type by @yusukebe in https://github.com/honojs/hono/pull/4598

• @Ishiezz made their first contribution in https://github.com/honojs/hono/pull/4581

Full Changelog: https://github.com/honojs/hono/compare/v4.11.1...v4.11.2

• fix(types): fix app.on method array type inference by @kosei28 in https://github.com/honojs/hono/pull/4578

Full Changelog: https://github.com/honojs/hono/compare/v4.11.0...v4.11.1

Hono v4.11.0 is now available!

This release includes new features for the Hono client, middleware improvements, and an important type system fix.

We've fixed a bug in the type system for middleware. Previously, app did not have the correct type with pathless handlers:

const app = new Hono()
  .use(async (c, next) => {
    await next()
  })
  .get('/a', async (c, next) => {
    await next()
  })
  .get((c) => {
    return c.text('Hello')
  })

// app's type was incorrect

This has now been fixed.

Thanks @kosei28!

You can now pass the base URL as the second type parameter to hc to get more precise URL types:

const client = hc<typeof app, 'http://localhost:8787'>(
  'http://localhost:8787/'
)

const url = client.api.posts.$url()
// url is TypedURL with precise type information
// including protocol, host, and path

This is useful when you want to use the URL as a type-safe key for libraries like SWR.

Thanks @miyaji255!

You can now customize the NotFoundResponse type using module augmentation. This allows c.notFound() to return a typed response:

import { Hono, TypedResponse } from 'hono'

declare module 'hono' {
  interface NotFoundResponse
    extends Response,
      TypedResponse<{ error: string }, 404, 'json'> {}
}

const app = new Hono()
  .get('/posts/:id', async (c) => {
    const post = await getPost(c.req.param('id'))
    if (!post) {
      return c.notFound()
    }
    return c.json({ post }, 200)
  })
  .notFound((c) => c.json({ error: 'not found' }, 404))

Now the client can correctly infer the 404 response type.

Thanks @miyaji255!

The new tryGetContext() helper in the Context Storage middleware returns undefined instead of throwing an error when the context is not available:

import { tryGetContext } from 'hono/context-storage'

const context = tryGetContext<Env>()
if (context) {
  // Context is available
  console.log(context.var.message)
}

Thanks @AyushCoder9!

You can now customize how query parameters are serialized using the buildSearchParams option:

const client = hc<AppType>('http://localhost', {
  buildSearchParams: (query) => {
    const searchParams = new URLSearchParams()
    for (const [k, v] of Object.entries(query)) {
      if (v === undefined) continue
      if (Array.isArray(v)) {
        v.forEach((item) => searchParams.append(`${k}[]`, item))
      } else {
        searchParams.set(k, v)
      }
    }
    return searchParams
  },
})

Thanks @bolasblack!

• feat(types): make Hono client's $url return the exact URL type https://github.com/honojs/hono/pull/4502
• feat(types): enhance NotFoundHandler to support custom NotFoundResponse type https://github.com/honojs/hono/pull/4518
• feat(timing): add wrapTime to simplify usage https://github.com/honojs/hono/pull/4519
• feat(pretty-json): support force option https://github.com/honojs/hono/pull/4531
• feat(client): add buildSearchParams option to customize query serialization https://github.com/honojs/hono/pull/4535
• feat(context-storage): add optional tryGetContext helper https://github.com/honojs/hono/pull/4539
• feat(secure-headers): add CSP report-to and report-uri directive support https://github.com/honojs/hono/pull/4555
• fix(types): replace schema-based path tracking with CurrentPath parameter https://github.com/honojs/hono/pull/4552

• chore: update esbuild to version 0.27.1 by @kosei28 in https://github.com/honojs/hono/pull/4571
• fix(hono/jsx): display blank when children is nullish by @techfish-11 in https://github.com/honojs/hono/pull/4573
• feat(types): make Hono client's $url return the exact URL type by @miyaji255 in https://github.com/honojs/hono/pull/4502
• feat(types): enhance NotFoundHandler to support custom NotFoundResponse type by @miyaji255 in https://github.com/honojs/hono/pull/4518
• feat(timing): add wrapTime to simplify usage by @PassiDel in https://github.com/honojs/hono/pull/4519
• feat(pretty-json): support force option by @missinglink in https://github.com/honojs/hono/pull/4531
• feat(context-storage): Add optional tryGetContext helper to context-storage middleware by @AyushCoder9 in https://github.com/honojs/hono/pull/4539
• feat(client): add buildSearchParams option to customize query serialization by @bolasblack in https://github.com/honojs/hono/pull/4535
• feat(secure-headers): Add CSP report-to and report-uri directive support by @cruzz77 in https://github.com/honojs/hono/pull/4555
• fix(types): replace schema-based path tracking with CurrentPath parameter by @kosei28 in https://github.com/honojs/hono/pull/4552
• Next by @yusukebe in https://github.com/honojs/hono/pull/4574

• @missinglink made their first contribution in https://github.com/honojs/hono/pull/4531
• @bolasblack made their first contribution in https://github.com/honojs/hono/pull/4535
• @cruzz77 made their first contribution in https://github.com/honojs/hono/pull/4555

Full Changelog: https://github.com/honojs/hono/compare/v4.10.8...v4.11.0

• chore: bump linter and formatter by @ryuapp in https://github.com/honojs/hono/pull/4568
• chore: bump github actions by @ryuapp in https://github.com/honojs/hono/pull/4569
• fix(linear-router): incorrect path matching by @cromery in https://github.com/honojs/hono/pull/4567
• docs(cookie): update outdated RFC links by @AyushCoder9 in https://github.com/honojs/hono/pull/4557
• feat(csrf): Support async IsAllowedOriginHandler by @baseballyama in https://github.com/honojs/hono/pull/4558
• feat(csrf): Support async IsAllowedSecFetchSiteHandler by @baseballyama in https://github.com/honojs/hono/pull/4559

• @cromery made their first contribution in https://github.com/honojs/hono/pull/4567
• @AyushCoder9 made their first contribution in https://github.com/honojs/hono/pull/4557
• @baseballyama made their first contribution in https://github.com/honojs/hono/pull/4558

Full Changelog: https://github.com/honojs/hono/compare/v4.10.7...v4.10.8

• fix(validator): fix incomplete types and wrong tests by @EdamAme-x in https://github.com/honojs/hono/pull/4521
• refactor(types): delete type NotSpecified and StrictVerifyOptions by @ysknsid25 in https://github.com/honojs/hono/pull/4525
• fix: add JSX type for hono/jsx/dom by @ssssota in https://github.com/honojs/hono/pull/4534
• fix(adapter/bun): fix TypeError: null is not an object (#4429) by @brenc in https://github.com/honojs/hono/pull/4538
• chore: add config version to bun.lock by @yusukebe in https://github.com/honojs/hono/pull/4548

• @ysknsid25 made their first contribution in https://github.com/honojs/hono/pull/4525
• @brenc made their first contribution in https://github.com/honojs/hono/pull/4538

Full Changelog: https://github.com/honojs/hono/compare/v4.10.6...v4.10.7

The following options are deprecated and will be removed in a future version:

• noAuthenticationHeaderMessage => use noAuthenticationHeader.message
• invalidAuthenticationHeaderMessage => use invalidAuthenticationHeader.message
• invalidTokenMessage => use invalidToken.message

• feat(aws-lambda): handle AWS Lattice events by @anho in https://github.com/honojs/hono/pull/4451
• feat(secure-headers): support CSP TrustedTypePolicy by @RosApr in https://github.com/honojs/hono/pull/4500
• feat: Improve auth middlewares by @MathurAditya724 in https://github.com/honojs/hono/pull/4485

• @anho made their first contribution in https://github.com/honojs/hono/pull/4451

Full Changelog: https://github.com/honojs/hono/compare/v4.10.5...v4.10.6

• docs(CONTRIBUTING): use bun instead of yarn in local development setup by @taichi-1 in https://github.com/honojs/hono/pull/4503
• docs: grammar issue by @WuMingDao in https://github.com/honojs/hono/pull/4508
• fix(utils/url): make _getQueryParam search behind question mark by @tuzi3040 in https://github.com/honojs/hono/pull/4507
• fix(jsx): self-close wrapped empty tags by @jakelee8 in https://github.com/honojs/hono/pull/4511
• chore: improve private field removal by @BlankParticle in https://github.com/honojs/hono/pull/4513
• fix(middleware/cache): skip caching when Vary: * is present by @pHo9UBenaA in https://github.com/honojs/hono/pull/4504

• @taichi-1 made their first contribution in https://github.com/honojs/hono/pull/4503
• @WuMingDao made their first contribution in https://github.com/honojs/hono/pull/4508
• @tuzi3040 made their first contribution in https://github.com/honojs/hono/pull/4507
• @jakelee8 made their first contribution in https://github.com/honojs/hono/pull/4511
• @pHo9UBenaA made their first contribution in https://github.com/honojs/hono/pull/4504

Full Changelog: https://github.com/honojs/hono/compare/v4.10.4...v4.10.5

• chore: add a monochrome logo image by @yusukebe in https://github.com/honojs/hono/pull/4487
• chore: fix the monochrome logo by @yusukebe in https://github.com/honojs/hono/pull/4488
• fix(secure-headers): proposed features typo spelling mistake by @RosApr in https://github.com/honojs/hono/pull/4494
• fix(types): preserve handler response typing in createHandlers by @s-junio in https://github.com/honojs/hono/pull/4492

• @RosApr made their first contribution in https://github.com/honojs/hono/pull/4494
• @s-junio made their first contribution in https://github.com/honojs/hono/pull/4492

Full Changelog: https://github.com/honojs/hono/compare/v4.10.3...v4.10.4