v4.12.23
- fix(serve-static): normalize all backslashes in file paths, not just the first in https://github.com/honojs/hono/pull/4962
- feat(context): export the Context class publicly by @BlankParticle in https://github.com/honojs/hono/pull/4543
- docs(contribution): add AI Usage Policy by @yusukebe in https://github.com/honojs/hono/pull/4970
- feat(compress): add contentTypeFilter option and COMPRESSIBLE_CONTENT_TYPE_REGEX re-export by @na-trium-144 in https://github.com/honojs/hono/pull/4961
- fix(utils/ipaddr): do not compress a single 0 group to :: by @yusukebe in https://github.com/honojs/hono/pull/4971
Full Changelog: https://github.com/honojs/hono/compare/v4.12.22...v4.12.23
v4.12.22
- chore: update vitest to v4 and cleanups by @BlankParticle in https://github.com/honojs/hono/pull/4952
- fix(mime): specify charset parameter per MIME type instead of mechanical detection by @renatograsso10 in https://github.com/honojs/hono/pull/4912
- fix(compress): respect Accept-Encoding when encoding option is set by @LeSingh1 in https://github.com/honojs/hono/pull/4951
- fix(deno): echo negotiated WebSocket subprotocol in upgrade response by @ATOM00blue in https://github.com/honojs/hono/pull/4955
- feat: add msgpack as a compressible content type by @na-trium-144 in https://github.com/honojs/hono/pull/4957
- @renatograsso10 made their first contribution in https://github.com/honojs/hono/pull/4912
- @LeSingh1 made their first contribution in https://github.com/honojs/hono/pull/4951
- @ATOM00blue made their first contribution in https://github.com/honojs/hono/pull/4955
- @na-trium-144 made their first contribution in https://github.com/honojs/hono/pull/4957
Full Changelog: https://github.com/honojs/hono/compare/v4.12.21...v4.12.22
v4.12.21
This release includes fixes for the following security issues:
app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
Affects: app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3
Affects: hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5
Affects: hono/cookie. Fixes missing validation of sameSite and priority options against injection characters (;, \r, \n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x
Affects: hono/jwt, hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474
Users who use app.mount(), hono/ip-restriction, hono/cookie, or hono/jwt/hono/jwk are encouraged to upgrade to this version.
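The hono/ip-restriction item above comes down to comparing addresses by spelling instead of by value. The following is an added example, not Hono's code: the function names and the deny list are hypothetical, and the addresses are constructed from the 192.0.2.0/24 documentation range. It shows a string-equality deny check beside one that canonicalizes both sides first.

```javascript
// Added example, not Hono's code. Parses any textual IPv6 form into one
// 128-bit BigInt so that two spellings of the same address compare equal.
function ipv6ToBigInt(addr) {
  let s = addr.toLowerCase()
  // A dotted IPv4 tail (::ffff:192.0.2.1) becomes two hex groups.
  const v4 = s.match(/^(.*:)(\d+)\.(\d+)\.(\d+)\.(\d+)$/)
  if (v4) {
    const o = v4.slice(2).map(Number)
    if (o.some((n) => n > 255)) throw new Error('bad IPv4 tail: ' + addr)
    const hi = ((o[0] << 8) | o[1]).toString(16)
    const lo = ((o[2] << 8) | o[3]).toString(16)
    s = v4[1] + hi + ':' + lo
  }
  const halves = s.split('::')
  if (halves.length > 2) throw new Error('more than one "::": ' + addr)
  const head = halves[0] ? halves[0].split(':') : []
  const tail = halves[1] ? halves[1].split(':') : []
  // "::" stands for however many zero groups are missing.
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0
  if (halves.length === 2 && fill < 1) throw new Error('bad "::": ' + addr)
  const groups = [...head, ...Array(fill).fill('0'), ...tail]
  if (groups.length !== 8 || !groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) {
    throw new Error('not an IPv6 address: ' + addr)
  }
  return groups.reduce((acc, g) => (acc << 16n) | BigInt(parseInt(g, 16)), 0n)
}

// Weak: the deny rule only matches the exact spelling it was written in.
const deniedByString = (remote, denyList) => denyList.includes(remote)

// Hardened: compare numeric values, so every spelling of a denied address matches.
function deniedByValue(remote, denyList) {
  const value = ipv6ToBigInt(remote)
  return denyList.some((rule) => ipv6ToBigInt(rule) === value)
}

// Constructed sample data: one deny rule and four spellings of that same address.
const DENY = ['::ffff:192.0.2.1']
const SPELLINGS = [
  '::ffff:192.0.2.1',
  '::ffff:c000:201',
  '0:0:0:0:0:ffff:c000:0201',
  '::FFFF:192.0.2.1',
]
```

Only the first spelling is caught by deniedByString; deniedByValue catches all four.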
v4.12.20
- fix(route): preserve the base path of the mounted route() app by @usualoma in https://github.com/honojs/hono/pull/4942
- fix(jsx): widen jsx and jsxFn children to Child[] by @ashunar0 in https://github.com/honojs/hono/pull/4947
- @ashunar0 made their first contribution in https://github.com/honojs/hono/pull/4947
Full Changelog: https://github.com/honojs/hono/compare/v4.12.19...v4.12.20
v4.12.19
- ci: pin GitHub Actions to SHAs by @yusukebe in https://github.com/honojs/hono/pull/4932
- fix(serveStatic): make options parameter optional in all adapters by @mixelburg in https://github.com/honojs/hono/pull/4934
- fix(cookie): return the first cookie when there are multiple cookies with the same name by @usualoma in https://github.com/honojs/hono/pull/4922
- feat(bearer-auth): make bearerAuth generic for typed context in verifyToken by @justinnais in https://github.com/honojs/hono/pull/4913
- feat(cache): key cache entries by configured vary headers by @usualoma in https://github.com/honojs/hono/pull/4915
- feat(request): add bytes() by @yusukebe in https://github.com/honojs/hono/pull/4921
- fix(stream): upgrade @hono/node-server to v2 and fix abort handling by @yusukebe in https://github.com/honojs/hono/pull/4940
- @justinnais made their first contribution in https://github.com/honojs/hono/pull/4913
Full Changelog: https://github.com/honojs/hono/compare/v4.12.18...v4.12.19
v4.12.18
This release includes fixes for the following security issues:
Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm
Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p
Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36
Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.
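The hono/utils/jwt item above describes time claims that slip past validation when they are falsy, non-finite, or non-numeric. The following is an added example, not Hono's code, of how that class of check fails and what a strict version looks like. The function names and payloads are constructed, and `now` is assumed to be seconds since the epoch.

```javascript
// Added example, not Hono's code. `now` is seconds since the epoch.
const TIME_CLAIMS = ['exp', 'nbf', 'iat']

// Weak pattern: truthiness guards and bare comparisons. A claim that is 0,
// NaN, null, a non-numeric string or Infinity never trips any branch.
function checkLoose(payload, now) {
  if (payload.exp && payload.exp <= now) return 'expired'
  if (payload.nbf && payload.nbf > now) return 'not yet valid'
  if (payload.iat && payload.iat > now) return 'issued in the future'
  return 'ok'
}

// Hardened: a claim that is present must be a finite number before any
// comparison runs; anything else rejects the token.
function checkStrict(payload, now) {
  for (const name of TIME_CLAIMS) {
    if (!(name in payload)) continue // absent claims are not checked here
    const v = payload[name]
    if (typeof v !== 'number' || !Number.isFinite(v)) return 'invalid ' + name
  }
  if ('exp' in payload && payload.exp <= now) return 'expired'
  if ('nbf' in payload && payload.nbf > now) return 'not yet valid'
  if ('iat' in payload && payload.iat > now) return 'issued in the future'
  return 'ok'
}

// Constructed payloads. Infinity is reachable from JSON: JSON.parse('1e999').
const NOW = 1700000000
const SAMPLES = [
  { exp: 0 },
  { exp: 'never' },
  { exp: JSON.parse('1e999') },
  { nbf: NaN },
  { exp: null },
  { exp: NOW + 60, nbf: NOW - 60, iat: NOW - 60 },
]

// Returns [loose result, strict result] for each sample, in order.
function compareChecks() {
  return SAMPLES.map((p) => [checkLoose(p, NOW), checkStrict(p, NOW)])
}
```

Every sample passes the loose check; the strict check accepts only the last one.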
v4.12.17
- fix(jsx): normalize SVG attributes on the root element by @kfly8 in https://github.com/honojs/hono/pull/4893
- fix(ssg): add atom+xml and rss+xml to defaultExtensionMap by @yuintei in https://github.com/honojs/hono/pull/4899
- fix(cors): make origin optional in CORSOptions by @truffle-dev in https://github.com/honojs/hono/pull/4905
- fix(types): propagate middleware response types to app.on overloads by @T4ko0522 in https://github.com/honojs/hono/pull/4906
- @kfly8 made their first contribution in https://github.com/honojs/hono/pull/4893
- @truffle-dev made their first contribution in https://github.com/honojs/hono/pull/4905
Full Changelog: https://github.com/honojs/hono/compare/v4.12.16...v4.12.17
v4.12.16
This release includes fixes for the following security issues:
Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432
Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v
v4.12.15
- fix(jwt): support single-line PEM keys by @hiendv in https://github.com/honojs/hono/pull/4889
- @hiendv made their first contribution in https://github.com/honojs/hono/pull/4889
Full Changelog: https://github.com/honojs/hono/compare/v4.12.14...v4.12.15
v4.12.14
This release includes fixes for the following security issues:
Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375
- fix(aws-lambda): handle invalid header names in request processing (#4883) fa2c74fe