This release includes fixes for the following security issues:

Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c

Affects: toSSG() for Static Site Generation. Fixes a path traversal issue where crafted ssgParams values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx

Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g

Affects: setCookie(), serialize(), and serializeSigned() from hono/cookie. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm

Affects: getCookie() from hono/cookie. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4

Users who use Serve Static, Static Site Generation, Cookie utilities, or IP restriction middleware are strongly encouraged to upgrade to this version.

• feat(css): add classNameSlug option to createCssContext by @flow-pie in https://github.com/honojs/hono/pull/4834

• @flow-pie made their first contribution in https://github.com/honojs/hono/pull/4834

Full Changelog: https://github.com/honojs/hono/compare/v4.12.10...v4.12.11

• test(router): fix Simple capturing group test by @yusukebe in https://github.com/honojs/hono/pull/4838
• docs: fix impaired -> inspired typo in benchmark READMEs by @Abhi3975 in https://github.com/honojs/hono/pull/4843
• fix(jsx/dom): apply select value after children are rendered by @usualoma in https://github.com/honojs/hono/pull/4847
• fix(compress): convert strong ETag to weak ETag when compressing by @usualoma in https://github.com/honojs/hono/pull/4848
• docs(ip-restriction): add clear JSDoc examples and param types by @VISHNU7KASIREDDY in https://github.com/honojs/hono/pull/4851

• @Abhi3975 made their first contribution in https://github.com/honojs/hono/pull/4843
• @VISHNU7KASIREDDY made their first contribution in https://github.com/honojs/hono/pull/4851

Full Changelog: https://github.com/honojs/hono/compare/v4.12.9...v4.12.10

• fix(request): remove parseBody from bodyCache to prevent TypeError by @yusukebe in https://github.com/honojs/hono/pull/4807
• feat(client): add PickResponseByStatusCode type by @yusukebe in https://github.com/honojs/hono/pull/4791
• fix(ssg): pass SSG_CONTEXT to forGetInfoURLRequest by @yuintei in https://github.com/honojs/hono/pull/4810
• fix(service-worker): make fire() fallback behavior consistent with handle() by @yusukebe in https://github.com/honojs/hono/pull/4821
• fix(cors): reflect request origin when credentials is true with wildcard by @ctonneslan in https://github.com/honojs/hono/pull/4813

• @yuintei made their first contribution in https://github.com/honojs/hono/pull/4810
• @ctonneslan made their first contribution in https://github.com/honojs/hono/pull/4813

Full Changelog: https://github.com/honojs/hono/compare/v4.12.8...v4.12.9

• fix(utils/mime): Normalize input extension to lowercase before MIME check by @TheEssem in https://github.com/honojs/hono/pull/4800
• fix(bearer-auth): escape regex metacharacters in bearer auth prefix option by @otoneko1102 in https://github.com/honojs/hono/pull/4750

• @TheEssem made their first contribution in https://github.com/honojs/hono/pull/4800

Full Changelog: https://github.com/honojs/hono/compare/v4.12.7...v4.12.8

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

Full Changelog: https://github.com/honojs/hono/compare/v4.12.6...v4.12.7

• fix(accept): replace regex split to mitigate ReDoS by @EdamAme-x in https://github.com/honojs/hono/pull/4758
• fix(jsx): align link hoisting and dedupe with React 19 by @usualoma in https://github.com/honojs/hono/pull/4792
• chore(builld): tsconfig project references by @BarryThePenguin in https://github.com/honojs/hono/pull/4797
• chore: add tsconfig.spec.json by @yusukebe in https://github.com/honojs/hono/pull/4798
• feat(jsx-renderer): support function-based options by @3w36zj6 in https://github.com/honojs/hono/pull/4780
• fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by @t0waxx in https://github.com/honojs/hono/pull/4782

• @t0waxx made their first contribution in https://github.com/honojs/hono/pull/4782

Full Changelog: https://github.com/honojs/hono/compare/v4.12.5...v4.12.6

• fix(request): return string | undefined from param() when path type is any by @andrewdamelio in https://github.com/honojs/hono/pull/4723
• fix(jwt): validate token format in decode and decodeHeader functions by @otoneko1102 in https://github.com/honojs/hono/pull/4752
• fix(jsx): Fix "Invalid state: Controller is already closed" by @gaearon in https://github.com/honojs/hono/pull/4770
• chore(eslint): upgrade @hono/eslint-config by @BarryThePenguin in https://github.com/honojs/hono/pull/4781

• @andrewdamelio made their first contribution in https://github.com/honojs/hono/pull/4723
• @otoneko1102 made their first contribution in https://github.com/honojs/hono/pull/4752
• @gaearon made their first contribution in https://github.com/honojs/hono/pull/4770

Full Changelog: https://github.com/honojs/hono/compare/v4.12.4...v4.12.5

This release includes fixes for the following security issues:

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. https://github.com/honojs/hono/security/advisories/GHSA-p6xx-57qc-3wxr

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. https://github.com/honojs/hono/security/advisories/GHSA-5pq2-9x2x-5p6w

Affects: Serve Static middleware. Fixes inconsistent URL decoding that could allow protected static resources to be accessed without triggering route-based middleware. https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr

Users who uses Strreaming Helper, Cookie utility, and Serve Static are strongly encouraged to upgrade to this version.

• fix(client): preserve route schema in ApplyGlobalResponse by @agumy in https://github.com/honojs/hono/pull/4777
• fix(utils/url): specify the return type of tryDecodeURI by @yusukebe in https://github.com/honojs/hono/pull/4779

• @agumy made their first contribution in https://github.com/honojs/hono/pull/4777

Full Changelog: https://github.com/honojs/hono/compare/v4.12.3...v4.12.4

• fix(validator): prevent type diff bug in form data parsing by @EdamAme-x in https://github.com/honojs/hono/pull/4753
• fix(jwt): use Math.floor instead of bitwise OR for safe timestamp by @EdamAme-x in https://github.com/honojs/hono/pull/4754
• fix(jwt): fix JwtVariables for ContextVariableMap by @yusukebe in https://github.com/honojs/hono/pull/4764
• fix(types): remove DOM type dependencies from ClientResponse and request method by @YevheniiKotyrlo in https://github.com/honojs/hono/pull/4768
• fix(types): correct middleware types by @hmnd in https://github.com/honojs/hono/pull/4774
• fix(jwt): prevent memory leak by avoiding mutation of options object by @EdamAme-x in https://github.com/honojs/hono/pull/4759

• @YevheniiKotyrlo made their first contribution in https://github.com/honojs/hono/pull/4768
• @hmnd made their first contribution in https://github.com/honojs/hono/pull/4774

Full Changelog: https://github.com/honojs/hono/compare/v4.12.2...v4.12.3