Releases: honojs/hono
v4.12.23
What's Changed
- fix(serve-static): normalize all backslashes in file paths, not just the first in #4962
- feat(context): export the Context class publicly by @BlankParticle in #4543
- docs(contribution): add AI Usage Policy by @yusukebe in #4970
- feat(compress): add contentTypeFilter option and COMPRESSIBLE_CONTENT_TYPE_REGEX re-export by @na-trium-144 in #4961
- fix(utils/ipaddr): do not compress a single 0 group to :: by @yusukebe in #4971
Full Changelog: v4.12.22...v4.12.23
v4.12.22
What's Changed
- chore: update vitest to v4 and cleanups by @BlankParticle in #4952
- fix(mime): specify charset parameter per MIME type instead of mechanical detection by @renatograsso10 in #4912
- fix(compress): respect Accept-Encoding when encoding option is set by @LeSingh1 in #4951
- fix(deno): echo negotiated WebSocket subprotocol in upgrade response by @ATOM00blue in #4955
- feat: add msgpack as a compressible content type by @na-trium-144 in #4957
New Contributors
- @renatograsso10 made their first contribution in #4912
- @LeSingh1 made their first contribution in #4951
- @ATOM00blue made their first contribution in #4955
- @na-trium-144 made their first contribution in #4957
Full Changelog: v4.12.21...v4.12.22
v4.12.21
Security fixes
This release includes fixes for the following security issues:
app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
Affects: app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3
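The bug class behind the app.mount() advisory, shown as an added example (this is not Hono's router code): a mount prefix whose decoded form differs in length from its percent-encoded form is cut at the wrong offset when the raw pathname is sliced. The mount point `/my app` and the request paths are constructed for the demo; the helper names are hypothetical.

```javascript
// Added example (not Hono's code): why a mount prefix must be stripped from the
// decoded path rather than from the raw, still percent-encoded pathname.

// Vulnerable shape: slice the raw pathname by the length of the (decoded) prefix.
// '/my app'.length is 7, but the raw request path spells the space as '%20',
// so the cut lands two characters too early and the sub-app sees 'pp/orders'.
function stripMountPrefixRaw(rawPathname, prefix) {
  return rawPathname.slice(prefix.length) || '/';
}

// Fixed shape: decode first, then require the prefix to end on a segment boundary.
// Returns null when the request is not under the mount (or is not decodable).
function stripMountPrefixDecoded(rawPathname, prefix) {
  let path;
  try {
    path = decodeURIComponent(rawPathname);
  } catch {
    return null; // malformed percent-encoding; let the caller answer 400
  }
  const base = prefix.endsWith('/') ? prefix.slice(0, -1) : prefix;
  if (path === base) return '/';
  if (!path.startsWith(base + '/')) return null;
  return path.slice(base.length);
}

// Constructed requests against a sub-app mounted at '/my app' (hypothetical mount point).
const MOUNT = '/my app';
function demo() {
  return {
    raw: stripMountPrefixRaw('/my%20app/orders', MOUNT),          // 'pp/orders' (wrong position)
    decoded: stripMountPrefixDecoded('/my%20app/orders', MOUNT),  // '/orders'
    root: stripMountPrefixDecoded('/my%20app', MOUNT),            // '/'
    sibling: stripMountPrefixDecoded('/my%20apple/x', MOUNT),     // null: not under the mount
    bad: stripMountPrefixDecoded('/my%20app/%E0%A4%A', MOUNT),    // null: undecodable
  };
}
```

Note that decoding also turns `%2F` into a path separator before the boundary check runs, so the sub-application sees the same decoded view the prefix match used; whether that is acceptable for a given sub-app is a design decision, not something this helper can make for you.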
IP Restriction bypasses static deny rules for non-canonical IPv6
Affects: hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address, such as compressed forms or hex-notation IPv4-mapped addresses, could bypass static deny rules. GHSA-xrhx-7g5j-rcj5
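An added example (not Hono's ip-restriction or utils/ipaddr code) covering both this advisory and the v4.12.23 fix "do not compress a single 0 group to ::": deny rules are compared on an expanded canonical form, so `2001:db8:0:0:0:0:0:bad` and `::ffff:7f00:1` match rules written as `2001:db8::bad` and `::ffff:127.0.0.1`; the compressor follows RFC 5952 and leaves a lone zero group alone. The deny list is constructed, zone IDs and brackets are out of scope, and IPv4 rules would need their own canonicalizer.

```javascript
// Added example (not Hono's code): compare IPv6 addresses on a canonical form,
// not on the string the client sent, and emit RFC 5952 text without compressing
// a single zero group.

// Expand any valid IPv6 text form (compressed '::', IPv4-mapped dotted tail,
// mixed case, short groups) to eight zero-padded lowercase hex groups.
function expandIPv6(addr) {
  let s = addr.trim().toLowerCase();
  if (s.includes('.')) {
    // Dotted-quad tail (e.g. ::ffff:127.0.0.1) -> two 16-bit hex groups
    const cut = s.lastIndexOf(':');
    const octets = s.slice(cut + 1).split('.');
    if (octets.length !== 4) throw new Error(`bad IPv4 tail in ${addr}`);
    const n = octets.map((o) => {
      if (!/^\d{1,3}$/.test(o) || Number(o) > 255) throw new Error(`bad IPv4 tail in ${addr}`);
      return Number(o);
    });
    s = `${s.slice(0, cut + 1)}${((n[0] << 8) | n[1]).toString(16)}:${((n[2] << 8) | n[3]).toString(16)}`;
  }
  const halves = s.split('::');
  if (halves.length > 2) throw new Error(`multiple '::' in ${addr}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (halves.length === 2 && fill < 1) throw new Error(`'::' fills no group in ${addr}`);
  const groups = [...head, ...Array(fill).fill('0'), ...tail];
  if (groups.length !== 8) throw new Error(`wrong group count in ${addr}`);
  return groups
    .map((g) => {
      if (!/^[0-9a-f]{1,4}$/.test(g)) throw new Error(`bad group '${g}' in ${addr}`);
      return g.padStart(4, '0');
    })
    .join(':');
}

// RFC 5952 text form: lowercase, no leading zeros, the longest run of two or
// more zero groups (first one on a tie) becomes '::'. A single zero group is
// written as '0', never compressed (section 4.2.2).
function compressIPv6(addr) {
  const groups = expandIPv6(addr).split(':').map((g) => g.replace(/^0+(?=.)/, ''));
  let bestStart = -1;
  let bestLen = 0;
  for (let i = 0; i < 8; ) {
    if (groups[i] !== '0') { i++; continue; }
    let j = i;
    while (j < 8 && groups[j] === '0') j++;
    if (j - i > bestLen) { bestStart = i; bestLen = j - i; }
    i = j;
  }
  if (bestLen < 2) return groups.join(':');
  return `${groups.slice(0, bestStart).join(':')}::${groups.slice(bestStart + bestLen).join(':')}`;
}

// Constructed sample deny list.
const DENY_RULES = ['2001:db8::bad', '::ffff:127.0.0.1'];

// Vulnerable shape: string equality against the rule text.
function isDeniedByString(ip) {
  return DENY_RULES.includes(ip.toLowerCase());
}

// Fixed shape: canonicalize both the rules and the client address before comparing.
const DENY_CANONICAL = new Set(DENY_RULES.map(expandIPv6));
function isDeniedCanonical(ip) {
  return DENY_CANONICAL.has(expandIPv6(ip));
}
```

`isDeniedCanonical` throws on an unparsable address rather than silently returning false; a deny-list check that fails open on bad input would reopen the same hole.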
Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
Affects: hono/cookie. Fixes missing validation of sameSite and priority options against injection characters (;, \r, \n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x
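The injection described above and one way to close it, as an added example (not the hono/cookie helper): the unchecked serializer concatenates whatever it is given, so a sameSite value of `Lax; Domain=evil.example` adds an attribute, and a CRLF in priority splits the header. The checked version maps both options through an allowlist, which rejects `;`, `\r` and `\n` along with everything else unexpected. Function and option names are hypothetical.

```javascript
// Added example (not Hono's cookie helper): attribute values that come from
// outside must be validated before they are joined into a Set-Cookie header.

const SAME_SITE = { strict: 'Strict', lax: 'Lax', none: 'None' };
const PRIORITY = { low: 'Low', medium: 'Medium', high: 'High' };

// Vulnerable shape: the option strings are concatenated as given.
function serializeCookieUnchecked(name, value, opts = {}) {
  let out = `${name}=${encodeURIComponent(value)}`;
  if (opts.sameSite) out += `; SameSite=${opts.sameSite}`;
  if (opts.priority) out += `; Priority=${opts.priority}`;
  if (opts.secure) out += '; Secure';
  return out;
}

// Fixed shape: map each option through an allowlist; anything else is an error.
// The cookie name is checked against the RFC 6265 token grammar for the same reason.
function serializeCookieChecked(name, value, opts = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new TypeError(`invalid cookie name: ${JSON.stringify(name)}`);
  }
  let out = `${name}=${encodeURIComponent(value)}`;
  if (opts.sameSite !== undefined) {
    const v = SAME_SITE[String(opts.sameSite).toLowerCase()];
    if (!v) throw new TypeError(`invalid sameSite: ${JSON.stringify(opts.sameSite)}`);
    // Browsers drop SameSite=None cookies that are not also Secure; fail loudly instead.
    if (v === 'None' && !opts.secure) throw new TypeError('SameSite=None requires secure: true');
    out += `; SameSite=${v}`;
  }
  if (opts.priority !== undefined) {
    const v = PRIORITY[String(opts.priority).toLowerCase()];
    if (!v) throw new TypeError(`invalid priority: ${JSON.stringify(opts.priority)}`);
    out += `; Priority=${v}`;
  }
  if (opts.secure) out += '; Secure';
  return out;
}

// Demo helper: run the checked serializer and report whether it refused.
function tryChecked(name, value, opts) {
  try {
    return { ok: true, header: serializeCookieChecked(name, value, opts) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```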
JWT middleware accepts any Authorization scheme, not only Bearer
Affects: hono/jwt, hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474
Users who use app.mount(), hono/ip-restriction, hono/cookie, hono/jwt, or hono/jwk are encouraged to upgrade to this version.
v4.12.20
v4.12.19
What's Changed
- ci: pin GitHub Actions to SHAs by @yusukebe in #4932
- fix(serveStatic): make options parameter optional in all adapters by @mixelburg in #4934
- fix(cookie): return the first cookie when there are multiple cookies with the same name by @usualoma in #4922
- feat(bearer-auth): make bearerAuth generic for typed context in verifyToken by @justinnais in #4913
- feat(cache): key cache entries by configured vary headers by @usualoma in #4915
- feat(request): add bytes() by @yusukebe in #4921
- fix(stream): upgrade @hono/node-server to v2 and fix abort handling by @yusukebe in #4940
New Contributors
- @justinnais made their first contribution in #4913
Full Changelog: v4.12.18...v4.12.19
v4.12.18
Security fixes
This release includes fixes for the following security issues:
Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm
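An added example (not Hono's cache middleware) covering this advisory and the v4.12.19 change "key cache entries by configured vary headers": a URL-only cache hands Alice's `/me` response to Bob, while a Vary-aware cache refuses to store anything that varies on Authorization or Cookie and keys the remaining responses by their Vary headers. Requests, responses and headers are constructed plain objects with lowercase header keys; class and function names are hypothetical.

```javascript
// Added example (not Hono's cache middleware): a response whose Vary names a
// credential header must not be stored in a shared cache at all, and the other
// Vary headers must become part of the cache key.

const NEVER_SHARED = new Set(['authorization', 'cookie']);

function parseVary(value) {
  return (value || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Decide whether a response may be stored and, if so, which request headers
// select the variant.
function cacheDecision(resHeaders) {
  const vary = parseVary(resHeaders.vary);
  if (vary.includes('*')) return { store: false, reason: 'Vary: *' };
  const secret = vary.find((h) => NEVER_SHARED.has(h));
  if (secret) return { store: false, reason: `Vary: ${secret}` };
  return { store: true, vary };
}

function variantKey(reqHeaders, vary) {
  return vary.map((h) => `${h}=${reqHeaders[h] ?? ''}`).join('\n');
}

// Vulnerable shape: keyed by URL only; Vary is ignored, so one user's
// authenticated response is served to the next user asking for the same URL.
class UrlOnlyCache {
  constructor() { this.entries = new Map(); }
  put(req, res) { this.entries.set(req.url, res); return true; }
  get(req) { return this.entries.get(req.url); }
}

// Fixed shape: refuse credential-varying responses, key the rest by their variant.
class VaryAwareCache {
  constructor() { this.entries = new Map(); } // url -> [{ vary, key, res }]
  put(req, res) {
    const d = cacheDecision(res.headers);
    if (!d.store) return false;
    const list = this.entries.get(req.url) || [];
    list.push({ vary: d.vary, key: variantKey(req.headers, d.vary), res });
    this.entries.set(req.url, list);
    return true;
  }
  get(req) {
    const hit = (this.entries.get(req.url) || []).find((e) => e.key === variantKey(req.headers, e.vary));
    return hit ? hit.res : undefined;
  }
}
```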
CSS Declaration Injection via Style Object Values in JSX SSR
Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p
Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36
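An added example (not Hono's jwt/jwk middleware or JWT utilities) covering this advisory and the v4.12.21 one "JWT middleware accepts any Authorization scheme": a lenient header parser that takes any two-part value lets `Basic dXNlcjpwYXNz` through as a token, and truthiness-based claim checks let `exp: 0`, `exp: NaN` and `exp: "later"` pass. The strict versions require the Bearer scheme (scheme names are case-insensitive per RFC 7235) and require present NumericDate claims to be finite numbers, treating anything else as an error rather than as absent. Signature verification is out of scope here; the `now` value and payloads are constructed, and requiring `exp` is a policy choice of this example.

```javascript
// Added example (not Hono's code): two checks that sit in front of signature
// verification, (1) accept only the Bearer scheme and (2) reject NumericDate
// claims that are not finite numbers.

// Vulnerable shape for (1): any "<scheme> <credentials>" pair is accepted.
function tokenFromHeaderLenient(authorization) {
  const parts = (authorization || '').split(/\s+/);
  return parts.length === 2 ? parts[1] : null;
}

// Fixed shape: scheme must be Bearer, followed by exactly one credentials
// token (RFC 6750 token68, which covers the JWT compact form).
function tokenFromHeaderStrict(authorization) {
  if (typeof authorization !== 'string') return null;
  const m = /^Bearer[ \t]+([A-Za-z0-9\-._~+/]+=*)$/i.exec(authorization);
  return m ? m[1] : null;
}

// Vulnerable shape for (2): truthiness checks. exp: 0 and null are falsy and
// skipped; NaN and strings compare as false, so they are never "expired".
function checkTimeClaimsLenient(payload, now) {
  if (payload.exp && payload.exp < now) return 'expired';
  if (payload.nbf && payload.nbf > now) return 'not yet valid';
  if (payload.iat && payload.iat > now) return 'issued in the future';
  return 'ok';
}

// Fixed shape: a present claim must be a finite number (RFC 7519 NumericDate);
// a malformed claim is an error, never "absent".
function isNumericDate(v) {
  return typeof v === 'number' && Number.isFinite(v);
}
function checkTimeClaimsStrict(payload, now, { requireExp = true, leeway = 0 } = {}) {
  for (const c of ['exp', 'nbf', 'iat']) {
    if (c in payload && !isNumericDate(payload[c])) return `invalid ${c}`;
  }
  if (requireExp && !('exp' in payload)) return 'missing exp';
  if ('exp' in payload && now >= payload.exp + leeway) return 'expired';
  if ('nbf' in payload && now < payload.nbf - leeway) return 'not yet valid';
  if ('iat' in payload && payload.iat > now + leeway) return 'issued in the future';
  return 'ok';
}

// The whole gate as a handler guard would use it, with both strict checks.
function gate(authorization, payload, now) {
  if (!tokenFromHeaderStrict(authorization)) return 'no bearer token';
  return checkTimeClaimsStrict(payload, now);
}
```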
Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.
v4.12.17
What's Changed
- fix(jsx): normalize SVG attributes on the root element by @kfly8 in #4893
- fix(ssg): add atom+xml and rss+xml to defaultExtensionMap by @yuintei in #4899
- fix(cors): make origin optional in CORSOptions by @truffle-dev in #4905
- fix(types): propagate middleware response types to app.on overloads by @T4ko0522 in #4906
New Contributors
- @kfly8 made their first contribution in #4893
- @truffle-dev made their first contribution in #4905
Full Changelog: v4.12.16...v4.12.17
v4.12.16
Security fixes
This release includes fixes for the following security issues:
Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection
Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432
bodyLimit() can be bypassed for chunked / unknown-length requests
Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v
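The failure mode above as an added example (not Hono's bodyLimit middleware), simplified to synchronous code: the request body is a constructed iterable of byte chunks, as a chunked transfer would deliver it, and the handler's side effect (a stored upload, a streamed response) is a push onto `sink`. Checking the byte count only after the handler has consumed the body leaves that side effect in place; wrapping the chunk stream so it fails at the chunk that crosses the limit stops the handler before it gets that far. Function names are hypothetical.

```javascript
// Added example (not Hono's code): a body limit must be enforced while the body
// is read, because a chunked request carries no Content-Length to check up front.

class BodyTooLargeError extends Error {
  constructor(limit) {
    super(`request body exceeds ${limit} bytes`);
    this.name = 'BodyTooLargeError';
    this.status = 413;
  }
}

// Wrap the chunk stream: fail at the first chunk that crosses the limit,
// before the handler has seen the whole body.
function* limitBody(chunks, maxBytes) {
  let received = 0;
  for (const chunk of chunks) {
    received += chunk.byteLength;
    if (received > maxBytes) throw new BodyTooLargeError(maxBytes);
    yield chunk;
  }
}

function concat(chunks) {
  const parts = Array.from(chunks);
  const out = new Uint8Array(parts.reduce((n, c) => n + c.byteLength, 0));
  let offset = 0;
  for (const p of parts) { out.set(p, offset); offset += p.byteLength; }
  return out;
}

// The handler under protection: reads the whole body, then commits it.
function uploadHandler(chunks, sink) {
  const body = concat(chunks);
  sink.push(body.byteLength); // e.g. written to storage: cannot be taken back
  return 200;
}

// Vulnerable shape: count what the handler consumed and check afterwards.
// The 413 arrives, but only after the handler already did its work.
function handleLateCheck(chunks, maxBytes, sink) {
  let received = 0;
  const counting = (function* () {
    for (const c of chunks) { received += c.byteLength; yield c; }
  })();
  const status = uploadHandler(counting, sink);
  return received > maxBytes ? 413 : status;
}

// Fixed shape: the handler reads through the limiting wrapper, so an oversized
// body aborts the read and the side effect never happens.
function handleEarlyCheck(chunks, maxBytes, sink) {
  try {
    return uploadHandler(limitBody(chunks, maxBytes), sink);
  } catch (e) {
    if (e instanceof BodyTooLargeError) return e.status;
    throw e;
  }
}
```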
v4.12.15
v4.12.14
Security fixes
This release includes fixes for the following security issues:
Improper handling of JSX attribute names in hono/jsx SSR
Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375
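An added example (not hono/jsx) covering this advisory together with the v4.12.16 one on unvalidated tag names and the v4.12.18 one on CSS declaration injection: a minimal element renderer that HTML-escapes attribute values and text but trusts the tag name, attribute names and style values, beside a version that validates the two kinds of name against a strict grammar and runs style values through a CSS-context escape (a hex escape for every character outside a small safe set, so `;` becomes `\3b ` and cannot start a second declaration). The inputs are constructed; the grammar and the safe set are this example's choices, not hono/jsx's.

```javascript
// Added example (not hono/jsx): the three places in a rendered element where
// untrusted input needs its own context-specific validation or escaping: the
// tag name, each attribute name, and each CSS declaration from a style object.

const TAG_NAME = /^[A-Za-z][A-Za-z0-9-]*$/;
const ATTR_NAME = /^[A-Za-z_:][A-Za-z0-9_:.-]*$/;
const CSS_PROPERTY = /^-?[A-Za-z][A-Za-z0-9-]*$/; // hyphenated names only; no camelCase mapping here

function escapeHtml(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// CSS-context escape: anything outside the safe set becomes "\<hex> ", which
// also covers '"', '<' and '&' so the result is safe inside a quoted attribute.
function cssEscapeValue(v) {
  return String(v).replace(/[^A-Za-z0-9 #%(),._/-]/gu, (ch) => `\\${ch.codePointAt(0).toString(16)} `);
}

function styleToStringUnchecked(style) {
  return Object.entries(style).map(([p, v]) => `${p}:${v}`).join(';');
}

function styleToStringChecked(style) {
  return Object.entries(style).map(([p, v]) => {
    if (!CSS_PROPERTY.test(p)) throw new TypeError(`invalid CSS property name: ${JSON.stringify(p)}`);
    return `${p}:${cssEscapeValue(v)}`;
  }).join(';');
}

// Vulnerable shape: names are trusted; only attribute values and text are HTML-escaped.
function renderUnchecked(tag, attrs = {}, text = '') {
  const a = Object.entries(attrs)
    .map(([k, v]) => ` ${k}="${k === 'style' && typeof v === 'object' ? styleToStringUnchecked(v) : escapeHtml(v)}"`)
    .join('');
  return `<${tag}${a}>${escapeHtml(text)}</${tag}>`;
}

// Fixed shape: tag and attribute names must match a strict grammar; style
// objects are serialized through the CSS-context escape.
function renderChecked(tag, attrs = {}, text = '') {
  if (!TAG_NAME.test(tag)) throw new TypeError(`invalid tag name: ${JSON.stringify(tag)}`);
  const a = Object.entries(attrs)
    .map(([k, v]) => {
      if (!ATTR_NAME.test(k)) throw new TypeError(`invalid attribute name: ${JSON.stringify(k)}`);
      const val = k === 'style' && typeof v === 'object' ? styleToStringChecked(v) : escapeHtml(v);
      return ` ${k}="${val}"`;
    })
    .join('');
  return `<${tag}${a}>${escapeHtml(text)}</${tag}>`;
}

// Demo helper: render with the checked version and report whether it refused.
function tryRender(tag, attrs, text) {
  try {
    return { ok: true, html: renderChecked(tag, attrs, text) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```

Rejecting a bad name with an error (rather than escaping it) is deliberate: there is no meaningful HTML output for an element called `div><script>`, and the exception surfaces the bug at the call site that let untrusted input reach a name position.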