Releases: honojs/hono
v4.12.27
Security fixes
This release includes fixes for the following security issues:
hono/jsx does not isolate context per request
Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj
Server-Side XSS via JSX escaping bypass in cx()
Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59
API Gateway v1 adapter can drop a repeated request header value
Affects: hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g. 203.0.113.1 dropped when 203.0.113.10 is present) — affecting logic such as X-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvc
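The following is an added illustration, not Hono's adapter code: it models the two de-duplication strategies the advisory contrasts for repeated request header values, run over a constructed API Gateway v1 proxy event in which the same header appears both in `headers` (one value) and `multiValueHeaders` (all values). The function names, the `chainContains` check and the event contents are assumptions made for this example.

```javascript
// Added example; this is not Hono's adapter code. It contrasts substring-based
// de-duplication of repeated header values with exact-match de-duplication on a
// constructed API Gateway v1 event.

// Flawed strategy: a value is treated as redundant when some other value in the
// list contains it as a substring, so "203.0.113.1" disappears next to "203.0.113.10".
function dedupeBySubstring(values) {
  const kept = [];
  for (const v of values) {
    const redundant = kept.includes(v) || values.some((o) => o !== v && o.includes(v));
    if (!redundant) kept.push(v);
  }
  return kept;
}

// Correct strategy: only a value that is exactly equal to one already kept is a duplicate.
function dedupeExact(values) {
  const kept = [];
  for (const v of values) if (!kept.includes(v)) kept.push(v);
  return kept;
}

// Collect every value of `name` from the event, matching the header name
// case-insensitively: the full list from multiValueHeaders first, then the
// single-value map (which API Gateway v1 also populates).
function headerValues(event, name, dedupe = dedupeExact) {
  const wanted = name.toLowerCase();
  const raw = [];
  for (const [k, list] of Object.entries(event.multiValueHeaders || {})) {
    if (k.toLowerCase() === wanted) raw.push(...list);
  }
  for (const [k, v] of Object.entries(event.headers || {})) {
    if (k.toLowerCase() === wanted) raw.push(v);
  }
  return dedupe(raw);
}

// Constructed event: the request passed two proxies, each appending its address.
const sampleEvent = {
  headers: { 'X-Forwarded-For': '203.0.113.10' },
  multiValueHeaders: { 'X-Forwarded-For': ['203.0.113.1', '203.0.113.10'] },
};

// A restriction that needs the complete chain. This toy check only asks whether a
// given address is present at all; which hop a deployment trusts is a separate decision.
function chainContains(event, address, dedupe) {
  return headerValues(event, 'x-forwarded-for', dedupe).includes(address);
}

console.log(chainContains(sampleEvent, '203.0.113.1', dedupeBySubstring)); // false: the value was dropped
console.log(chainContains(sampleEvent, '203.0.113.1', dedupeExact));       // true
```

The substring variant loses `203.0.113.1` because `203.0.113.10` contains it, so any rule keyed on that address silently stops matching; the exact-match variant keeps both hops in their original order.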
Users of hono/jsx or hono/jsx-renderer, hono/css (cx()), or the hono/aws-lambda API Gateway v1 / VPC Lattice adapters are encouraged to upgrade.
v4.12.26
What's Changed
- fix(lambda-edge): satisfy Deno lib types for Content-Length body encoding by @yusukebe in #5013
- ci: publish to npm from CI with OIDC trusted publishing by @yusukebe in #5028
- chore: remove unused devcontainer and gitpod configs by @yusukebe in #5029
- chore: replace arg and glob with Bun native APIs in build script by @yusukebe in #5030
Full Changelog: v4.12.25...v4.12.26
v4.12.25
Security fixes
This release includes fixes for the following security issues:
CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard
Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc
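As an added example (not Hono's middleware code), the two functions below contrast the flawed wildcard-plus-credentials resolution the advisory describes with a safe resolution that only ever credentials an origin from an explicit allowlist. The `corsHeaders` names, the `{ origin, credentials }` config shape and the sample origins are assumptions.

```javascript
// Added example, not Hono's CORS middleware. Resolves the CORS response headers
// for a request Origin from a config of the assumed shape { origin, credentials }.

// Flawed: with the default wildcard origin and credentials enabled, the request's
// Origin is reflected back and the response is marked credentialed, so any site a
// logged-in user visits can make cookie-authenticated requests and read the responses.
function corsHeadersFlawed(config, requestOrigin) {
  const origin = config.origin ?? '*';
  const headers = {};
  if (origin === '*' && config.credentials && requestOrigin) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  } else if (origin === '*') {
    headers['Access-Control-Allow-Origin'] = '*';
  }
  return headers;
}

// Safe: the wildcard stays a literal "*" and is never credentialed (browsers do not
// send cookies to "*" anyway); credentials are granted only to an allowlisted origin.
function corsHeaders(config, requestOrigin) {
  const origin = config.origin ?? '*';
  const headers = {};
  if (origin === '*') {
    headers['Access-Control-Allow-Origin'] = '*';
    return headers;
  }
  const allowed = Array.isArray(origin) ? origin : [origin];
  if (requestOrigin && allowed.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Vary'] = 'Origin'; // the response now depends on the request Origin
    if (config.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Constructed origins for the demonstration.
const OTHER_SITE = 'https://other.example';
const OWN_APP = 'https://app.example';
```

With `{ credentials: true }` and no explicit origin, `corsHeadersFlawed` hands `https://other.example` a credentialed response, while `corsHeaders` answers with an uncredentialed `*`; only `{ origin: ['https://app.example'], credentials: true }` produces `Access-Control-Allow-Credentials: true`, and only for that origin.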
Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length
Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2
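The block below is an added example, not Hono's adapter or body-limit code. On Lambda the whole body is already buffered in the event, so the check can measure the bytes that actually arrived instead of trusting the declared Content-Length; the example also rewrites Content-Length from the real byte count when building the headers handed downstream. The event shape (API Gateway proxy style: string body plus an `isBase64Encoded` flag), the function names and the sample values are assumptions.

```javascript
// Added example, not Hono's code. Enforces a body size limit on a buffered Lambda
// event using the bytes actually received, and shows the flawed header-based check
// beside it. Event shape and values are constructed.

const MAX_BODY_BYTES = 1024; // limit used by this example

function headerValue(event, name) {
  for (const [k, v] of Object.entries(event.headers || {})) {
    if (k.toLowerCase() === name.toLowerCase()) return v;
  }
  return undefined;
}

// Decode the buffered body into bytes, honouring the base64 flag.
function bodyBytes(event) {
  if (event.body == null) return new Uint8Array(0);
  return event.isBase64Encoded
    ? Uint8Array.from(atob(event.body), (c) => c.charCodeAt(0))
    : new TextEncoder().encode(event.body);
}

// Flawed check: trusts whatever Content-Length the client declared.
function withinLimitByDeclaredLength(event, limit = MAX_BODY_BYTES) {
  const declared = Number(headerValue(event, 'content-length') ?? 0);
  return Number.isFinite(declared) && declared <= limit;
}

// Correct check: measures the payload itself.
function withinLimitByActualLength(event, limit = MAX_BODY_BYTES) {
  return bodyBytes(event).byteLength <= limit;
}

// When building the request handed to the application, derive Content-Length from
// the real byte count so downstream middleware does not inherit the client's claim.
function requestHeaders(event) {
  const headers = {};
  for (const [k, v] of Object.entries(event.headers || {})) headers[k.toLowerCase()] = v;
  headers['content-length'] = String(bodyBytes(event).byteLength);
  return headers;
}

// Constructed event: the client declares 16 bytes but ships 4096.
const understatedEvent = {
  headers: { 'Content-Type': 'application/octet-stream', 'Content-Length': '16' },
  body: 'A'.repeat(4096),
  isBase64Encoded: false,
};

console.log(withinLimitByDeclaredLength(understatedEvent)); // true: the limit is bypassed
console.log(withinLimitByActualLength(understatedEvent));   // false: 4096 > 1024
```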
Path traversal in serve-static on Windows via encoded backslash (%5C)
Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44
AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice
Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf
Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p
v4.12.24
What's Changed
- docs(contribution): simplify AI Usage Policy by @yusukebe in #4972
- chore: remove @types/glob by @rtritto in #4978
- fix(bearer-auth): mention verifyToken in missing-options error message by @tan7vir in #4987
- refactor(language): Test/improve tests on languages middleware by @iNeoO in #4980
- fix(utils/ipaddr): expand "::" to eight zero groups by @youcefzemmar in #4973
- fix: clean up config files trailing comma, stale excludes, typesVersions gaps, jsr paths by @Mohammad-Faiz-Cloud-Engineer in #4982
- refactor(timing): Test/add test for middleware timing by @iNeoO in #4991
- fix(utils/ipaddr): render the unspecified address binary as "::" by @sarathfrancis90 in #4998
Full Changelog: v4.12.23...v4.12.24
v4.12.23
What's Changed
- fix(serve-static): normalize all backslashes in file paths, not just the first in #4962
- feat(context): export the Context class publicly by @BlankParticle in #4543
- docs(contribution): add AI Usage Policy by @yusukebe in #4970
- feat(compress): add contentTypeFilter option and COMPRESSIBLE_CONTENT_TYPE_REGEX re-export by @na-trium-144 in #4961
- fix(utils/ipaddr): do not compress a single 0 group to :: by @yusukebe in #4971
Full Changelog: v4.12.22...v4.12.23
v4.12.22
What's Changed
- chore: update vitest to v4 and cleanups by @BlankParticle in #4952
- fix(mime): specify charset parameter per MIME type instead of mechanical detection by @renatograsso10 in #4912
- fix(compress): respect Accept-Encoding when encoding option is set by @LeSingh1 in #4951
- fix(deno): echo negotiated WebSocket subprotocol in upgrade response by @ATOM00blue in #4955
- feat: add msgpack as a compressible content type by @na-trium-144 in #4957
New Contributors
- @renatograsso10 made their first contribution in #4912
- @LeSingh1 made their first contribution in #4951
- @ATOM00blue made their first contribution in #4955
- @na-trium-144 made their first contribution in #4957
Full Changelog: v4.12.21...v4.12.22
v4.12.21
Security fixes
This release includes fixes for the following security issues:
app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
Affects: app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3
IP Restriction bypasses static deny rules for non-canonical IPv6
Affects: hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5
Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
Affects: hono/cookie. Fixes missing validation of sameSite and priority options against injection characters (;, \r, \n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x
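An added example, not Hono's cookie helper: a Set-Cookie serializer that maps `sameSite` and `priority` through an allowlist and refuses free-text attribute values containing `;`, `\r` or `\n`, so an option value under the caller's control cannot append attributes or further headers. The `serializeCookie` and `rejectionReason` names and the sample cookies are assumptions.

```javascript
// Added example, not Hono's cookie helper. Builds a Set-Cookie value with the
// sameSite and priority options validated against an allowlist and other
// attribute values checked for the injection characters ";", CR and LF.

const SAME_SITE = { strict: 'Strict', lax: 'Lax', none: 'None' };
const PRIORITY = { low: 'Low', medium: 'Medium', high: 'High' };

// Cookie name must be an RFC 6265 token: no separators, whitespace or control chars.
const COOKIE_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function assertNoInjection(field, value) {
  if (/[;\r\n]/.test(String(value))) {
    throw new TypeError(`${field} must not contain ";", CR or LF`);
  }
  return value;
}

// Map a caller-supplied option onto a canonical attribute value, or reject it.
function fromAllowlist(field, value, table) {
  const canonical = table[String(value).toLowerCase()];
  if (canonical === undefined) {
    throw new TypeError(`${field} must be one of ${Object.values(table).join(', ')}`);
  }
  return canonical;
}

function serializeCookie(name, value, opts = {}) {
  if (!COOKIE_NAME.test(name)) throw new TypeError('invalid cookie name');
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path !== undefined) parts.push(`Path=${assertNoInjection('path', opts.path)}`);
  if (opts.domain !== undefined) parts.push(`Domain=${assertNoInjection('domain', opts.domain)}`);
  if (opts.maxAge !== undefined) {
    if (!Number.isInteger(opts.maxAge)) throw new TypeError('maxAge must be an integer');
    parts.push(`Max-Age=${opts.maxAge}`);
  }
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite !== undefined) {
    parts.push(`SameSite=${fromAllowlist('sameSite', opts.sameSite, SAME_SITE)}`);
  }
  if (opts.priority !== undefined) {
    parts.push(`Priority=${fromAllowlist('priority', opts.priority, PRIORITY)}`);
  }
  return parts.join('; ');
}

// Convenience for callers that want the rejection message rather than an exception;
// returns null when the cookie serializes cleanly.
function rejectionReason(name, value, opts) {
  try {
    serializeCookie(name, value, opts);
    return null;
  } catch (e) {
    return e.message;
  }
}

console.log(serializeCookie('session', 'abc 123', { httpOnly: true, secure: true, sameSite: 'lax', priority: 'High' }));
// session=abc%20123; HttpOnly; Secure; SameSite=Lax; Priority=High
console.log(rejectionReason('session', 'v', { sameSite: 'Lax; Domain=other.example' }));
// sameSite must be one of Strict, Lax, None
```

Because `sameSite` and `priority` never reach the output as raw text, a value such as `Lax; Domain=other.example` or one carrying a CR/LF sequence is rejected outright; `Path` and `Domain`, which genuinely are free text, get the explicit separator check instead.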
JWT middleware accepts any Authorization scheme, not only Bearer
Affects: hono/jwt, hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474
Users who use app.mount(), hono/ip-restriction, hono/cookie, or hono/jwt or hono/jwk are encouraged to upgrade to this version.
v4.12.20
v4.12.19
What's Changed
- ci: pin GitHub Actions to SHAs by @yusukebe in #4932
- fix(serveStatic): make options parameter optional in all adapters by @mixelburg in #4934
- fix(cookie): return the first cookie when there are multiple cookies with the same name by @usualoma in #4922
- feat(bearer-auth): make bearerAuth generic for typed context in verifyToken by @justinnais in #4913
- feat(cache): key cache entries by configured vary headers by @usualoma in #4915
- feat(request): add bytes() by @yusukebe in #4921
- fix(stream): upgrade @hono/node-server to v2 and fix abort handling by @yusukebe in #4940
New Contributors
- @justinnais made their first contribution in #4913
Full Changelog: v4.12.18...v4.12.19
v4.12.18
Security fixes
This release includes fixes for the following security issues:
Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm
CSS Declaration Injection via Style Object Values in JSX SSR
Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p
Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36
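The block below is an added example, not Hono's JWT code, and serves two of the advisories on this page: the Authorization scheme check from v4.12.21 (only the `Bearer` scheme yields a token) and the NumericDate validation from this release (an `exp`, `nbf` or `iat` that is present but not a finite number is rejected rather than skipped, so `0`, `null`, strings and `Infinity` can no longer bypass the time checks). Signature verification is out of scope here; the function names, the leeway parameter and the sample timestamps are assumptions.

```javascript
// Added example, not Hono's JWT middleware or helper. Extracts a bearer token from
// the Authorization header with strict scheme matching, and validates the
// time-based claims as RFC 7519 NumericDate values. Signature checks are omitted.

// Returns the token only for a two-part "Bearer <token>" header; the scheme name
// is compared case-insensitively (RFC 9110), any other scheme yields null.
function extractBearerToken(authorization) {
  if (typeof authorization !== 'string') return null;
  const parts = authorization.trim().split(/\s+/);
  if (parts.length !== 2) return null;
  if (parts[0].toLowerCase() !== 'bearer') return null;
  return parts[1];
}

// RFC 7519 NumericDate: a JSON number of seconds since the epoch. Strings, null,
// NaN, Infinity and booleans are not NumericDates; note that 0 is one (a falsy check
// would wrongly treat "exp: 0" as absent instead of as long expired).
function isNumericDate(v) {
  return typeof v === 'number' && Number.isFinite(v);
}

// Validates exp, nbf and iat against `nowSeconds`, allowing `leewaySeconds` of
// clock skew. A claim that is present but malformed fails closed.
function checkTimeClaims(payload, nowSeconds, leewaySeconds = 0) {
  for (const name of ['exp', 'nbf', 'iat']) {
    if (name in payload && !isNumericDate(payload[name])) {
      return { ok: false, reason: `${name} is not a NumericDate` };
    }
  }
  if ('exp' in payload && nowSeconds - leewaySeconds >= payload.exp) {
    return { ok: false, reason: 'token expired' };
  }
  if ('nbf' in payload && nowSeconds + leewaySeconds < payload.nbf) {
    return { ok: false, reason: 'token not yet valid' };
  }
  if ('iat' in payload && payload.iat > nowSeconds + leewaySeconds) {
    return { ok: false, reason: 'token issued in the future' };
  }
  return { ok: true };
}

// Constructed reference time for the demonstration (seconds since the epoch).
const NOW = 1700000000;

console.log(extractBearerToken('Basic dXNlcjpwdw=='));            // null: wrong scheme
console.log(extractBearerToken('bearer a.b.c'));                  // a.b.c
console.log(checkTimeClaims({ exp: 0 }, NOW).reason);              // token expired
console.log(checkTimeClaims({ exp: '1800000000' }, NOW).reason);   // exp is not a NumericDate
```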
Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.