Skip to content

Releases: honojs/hono

v4.11.7

27 Jan 09:54
@yusukebe yusukebe
v4.11.7
f7d272a

Choose a tag to compare

View all tags
v4.11.7

Security Release

This release includes security fixes for multiple vulnerabilities in Hono and related middleware. We recommend upgrading if you are using any of the affected components.

Components

IP Restriction Middleware

Fixed an IPv4 address validation bypass that could allow IP-based access control to be bypassed under certain configurations.

Cache Middleware

Fixed an issue where responses marked with Cache-Control: private or no-store could be cached, potentially leading to information disclosure on some runtimes.

Serve Static Middleware (Cloudflare Workers adapter)

Fixed an issue that could allow unintended access to internal asset keys when serving static files with user-controlled paths.

hono/jsx ErrorBoundary

Fixed a reflected Cross-Site Scripting (XSS) issue in the ErrorBoundary component that could occur when untrusted strings were rendered without proper escaping.

Recommendation

Users are encouraged to upgrade to this release, especially if they:

  • Use IP Restriction Middleware
  • Use Cache Middleware on Deno, Bun, or Node.js
  • Use Serve Static Middleware with user-controlled paths on Cloudflare Workers
  • Render untrusted data inside ErrorBoundary components

Security Advisories & CVEs

Full Changelog: v4.11.6...v4.11.7

Loading

v4.11.6

26 Jan 14:47
@yusukebe yusukebe
v4.11.6
7343487

Choose a tag to compare

View all tags
v4.11.6

What's Changed

  • refactor: use unique symbol for more accurate typing. by @usualoma in #4651
  • docs: align CODE_OF_CONDUCT.md wording with Contributor Covenant by @sano-suguru in #4630
  • fix(sse): handle \r and \r\n line endings in writeSSE by @AprilNEA in #4644
  • feat(bun): export getBunServer by @artemtam in #4626

New Contributors

Full Changelog: v4.11.5...v4.11.6

Contributors

usualoma, artemtam, and 2 other contributors
Loading

v4.11.5

22 Jan 01:10
@yusukebe yusukebe
v4.11.5
bcc81b1

Choose a tag to compare

View all tags
v4.11.5

What's Changed

  • fix(client): exclude $all from ClientRequest type by @paveg in #4611
  • refactor(jwks): mark allowedAlgorithms, so the user can pass a `const… by @nikeee in #4641
  • feat(jwt): export AlgorithmTypes by @yusukebe in #4642

New Contributors

Full Changelog: v4.11.4...v4.11.5

Contributors

yusukebe, nikeee, and paveg
Loading

v4.11.4

13 Jan 02:21
@yusukebe yusukebe
v4.11.4
28452f0

Choose a tag to compare

View all tags
v4.11.4

Security

Fixed a JWT algorithm confusion issue in the JWT and JWK/JWKS middleware.

Both middlewares now require an explicit algorithm configuration to prevent the verification algorithm from being influenced by untrusted JWT header values.

If you are using the JWT or JWK/JWKS middleware, please update to the latest version as soon as possible.

JWT middleware

import { jwt } from 'hono/jwt'

app.use(
  '/auth/*',
  jwt({
    secret: 'it-is-very-secret',
    alg: 'HS256', // required
  })
)

JWK/JWKS middleware

import { jwk } from 'hono/jwk'

app.use(
  '/auth/*',
  jwk({
    jwks_uri: 'https://example.com/.well-known/jwks.json',
    alg: ['RS256'], // required (asymmetric algorithms only)
  })
)

For more details, see the Security Advisory.

What's Changed

  • test(utils/jwt): add missing algorithm types in jwa.test.ts by @flathill404 in #4607
  • chore: bump @hono/eslint-config and enable curly rule by @yusukebe in #4620
  • docs(bun/websocket): Fixed a typo in hono/bun deprecation message and updated test. by @Itsnotaka in #4618
  • test: support alg option for JWT middleware by @yusukebe in #4624

New Contributors

Full Changelog: v4.11.3...v4.11.4

Contributors

yusukebe, flathill404, and Itsnotaka
Loading

v4.11.3

26 Dec 09:33
@yusukebe yusukebe
v4.11.3
7997740

Choose a tag to compare

View all tags
v4.11.3

What's Changed

  • fix(types): fix middleware union type merging in MergeMiddlewareResponse by @yusukebe in #4602

Full Changelog: v4.11.2...v4.11.3

Contributors

yusukebe
Loading

v4.11.2

25 Dec 10:41
@yusukebe yusukebe
v4.11.2
6ca01ec

Choose a tag to compare

View all tags
v4.11.2

What's Changed

  • docs: improve grammar in contributing documentation by @Ishiezz in #4581
  • fix(validator): preserve literal union types in input type inference by @yusukebe in #4583
  • chore: bump typescript-go preview for accurate benchmarking by @sushichan044 in #4586
  • refactor(hono-base): add type annotations by @yusukebe in #4591
  • refactor(client): refactor HonoURL types by @yusukebe in #4592
  • perf(types): reduce Simplify in ToSchema by @yusukebe in #4597
  • perf(types): optimize MergeMiddlewareResponse type by @yusukebe in #4598

New Contributors

Full Changelog: v4.11.1...v4.11.2

Contributors

yusukebe, sushichan044, and Ishiezz
Loading

v4.11.1

14 Dec 22:14
@yusukebe yusukebe
v4.11.1
1fbe45b

Choose a tag to compare

View all tags
v4.11.1

What's Changed

  • fix(types): fix app.on method array type inference by @kosei28 in #4578

Full Changelog: v4.11.0...v4.11.1

Contributors

kosei28
Loading

v4.11.0

13 Dec 09:31
@yusukebe yusukebe
v4.11.0
fe278e9

Choose a tag to compare

View all tags
v4.11.0

Release Notes

Hono v4.11.0 is now available!

This release includes new features for the Hono client, middleware improvements, and an important type system fix.

Type System Fix for Middleware

We've fixed a bug in the type system for middleware. Previously, app did not have the correct type with pathless handlers:

const app = new Hono()
  .use(async (c, next) => {
    await next()
  })
  .get('/a', async (c, next) => {
    await next()
  })
  .get((c) => {
    return c.text('Hello')
  })

// app's type was incorrect

This has now been fixed.

Thanks @kosei28!

Typed URL for Hono Client

You can now pass the base URL as the second type parameter to hc to get more precise URL types:

const client = hc<typeof app, 'http://localhost:8787'>(
  'http://localhost:8787/'
)

const url = client.api.posts.$url()
// url is TypedURL with precise type information
// including protocol, host, and path

This is useful when you want to use the URL as a type-safe key for libraries like SWR.

Thanks @miyaji255!

Custom NotFoundResponse Type

You can now customize the NotFoundResponse type using module augmentation. This allows c.notFound() to return a typed response:

import { Hono, TypedResponse } from 'hono'

declare module 'hono' {
  interface NotFoundResponse
    extends Response,
      TypedResponse<{ error: string }, 404, 'json'> {}
}

const app = new Hono()
  .get('/posts/:id', async (c) => {
    const post = await getPost(c.req.param('id'))
    if (!post) {
      return c.notFound()
    }
    return c.json({ post }, 200)
  })
  .notFound((c) => c.json({ error: 'not found' }, 404))

Now the client can correctly infer the 404 response type.

Thanks @miyaji255!

tryGetContext Helper

The new tryGetContext() helper in the Context Storage middleware returns undefined instead of throwing an error when the context is not available:

import { tryGetContext } from 'hono/context-storage'

const context = tryGetContext<Env>()
if (context) {
  // Context is available
  console.log(context.var.message)
}

Thanks @AyushCoder9!

Custom Query Serializer

You can now customize how query parameters are serialized using the buildSearchParams option:

const client = hc<AppType>('http://localhost', {
  buildSearchParams: (query) => {
    const searchParams = new URLSearchParams()
    for (const [k, v] of Object.entries(query)) {
      if (v === undefined) continue
      if (Array.isArray(v)) {
        v.forEach((item) => searchParams.append(`${k}[]`, item))
      } else {
        searchParams.set(k, v)
      }
    }
    return searchParams
  },
})

Thanks @bolasblack!

New features

  • feat(types): make Hono client's $url return the exact URL type #4502
  • feat(types): enhance NotFoundHandler to support custom NotFoundResponse type #4518
  • feat(timing): add wrapTime to simplify usage #4519
  • feat(pretty-json): support force option #4531
  • feat(client): add buildSearchParams option to customize query serialization #4535
  • feat(context-storage): add optional tryGetContext helper #4539
  • feat(secure-headers): add CSP report-to and report-uri directive support #4555
  • fix(types): replace schema-based path tracking with CurrentPath parameter #4552

All changes

  • chore: update esbuild to version 0.27.1 by @kosei28 in #4571
  • fix(hono/jsx): display blank when children is nullish by @techfish-11 in #4573
  • feat(types): make Hono client's $url return the exact URL type by @miyaji255 in #4502
  • feat(types): enhance NotFoundHandler to support custom NotFoundResponse type by @miyaji255 in #4518
  • feat(timing): add wrapTime to simplify usage by @PassiDel in #4519
  • feat(pretty-json): support force option by @missinglink in #4531
  • feat(context-storage): Add optional tryGetContext helper to context-storage middleware by @AyushCoder9 in #4539
  • feat(client): add buildSearchParams option to customize query serialization by @bolasblack in #4535
  • feat(secure-headers): Add CSP report-to and report-uri directive support by @cruzz77 in #4555
  • fix(types): replace schema-based path tracking with CurrentPath parameter by @kosei28 in #4552
  • Next by @yusukebe in #4574

New Contributors

Full Changelog: v4.10.8...v4.11.0

Contributors

yusukebe, bolasblack, and 7 other contributors
Loading

v4.10.8

09 Dec 08:26
@yusukebe yusukebe
v4.10.8
57f2146

Choose a tag to compare

View all tags
v4.10.8

What's Changed

New Contributors

Full Changelog: v4.10.7...v4.10.8

Contributors

baseballyama, cromery, and 2 other contributors
Loading

v4.10.7

26 Nov 11:40
@yusukebe yusukebe
v4.10.7
b06005a

Choose a tag to compare

View all tags
v4.10.7

What's Changed

New Contributors

Full Changelog: v4.10.6...v4.10.7

Contributors

yusukebe, brenc, and 3 other contributors
Loading