Update dependency hono to v4.11.7 [SECURITY] #35

Open
renovate-bot wants to merge 1 commit from renovate/npm-hono-vulnerability into main

This PR contains the following updates:

Package         Change
hono (source)   4.8.4 → 4.11.7

Hono's flaw in URL path parsing could cause path confusion

CVE-2025-58362 / GHSA-9hp6-4448-45g2

Summary

A flaw in the getPath utility function could allow path confusion and potential bypass of proxy-level ACLs (e.g. Nginx location blocks).

Details

The original implementation relied on fixed character offsets when parsing request URLs. Under certain malformed absolute-form Request-URIs, this could lead to incorrect path extraction.

Most standards-compliant runtimes and reverse proxies reject such malformed requests with a 400 Bad Request, so the impact depends on the application and environment.

Impact

If proxy ACLs are used to protect sensitive endpoints such as /admin, this flaw could have allowed unauthorized access. The confidentiality impact depends on what data is exposed: if sensitive administrative data is exposed, the impact may be High (CVSS 7.5); otherwise it may be Medium (CVSS 5.3).

Resolution

The implementation has been updated to correctly locate the first slash after "://", preventing such path confusion.
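An added example, not Hono's own getPath, of the approach the Resolution describes: the path is taken from the first "/" after "://" rather than from a fixed character offset, and a request-target that is neither origin-form nor absolute-form is reported as malformed so the caller can answer 400 instead of guessing. The offset-based code of the vulnerable version is not reproduced here; function names and the treatment of an absent path component are assumptions.

```javascript
// Added example (not Hono's getPath). Extracts the path component from a
// request-target in origin-form ("/admin?x=1") or absolute-form
// ("http://host/admin?x=1"). Returns null for anything else so the caller can
// reject the request outright rather than route on a guessed path.

const SCHEME_RE = /^[A-Za-z][A-Za-z0-9+.\-]*$/

function stripQuery(target) {
  const q = target.indexOf('?')
  return q === -1 ? target : target.slice(0, q)
}

function getPath(target) {
  // Origin-form: the target already is the path.
  if (target.startsWith('/')) return stripQuery(target)

  // Absolute-form: validate the scheme, then skip the authority by finding the
  // first "/" after "://". No assumption is made about scheme or host length.
  const schemeEnd = target.indexOf('://')
  if (schemeEnd === -1 || !SCHEME_RE.test(target.slice(0, schemeEnd))) return null
  const authorityStart = schemeEnd + 3
  const pathStart = target.indexOf('/', authorityStart)
  const queryStart = target.indexOf('?', authorityStart)
  // "http://host" and "http://host?x=1" both have an empty path, i.e. "/".
  if (pathStart === -1 || (queryStart !== -1 && queryStart < pathStart)) return '/'
  return stripQuery(target.slice(pathStart))
}
```

The security property to check in a deployment is that this function and the reverse proxy in front of it agree on the path for every request the proxy forwards; a null result should be answered with 400, never routed.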

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Hono has Body Limit Middleware Bypass

CVE-2025-59139 / GHSA-92vj-g62v-jqhh

Summary

A flaw in the bodyLimit middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present.

Details

The middleware previously prioritized the Content-Length header even when a Transfer-Encoding: chunked header was also included. According to the HTTP specification, Content-Length must be ignored in such cases. This discrepancy could allow oversized request bodies to bypass the configured limit.

Most standards-compliant runtimes and reverse proxies may reject such malformed requests with 400 Bad Request, so the practical impact depends on the runtime and deployment environment.

Impact

If body size limits are used as a safeguard against large or malicious requests, this flaw could allow attackers to send oversized request bodies. The primary risk is denial of service (DoS) due to excessive memory or CPU consumption when handling very large requests.

Resolution

The implementation has been updated to align with the HTTP specification, ensuring that Transfer-Encoding takes precedence over Content-Length. The issue is fixed in Hono v4.9.7, and all users should upgrade immediately.
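An added example, not Hono's bodyLimit middleware, of the header precedence the advisory describes. RFC 9112 §6.3 makes Transfer-Encoding override Content-Length, so a declared length is only trusted for an early rejection when no Transfer-Encoding header is present; otherwise the body is counted as it streams and cut off the moment the limit is crossed. The limit value, the header objects and the chunk array are constructed for the example.

```javascript
// Added example (not Hono's bodyLimit). Enforces a request body size limit with
// RFC 9112 §6.3 framing semantics: when Transfer-Encoding is present, any
// Content-Length is ignored and the body must be measured as it arrives.

const MAX_BODY_BYTES = 1024 // assumed limit for this example

// Illustration of the flawed precedence described in the advisory (not the
// original code): Content-Length is trusted even when Transfer-Encoding exists.
function declaredLengthFlawed(headers) {
  const cl = headers['content-length']
  return cl === undefined ? null : Number(cl)
}

// Corrected: a declared length is trusted only when no Transfer-Encoding exists.
// Returns null when the body has to be counted while reading.
function declaredLength(headers) {
  if (headers['transfer-encoding'] !== undefined) return null
  const cl = headers['content-length']
  if (cl === undefined) return null
  if (!/^\d+$/.test(cl)) throw new Error('invalid Content-Length')
  return Number(cl)
}

// Simulates the middleware: reject early on a trusted declared length, otherwise
// count bytes chunk by chunk and stop as soon as the limit is exceeded.
// `chunks` stands in for the request stream (strings or Buffers).
function readWithLimit(headers, chunks, limit = MAX_BODY_BYTES) {
  const declared = declaredLength(headers)
  if (declared !== null && declared > limit) {
    return { ok: false, reason: 'declared Content-Length exceeds limit', received: 0 }
  }
  let received = 0
  for (const chunk of chunks) {
    received += Buffer.byteLength(chunk)
    if (received > limit) {
      return { ok: false, reason: 'body exceeded limit while streaming', received }
    }
  }
  return { ok: true, received }
}

// Constructed sample: conflicting headers with a small Content-Length but a
// chunked body well past the limit.
const conflictingHeaders = { 'content-length': '10', 'transfer-encoding': 'chunked' }
const oversizedChunks = ['a'.repeat(600), 'b'.repeat(600)]
```

With the flawed precedence the request above passes the up-front check on the strength of "10" bytes; with the corrected logic the declared length is discarded and the stream is stopped at 1200 bytes.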

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L


Hono Improper Authorization vulnerability

CVE-2025-62610 / GHSA-m732-5p4w-x69g

Improper Authorization in Hono (JWT Audience Validation)

Hono’s JWT authentication middleware did not validate the aud (Audience) claim by default. As a result, applications using the middleware without an explicit audience check could accept tokens intended for other audiences, leading to potential cross-service access (token mix-up).

The issue is addressed by adding a new verification.aud configuration option to allow RFC 7519–compliant audience validation. This change is classified as a security hardening improvement, but the lack of validation can still be considered a vulnerability in deployments that rely on default JWT verification.

You can enable RFC 7519–compliant audience validation using the new verification.aud option:

import { Hono } from 'hono'
import { jwt } from 'hono/jwt'

const app = new Hono()

app.use(
  '/api/*',
  jwt({
    secret: 'my-secret',
    verification: {
      // Require this API to only accept tokens with aud = 'service-a'
      aud: 'service-a',
    },
  })
)

Below is the original description by the reporter. For security reasons, it does not include PoC reproduction steps, as the vulnerability can be clearly understood from the technical description.


The original description by the reporter

Summary

Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy / token-mix-up issues: an API may accept a valid token that was issued for a different audience (e.g., another service) when multiple services share the same issuer/keys. This can lead to unintended cross-service access. Hono’s docs list verification options for iss/nbf/iat/exp only, with no aud support; RFC 7519 requires that when an aud claim is present, tokens MUST be rejected unless the processing party identifies itself in that claim.

Note: This problem likely exists in the JWK/JWKS-based middleware as well (e.g., jwk / verifyWithJwks)

Details
  • The middleware’s verifyOptions enumerate only iss, nbf, iat, and exp; there is no aud option. The same omission appears in the JWT Helper’s “Payload Validation” list. Developers relying on the middleware for complete standards-aligned validation therefore won’t check audience by default.
  • Standards requirement: RFC 7519 §4.1.3 states that each principal intended to process the JWT MUST identify itself with a value in the aud claim; if it does not, the JWT MUST be rejected (when aud is present). Lack of a first-class aud check increases the risk that tokens issued for Service B are accepted by Service A.
  • Real-world effect: In deployments with a single IdP/JWKS and shared keys across multiple services, a token minted for one audience can be mistakenly accepted by another audience unless developers implement a custom audience check.
    • For example, with Google Identity (OIDC), iss is always https://accounts.google.com (shared across apps), but aud differs per application because it is that app’s OAuth client ID; therefore, an attacker can host a separate service that supports “Sign in with Google,” obtain a valid ID token (JWT) for the victim user, and—if your API does not verify aud—use that token to access your API with the victim’s privileges.

Impact

Type: Authentication/authorization weakness via token mix-up (confused-deputy).

Who is impacted: Any Hono user who:

  • shares an issuer/keys across multiple services (common with a single IdP/JWKS)
  • distinguishes tokens by intended recipient using aud.

What can happen:

  • Cross-service access: A token for Service B may be accepted by Service A.
  • Boundary erosion: ID tokens and access tokens, or separate API audiences, can be inadvertently intermixed.
    • This may cause unauthorized invocation of sensitive endpoints.

Recommended remediation:

  1. Add verifyOptions.aud (string | string[] | RegExp) to the middleware and enforce RFC 7519 semantics: in the verify method, if aud is present and does not match the specified audiences, reject.
  2. Ensure equivalent aud handling exists in the JWK/JWKS flow (jwk middleware / verifyWithJwks) so users of external IdPs can enforce audience consistently.
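An added example, not Hono's verify implementation, of the RFC 7519 §4.1.3 rule described both in the maintainers' note above and in the reporter's remediation: the configured audience may be a string, an array of strings or a RegExp, as the reporter proposes, and the aud claim itself may be a string or an array. Function names, the issuer value and the claims are constructed; the choice to refuse tokens that carry no aud when the service has configured one is an assumed (stricter) policy.

```javascript
// Added example (not Hono's verify). Audience validation per RFC 7519 §4.1.3.
// `expected` identifies this service: a string, an array of strings, or a RegExp.

function audienceMatches(expected, value) {
  if (expected instanceof RegExp) return expected.test(value)
  if (Array.isArray(expected)) return expected.includes(value)
  return expected === value
}

// Returns true only when this service may process the token.
function checkAudience(payload, expected) {
  const aud = payload.aud
  if (aud === undefined) {
    // aud is optional in the general case. Assumed policy: a service that has
    // configured an audience refuses tokens that do not name one.
    return expected === undefined
  }
  // aud is present: the RFC requires rejection unless we identify ourselves in it.
  if (expected === undefined) return false
  const values = Array.isArray(aud) ? aud : [aud]
  if (values.length === 0 || !values.every((v) => typeof v === 'string')) return false
  return values.some((v) => audienceMatches(expected, v))
}

// Token mix-up scenario from the report: one issuer, two services. A token minted
// for service-b passes an issuer check alone but fails once aud is enforced.
function acceptsToken(payload, service) {
  return payload.iss === service.iss && checkAudience(payload, service.aud)
}

const idp = 'https://idp.example' // constructed issuer shared by both services
const serviceA = { iss: idp, aud: 'service-a' }
const serviceB = { iss: idp, aud: 'service-b' }
const tokenForB = { iss: idp, sub: 'alice', aud: 'service-b' } // constructed claims
```

The same check applies unchanged to the JWK/JWKS flow, since it operates on the decoded payload after signature verification and is independent of how the key was obtained.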

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N


Hono vulnerable to Vary Header Injection leading to potential CORS Bypass

GHSA-q7jf-gf43-6x6p

Summary

A flaw in the CORS middleware allowed request Vary headers to be reflected into the response, enabling attacker-controlled Vary values and potentially affecting cache behavior.

Details

The middleware previously copied the Vary header from the request when origin was not set to "*". Since Vary is a response header that should only be managed by the server, this could allow an attacker to influence caching behavior or cause inconsistent CORS handling.

Most environments will see impact only when shared caches or proxies rely on the Vary header. The practical effect varies by configuration.

Impact

May cause cache key pollution and inconsistent CORS enforcement in certain setups. No direct confidentiality, integrity, or availability impact in default configurations.

Resolution

Update to the latest patched release. The CORS middleware has been corrected to handle Vary exclusively as a response header.
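An added example, not Hono's CORS middleware, of the corrected behaviour: the response's Vary header is derived from the server's own configuration (the response varies by Origin whenever origins are restricted), and nothing from the request's Vary header is ever copied. A second function illustrates the flawed reflecting pattern the advisory describes so the two can be compared; it is an illustration, not the original code. Header objects and origins are constructed.

```javascript
// Added example (not Hono's CORS middleware). Response headers are computed from
// configuration only; the request's own Vary header is never consulted.

// Append a field name to an existing Vary value without duplicating it.
function addVary(existing, name) {
  const names = existing ? existing.split(',').map((s) => s.trim()).filter(Boolean) : []
  if (names.some((n) => n === '*' || n.toLowerCase() === name.toLowerCase())) return names.join(', ')
  names.push(name)
  return names.join(', ')
}

// Corrected behaviour: Vary describes how *this* response varies, so it is
// added only when the allowed origin depends on the request's Origin.
function corsHeaders(req, config, responseHeaders = {}) {
  const out = { ...responseHeaders }
  if (config.origin === '*') {
    out['access-control-allow-origin'] = '*'
    return out // identical for every origin: no Vary needed
  }
  const allowed = Array.isArray(config.origin) ? config.origin : [config.origin]
  out['vary'] = addVary(out['vary'], 'Origin')
  if (req.origin !== undefined && allowed.includes(req.origin)) {
    out['access-control-allow-origin'] = req.origin
  }
  return out
}

// Illustration of the flawed pattern (not the original code): a Vary header
// sent by the client is merged into the response, letting the client shape the
// cache key that shared caches and proxies compute.
function corsHeadersReflecting(req, config, responseHeaders = {}) {
  const out = corsHeaders(req, config, responseHeaders)
  if (config.origin !== '*' && req.vary !== undefined) {
    out['vary'] = addVary(out['vary'], req.vary)
  }
  return out
}

// Constructed sample request carrying a Vary header it has no business sending.
const sampleRequest = { origin: 'https://app.example', vary: 'Cookie' }
const restrictedConfig = { origin: ['https://app.example'] }
```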

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N


Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256) Allows Token Forgery and Auth Bypass

CVE-2026-22817 / GHSA-f67f-6cw9-8mq4

Summary

A flaw in Hono’s JWK/JWKS JWT verification middleware allowed the JWT header’s alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted.

Details

When verifying JWTs using JWKs or a JWKS endpoint, the middleware selected the verification algorithm based on the JWK’s alg field if present, but otherwise fell back to the alg value provided in the unverified JWT header.

Because the alg field in a JWK is optional and often omitted in real-world JWKS configurations, this behavior could allow an attacker to control the algorithm used for verification. In some environments, this may lead to authentication or authorization bypass through crafted tokens.

The practical impact depends on application configuration, including which algorithms are accepted and how JWTs are used for authorization decisions.

Impact

In affected configurations, an attacker may be able to forge JWTs with attacker-controlled claims, potentially resulting in authentication or authorization bypass.

Applications that do not use the JWK/JWKS middleware, do not rely on JWT-based authentication, or explicitly restrict allowed algorithms are not affected.

Resolution

Update to the latest patched release.

Breaking change:

As part of this fix, the JWT middleware now requires the alg option to be explicitly specified. This prevents algorithm confusion by ensuring that the verification algorithm is not derived from untrusted JWT header values.

Applications upgrading must update their configuration accordingly.

Before (vulnerable configuration)

import { jwt } from 'hono/jwt'

app.use(
  '/auth/*',
  jwt({
    secret: 'it-is-very-secret',
    // alg was optional
  })
)

After (patched configuration)

import { jwt } from 'hono/jwt'

app.use(
  '/auth/*',
  jwt({
    secret: 'it-is-very-secret',
    alg: 'HS256', // required
  })
)

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N


Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback)

CVE-2026-22818 / GHSA-3vhc-576x-3qv4

Summary

A flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted.

Details

When verifying JWTs using JWKs or a JWKS endpoint, the middleware selected the verification algorithm based on the JWK’s alg field if present. If the JWK did not specify an algorithm, the middleware fell back to using the alg value provided in the unverified JWT header.

Because the alg field in a JWK is optional and commonly omitted in real-world JWKS configurations, this behavior could allow an attacker to influence which algorithm is used for verification. In some environments, this may result in authentication or authorization bypass through crafted JWTs.

The practical impact depends on application configuration, including which algorithms are accepted and how JWTs are used to make authorization decisions.

Impact

In affected configurations, an attacker may be able to forge JWTs with attacker-controlled claims, potentially leading to authentication or authorization bypass.

Applications that do not use the JWK/JWKS middleware, do not rely on JWT-based authentication, or explicitly restrict allowed algorithms are not affected.

Resolution

Update to the latest patched release.

Breaking change:

The JWK/JWKS JWT verification middleware has been updated to require an explicit allowlist of asymmetric algorithms when verifying tokens. The middleware no longer derives the verification algorithm from untrusted JWT header values.

Instead, callers must explicitly specify which asymmetric algorithms are permitted, and only tokens signed with those algorithms will be accepted. This prevents JWT algorithm confusion by ensuring that algorithm selection is fully controlled by application configuration.

As part of this fix, the alg option is now required when using the JWK/JWKS middleware, and symmetric (HS*) algorithms are no longer accepted in this context.

Before (vulnerable configuration)

import { jwk } from 'hono/jwk'

app.use(
  '/auth/*',
  jwk({
    jwks_uri: 'https://example.com/.well-known/jwks.json',
    // alg was optional
  })
)

After (patched configuration)

import { jwk } from 'hono/jwk'

app.use(
  '/auth/*',
  jwk({
    jwks_uri: 'https://example.com/.well-known/jwks.json',
    alg: ['RS256'], // required: explicit asymmetric algorithm allowlist
  })
)

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N


Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception

CVE-2026-24472 / GHSA-6wqw-2p9w-4vw4

Summary

Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as Cache-Control: private or Cache-Control: no-store, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users.

Details

The vulnerability exists in the cache decision logic of Cache Middleware. When determining whether a response should be cached, the middleware does not take HTTP cache control semantics into account and may cache responses that are explicitly marked as private by the application. While some runtimes, such as Cloudflare Workers, enforce cache control restrictions at the platform level, other runtimes including Deno, Bun, and Node.js rely on the middleware’s behavior. As a result, applications running on these runtimes may unintentionally cache sensitive responses.

Impact

This issue can lead to Web Cache Deception and information disclosure. If an authenticated user accesses an endpoint that returns user-specific or sensitive data and the response is cached despite being marked as private, subsequent unauthenticated requests may receive the cached response. This may result in the exposure of personally identifiable information or session-related data. The impact is limited to applications that use the hono/cache middleware and rely on it to correctly honor HTTP cache control directives.
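An added example, not Hono's cache middleware, of the store decision a caching layer should make for the case described above. It honours the RFC 9111 response directives (no-store, private, no-cache, max-age) and additionally refuses responses that set cookies or answer a request that carried credentials unless the response is explicitly public; that extra per-user rule is an assumed stricter policy. A flawed "cache every 200" decision is included for contrast; it is an illustration, not the original code. The request and response objects are constructed.

```javascript
// Added example (not Hono's cache middleware). Decides whether a response may be
// stored in a shared cache, honouring RFC 9111 response directives.

function parseCacheControl(value) {
  const directives = new Map()
  if (!value) return directives
  for (const part of value.split(',')) {
    const eq = part.indexOf('=')
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase()
    const arg = eq === -1 ? true : part.slice(eq + 1).trim().replace(/^"|"$/g, '')
    if (name) directives.set(name, arg)
  }
  return directives
}

const lowerKeys = (h) => Object.fromEntries(Object.entries(h).map(([k, v]) => [k.toLowerCase(), v]))

// Illustration of the flawed decision described in the advisory (not the
// original code): anything that came back 200 is stored.
function isCacheableFlawed(req, res) {
  return res.status === 200
}

function isCacheable(req, res) {
  if (res.status !== 200) return false
  const headers = lowerKeys(res.headers)
  const cc = parseCacheControl(headers['cache-control'])
  // Explicit opt-outs by the application.
  if (cc.has('no-store') || cc.has('private') || cc.has('no-cache')) return false
  if (cc.has('max-age') && Number(cc.get('max-age')) <= 0) return false
  // Per-user signals (assumed policy): a Set-Cookie, or a request that carried
  // credentials, disqualifies the response unless it is explicitly public.
  if (headers['set-cookie'] !== undefined) return false
  const reqHeaders = lowerKeys(req.headers)
  const credentialed = reqHeaders['authorization'] !== undefined || reqHeaders['cookie'] !== undefined
  if (credentialed && !cc.has('public')) return false
  return true
}

// Constructed sample exchange: an authenticated profile endpoint that marks its
// response private, the exact case the advisory says was cached anyway.
const profileRequest = { headers: { Cookie: 'session=abc' } }
const profileResponse = {
  status: 200,
  headers: { 'Content-Type': 'application/json', 'Cache-Control': 'private, max-age=60' },
}
const publicResponse = { status: 200, headers: { 'cache-control': 'public, max-age=3600' } }
```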

Affected Components
  • Cache Middleware

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N


Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing

CVE-2026-24398 / GHSA-r354-f388-2fhh

Summary

IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The IPV4_REGEX pattern and convertIPv4ToBinary function in src/utils/ipaddr.ts do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls.

Details

The vulnerability exists in two components:

  1. Permissive regex pattern: The IPV4_REGEX (/^[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}$/) accepts octet values greater than 255 (e.g., 999).
  2. Unsafe binary conversion: The convertIPv4ToBinary function does not validate octet ranges before performing bitwise operations. When an octet exceeds 255, it overflows into adjacent octets during the bit-shift calculation.

For example, the IP address 1.2.2.355 is accepted and converts to the same binary value as 1.2.3.99:

  • 355 = 256 + 99 = 0x163
  • After bit-shifting: (1 << 24) + (2 << 16) + (2 << 8) + 355 = 0x01020363 = 1.2.3.99
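
An added example, not Hono's ipaddr utilities, reproducing the arithmetic above and placing a strict parser beside it. The permissive pattern and the overflow calculation are the ones quoted in the advisory; the strict regex, the range-checked conversion and the CIDR helper are the added hardening, and their names are assumptions. The CIDR helper returns null for any malformed address so that a caller can fail closed.

```javascript
// Added example (not Hono's ipaddr.ts). Permissive vs. strict IPv4 handling.

// Pattern quoted in the advisory: accepts octets such as 355.
const PERMISSIVE_IPV4_REGEX = /^[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}$/
// Strict: exactly four octets, each 0-255, no leading zeros.
const OCTET = '(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
const STRICT_IPV4_REGEX = new RegExp(`^${OCTET}(\\.${OCTET}){3}$`)

// Unchecked conversion as described in the advisory: an octet above 255
// carries into its neighbour, so 1.2.2.355 collapses onto 1.2.3.99.
function uncheckedIPv4ToInt(ip) {
  const [a, b, c, d] = ip.split('.').map(Number)
  return ((a << 24) + (b << 16) + (c << 8) + d) >>> 0
}

// Strict conversion: null unless the dotted quad is well formed.
function strictIPv4ToInt(ip) {
  if (!STRICT_IPV4_REGEX.test(ip)) return null
  const o = ip.split('.').map(Number)
  if (o.some((v) => v < 0 || v > 255)) return null // defensive; the regex already guarantees this
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0
}

// CIDR membership on top of the strict parser. Returns null (not false) for
// malformed input so the caller can distinguish "not in range" from "garbage".
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/')
  const bits = Number(bitsStr)
  const ipInt = strictIPv4ToInt(ip)
  const netInt = strictIPv4ToInt(net)
  if (ipInt === null || netInt === null || !(bits >= 0 && bits <= 32)) return null
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0
  return ((ipInt & mask) >>> 0) === ((netInt & mask) >>> 0)
}
```

A blocklist check built on `inCidr` should treat null as "deny" and an allowlist check should treat it as "not allowed"; either way a malformed address such as 1.2.2.355 can no longer be folded onto an address inside a protected range.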

Impact

An attacker can bypass IP-based restrictions by crafting malformed IP addresses:

  • Blocklist bypass: If 1.2.3.0/24 is blocked, an attacker can use 1.2.2.355 (or similar) to bypass the restriction.
  • Allowlist bypass: Requests from unauthorized IP ranges may be incorrectly permitted.

This is exploitable when the application relies on client-provided IP addresses (e.g., X-Forwarded-For header) for access control decisions.

Affected Components
  • IP Restriction Middleware
  • src/utils/ipaddr.ts: IPV4_REGEX, convertIPv4ToBinary, distinctRemoteAddr

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N


Hono vulnerable to XSS through ErrorBoundary component

CVE-2026-24771 / GHSA-9r54-q6cx-xmh5

Summary

A Cross-Site Scripting (XSS) vulnerability exists in the ErrorBoundary component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser.

Details

The issue is in the ErrorBoundary component (src/jsx/components.ts). ErrorBoundary previously forced certain rendered output paths to be treated as raw HTML, bypassing the library's default escaping behavior. This could result in unescaped rendering when developers pass user-controlled strings directly as children, or when fallbackRender returns user-controlled strings (for example, reflecting error messages that contain attacker input).

This vulnerability is only exploitable when an application renders untrusted user input within ErrorBoundary without appropriate escaping or sanitization.

Impact

Successful exploitation may allow attackers to execute arbitrary JavaScript in the victim’s browser (reflected XSS). Depending on the application context, this can lead to actions such as session compromise, data exfiltration, or performing unauthorized actions as the victim.
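An added example, not hono/jsx code, using a minimal string renderer to show the two rendering paths the advisory contrasts: a fallback whose return value is forced to raw HTML, and one whose return value is escaped like any other child, with an explicit marker type for markup the application has built and escaped itself. The renderer, the marker class and the failing lookup are constructed for the example.

```javascript
// Added example (not hono/jsx). A tiny renderer showing why the output of an
// error fallback must pass through the same escaping as any other child.

function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }
  return String(text).replace(/[&<>"']/g, (ch) => map[ch])
}

// Marker for strings the application has deliberately built as HTML.
class RawHtml {
  constructor(html) {
    this.html = html
  }
}
const raw = (html) => new RawHtml(html)

// Default rendering: strings are escaped, RawHtml passes through untouched.
function renderChild(child) {
  return child instanceof RawHtml ? child.html : escapeHtml(child)
}

// Flawed pattern described in the advisory (not the original code): whatever the
// fallback returns is emitted as raw HTML, so user input reflected in an error
// message reaches the page unescaped. `renderChildren` returns already-rendered HTML.
function errorBoundaryUnsafe(renderChildren, fallbackRender) {
  try {
    return renderChildren()
  } catch (err) {
    return String(fallbackRender(err))
  }
}

// Hardened: the fallback's return value is treated exactly like a child.
function errorBoundarySafe(renderChildren, fallbackRender) {
  try {
    return renderChildren()
  } catch (err) {
    return renderChild(fallbackRender(err))
  }
}

// Constructed sample: a lookup that fails and reflects the user's input in its message.
const userInput = '<b>not really bold</b>'
const failingChildren = () => {
  throw new Error(`Lookup failed for ${userInput}`)
}
const messageFallback = (err) => err.message
// Explicit opt-in: the application escapes the message itself and vouches for the markup.
const markupFallback = (err) => raw(`<p class="error">${escapeHtml(err.message)}</p>`)
```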

Affected Components
  • hono/jsx: ErrorBoundary component

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N


Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)

CVE-2026-24473 / GHSA-w332-q679-j88p

Summary

Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys.

Details

The vulnerability exists in the serve-static middleware used with the Cloudflare Workers adapter. When serving static assets, the middleware does not sufficiently validate or restrict user-supplied paths before resolving them against the Workers asset storage.

As a result, an attacker may craft requests that access arbitrary keys beyond the intended static asset scope. This issue only affects applications running on Cloudflare Workers that use Serve static Middleware with user-controllable request paths.

Impact

This vulnerability may lead to information disclosure by allowing unauthorized access to internal assets or data stored in the Workers environment. The exposed data is limited to readable asset keys and does not allow modification of stored data or execution of arbitrary code.

The impact is limited to applications that use Serve static Middleware in the Cloudflare Workers adapter and rely on it to safely handle untrusted request paths.
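An added example, not Hono's serve-static middleware, of the path validation the advisory says was insufficient: the request path is decoded once, normalised segment by segment, refused outright if it tries to climb above the asset root, and finally checked to still lie under that root. A second function layers a build-time manifest on top so only keys that were actually shipped are ever looked up. The root prefix, the manifest contents and the fail-closed handling of ".." are assumptions.

```javascript
// Added example (not Hono's serve-static). Maps a request path onto a storage
// key under a fixed prefix and rejects anything that could name a key outside it.

function resolveAssetKey(requestPath, root = 'static/') {
  let decoded
  try {
    decoded = decodeURIComponent(requestPath)
  } catch {
    return null // malformed percent-encoding
  }
  // Characters that have no place in an asset name.
  if (decoded.includes('\0') || decoded.includes('\\')) return null

  // Normalise "." and empty segments; any attempt to climb above the root is
  // refused outright rather than silently clamped.
  const segments = []
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue
    if (seg === '..') {
      if (segments.length === 0) return null
      segments.pop()
      continue
    }
    segments.push(seg)
  }
  if (segments.length === 0) return null

  const key = root + segments.join('/')
  // Final guard: the resolved key must still sit under the configured root.
  return key.startsWith(root) ? key : null
}

// Stricter policy: only keys present in a build-time manifest are served, so a
// lookup can never reach keys the deployment did not intend to expose.
function resolveFromManifest(requestPath, manifest, root = 'static/') {
  const key = resolveAssetKey(requestPath, root)
  return key !== null && manifest.has(key) ? key : null
}

// Constructed manifest standing in for the set of keys a deployment actually shipped.
const manifest = new Set(['static/css/app.css', 'static/js/app.js'])
```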

Affected Components
  • Serve static Middleware (Cloudflare Workers adapter)

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N


Release Notes

honojs/hono (hono)

v4.11.7

Compare Source

Security Release

This release includes security fixes for multiple vulnerabilities in Hono and related middleware. We recommend upgrading if you are using any of the affected components.

Components

IP Restriction Middleware

Fixed an IPv4 address validation bypass that could allow IP-based access control to be bypassed under certain configurations.

Cache Middleware

Fixed an issue where responses marked with Cache-Control: private or no-store could be cached, potentially leading to information disclosure on some runtimes.

Serve Static Middleware (Cloudflare Workers adapter)

Fixed an issue that could allow unintended access to internal asset keys when serving static files with user-controlled paths.

hono/jsx ErrorBoundary

Fixed a reflected Cross-Site Scripting (XSS) issue in the ErrorBoundary component that could occur when untrusted strings were rendered without proper escaping.

Recommendation

Users are encouraged to upgrade to this release, especially if they:

  • Use IP Restriction Middleware
  • Use Cache Middleware on Deno, Bun, or Node.js
  • Use Serve Static Middleware with user-controlled paths on Cloudflare Workers
  • Render untrusted data inside ErrorBoundary components

Security Advisories & CVEs


Full Changelog: https://github.com/honojs/hono/compare/v4.11.6...v4.11.7

v4.11.6

Compare Source

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.11.5...v4.11.6

v4.11.5

Compare Source

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.11.4...v4.11.5

v4.11.4

Compare Source

Security

Fixed a JWT algorithm confusion issue in the JWT and JWK/JWKS middleware.

Both middlewares now require an explicit algorithm configuration to prevent the verification algorithm from being influenced by untrusted JWT header values.

If you are using the JWT or JWK/JWKS middleware, please update to the latest version as soon as possible.

JWT middleware

import { jwt } from 'hono/jwt'

app.use(
  '/auth/*',
  jwt({
    secret: 'it-is-very-secret',
    alg: 'HS256', // required
  })
)

JWK/JWKS middleware

import { jwk } from 'hono/jwk'

app.use(
  '/auth/*',
  jwk({
    jwks_uri: 'https://example.com/.well-known/jwks.json',
    alg: ['RS256'], // required (asymmetric algorithms only)
  })
)

For more details, see the Security Advisory.

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.11.3...v4.11.4

v4.11.3

Compare Source

What's Changed

  • fix(types): fix middleware union type merging in MergeMiddlewareResponse by @yusukebe in #4602

Full Changelog: https://github.com/honojs/hono/compare/v4.11.2...v4.11.3

v4.11.2

Compare Source

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.11.1...v4.11.2

v4.11.1

Compare Source

What's Changed

Full Changelog: https://github.com/honojs/hono/compare/v4.11.0...v4.11.1

v4.11.0

Compare Source

Release Notes

Hono v4.11.0 is now available!

This release includes new features for the Hono client, middleware improvements, and an important type system fix.

Type System Fix for Middleware

We've fixed a bug in the type system for middleware. Previously, app did not have the correct type with pathless handlers:

const app = new Hono()
  .use(async (c, next) => {
    await next()
  })
  .get('/a', async (c, next) => {
    await next()
  })
  .get((c) => {
    return c.text('Hello')
  })

// app's type was incorrect

This has now been fixed.

Thanks @kosei28!

Typed URL for Hono Client

You can now pass the base URL as the second type parameter to hc to get more precise URL types:

const client = hc<typeof app, 'http://localhost:8787'>(
  'http://localhost:8787/'
)

const url = client.api.posts.$url()
// url is TypedURL with precise type information
// including protocol, host, and path

This is useful when you want to use the URL as a type-safe key for libraries like SWR.

Thanks @miyaji255!

Custom NotFoundResponse Type

You can now customize the NotFoundResponse type using module augmentation. This allows c.notFound() to return a typed response:

import { Hono, TypedResponse } from 'hono'

declare module 'hono' {
  interface NotFoundResponse
    extends Response,
      TypedResponse<{ error: string }, 404, 'json'> {}
}

const app = new Hono()
  .get('/posts/:id', async (c) => {
    const post = await getPost(c.req.param('id'))
    if (!post) {
      return c.notFound()
    }
    return c.json({ post }, 200)
  })
  .notFound((c) => c.json({ error: 'not found' }, 404))

Now the client can correctly infer the 404 response type.

Thanks @miyaji255!

tryGetContext Helper

The new tryGetContext() helper in the Context Storage middleware returns undefined instead of throwing an error when the context is not available:

import { tryGetContext } from 'hono/context-storage'

const context = tryGetContext<Env>()
if (context) {
  // Context is available
  console.log(context.var.message)
}

Thanks @AyushCoder9!

Custom Query Serializer

You can now customize how query parameters are serialized using the buildSearchParams option:

const client = hc<AppType>('http://localhost', {
  buildSearchParams: (query) => {
    const searchParams = new URLSearchParams()
    for (const [k, v] of Object.entries(query)) {
      if (v === undefined) continue
      if (Array.isArray(v)) {
        v.forEach((item) => searchParams.append(`${k}[]`, item))
      } else {
        searchParams.set(k, v)
      }
    }
    return searchParams
  },
})

Thanks @bolasblack!

New features

  • feat(types): make Hono client's $url return the exact URL type #4502
  • feat(types): enhance NotFoundHandler to support custom NotFoundResponse type #4518
  • feat(timing): add wrapTime to simplify usage #4519
  • feat(pretty-json): support force option #4531
  • feat(client): add buildSearchParams option to customize query serialization #4535
  • feat(context-storage): add optional tryGetContext helper #4539
  • feat(secure-headers): add CSP report-to and report-uri directive support #4555
  • fix(types): replace schema-based path tracking with CurrentPath parameter #4552

All changes

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.10.8...v4.11.0

v4.10.8

Compare Source

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.10.7...v4.10.8

v4.10.7

Compare Source

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.10.6...v4.10.7

v4.10.6

Compare Source

Deprecated

bearer-auth options

The following options are deprecated and will be removed in a future version:

  • noAuthenticationHeaderMessage => use noAuthenticationHeader.message
  • invalidAuthenticationHeaderMessage => use invalidAuthenticationHeader.message
  • invalidTokenMessage => use invalidToken.message

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.10.5...v4.10.6

v4.10.5

Compare Source

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.10.4...v4.10.5

v4.10.4

Compare Source

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.10.3...v4.10.4

v4.10.3

Compare Source

Security Fix

A security issue in the CORS middleware has been fixed. In some cases, a request header could affect the Vary response header. Please update to the latest version if you are using the CORS middleware.

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.10.2...v4.10.3

v4.10.2

Compare Source

Security hardening improvement

If you are using JWT middleware, please read the following and consider applying the configuration.

Improper Authorization in Hono (JWT Audience Validation)

Hono’s JWT authentication middleware did not validate the aud (Audience) claim by default. As a result, applications using the middleware without an explicit audience check could accept tokens intended for other audiences, leading to potential cross-service access (token mix-up).

The issue is addressed by adding a new verification.aud configuration option to allow RFC 7519–compliant audience validation. This change is classified as a security hardening improvement, but the lack of validation can still be considered a vulnerability in deployments that rely on default JWT verification.

You can enable RFC 7519–compliant audience validation using the new verification.aud option:

import { Hono } from 'hono'
import { jwt } from 'hono/jwt'

const app = new Hono()

app.use(
  '/api/*',
  jwt({
    secret: 'my-secret',
    verification: {
      // Require this API to only accept tokens with aud = 'service-a'
      aud: 'service-a',
    },
  })
)

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.10.1...v4.10.2

v4.10.1

Compare Source

What's Changed

Full Changelog: https://github.com/honojs/hono/compare/v4.10.0...v4.10.1

v4.10.0

Compare Source

Release Notes

Hono v4.10.0 is now available!

This release brings improved TypeScript support and new utilities.

The main highlight is the enhanced middleware type definitions that solve a long-standing issue with type safety for RPC clients.

Middleware Type Improvements

Imagine the following app:

import { Hono } from 'hono'

const app = new Hono()

const routes = app.get(
  '/',
  (c) => {
    return c.json({ errorMessage: 'Error!' }, 500)
  },
  (c) => {
    return c.json({ message: 'Success!' }, 200)
  }
)

The client with RPC:

import { hc } from 'hono/client'

const client = hc<typeof routes>('/')

const res = await client.index.$get()

if (res.status === 500) {
}

if (res.status === 200) {
}

Previously, it couldn't infer the responses from middleware, so a type error was thrown.

[Screenshot: the type error shown before the fix]

Now the responses are correctly typed.

[Screenshot: the responses correctly typed after the fix]

This was a long-standing issue that we had thought would be very difficult to resolve, but it has now been done.

Thank you for the great work @slawekkolodziej!

cloneRawRequest Utility

The new cloneRawRequest utility allows you to clone the raw Request object after it has been consumed by validators or middleware.

import { cloneRawRequest } from 'hono/request'

app.post('/api', async (c) => {
  const body = await c.req.json()

  // Clone the consumed request
  const clonedRequest = cloneRawRequest(c.req)
  await externalLibrary.process(clonedRequest)
})

Thanks @kamaal111!

New features

  • feat(types): passing middleware types #4393
  • feat(ssg): add default plugin that defines the recommended behavior #4394
  • feat(request): add cloneRawRequest utility for request cloning #4382

All changes

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.9.12...v4.10.0

v4.9.12

Compare Source

What's Changed

  • refactor: internal structure of PreparedRegExpRouter for optimization and added tests by @usualoma in #4456
  • refactor: use protected methods instead of computed properties to allow tree shaking by @usualoma in #4458

Full Changelog: https://github.com/honojs/hono/compare/v4.9.11...v4.9.12

v4.9.11

Compare Source

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.9.10...v4.9.11

v4.9.10

Compare Source

What's Changed

Full Changelog: https://github.com/honojs/hono/compare/v4.9.9...v4.9.10

v4.9.9

Compare Source

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.9.8...v4.9.9

v4.9.8

Compare Source

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.9.7...v4.9.8

v4.9.7

Compare Source

Security

  • Fixed an issue in the bodyLimit middleware where the configured body size limit could be bypassed when both Content-Length and Transfer-Encoding headers were present: Content-Length was trusted even though Transfer-Encoding must take precedence. If you use this middleware, update immediately. Security advisory: GHSA-92vj-g62v-jqhh
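As an added example (not Hono's bodyLimit code) of the precedence rule behind this fix: a body-size check that, like the vulnerable middleware as the advisory describes it, trusts Content-Length whenever it is present, beside one that ignores Content-Length when Transfer-Encoding is present and counts the streamed bytes instead, as RFC 9112 section 6.3 requires. The request model (a header map plus the array of body chunks a runtime would hand to the application) and the sample request with conflicting headers are constructed for the example.

```typescript
// Added example, not Hono's bodyLimit. Requests are modelled as a header map plus the
// body chunks the runtime delivers to the application (constructed input, see below).
type HeaderMap = Record<string, string>
type LimitVerdict = { allowed: boolean; bytesSeen: number; reason: string }
// 'content-length-first': trust Content-Length whenever present (the pre-fix behaviour the
//                         advisory describes), so the body is never counted.
// 'transfer-encoding-first': RFC 9112 section 6.3, Transfer-Encoding wins; Content-Length
//                         is ignored and the body is counted as it streams.
type FramingPolicy = 'content-length-first' | 'transfer-encoding-first'

// Case-insensitive lookup, since HTTP header names are case-insensitive.
function getHeader(headers: HeaderMap, name: string): string | undefined {
  const wanted = name.toLowerCase()
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key]
  }
  return undefined
}

export function enforceBodyLimit(
  headers: HeaderMap,
  body: Uint8Array[],
  maxSize: number,
  policy: FramingPolicy
): LimitVerdict {
  const contentLength = getHeader(headers, 'content-length')
  const transferEncoding = getHeader(headers, 'transfer-encoding')

  if (
    contentLength !== undefined &&
    (policy === 'content-length-first' || transferEncoding === undefined)
  ) {
    // Content-Length must be a plain decimal; anything else is request-smuggling territory.
    if (!/^\d+$/.test(contentLength)) {
      return { allowed: false, bytesSeen: 0, reason: 'malformed Content-Length' }
    }
    const declared = Number(contentLength)
    if (declared > maxSize) {
      return { allowed: false, bytesSeen: 0, reason: 'declared length exceeds limit' }
    }
    // When Content-Length is the sole framing, the runtime delivers exactly that many
    // bytes, so the declared value can be trusted without reading the body.
    return { allowed: true, bytesSeen: 0, reason: 'declared length within limit' }
  }

  // No trustworthy declared length: count bytes and stop at the first chunk over the limit.
  let seen = 0
  for (const chunk of body) {
    seen += chunk.byteLength
    if (seen > maxSize) {
      return { allowed: false, bytesSeen: seen, reason: 'streamed body exceeds limit' }
    }
  }
  return { allowed: true, bytesSeen: seen, reason: 'streamed body within limit' }
}

// Constructed sample request: the client declares 10 bytes but sends 4 KiB chunked.
export const MAX_BODY = 1024
export const conflictingHeaders: HeaderMap = {
  'Content-Length': '10',
  'Transfer-Encoding': 'chunked',
}
export const oversizedBody: Uint8Array[] = Array.from({ length: 4 }, () => new Uint8Array(1024))

// Same request under both policies: the first lets it through unread, the second rejects it.
export function demo(): { before: LimitVerdict; after: LimitVerdict } {
  return {
    before: enforceBodyLimit(conflictingHeaders, oversizedBody, MAX_BODY, 'content-length-first'),
    after: enforceBodyLimit(conflictingHeaders, oversizedBody, MAX_BODY, 'transfer-encoding-first'),
  }
}
```

The check only matters where the runtime or proxy in front of the application does not already reject a request carrying both headers with 400, which, as the advisory notes, most standards-compliant ones do; the middleware is the last line of defence for the ones that pass it through.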

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.9.6...v4.9.7

v4.9.6

Compare Source

Security

Fixed a bug in URL path parsing (getPath) that could cause path confusion on malformed absolute-form requests.

If you rely on reverse proxies (e.g. Nginx) for ACLs that restrict access to endpoints such as /admin, please update immediately.

See the advisory for details: GHSA-9hp6-4448-45g2
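An added example (not Hono's getPath) of the parsing difference behind this advisory: one extractor assumes the path starts at the first slash found from a fixed offset (index 8, the length of "https://", modelling the fixed-offset approach the advisory describes; the original code is not reproduced), one derives the start from the "://" delimiter as the fix does, and a harness flags every request-target on which the two disagree. The request-targets are constructed for the example and are not the advisory's reproduction, which it does not publish.

```typescript
// Added example, not Hono's getPath. Both extractors return the path component of an
// absolute-form request-target: from the first '/' after the authority up to the first '?'.

// Fixed-offset extraction: assumes the authority starts at index 8 ("https://".length) and
// that the first '/' from there begins the path. Models the "fixed character offsets" the
// advisory describes; it is an assumption about shape, not the original implementation.
export function getPathFixedOffset(url: string): string {
  const start = url.indexOf('/', 8)
  const end = url.indexOf('?', start)
  return url.slice(start, end === -1 ? undefined : end)
}

// Delimiter-driven extraction: locate "://", then the first '/' after it. Input that is
// not absolute-form is rejected (null) rather than guessed at.
export function getPathAfterAuthority(url: string): string | null {
  const schemeEnd = url.indexOf('://')
  if (schemeEnd === -1) return null
  const start = url.indexOf('/', schemeEnd + 3)
  if (start === -1) return '/' // "https://host" with no path component
  const end = url.indexOf('?', start)
  return url.slice(start, end === -1 ? undefined : end)
}

// Harness: any request-target on which the two extractors disagree is a path-confusion
// candidate, because a proxy ACL and the application may then decide on different paths.
export function disagreements(targets: string[]): string[] {
  return targets.filter((t) => getPathFixedOffset(t) !== getPathAfterAuthority(t))
}

// Constructed request-targets (not from the advisory).
export const sampleTargets: string[] = [
  'https://api.example.com/admin?x=1', // well-formed: both agree on "/admin"
  'http://a/admin',                    // one-char host: the first '/' happens to sit at index 8
  'http:///admin',                     // empty authority: the fixed offset skips the path's '/'
  'ws://h/admin',                      // short scheme: the authority ends before index 8
  '/admin',                            // origin-form, not absolute-form at all
]
```

The harness is the practical check: run the request-targets your proxy logs as rejected or rewritten through it, and any entry it returns needs either a 400 at the edge or the same parser on both sides, because an ACL evaluated on one notion of the path cannot protect a route resolved from another.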

What's Changed

Full Changelog: https://github.com/honojs/hono/compare/v4.9.5...v4.9.6

v4.9.5

Compare Source

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.9.4...v4.9.5

v4.9.4

Compare Source

What's Changed

Full Changelog: https://github.com/honojs/hono/compare/v4.9.3...v4.9.4

v4.9.3

Compare Source

What's Changed

Full Changelog: https://github.com/honojs/hono/compare/v4.9.2...v4.9.3

v4.9.2

Compare Source

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.9.1...v4.9.2

v4.9.1

Compare Source

What's Changed

Full Changelog: https://github.com/honojs/hono/compare/v4.9.0...v4.9.1

v4.9.0

Compare Source

Release Notes

Hono v4.9.0 is now available!

This release introduces several enhancements and utilities.

The main highlight is the new parseResponse utility that makes it easier to work with RPC client responses.

parseResponse Utility

The new parseResponse utility provides a convenient way to parse responses from Hono RPC clients (hc). It automatically handles different response formats and throws structured errors for failed requests.

import { parseResponse, DetailedError } from 'hono/client'

// client is an RPC client created with hc, typed from the server app's routes

// result contains the parsed response body (automatically parsed based on Content-Type)
const result = await parseResponse(client.hello.$get()).catch(
  // parseResponse throws a DetailedError if the response is not ok;
  // because this handler returns nothing, result is undefined on that path
  (e: DetailedError) => {
    console.error(e)
  }
)

This makes working with RPC client responses much more straightforward and type-safe.

Thanks @NamesMT!

New features

  • feat(bun): allow importing upgradeWebSocket and websocket directly #4242
  • feat(aws-lambda): specify content-type as binary #4250
  • feat(jwt): add validation for the issuer (iss) claim #4253
  • feat(jwk): add headerName to JWK middleware #4279
  • feat(cookie): add generateCookie and generateSignedCookie helpers #4285
  • feat(serve-static): use join to correct path resolution #4291
  • feat(jwt): expose utility function verifyWithJwks for external use #4302
  • feat: add parseResponse util to smartly parse hc's Response #4314
  • feat(ssg): mark old hook options as deprecated #4331

All changes

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.8.12...v4.9.0

v4.8.12

Compare Source

What's Changed

Full Changelog: https://github.com/honojs/hono/compare/v4.8.11...v4.8.12

v4.8.11

Compare Source

What's Changed

Full Changelog: https://github.com/honojs/hono/compare/v4.8.10...v4.8.11

v4.8.10

Compare Source

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.8.9...v4.8.10

v4.8.9

Compare Source

What's Changed

Full Changelog: https://github.com/honojs/hono/compare/v4.8.8...v4.8.9

v4.8.8

Compare Source

What's Changed

Full Changelog: https://github.com/honojs/hono/compare/v4.8.7...v4.8.8

v4.8.7

Compare Source

What's Changed

Full Changelog: https://github.com/honojs/hono/compare/v4.8.6...v4.8.7

v4.8.6

Compare Source

What's Changed

Full Changelog: https://github.com/honojs/hono/compare/v4.8.5...v4.8.6

v4.8.5

Compare Source

What's Changed

Full Changelog: https://github.com/honojs/hono/compare/v4.8.4...v4.8.5


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Adoption](https://docs.renovatebot.com/merge-confidence/) | [Passing](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---|---|---| | [hono](https://hono.dev) ([source](https://github.com/honojs/hono)) | [`4.8.4` → `4.11.7`](https://renovatebot.com/diffs/npm/hono/4.8.4/4.11.7) | ![age](https://developer.mend.io/api/mc/badges/age/npm/hono/4.11.7?slim=true) | ![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/hono/4.11.7?slim=true) | ![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/hono/4.8.4/4.11.7?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/hono/4.8.4/4.11.7?slim=true) | --- ### Hono's flaw in URL path parsing could cause path confusion [CVE-2025-58362](https://nvd.nist.gov/vuln/detail/CVE-2025-58362) / [GHSA-9hp6-4448-45g2](https://github.com/advisories/GHSA-9hp6-4448-45g2) <details> <summary>More information</summary> #### Details ##### Summary A flaw in the `getPath` utility function could allow path confusion and potential bypass of proxy-level ACLs (e.g. Nginx location blocks). ##### Details The original implementation relied on fixed character offsets when parsing request URLs. Under certain malformed absolute-form Request-URIs, this could lead to incorrect path extraction. Most standards-compliant runtimes and reverse proxies reject such malformed requests with a 400 Bad Request, so the impact depends on the application and environment. ##### Impact If proxy ACLs are used to protect sensitive endpoints such as `/admin`, this flaw could have allowed unauthorized access. The confidentiality impact depends on what data is exposed: if sensitive administrative data is exposed, the impact may be High (CVSS 7.5); otherwise it may be Medium (CVSS 5.3). 
##### Resolution The implementation has been updated to correctly locate the first slash after "://", preventing such path confusion. #### Severity - CVSS Score: Unknown - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` #### References - [https://github.com/honojs/hono/security/advisories/GHSA-9hp6-4448-45g2](https://github.com/honojs/hono/security/advisories/GHSA-9hp6-4448-45g2) - [https://nvd.nist.gov/vuln/detail/CVE-2025-58362](https://nvd.nist.gov/vuln/detail/CVE-2025-58362) - [https://github.com/honojs/hono/commit/1d79aedc3f82d8c9969b115fe61bc4bd705ec8de](https://github.com/honojs/hono/commit/1d79aedc3f82d8c9969b115fe61bc4bd705ec8de) - [https://github.com/honojs/hono](https://github.com/honojs/hono) - [https://github.com/honojs/hono/releases/tag/v4.9.6](https://github.com/honojs/hono/releases/tag/v4.9.6) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-9hp6-4448-45g2) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Hono has Body Limit Middleware Bypass [CVE-2025-59139](https://nvd.nist.gov/vuln/detail/CVE-2025-59139) / [GHSA-92vj-g62v-jqhh](https://github.com/advisories/GHSA-92vj-g62v-jqhh) <details> <summary>More information</summary> #### Details ##### Summary A flaw in the `bodyLimit` middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present. ##### Details The middleware previously prioritized the `Content-Length` header even when a `Transfer-Encoding: chunked` header was also included. According to the HTTP specification, `Content-Length` must be ignored in such cases. This discrepancy could allow oversized request bodies to bypass the configured limit. Most standards-compliant runtimes and reverse proxies may reject such malformed requests with `400 Bad Request`, so the practical impact depends on the runtime and deployment environment. 
##### Impact If body size limits are used as a safeguard against large or malicious requests, this flaw could allow attackers to send oversized request bodies. The primary risk is denial of service (DoS) due to excessive memory or CPU consumption when handling very large requests. ##### Resolution The implementation has been updated to align with the HTTP specification, ensuring that `Transfer-Encoding` takes precedence over `Content-Length`. The issue is fixed in Hono v4.9.7, and all users should upgrade immediately. #### Severity - CVSS Score: Unknown - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L` #### References - [https://github.com/honojs/hono/security/advisories/GHSA-92vj-g62v-jqhh](https://github.com/honojs/hono/security/advisories/GHSA-92vj-g62v-jqhh) - [https://nvd.nist.gov/vuln/detail/CVE-2025-59139](https://nvd.nist.gov/vuln/detail/CVE-2025-59139) - [https://github.com/honojs/hono/commit/605c70560b52f13af10379f79b76717042fafe8d](https://github.com/honojs/hono/commit/605c70560b52f13af10379f79b76717042fafe8d) - [https://github.com/honojs/hono](https://github.com/honojs/hono) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-92vj-g62v-jqhh) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Hono Improper Authorization vulnerability [CVE-2025-62610](https://nvd.nist.gov/vuln/detail/CVE-2025-62610) / [GHSA-m732-5p4w-x69g](https://github.com/advisories/GHSA-m732-5p4w-x69g) <details> <summary>More information</summary> #### Details ##### Improper Authorization in Hono (JWT Audience Validation) Hono’s JWT authentication middleware did not validate the `aud` (Audience) claim by default. As a result, applications using the middleware without an explicit audience check could accept tokens intended for other audiences, leading to potential cross-service access (token mix-up). 
The issue is addressed by adding a new `verification.aud` configuration option to allow RFC 7519–compliant audience validation. This change is classified as a **security hardening improvement**, but the lack of validation can still be considered a vulnerability in deployments that rely on default JWT verification. ##### Recommended secure configuration You can enable RFC 7519–compliant audience validation using the new `verification.aud` option: ```ts import { Hono } from 'hono' import { jwt } from 'hono/jwt' const app = new Hono() app.use( '/api/*', jwt({ secret: 'my-secret', verification: { // Require this API to only accept tokens with aud = 'service-a' aud: 'service-a', }, }) ) ``` Below is the original description by the reporter. For security reasons, it does not include PoC reproduction steps, as the vulnerability can be clearly understood from the technical description. --- ##### The original description by the reporter ##### Summary Hono’s **JWT Auth Middleware does not provide a built-in `aud` (Audience) verification option**, which can cause **confused-deputy / token-mix-up** issues: an API may accept a valid token that was **issued for a different audience** (e.g., another service) when multiple services share the same issuer/keys. This can lead to unintended cross-service access. Hono’s docs list verification options for `iss/nbf/iat/exp` only, with **no `aud` support**; RFC 7519 requires that when an `aud` claim is present, tokens **MUST** be rejected unless the processing party identifies itself in that claim. **Note:** This problem likely exists in the **JWK/JWKS-based middleware** as well (e.g., `jwk` / `verifyWithJwks`) ##### Details - The middleware’s `verifyOptions` enumerate only `iss`, `nbf`, `iat`, and `exp`; there is **no `aud` option**. The same omission appears in the JWT Helper’s “Payload Validation” list. Developers relying on the middleware for complete standards-aligned validation therefore won’t check audience by default. 
- **Standards requirement:** RFC 7519 §4.1.3 states that each principal intended to process the JWT **MUST** identify itself with a value in the `aud` claim; if it does not, the JWT **MUST** be rejected (when `aud` is present). Lack of a first-class `aud` check increases the risk that tokens issued for **Service B** are accepted by **Service A**. - **Real-world effect:** In deployments with a single IdP/JWKS and shared keys across multiple services, a token minted for one audience can be mistakenly accepted by another audience unless developers implement a custom audience check. - For example, with Google Identity (OIDC), iss is always https://accounts.google.com (shared across apps), but aud differs per application because it is that app’s OAuth client ID; therefore, an attacker can host a separate service that supports “Sign in with Google,” obtain a valid ID token (JWT) for the victim user, and—if your API does not verify aud—use that token to access your API with the victim’s privileges. ##### Impact **Type:** Authentication/authorization weakness via **token mix-up (confused-deputy)**. **Who is impacted:** Any Hono user who: - shares an issuer/keys across multiple services (common with a single IdP/JWKS) - distinguishes tokens by intended recipient using `aud`. **What can happen:** - **Cross-service access:** A token for *Service B* may be accepted by *Service A*. - **Boundary erosion:** ID tokens and access tokens, or separate API audiences, can be inadvertently intermixed. - This may causes unauthorized invocation of sensitive endpoints. **Recommended remediation:** 1) Add `verifyOptions.aud` (`string | string[] | RegExp`) to the middleware and enforce RFC 7519 semantics: In [verify method](https://github.com/honojs/hono/blob/db764c2f1d8a2905d66c78c41aa47e47d3a4165d/src/utils/jwt/jwt.ts#L99-L156), if `aud` is present and does not match with specified audiences, reject. 
2) Ensure equivalent `aud` handling exists in the JWK/JWKS flow (`jwk` middleware / `verifyWithJwks`) so users of external IdPs can enforce audience consistently. #### Severity - CVSS Score: Unknown - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N` #### References - [https://github.com/honojs/hono/security/advisories/GHSA-m732-5p4w-x69g](https://github.com/honojs/hono/security/advisories/GHSA-m732-5p4w-x69g) - [https://nvd.nist.gov/vuln/detail/CVE-2025-62610](https://nvd.nist.gov/vuln/detail/CVE-2025-62610) - [https://github.com/honojs/hono/commit/45ba3bf9e3dff8e4bd85d6b47d4b71c8d6c66bef](https://github.com/honojs/hono/commit/45ba3bf9e3dff8e4bd85d6b47d4b71c8d6c66bef) - [https://github.com/honojs/hono](https://github.com/honojs/hono) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-m732-5p4w-x69g) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Hono vulnerable to Vary Header Injection leading to potential CORS Bypass [GHSA-q7jf-gf43-6x6p](https://github.com/advisories/GHSA-q7jf-gf43-6x6p) <details> <summary>More information</summary> #### Details ##### Summary A flaw in the CORS middleware allowed request `Vary` headers to be reflected into the response, enabling attacker-controlled `Vary` values and potentially affecting cache behavior. ##### Details The middleware previously copied the `Vary` header from the request when `origin` was not set to `"*"`. Since `Vary` is a response header that should only be managed by the server, this could allow an attacker to influence caching behavior or cause inconsistent CORS handling. Most environments will see impact only when shared caches or proxies rely on the `Vary` header. The practical effect varies by configuration. ##### Impact May cause cache key pollution and inconsistent CORS enforcement in certain setups. 
No direct confidentiality, integrity, or availability impact in default configurations. ##### Resolution Update to the latest patched release. The CORS middleware has been corrected to handle `Vary` exclusively as a response header. #### Severity - CVSS Score: Unknown - Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N` #### References - [https://github.com/honojs/hono/security/advisories/GHSA-q7jf-gf43-6x6p](https://github.com/honojs/hono/security/advisories/GHSA-q7jf-gf43-6x6p) - [https://github.com/honojs/hono/commit/d9b8b4b73b4f997994f2764013207365fe711282](https://github.com/honojs/hono/commit/d9b8b4b73b4f997994f2764013207365fe711282) - [https://github.com/honojs/hono](https://github.com/honojs/hono) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-q7jf-gf43-6x6p) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256) Allows Token Forgery and Auth Bypass [CVE-2026-22817](https://nvd.nist.gov/vuln/detail/CVE-2026-22817) / [GHSA-f67f-6cw9-8mq4](https://github.com/advisories/GHSA-f67f-6cw9-8mq4) <details> <summary>More information</summary> #### Details ##### Summary A flaw in Hono’s JWK/JWKS JWT verification middleware allowed the JWT header’s `alg` value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable **JWT algorithm confusion** and, in certain configurations, allow forged tokens to be accepted. ##### Details When verifying JWTs using JWKs or a JWKS endpoint, the middleware selected the verification algorithm based on the JWK’s `alg` field if present, but otherwise fell back to the `alg` value provided in the unverified JWT header. 
Because the `alg` field in a JWK is optional and often omitted in real-world JWKS configurations, this behavior could allow an attacker to control the algorithm used for verification. In some environments, this may lead to authentication or authorization bypass through crafted tokens. The practical impact depends on application configuration, including which algorithms are accepted and how JWTs are used for authorization decisions. ##### Impact In affected configurations, an attacker may be able to forge JWTs with attacker-controlled claims, potentially resulting in authentication or authorization bypass. Applications that do not use the JWK/JWKS middleware, do not rely on JWT-based authentication, or explicitly restrict allowed algorithms are not affected. ##### Resolution Update to the latest patched release. **Breaking change:** As part of this fix, the JWT middleware now requires the `alg` option to be explicitly specified. This prevents algorithm confusion by ensuring that the verification algorithm is not derived from untrusted JWT header values. Applications upgrading must update their configuration accordingly. 
##### Before (vulnerable configuration) ```ts import { jwt } from 'hono/jwt' app.use( '/auth/*', jwt({ secret: 'it-is-very-secret', // alg was optional }) ) ``` ##### After (patched configuration) ```ts import { jwt } from 'hono/jwt' app.use( '/auth/*', jwt({ secret: 'it-is-very-secret', alg: 'HS256', // required }) ) ``` #### Severity - CVSS Score: Unknown - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N` #### References - [https://github.com/honojs/hono/security/advisories/GHSA-f67f-6cw9-8mq4](https://github.com/honojs/hono/security/advisories/GHSA-f67f-6cw9-8mq4) - [https://nvd.nist.gov/vuln/detail/CVE-2026-22817](https://nvd.nist.gov/vuln/detail/CVE-2026-22817) - [https://github.com/honojs/hono/commit/cc0aa7ae327ed84cc391d29086dec2a3e44e7a1f](https://github.com/honojs/hono/commit/cc0aa7ae327ed84cc391d29086dec2a3e44e7a1f) - [https://github.com/honojs/hono](https://github.com/honojs/hono) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-f67f-6cw9-8mq4) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback) [CVE-2026-22818](https://nvd.nist.gov/vuln/detail/CVE-2026-22818) / [GHSA-3vhc-576x-3qv4](https://github.com/advisories/GHSA-3vhc-576x-3qv4) <details> <summary>More information</summary> #### Details ##### Summary A flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. ##### Details When verifying JWTs using JWKs or a JWKS endpoint, the middleware selected the verification algorithm based on the JWK’s `alg` field if present. 
If the JWK did not specify an algorithm, the middleware fell back to using the `alg` value provided in the unverified JWT header. Because the `alg` field in a JWK is optional and commonly omitted in real-world JWKS configurations, this behavior could allow an attacker to influence which algorithm is used for verification. In some environments, this may result in authentication or authorization bypass through crafted JWTs. The practical impact depends on application configuration, including which algorithms are accepted and how JWTs are used to make authorization decisions. ##### Impact In affected configurations, an attacker may be able to forge JWTs with attacker-controlled claims, potentially leading to authentication or authorization bypass. Applications that do not use the JWK/JWKS middleware, do not rely on JWT-based authentication, or explicitly restrict allowed algorithms are not affected. ##### Resolution Update to the latest patched release. **Breaking change:** The JWK/JWKS JWT verification middleware has been updated to require an explicit allowlist of asymmetric algorithms when verifying tokens. The middleware no longer derives the verification algorithm from untrusted JWT header values. Instead, callers must explicitly specify which asymmetric algorithms are permitted, and only tokens signed with those algorithms will be accepted. This prevents JWT algorithm confusion by ensuring that algorithm selection is fully controlled by application configuration. As part of this fix, the `alg` option is now required when using the JWK/JWKS middleware, and symmetric (HS*) algorithms are no longer accepted in this context. 
##### Before (vulnerable configuration) ```ts import { jwk } from 'hono/jwk' app.use( '/auth/*', jwk({ jwks_uri: 'https://example.com/.well-known/jwks.json', // alg was optional }) ) ``` ##### After (patched configuration) ```ts import { jwk } from 'hono/jwk' app.use( '/auth/*', jwk({ jwks_uri: 'https://example.com/.well-known/jwks.json', alg: ['RS256'], // required: explicit asymmetric algorithm allowlist }) ) ``` #### Severity - CVSS Score: Unknown - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N` #### References - [https://github.com/honojs/hono/security/advisories/GHSA-3vhc-576x-3qv4](https://github.com/honojs/hono/security/advisories/GHSA-3vhc-576x-3qv4) - [https://nvd.nist.gov/vuln/detail/CVE-2026-22818](https://nvd.nist.gov/vuln/detail/CVE-2026-22818) - [https://github.com/honojs/hono/commit/190f6e28e2ca85ce3d1f2f54db1310f5f3eab134](https://github.com/honojs/hono/commit/190f6e28e2ca85ce3d1f2f54db1310f5f3eab134) - [https://github.com/honojs/hono](https://github.com/honojs/hono) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-3vhc-576x-3qv4) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception [CVE-2026-24472](https://nvd.nist.gov/vuln/detail/CVE-2026-24472) / [GHSA-6wqw-2p9w-4vw4](https://github.com/advisories/GHSA-6wqw-2p9w-4vw4) <details> <summary>More information</summary> #### Details ##### Summary Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as `Cache-Control: private` or `Cache-Control: no-store`, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users. 
##### Details The vulnerability exists in the cache decision logic of Cache Middleware. When determining whether a response should be cached, the middleware does not take HTTP cache control semantics into account and may cache responses that are explicitly marked as private by the application. While some runtimes, such as Cloudflare Workers, enforce cache control restrictions at the platform level, other runtimes including Deno, Bun, and Node.js rely on the middleware’s behavior. As a result, applications running on these runtimes may unintentionally cache sensitive responses. ##### Impact This issue can lead to Web Cache Deception and information disclosure. If an authenticated user accesses an endpoint that returns user-specific or sensitive data and the response is cached despite being marked as private, subsequent unauthenticated requests may receive the cached response. This may result in the exposure of personally identifiable information or session-related data. The impact is limited to applications that use the hono/cache middleware and rely on it to correctly honor HTTP cache control directives. 
##### Affected Components * Cache Middleware #### Severity - CVSS Score: Unknown - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` #### References - [https://github.com/honojs/hono/security/advisories/GHSA-6wqw-2p9w-4vw4](https://github.com/honojs/hono/security/advisories/GHSA-6wqw-2p9w-4vw4) - [https://nvd.nist.gov/vuln/detail/CVE-2026-24472](https://nvd.nist.gov/vuln/detail/CVE-2026-24472) - [https://github.com/honojs/hono/commit/12c511745b3f1e7a3f863a23ce5f921c7fa805d1](https://github.com/honojs/hono/commit/12c511745b3f1e7a3f863a23ce5f921c7fa805d1) - [https://github.com/honojs/hono](https://github.com/honojs/hono) - [https://github.com/honojs/hono/releases/tag/v4.11.7](https://github.com/honojs/hono/releases/tag/v4.11.7) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-6wqw-2p9w-4vw4) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing [CVE-2026-24398](https://nvd.nist.gov/vuln/detail/CVE-2026-24398) / [GHSA-r354-f388-2fhh](https://github.com/advisories/GHSA-r354-f388-2fhh) <details> <summary>More information</summary> #### Details ##### Summary IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts` do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls. ##### Details The vulnerability exists in two components: 1. **Permissive regex pattern:** The `IPV4_REGEX (/^[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}$/)` accepts octet values greater than 255 (e.g., `999`). 2. 
**Unsafe binary conversion:** The `convertIPv4ToBinary` function does not validate octet ranges before performing bitwise operations. When an octet exceeds 255, it overflows into adjacent octets during the bit-shift calculation. For example, the IP address `1.2.2.355` is accepted and converts to the same binary value as 1.2.3.99: * `355` = `256 + 99` = `0x163` * After bit-shifting: `(1 << 24) + (2 << 16) + (2 << 8) + 355` = `0x01020363` = `1.2.3.99` ##### Impact An attacker can bypass IP-based restrictions by crafting malformed IP addresses: * **Blocklist bypass:** If `1.2.3.0/24` is blocked, an attacker can use `1.2.2.355` (or similar) to bypass the restriction. * **Allowlist bypass:** Requests from unauthorized IP ranges may be incorrectly permitted. This is exploitable when the application relies on client-provided IP addresses (e.g., `X-Forwarded-For header`) for access control decisions. ##### Affected Components * IP Restriction Middleware * `src/utils/ipaddr.ts`: `IPV4_REGEX`, `convertIPv4ToBinary`, `distinctRemoteAddr` #### Severity - CVSS Score: Unknown - Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N` #### References - [https://github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh](https://github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh) - [https://nvd.nist.gov/vuln/detail/CVE-2026-24398](https://nvd.nist.gov/vuln/detail/CVE-2026-24398) - [https://github.com/honojs/hono/commit/edbf6eea8e6c26a3937518d4ed91d8666edeec37](https://github.com/honojs/hono/commit/edbf6eea8e6c26a3937518d4ed91d8666edeec37) - [https://github.com/honojs/hono](https://github.com/honojs/hono) - [https://github.com/honojs/hono/releases/tag/v4.11.7](https://github.com/honojs/hono/releases/tag/v4.11.7) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-r354-f388-2fhh) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). 
</details> --- ### Hono vulnerable to XSS through ErrorBoundary component [CVE-2026-24771](https://nvd.nist.gov/vuln/detail/CVE-2026-24771) / [GHSA-9r54-q6cx-xmh5](https://github.com/advisories/GHSA-9r54-q6cx-xmh5) <details> <summary>More information</summary> #### Details ##### Summary A Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser. ##### Details The issue is in the `ErrorBoundary` component (`src/jsx/components.ts`). `ErrorBoundary` previously forced certain rendered output paths to be treated as raw HTML, bypassing the library's default escaping behavior. This could result in unescaped rendering when developers pass user-controlled strings directly as children, or when fallbackRender returns user-controlled strings (for example, reflecting error messages that contain attacker input). This vulnerability is only exploitable when an application renders untrusted user input within `ErrorBoundary` without appropriate escaping or sanitization. ##### Impact Successful exploitation may allow attackers to execute arbitrary JavaScript in the victim’s browser (reflected XSS). Depending on the application context, this can lead to actions such as session compromise, data exfiltration, or performing unauthorized actions as the victim. 
##### Affected Components * hono/jsx: `ErrorBoundary` component #### Severity - CVSS Score: Unknown - Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N` #### References - [https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5](https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5) - [https://nvd.nist.gov/vuln/detail/CVE-2026-24771](https://nvd.nist.gov/vuln/detail/CVE-2026-24771) - [https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990](https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990) - [https://github.com/honojs/hono](https://github.com/honojs/hono) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-9r54-q6cx-xmh5) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter) [CVE-2026-24473](https://nvd.nist.gov/vuln/detail/CVE-2026-24473) / [GHSA-w332-q679-j88p](https://github.com/advisories/GHSA-w332-q679-j88p) <details> <summary>More information</summary> #### Details ##### Summary Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys. ##### Details The vulnerability exists in the serve-static middleware used with the Cloudflare Workers adapter. When serving static assets, the middleware does not sufficiently validate or restrict user-supplied paths before resolving them against the Workers asset storage. As a result, an attacker may craft requests that access arbitrary keys beyond the intended static asset scope. 
This issue only affects applications running on Cloudflare Workers that use Serve static Middleware with user-controllable request paths.

##### Impact

This vulnerability may lead to information disclosure by allowing unauthorized access to internal assets or data stored in the Workers environment. The exposed data is limited to readable asset keys and does not allow modification of stored data or execution of arbitrary code.

The impact is limited to applications that use Serve static Middleware in the Cloudflare Workers adapter and rely on it to safely handle untrusted request paths.

##### Affected Components

* Serve static Middleware (Cloudflare Workers adapter)

#### Severity

- CVSS Score: Unknown
- Vector String: `CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N`

#### References

- [https://github.com/honojs/hono/security/advisories/GHSA-w332-q679-j88p](https://github.com/honojs/hono/security/advisories/GHSA-w332-q679-j88p)
- [https://nvd.nist.gov/vuln/detail/CVE-2026-24473](https://nvd.nist.gov/vuln/detail/CVE-2026-24473)
- [https://github.com/honojs/hono/commit/cf9a78db4d0a19b117aee399cbe9d3a6d9bfd817](https://github.com/honojs/hono/commit/cf9a78db4d0a19b117aee399cbe9d3a6d9bfd817)
- [https://github.com/honojs/hono](https://github.com/honojs/hono)
- [https://github.com/honojs/hono/releases/tag/v4.11.7](https://github.com/honojs/hono/releases/tag/v4.11.7)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-w332-q679-j88p) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Release Notes

<details>
<summary>honojs/hono (hono)</summary>

### [`v4.11.7`](https://github.com/honojs/hono/releases/tag/v4.11.7)

[Compare Source](https://github.com/honojs/hono/compare/v4.11.6...v4.11.7)

### Security Release

This release includes security fixes for multiple vulnerabilities in Hono and related middleware.
We recommend upgrading if you are using any of the affected components.

#### Components

##### IP Restriction Middleware

Fixed an IPv4 address validation bypass that could allow IP-based access control to be bypassed under certain configurations.

##### Cache Middleware

Fixed an issue where responses marked with `Cache-Control: private` or `no-store` could be cached, potentially leading to information disclosure on some runtimes.

##### Serve Static Middleware (Cloudflare Workers adapter)

Fixed an issue that could allow unintended access to internal asset keys when serving static files with user-controlled paths.

##### hono/jsx `ErrorBoundary`

Fixed a reflected Cross-Site Scripting (XSS) issue in the `ErrorBoundary` component that could occur when untrusted strings were rendered without proper escaping.

#### Recommendation

Users are encouraged to upgrade to this release, especially if they:

- Use IP Restriction Middleware
- Use Cache Middleware on Deno, Bun, or Node.js
- Use Serve Static Middleware with user-controlled paths on Cloudflare Workers
- Render untrusted data inside `ErrorBoundary` components

#### Security Advisories & CVEs

- **IP Restriction Middleware – IPv4 address validation bypass**
  - Advisory: <https://github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh>
  - CVE: CVE-2026-24398
- **Cache Middleware ignores `Cache-Control: private`**
  - Advisory: <https://github.com/honojs/hono/security/advisories/GHSA-6wqw-2p9w-4vw4>
  - CVE: CVE-2026-24472
- **Serve Static Middleware (Cloudflare Workers adapter) – Arbitrary key read**
  - Advisory: <https://github.com/honojs/hono/security/advisories/GHSA-w332-q679-j88p>
  - CVE: CVE-2026-24473
- **hono/jsx `ErrorBoundary` – Cross-Site Scripting (XSS)**
  - Advisory: <https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5>
  - CVE: Pending

***

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.11.6...v4.11.7>

### [`v4.11.6`](https://github.com/honojs/hono/releases/tag/v4.11.6)

[Compare Source](https://github.com/honojs/hono/compare/v4.11.5...v4.11.6)

#### What's Changed

- refactor: use `unique symbol` for more accurate typing. by [@usualoma](https://github.com/usualoma) in [#4651](https://github.com/honojs/hono/pull/4651)
- docs: align CODE_OF_CONDUCT.md wording with Contributor Covenant by [@sano-suguru](https://github.com/sano-suguru) in [#4630](https://github.com/honojs/hono/pull/4630)
- fix(sse): handle `\r` and `\r\n` line endings in writeSSE by [@AprilNEA](https://github.com/AprilNEA) in [#4644](https://github.com/honojs/hono/pull/4644)
- feat(bun): export getBunServer by [@artemtam](https://github.com/artemtam) in [#4626](https://github.com/honojs/hono/pull/4626)

#### New Contributors

- [@sano-suguru](https://github.com/sano-suguru) made their first contribution in [#4630](https://github.com/honojs/hono/pull/4630)
- [@AprilNEA](https://github.com/AprilNEA) made their first contribution in [#4644](https://github.com/honojs/hono/pull/4644)
- [@artemtam](https://github.com/artemtam) made their first contribution in [#4626](https://github.com/honojs/hono/pull/4626)

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.11.5...v4.11.6>

### [`v4.11.5`](https://github.com/honojs/hono/releases/tag/v4.11.5)

[Compare Source](https://github.com/honojs/hono/compare/v4.11.4...v4.11.5)

#### What's Changed

- fix(client): exclude $all from ClientRequest type by [@paveg](https://github.com/paveg) in [#4611](https://github.com/honojs/hono/pull/4611)
- refactor(jwks): mark allowedAlgorithms, so the user can pass a \`const… by [@nikeee](https://github.com/nikeee) in [#4641](https://github.com/honojs/hono/pull/4641)
- feat(jwt): export `AlgorithmTypes` by [@yusukebe](https://github.com/yusukebe) in [#4642](https://github.com/honojs/hono/pull/4642)

#### New Contributors

- [@paveg](https://github.com/paveg)
made their first contribution in [#4611](https://github.com/honojs/hono/pull/4611)
- [@nikeee](https://github.com/nikeee) made their first contribution in [#4641](https://github.com/honojs/hono/pull/4641)

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.11.4...v4.11.5>

### [`v4.11.4`](https://github.com/honojs/hono/releases/tag/v4.11.4)

[Compare Source](https://github.com/honojs/hono/compare/v4.11.3...v4.11.4)

#### Security

Fixed a JWT algorithm confusion issue in the JWT and JWK/JWKS middleware. Both middlewares now require an explicit algorithm configuration to prevent the verification algorithm from being influenced by untrusted JWT header values.

If you are using the JWT or JWK/JWKS middleware, please update to the latest version as soon as possible.

##### JWT middleware

```ts
import { jwt } from 'hono/jwt'

app.use(
  '/auth/*',
  jwt({
    secret: 'it-is-very-secret',
    alg: 'HS256', // required
  })
)
```

##### JWK/JWKS middleware

```ts
import { jwk } from 'hono/jwk'

app.use(
  '/auth/*',
  jwk({
    jwks_uri: 'https://example.com/.well-known/jwks.json',
    alg: ['RS256'], // required (asymmetric algorithms only)
  })
)
```

For more details, see the Security Advisory.

- <https://github.com/honojs/hono/security/advisories/GHSA-f67f-6cw9-8mq4>
- <https://github.com/honojs/hono/security/advisories/GHSA-3vhc-576x-3qv4>

#### What's Changed

- test(utils/jwt): add missing algorithm types in jwa.test.ts by [@flathill404](https://github.com/flathill404) in [#4607](https://github.com/honojs/hono/pull/4607)
- chore: bump `@hono/eslint-config` and enable curly rule by [@yusukebe](https://github.com/yusukebe) in [#4620](https://github.com/honojs/hono/pull/4620)
- docs(bun/websocket): Fixed a typo in hono/bun deprecation message and updated test. by [@Itsnotaka](https://github.com/Itsnotaka) in [#4618](https://github.com/honojs/hono/pull/4618)
- test: support `alg` option for JWT middleware by [@yusukebe](https://github.com/yusukebe) in [#4624](https://github.com/honojs/hono/pull/4624)

#### New Contributors

- [@flathill404](https://github.com/flathill404) made their first contribution in [#4607](https://github.com/honojs/hono/pull/4607)
- [@Itsnotaka](https://github.com/Itsnotaka) made their first contribution in [#4618](https://github.com/honojs/hono/pull/4618)

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.11.3...v4.11.4>

### [`v4.11.3`](https://github.com/honojs/hono/releases/tag/v4.11.3)

[Compare Source](https://github.com/honojs/hono/compare/v4.11.2...v4.11.3)

#### What's Changed

- fix(types): fix middleware union type merging in MergeMiddlewareResponse by [@yusukebe](https://github.com/yusukebe) in [#4602](https://github.com/honojs/hono/pull/4602)

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.11.2...v4.11.3>

### [`v4.11.2`](https://github.com/honojs/hono/releases/tag/v4.11.2)

[Compare Source](https://github.com/honojs/hono/compare/v4.11.1...v4.11.2)

#### What's Changed

- docs: improve grammar in contributing documentation by [@Ishiezz](https://github.com/Ishiezz) in [#4581](https://github.com/honojs/hono/pull/4581)
- fix(validator): preserve literal union types in input type inference by [@yusukebe](https://github.com/yusukebe) in [#4583](https://github.com/honojs/hono/pull/4583)
- chore: bump typescript-go preview for accurate benchmarking by [@sushichan044](https://github.com/sushichan044) in [#4586](https://github.com/honojs/hono/pull/4586)
- refactor(hono-base): add type annotations by [@yusukebe](https://github.com/yusukebe) in [#4591](https://github.com/honojs/hono/pull/4591)
- refactor(client): refactor `HonoURL` types by [@yusukebe](https://github.com/yusukebe) in [#4592](https://github.com/honojs/hono/pull/4592)
- perf(types): reduce `Simplify` in `ToSchema` by [@yusukebe](https://github.com/yusukebe) in [#4597](https://github.com/honojs/hono/pull/4597)
- perf(types): optimize `MergeMiddlewareResponse` type by [@yusukebe](https://github.com/yusukebe) in [#4598](https://github.com/honojs/hono/pull/4598)

#### New Contributors

- [@Ishiezz](https://github.com/Ishiezz) made their first contribution in [#4581](https://github.com/honojs/hono/pull/4581)

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.11.1...v4.11.2>

### [`v4.11.1`](https://github.com/honojs/hono/releases/tag/v4.11.1)

[Compare Source](https://github.com/honojs/hono/compare/v4.11.0...v4.11.1)

#### What's Changed

- fix(types): fix app.on method array type inference by [@kosei28](https://github.com/kosei28) in [#4578](https://github.com/honojs/hono/pull/4578)

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.11.0...v4.11.1>

### [`v4.11.0`](https://github.com/honojs/hono/releases/tag/v4.11.0)

[Compare Source](https://github.com/honojs/hono/compare/v4.10.8...v4.11.0)

### Release Notes

Hono v4.11.0 is now available! This release includes new features for the Hono client, middleware improvements, and an important type system fix.

#### Type System Fix for Middleware

We've fixed a bug in the type system for middleware. Previously, `app` did not have the correct type with pathless handlers:

```ts
const app = new Hono()
  .use(async (c, next) => {
    await next()
  })
  .get('/a', async (c, next) => {
    await next()
  })
  .get((c) => {
    return c.text('Hello')
  })
// app's type was incorrect
```

This has now been fixed. Thanks [@kosei28](https://github.com/kosei28)!
#### Typed URL for Hono Client

You can now pass the base URL as the second type parameter to `hc` to get more precise URL types:

```ts
const client = hc<typeof app, 'http://localhost:8787'>(
  'http://localhost:8787/'
)
const url = client.api.posts.$url()
// url is TypedURL with precise type information
// including protocol, host, and path
```

This is useful when you want to use the URL as a type-safe key for libraries like SWR. Thanks [@miyaji255](https://github.com/miyaji255)!

#### Custom NotFoundResponse Type

You can now customize the `NotFoundResponse` type using module augmentation. This allows `c.notFound()` to return a typed response:

```ts
import { Hono, TypedResponse } from 'hono'

declare module 'hono' {
  interface NotFoundResponse
    extends Response,
      TypedResponse<{ error: string }, 404, 'json'> {}
}

const app = new Hono()
  .get('/posts/:id', async (c) => {
    const post = await getPost(c.req.param('id'))
    if (!post) {
      return c.notFound()
    }
    return c.json({ post }, 200)
  })
  .notFound((c) => c.json({ error: 'not found' }, 404))
```

Now the client can correctly infer the 404 response type. Thanks [@miyaji255](https://github.com/miyaji255)!

#### tryGetContext Helper

The new `tryGetContext()` helper in the Context Storage middleware returns `undefined` instead of throwing an error when the context is not available:

```ts
import { tryGetContext } from 'hono/context-storage'

const context = tryGetContext<Env>()
if (context) {
  // Context is available
  console.log(context.var.message)
}
```

Thanks [@AyushCoder9](https://github.com/AyushCoder9)!
#### Custom Query Serializer

You can now customize how query parameters are serialized using the `buildSearchParams` option:

```ts
const client = hc<AppType>('http://localhost', {
  buildSearchParams: (query) => {
    const searchParams = new URLSearchParams()
    for (const [k, v] of Object.entries(query)) {
      if (v === undefined) continue
      if (Array.isArray(v)) {
        v.forEach((item) => searchParams.append(`${k}[]`, item))
      } else {
        searchParams.set(k, v)
      }
    }
    return searchParams
  },
})
```

Thanks [@bolasblack](https://github.com/bolasblack)!

#### New features

- feat(types): make Hono client's $url return the exact URL type [#4502](https://github.com/honojs/hono/pull/4502)
- feat(types): enhance NotFoundHandler to support custom NotFoundResponse type [#4518](https://github.com/honojs/hono/pull/4518)
- feat(timing): add wrapTime to simplify usage [#4519](https://github.com/honojs/hono/pull/4519)
- feat(pretty-json): support force option [#4531](https://github.com/honojs/hono/pull/4531)
- feat(client): add buildSearchParams option to customize query serialization [#4535](https://github.com/honojs/hono/pull/4535)
- feat(context-storage): add optional tryGetContext helper [#4539](https://github.com/honojs/hono/pull/4539)
- feat(secure-headers): add CSP report-to and report-uri directive support [#4555](https://github.com/honojs/hono/pull/4555)
- fix(types): replace schema-based path tracking with CurrentPath parameter [#4552](https://github.com/honojs/hono/pull/4552)

#### All changes

- chore: update esbuild to version 0.27.1 by [@kosei28](https://github.com/kosei28) in [#4571](https://github.com/honojs/hono/pull/4571)
- fix(hono/jsx): display blank when children is nullish by [@techfish-11](https://github.com/techfish-11) in [#4573](https://github.com/honojs/hono/pull/4573)
- feat(types): make Hono client's $url return the exact URL type by [@miyaji255](https://github.com/miyaji255) in [#4502](https://github.com/honojs/hono/pull/4502)
- feat(types): enhance NotFoundHandler to support custom NotFoundResponse type by [@miyaji255](https://github.com/miyaji255) in [#4518](https://github.com/honojs/hono/pull/4518)
- feat(timing): add wrapTime to simplify usage by [@PassiDel](https://github.com/PassiDel) in [#4519](https://github.com/honojs/hono/pull/4519)
- feat(pretty-json): support force option by [@missinglink](https://github.com/missinglink) in [#4531](https://github.com/honojs/hono/pull/4531)
- feat(context-storage): Add optional tryGetContext helper to context-storage middleware by [@AyushCoder9](https://github.com/AyushCoder9) in [#4539](https://github.com/honojs/hono/pull/4539)
- feat(client): add buildSearchParams option to customize query serialization by [@bolasblack](https://github.com/bolasblack) in [#4535](https://github.com/honojs/hono/pull/4535)
- feat(secure-headers): Add CSP report-to and report-uri directive support by [@cruzz77](https://github.com/cruzz77) in [#4555](https://github.com/honojs/hono/pull/4555)
- fix(types): replace schema-based path tracking with CurrentPath parameter by [@kosei28](https://github.com/kosei28) in [#4552](https://github.com/honojs/hono/pull/4552)
- Next by [@yusukebe](https://github.com/yusukebe) in [#4574](https://github.com/honojs/hono/pull/4574)

#### New Contributors

- [@missinglink](https://github.com/missinglink) made their first contribution in [#4531](https://github.com/honojs/hono/pull/4531)
- [@bolasblack](https://github.com/bolasblack) made their first contribution in [#4535](https://github.com/honojs/hono/pull/4535)
- [@cruzz77](https://github.com/cruzz77) made their first contribution in [#4555](https://github.com/honojs/hono/pull/4555)

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.10.8...v4.11.0>

### [`v4.10.8`](https://github.com/honojs/hono/releases/tag/v4.10.8)

[Compare Source](https://github.com/honojs/hono/compare/v4.10.7...v4.10.8)

#### What's Changed

- chore: bump linter and formatter by [@ryuapp](https://github.com/ryuapp) in [#4568](https://github.com/honojs/hono/pull/4568)
- chore: bump github actions by [@ryuapp](https://github.com/ryuapp) in [#4569](https://github.com/honojs/hono/pull/4569)
- fix(linear-router): incorrect path matching by [@cromery](https://github.com/cromery) in [#4567](https://github.com/honojs/hono/pull/4567)
- docs(cookie): update outdated RFC links by [@AyushCoder9](https://github.com/AyushCoder9) in [#4557](https://github.com/honojs/hono/pull/4557)
- feat(csrf): Support async `IsAllowedOriginHandler` by [@baseballyama](https://github.com/baseballyama) in [#4558](https://github.com/honojs/hono/pull/4558)
- feat(csrf): Support async `IsAllowedSecFetchSiteHandler` by [@baseballyama](https://github.com/baseballyama) in [#4559](https://github.com/honojs/hono/pull/4559)

#### New Contributors

- [@cromery](https://github.com/cromery) made their first contribution in [#4567](https://github.com/honojs/hono/pull/4567)
- [@AyushCoder9](https://github.com/AyushCoder9) made their first contribution in [#4557](https://github.com/honojs/hono/pull/4557)
- [@baseballyama](https://github.com/baseballyama) made their first contribution in [#4558](https://github.com/honojs/hono/pull/4558)

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.10.7...v4.10.8>

### [`v4.10.7`](https://github.com/honojs/hono/releases/tag/v4.10.7)

[Compare Source](https://github.com/honojs/hono/compare/v4.10.6...v4.10.7)

#### What's Changed

- fix(validator): fix incomplete types and wrong tests by [@EdamAme-x](https://github.com/EdamAme-x) in [#4521](https://github.com/honojs/hono/pull/4521)
- refactor(types): delete type `NotSpecified` and `StrictVerifyOptions` by [@ysknsid25](https://github.com/ysknsid25) in [#4525](https://github.com/honojs/hono/pull/4525)
- fix: add JSX type for hono/jsx/dom by [@ssssota](https://github.com/ssssota) in [#4534](https://github.com/honojs/hono/pull/4534)
- fix(adapter/bun): fix TypeError: null is not an object ([#4429](https://github.com/honojs/hono/issues/4429)) by [@brenc](https://github.com/brenc) in [#4538](https://github.com/honojs/hono/pull/4538)
- chore: add config version to `bun.lock` by [@yusukebe](https://github.com/yusukebe) in [#4548](https://github.com/honojs/hono/pull/4548)

#### New Contributors

- [@ysknsid25](https://github.com/ysknsid25) made their first contribution in [#4525](https://github.com/honojs/hono/pull/4525)
- [@brenc](https://github.com/brenc) made their first contribution in [#4538](https://github.com/honojs/hono/pull/4538)

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.10.6...v4.10.7>

### [`v4.10.6`](https://github.com/honojs/hono/releases/tag/v4.10.6)

[Compare Source](https://github.com/honojs/hono/compare/v4.10.5...v4.10.6)

#### Deprecated

##### bearer-auth options

The following options are deprecated and will be removed in a future version:

- `noAuthenticationHeaderMessage` => use `noAuthenticationHeader.message`
- `invalidAuthenticationHeaderMessage` => use `invalidAuthenticationHeader.message`
- `invalidTokenMessage` => use `invalidToken.message`

#### What's Changed

- feat(aws-lambda): handle AWS Lattice events by [@anho](https://github.com/anho) in [#4451](https://github.com/honojs/hono/pull/4451)
- feat(secure-headers): support CSP TrustedTypePolicy by [@RosApr](https://github.com/RosApr) in [#4500](https://github.com/honojs/hono/pull/4500)
- feat: Improve auth middlewares by [@MathurAditya724](https://github.com/MathurAditya724) in [#4485](https://github.com/honojs/hono/pull/4485)

#### New Contributors

- [@anho](https://github.com/anho) made their first contribution in [#4451](https://github.com/honojs/hono/pull/4451)

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.10.5...v4.10.6>

### [`v4.10.5`](https://github.com/honojs/hono/releases/tag/v4.10.5)

[Compare Source](https://github.com/honojs/hono/compare/v4.10.4...v4.10.5)

#### What's Changed

- docs(CONTRIBUTING): use bun instead of yarn in local development setup by [@taichi-1](https://github.com/taichi-1) in [#4503](https://github.com/honojs/hono/pull/4503)
- docs: grammar issue by [@WuMingDao](https://github.com/WuMingDao) in [#4508](https://github.com/honojs/hono/pull/4508)
- fix(utils/url): make `_getQueryParam` search behind question mark by [@tuzi3040](https://github.com/tuzi3040) in [#4507](https://github.com/honojs/hono/pull/4507)
- fix(jsx): self-close wrapped empty tags by [@jakelee8](https://github.com/jakelee8) in [#4511](https://github.com/honojs/hono/pull/4511)
- chore: improve private field removal by [@BlankParticle](https://github.com/BlankParticle) in [#4513](https://github.com/honojs/hono/pull/4513)
- fix(middleware/cache): skip caching when `Vary: *` is present by [@pHo9UBenaA](https://github.com/pHo9UBenaA) in [#4504](https://github.com/honojs/hono/pull/4504)

#### New Contributors

- [@taichi-1](https://github.com/taichi-1) made their first contribution in [#4503](https://github.com/honojs/hono/pull/4503)
- [@WuMingDao](https://github.com/WuMingDao) made their first contribution in [#4508](https://github.com/honojs/hono/pull/4508)
- [@tuzi3040](https://github.com/tuzi3040) made their first contribution in [#4507](https://github.com/honojs/hono/pull/4507)
- [@jakelee8](https://github.com/jakelee8) made their first contribution in [#4511](https://github.com/honojs/hono/pull/4511)
- [@pHo9UBenaA](https://github.com/pHo9UBenaA) made their first contribution in [#4504](https://github.com/honojs/hono/pull/4504)

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.10.4...v4.10.5>

### [`v4.10.4`](https://github.com/honojs/hono/releases/tag/v4.10.4)

[Compare Source](https://github.com/honojs/hono/compare/v4.10.3...v4.10.4)

#### What's Changed

- chore: add a monochrome logo image by [@yusukebe](https://github.com/yusukebe) in [#4487](https://github.com/honojs/hono/pull/4487)
- chore: fix the monochrome logo by [@yusukebe](https://github.com/yusukebe) in [#4488](https://github.com/honojs/hono/pull/4488)
- fix(secure-headers): proposed features typo spelling mistake by [@RosApr](https://github.com/RosApr) in [#4494](https://github.com/honojs/hono/pull/4494)
- fix(types): preserve handler response typing in createHandlers by [@s-junio](https://github.com/s-junio) in [#4492](https://github.com/honojs/hono/pull/4492)

#### New Contributors

- [@RosApr](https://github.com/RosApr) made their first contribution in [#4494](https://github.com/honojs/hono/pull/4494)
- [@s-junio](https://github.com/s-junio) made their first contribution in [#4492](https://github.com/honojs/hono/pull/4492)

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.10.3...v4.10.4>

### [`v4.10.3`](https://github.com/honojs/hono/releases/tag/v4.10.3)

[Compare Source](https://github.com/honojs/hono/compare/v4.10.2...v4.10.3)

#### Security Fix

A security issue in the CORS middleware has been fixed. In some cases, a request header could affect the Vary response header. Please update to the latest version if you are using the CORS middleware.
#### What's Changed

- fix(aws-lambda): serve microsoft office files as binary in lambda handler by [@matthiasfeist](https://github.com/matthiasfeist) in [#4469](https://github.com/honojs/hono/pull/4469)
- fix(request-id): validation accepts `=` by [@ryuapp](https://github.com/ryuapp) in [#4478](https://github.com/honojs/hono/pull/4478)
- refactor(jwt): reduce the size of the code generated by minification by [@usualoma](https://github.com/usualoma) in [#4480](https://github.com/honojs/hono/pull/4480)

#### New Contributors

- [@matthiasfeist](https://github.com/matthiasfeist) made their first contribution in [#4469](https://github.com/honojs/hono/pull/4469)

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.10.2...v4.10.3>

### [`v4.10.2`](https://github.com/honojs/hono/releases/tag/v4.10.2)

[Compare Source](https://github.com/honojs/hono/compare/v4.10.1...v4.10.2)

#### Security hardening improvement

If you are using JWT middleware, please read the following and consider applying the configuration.

##### Improper Authorization in Hono (JWT Audience Validation)

Hono's JWT authentication middleware did not validate the `aud` (Audience) claim by default. As a result, applications using the middleware without an explicit audience check could accept tokens intended for other audiences, leading to potential cross-service access (token mix-up).

The issue is addressed by adding a new `verification.aud` configuration option to allow RFC 7519–compliant audience validation.

This change is classified as a security hardening improvement, but the lack of validation can still be considered a vulnerability in deployments that rely on default JWT verification.
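Both JWT checks described in these notes, the pinned algorithm required since v4.11.4 and the audience validation added in v4.10.2, in one added example that is not hono's middleware code: a minimal HS256 verifier in which the header's `alg` is compared against configuration but never used to pick the verification method, and `aud` is checked per RFC 7519 as either a string or an array. `signHS256` and `verifyToken` are hypothetical names; the secret and claims are constructed.

```typescript
// Added example, not hono's JWT middleware. Hypothetical names: signHS256, verifyToken.
import { createHmac, timingSafeEqual } from 'node:crypto'

type JwtHeader = { alg: string; typ?: string }
type JwtPayload = { aud?: string | string[]; [claim: string]: unknown }

function encodePart(value: unknown): string {
  return Buffer.from(JSON.stringify(value)).toString('base64url')
}

function decodePart<T>(part: string): T | null {
  try {
    const parsed: unknown = JSON.parse(Buffer.from(part, 'base64url').toString('utf8'))
    return parsed !== null && typeof parsed === 'object' ? (parsed as T) : null
  } catch {
    return null // not base64url / not JSON
  }
}

// Issuer side (constructed, only so the demonstration has tokens to verify).
function signHS256(payload: JwtPayload, secret: string): string {
  const signingInput = `${encodePart({ alg: 'HS256', typ: 'JWT' })}.${encodePart(payload)}`
  const sig = createHmac('sha256', secret).update(signingInput).digest('base64url')
  return `${signingInput}.${sig}`
}

// Verifier side. `expected.alg` plays the role of the now-required `alg` option: the header's
// alg is compared against it and never consulted to decide how the signature is checked, so a
// token that advertises another algorithm (or "none") fails before any cryptography runs.
function verifyToken(
  token: string,
  secret: string,
  expected: { alg: 'HS256'; aud: string }
): JwtPayload | null {
  const parts = token.split('.')
  if (parts.length !== 3) return null
  const [h, p, s] = parts as [string, string, string]
  const header = decodePart<JwtHeader>(h)
  const payload = decodePart<JwtPayload>(p)
  if (header === null || payload === null) return null
  if (header.alg !== expected.alg) return null

  const mac = createHmac('sha256', secret).update(`${h}.${p}`).digest()
  const given = Buffer.from(s, 'base64url')
  if (mac.length !== given.length || !timingSafeEqual(mac, given)) return null

  // RFC 7519 section 4.1.3: aud is a string or an array of strings. The token is accepted only
  // when this service's identifier is among them, which is what `verification.aud` enforces;
  // a token with no aud at all is rejected too, since it was not issued for this service.
  const aud = payload.aud
  const audiences: string[] = typeof aud === 'string' ? [aud] : Array.isArray(aud) ? aud : []
  if (!audiences.includes(expected.aud)) return null
  return payload
}
```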
##### Recommended secure configuration

You can enable RFC 7519–compliant audience validation using the new `verification.aud` option:

```ts
import { Hono } from 'hono'
import { jwt } from 'hono/jwt'

const app = new Hono()

app.use(
  '/api/*',
  jwt({
    secret: 'my-secret',
    verification: {
      // Require this API to only accept tokens with aud = 'service-a'
      aud: 'service-a',
    },
  })
)
```

#### What's Changed

- tests: Fix test case of handlers without a path by [@IAmSSH](https://github.com/IAmSSH) in [#4472](https://github.com/honojs/hono/pull/4472)

#### New Contributors

- [@IAmSSH](https://github.com/IAmSSH) made their first contribution in [#4472](https://github.com/honojs/hono/pull/4472)

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.10.1...v4.10.2>

### [`v4.10.1`](https://github.com/honojs/hono/releases/tag/v4.10.1)

[Compare Source](https://github.com/honojs/hono/compare/v4.10.0...v4.10.1)

#### What's Changed

- fix(types): cannot `.use` non-return mw from `createMiddleware` by [@NamesMT](https://github.com/NamesMT) in [#4465](https://github.com/honojs/hono/pull/4465)

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.10.0...v4.10.1>

### [`v4.10.0`](https://github.com/honojs/hono/releases/tag/v4.10.0)

[Compare Source](https://github.com/honojs/hono/compare/v4.9.12...v4.10.0)

### Release Notes

Hono v4.10.0 is now available! This release brings improved TypeScript support and new utilities. The main highlight is the enhanced middleware type definitions that solve a long-standing issue with type safety for RPC clients.

#### Middleware Type Improvements

Imagine the following app:

```ts
import { Hono } from 'hono'

const app = new Hono()

const routes = app.get(
  '/',
  (c) => {
    return c.json({ errorMessage: 'Error!' }, 500)
  },
  (c) => {
    return c.json({ message: 'Success!' }, 200)
  }
)
```

The client with RPC:

```ts
import { hc } from 'hono/client'

const client = hc<typeof routes>('/')
const res = await client.index.$get()

if (res.status === 500) {
}

if (res.status === 200) {
}
```

Previously, it couldn't infer the responses from middleware, so a type error was thrown.

![CleanShot 2025-10-17 at 06 51 48@2x](https://github.com/user-attachments/assets/7e660db0-6c52-4249-9a3d-2932614bbace)

Now the responses are correctly typed.

![CleanShot 2025-10-17 at 06 54 13@2x](https://github.com/user-attachments/assets/ef6136f1-bc26-4625-9238-0aec25110efc)

***

This was a long-standing issue, and we thought it would be super difficult to resolve, but now it has come true. Thank you for the great work [@slawekkolodziej](https://github.com/slawekkolodziej)!

#### cloneRawRequest Utility

The new `cloneRawRequest` utility allows you to clone the raw Request object after it has been consumed by validators or middleware.

```ts
import { cloneRawRequest } from 'hono/request'

app.post('/api', async (c) => {
  const body = await c.req.json()
  // Clone the consumed request
  const clonedRequest = cloneRawRequest(c.req)
  await externalLibrary.process(clonedRequest)
})
```

Thanks [@kamaal111](https://github.com/kamaal111)!
#### New features

- feat(types): passing middleware types [#4393](https://github.com/honojs/hono/pull/4393)
- feat(ssg): add default plugin that defines the recommended behavior [#4394](https://github.com/honojs/hono/pull/4394)
- feat(request): add cloneRawRequest utility for request cloning [#4382](https://github.com/honojs/hono/pull/4382)

#### All changes

- feat(types): passing middleware types by [@slawekkolodziej](https://github.com/slawekkolodziej) in [#4393](https://github.com/honojs/hono/pull/4393)
- feat(ssg): add default plugin that defines the recommended behavior by [@3w36zj6](https://github.com/3w36zj6) in [#4394](https://github.com/honojs/hono/pull/4394)
- feat(request): add cloneRawRequest utility for request cloning by [@kamaal111](https://github.com/kamaal111) in [#4382](https://github.com/honojs/hono/pull/4382)
- fix(proxy): Correct hop-by-hop header handling per RFC 9110 by [@sugar-cat7](https://github.com/sugar-cat7) in [#4459](https://github.com/honojs/hono/pull/4459)

#### New Contributors

- [@slawekkolodziej](https://github.com/slawekkolodziej) made their first contribution in [#4393](https://github.com/honojs/hono/pull/4393)
- [@kamaal111](https://github.com/kamaal111) made their first contribution in [#4382](https://github.com/honojs/hono/pull/4382)

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.9.12...v4.10.0>

### [`v4.9.12`](https://github.com/honojs/hono/releases/tag/v4.9.12)

[Compare Source](https://github.com/honojs/hono/compare/v4.9.11...v4.9.12)

#### What's Changed

- refactor: internal structure of `PreparedRegExpRouter` for optimization and added tests by [@usualoma](https://github.com/usualoma) in [#4456](https://github.com/honojs/hono/pull/4456)
- refactor: use protected methods instead of computed properties to allow `tree shaking` by [@usualoma](https://github.com/usualoma) in [#4458](https://github.com/honojs/hono/pull/4458)

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.9.11...v4.9.12>

### [`v4.9.11`](https://github.com/honojs/hono/releases/tag/v4.9.11)

[Compare Source](https://github.com/honojs/hono/compare/v4.9.10...v4.9.11)

#### What's Changed

- fix(types): fix 4.9.8 regression by [@aadito123](https://github.com/aadito123) in [#4448](https://github.com/honojs/hono/pull/4448)
- feat(reg-exp-router): Introduced PreparedRegExpRouter by [@usualoma](https://github.com/usualoma) in [#1796](https://github.com/honojs/hono/pull/1796)

#### New Contributors

- [@aadito123](https://github.com/aadito123) made their first contribution in [#4448](https://github.com/honojs/hono/pull/4448)

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.9.10...v4.9.11>

### [`v4.9.10`](https://github.com/honojs/hono/releases/tag/v4.9.10)

[Compare Source](https://github.com/honojs/hono/compare/v4.9.9...v4.9.10)

#### What's Changed

- fix(context): Fix [#4427](https://github.com/honojs/hono/issues/4427) type regression by removing non-public export by [@aantthony](https://github.com/aantthony) in [#4433](https://github.com/honojs/hono/pull/4433)
- fix(aws-lambda): sanitize non-ASCII header values to prevent ByteString errors by [@yusukebe](https://github.com/yusukebe) in [#4437](https://github.com/honojs/hono/pull/4437)

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.9.9...v4.9.10>

### [`v4.9.9`](https://github.com/honojs/hono/releases/tag/v4.9.9)

[Compare Source](https://github.com/honojs/hono/compare/v4.9.8...v4.9.9)

#### What's Changed

- fix(service-worker): Update service-worker fire() to accept generic variants of Hono app instance by [@harmony7](https://github.com/harmony7) in [#4420](https://github.com/honojs/hono/pull/4420)
- fix(service-worker): correct generics for `handle` by [@yusukebe](https://github.com/yusukebe) in [#4421](https://github.com/honojs/hono/pull/4421)
- feat(helper/route): enable to get route path at specific index by [@usualoma](https://github.com/usualoma) in [#4423](https://github.com/honojs/hono/pull/4423)

#### New Contributors

- [@harmony7](https://github.com/harmony7) made their first contribution in [#4420](https://github.com/honojs/hono/pull/4420)

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.9.8...v4.9.9>

### [`v4.9.8`](https://github.com/honojs/hono/releases/tag/v4.9.8)

[Compare Source](https://github.com/honojs/hono/compare/v4.9.7...v4.9.8)

#### What's Changed

- fix(types): JSONParsed infer unknown values by [@BarryThePenguin](https://github.com/BarryThePenguin) in [#4405](https://github.com/honojs/hono/pull/4405)
- refactor(types): remove SimplifyDeepArray from json types by [@BarryThePenguin](https://github.com/BarryThePenguin) in [#4406](https://github.com/honojs/hono/pull/4406)
- refactor(types): fix the type definitions in hono-base by [@yusukebe](https://github.com/yusukebe) in [#4407](https://github.com/honojs/hono/pull/4407)
- fix(request): return empty string for empty catch-all param by [@amitksingh0880](https://github.com/amitksingh0880) in [#4395](https://github.com/honojs/hono/pull/4395)

#### New Contributors

- [@amitksingh0880](https://github.com/amitksingh0880) made their first contribution in [#4395](https://github.com/honojs/hono/pull/4395)

**Full Changelog**: <https://github.com/honojs/hono/compare/v4.9.7...v4.9.8>

### [`v4.9.7`](https://github.com/honojs/hono/releases/tag/v4.9.7)

[Compare Source](https://github.com/honojs/hono/compare/v4.9.6...v4.9.7)

#### Security

- Fixed an issue in the `bodyLimit` middleware where the body size limit could be bypassed when both `Content-Length` and `Transfer-Encoding` headers were present.
If you are using this middleware, please update immediately. [Security Advisory](https://github.com/honojs/hono/security/advisories/GHSA-92vj-g62v-jqhh) #### What's Changed - fix(client): Fix `parseResponse` not parsing json in react native by [@&#8203;lr0pb](https://github.com/lr0pb) in [#&#8203;4399](https://github.com/honojs/hono/pull/4399) - chore: add `.tool-versions` file by [@&#8203;3w36zj6](https://github.com/3w36zj6) in [#&#8203;4397](https://github.com/honojs/hono/pull/4397) - chore: update `bun install` commands to use `--frozen-lockfile` by [@&#8203;3w36zj6](https://github.com/3w36zj6) in [#&#8203;4398](https://github.com/honojs/hono/pull/4398) - test(jwk): Add tests of JWK token verification by [@&#8203;buckett](https://github.com/buckett) in [#&#8203;4402](https://github.com/honojs/hono/pull/4402) #### New Contributors - [@&#8203;lr0pb](https://github.com/lr0pb) made their first contribution in [#&#8203;4399](https://github.com/honojs/hono/pull/4399) - [@&#8203;buckett](https://github.com/buckett) made their first contribution in [#&#8203;4402](https://github.com/honojs/hono/pull/4402) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.9.6...v4.9.7> ### [`v4.9.6`](https://github.com/honojs/hono/releases/tag/v4.9.6) [Compare Source](https://github.com/honojs/hono/compare/v4.9.5...v4.9.6) #### Security Fixed a bug in URL path parsing (`getPath`) that could cause path confusion under malformed requests. If you rely on reverse proxies (e.g. Nginx) for ACLs or restrict access to endpoints like `/admin`, please update immediately. 
See advisory for details: GHSA-9hp6-4448-45g2 #### What's Changed - chore: update packages in the router bench by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4386](https://github.com/honojs/hono/pull/4386) - chore(benchmarks): remove comment-out from router bench by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4387](https://github.com/honojs/hono/pull/4387) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.9.5...v4.9.6> ### [`v4.9.5`](https://github.com/honojs/hono/releases/tag/v4.9.5) [Compare Source](https://github.com/honojs/hono/compare/v4.9.4...v4.9.5) #### What's Changed - chore: replace supertest with undici by [@&#8203;BarryThePenguin](https://github.com/BarryThePenguin) in [#&#8203;4365](https://github.com/honojs/hono/pull/4365) - fix(aws-lambda): preserve percent-encoded values in query strings by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4372](https://github.com/honojs/hono/pull/4372) - feat(cors): Allow async functions for `origin` and `allowMethods` by [@&#8203;jobrk](https://github.com/jobrk) in [#&#8203;4373](https://github.com/honojs/hono/pull/4373) - feat(cors): Correct origin function return type asynchronously returning null or undefined for origin by [@&#8203;jobrk](https://github.com/jobrk) in [#&#8203;4375](https://github.com/honojs/hono/pull/4375) - fix(service-worker): correct args for `app.fetch` in `handle` by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4374](https://github.com/honojs/hono/pull/4374) - fix(language-detector): Detect language from path after getPath changed by [@&#8203;iflamed](https://github.com/iflamed) in [#&#8203;4369](https://github.com/honojs/hono/pull/4369) #### New Contributors - [@&#8203;jobrk](https://github.com/jobrk) made their first contribution in [#&#8203;4373](https://github.com/honojs/hono/pull/4373) - [@&#8203;iflamed](https://github.com/iflamed) made their first contribution in 
[#&#8203;4369](https://github.com/honojs/hono/pull/4369) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.9.4...v4.9.5> ### [`v4.9.4`](https://github.com/honojs/hono/releases/tag/v4.9.4) [Compare Source](https://github.com/honojs/hono/compare/v4.9.3...v4.9.4) #### What's Changed - chore: add a type cast to run `deno publish` by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4364](https://github.com/honojs/hono/pull/4364) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.9.3...v4.9.4> ### [`v4.9.3`](https://github.com/honojs/hono/releases/tag/v4.9.3) [Compare Source](https://github.com/honojs/hono/compare/v4.9.2...v4.9.3) #### What's Changed - feat(csrf): Add modern CSRF protection with Fetch Metadata support by [@&#8203;meck93](https://github.com/meck93) in [#&#8203;4353](https://github.com/honojs/hono/pull/4353) - tests: use vitest projects by [@&#8203;BarryThePenguin](https://github.com/BarryThePenguin) in [#&#8203;4359](https://github.com/honojs/hono/pull/4359) - feat(proxy): add `customFetch` option to allow custom fetch function by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4360](https://github.com/honojs/hono/pull/4360) - chore: update `typescript` to `5.9.2` by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4362](https://github.com/honojs/hono/pull/4362) - chore: add `packageManager` field to `package.json` by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4363](https://github.com/honojs/hono/pull/4363) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.9.2...v4.9.3> ### [`v4.9.2`](https://github.com/honojs/hono/releases/tag/v4.9.2) [Compare Source](https://github.com/honojs/hono/compare/v4.9.1...v4.9.2) #### What's Changed - fix(jsx): 'plaintext-only' value for contenteditable attribute by [@&#8203;object1037](https://github.com/object1037) in [#&#8203;4349](https://github.com/honojs/hono/pull/4349) - fix(client): handle query parameters in `removeIndexString` by 
[@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4352](https://github.com/honojs/hono/pull/4352) #### New Contributors - [@&#8203;object1037](https://github.com/object1037) made their first contribution in [#&#8203;4349](https://github.com/honojs/hono/pull/4349) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.9.1...v4.9.2> ### [`v4.9.1`](https://github.com/honojs/hono/releases/tag/v4.9.1) [Compare Source](https://github.com/honojs/hono/compare/v4.9.0...v4.9.1) #### What's Changed - feat(parseResponse): set `DetailedError.name` (+ error tests) by [@&#8203;NamesMT](https://github.com/NamesMT) in [#&#8203;4344](https://github.com/honojs/hono/pull/4344) - fix(parseResponse): should not include error responses in result by [@&#8203;NamesMT](https://github.com/NamesMT) in [#&#8203;4348](https://github.com/honojs/hono/pull/4348) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.9.0...v4.9.1> ### [`v4.9.0`](https://github.com/honojs/hono/releases/tag/v4.9.0) [Compare Source](https://github.com/honojs/hono/compare/v4.8.12...v4.9.0) ### Release Notes Hono v4.9.0 is now available! This release introduces several enhancements and utilities. The main highlight is the new `parseResponse` utility that makes it easier to work with RPC client responses. #### parseResponse Utility The new `parseResponse` utility provides a convenient way to parse responses from Hono RPC clients (`hc`). It automatically handles different response formats and throws structured errors for failed requests. ```ts import { parseResponse, DetailedError } from 'hono/client' // result contains the parsed response body (automatically parsed based on Content-Type) const result = await parseResponse(client.hello.$get()).catch( // parseResponse automatically throws an error if response is not ok (e: DetailedError) => { console.error(e) } ) ``` This makes working with RPC client responses much more straightforward and type-safe. 
Thanks [@&#8203;NamesMT](https://github.com/NamesMT)! #### New features - feat(bun): allow importing upgradeWebSocket and websocket directly [#&#8203;4242](https://github.com/honojs/hono/pull/4242) - feat(aws-lambda): specify content-type as binary [#&#8203;4250](https://github.com/honojs/hono/pull/4250) - feat(jwt): add validation for the issuer (iss) claim [#&#8203;4253](https://github.com/honojs/hono/pull/4253) - feat(jwk): add headerName to JWK middleware [#&#8203;4279](https://github.com/honojs/hono/pull/4279) - feat(cookie): add generateCookie and generateSignedCookie helpers [#&#8203;4285](https://github.com/honojs/hono/pull/4285) - feat(serve-static): use join to correct path resolution [#&#8203;4291](https://github.com/honojs/hono/pull/4291) - feat(jwt): expose utility function verifyWithJwks for external use [#&#8203;4302](https://github.com/honojs/hono/pull/4302) - feat: add parseResponse util to smartly parse hc's Response [#&#8203;4314](https://github.com/honojs/hono/pull/4314) - feat(ssg): mark old hook options as deprecated [#&#8203;4331](https://github.com/honojs/hono/pull/4331) #### All changes - feat(aws-lambda): specify content-type as binary by [@&#8203;Kanahiro](https://github.com/Kanahiro) in [#&#8203;4250](https://github.com/honojs/hono/pull/4250) - feat(jwt): added validation for the issuer (`iss`) claim by [@&#8203;yolocat-dev](https://github.com/yolocat-dev) in [#&#8203;4253](https://github.com/honojs/hono/pull/4253) - feat(jwk): Add custom `headerName` to JWK middleware by [@&#8203;JoaquinGimenez1](https://github.com/JoaquinGimenez1) in [#&#8203;4279](https://github.com/honojs/hono/pull/4279) - feat(cookie): generateCookie and generateSignedCookie helpers by [@&#8203;Soviut](https://github.com/Soviut) in [#&#8203;4285](https://github.com/honojs/hono/pull/4285) - feat(serve-static): use `join` to correct path resolution by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4291](https://github.com/honojs/hono/pull/4291) - 
feat(jwt): Exposing utility function `verifyWithJwks` for external use by [@&#8203;Beyondo](https://github.com/Beyondo) in [#&#8203;4302](https://github.com/honojs/hono/pull/4302) - feat: add `parseResponse` util to smartly parse `hc`'s Response by [@&#8203;NamesMT](https://github.com/NamesMT) in [#&#8203;4314](https://github.com/honojs/hono/pull/4314) - feat(ssg): mark old hook options as deprecated by [@&#8203;3w36zj6](https://github.com/3w36zj6) in [#&#8203;4331](https://github.com/honojs/hono/pull/4331) - fix(bun): exports functions related to websocket by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4341](https://github.com/honojs/hono/pull/4341) - Next by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4340](https://github.com/honojs/hono/pull/4340) - chore: enable `skipLibCheck` to resolve TypeScript compilation issues by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4342](https://github.com/honojs/hono/pull/4342) #### New Contributors - [@&#8203;yolocat-dev](https://github.com/yolocat-dev) made their first contribution in [#&#8203;4253](https://github.com/honojs/hono/pull/4253) - [@&#8203;JoaquinGimenez1](https://github.com/JoaquinGimenez1) made their first contribution in [#&#8203;4279](https://github.com/honojs/hono/pull/4279) - [@&#8203;Soviut](https://github.com/Soviut) made their first contribution in [#&#8203;4285](https://github.com/honojs/hono/pull/4285) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.8.12...v4.9.0> ### [`v4.8.12`](https://github.com/honojs/hono/releases/tag/v4.8.12) [Compare Source](https://github.com/honojs/hono/compare/v4.8.11...v4.8.12) #### What's Changed - fix(router): support `/files/:name{.*}` by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4329](https://github.com/honojs/hono/pull/4329) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.8.11...v4.8.12> ### [`v4.8.11`](https://github.com/honojs/hono/releases/tag/v4.8.11) [Compare 
Source](https://github.com/honojs/hono/compare/v4.8.10...v4.8.11) #### What's Changed - fix(types): should populate `output` type for `c.body()` by [@&#8203;NamesMT](https://github.com/NamesMT) in [#&#8203;4318](https://github.com/honojs/hono/pull/4318) - ci: add editorconfig-checker by [@&#8203;3w36zj6](https://github.com/3w36zj6) in [#&#8203;4321](https://github.com/honojs/hono/pull/4321) - fix(service-worker): pass `FetchEvent` as second argument to `app.fetch` by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4328](https://github.com/honojs/hono/pull/4328) - chore(ci): upgrade bun version to 1.2.19 by [@&#8203;BarryThePenguin](https://github.com/BarryThePenguin) in [#&#8203;4323](https://github.com/honojs/hono/pull/4323) - chore: bump `@hono/eslint-config` by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4330](https://github.com/honojs/hono/pull/4330) - chore: autofix ci by [@&#8203;BarryThePenguin](https://github.com/BarryThePenguin) in [#&#8203;4322](https://github.com/honojs/hono/pull/4322) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.8.10...v4.8.11> ### [`v4.8.10`](https://github.com/honojs/hono/releases/tag/v4.8.10) [Compare Source](https://github.com/honojs/hono/compare/v4.8.9...v4.8.10) #### What's Changed - chore: add EditorConfig by [@&#8203;3w36zj6](https://github.com/3w36zj6) in [#&#8203;4309](https://github.com/honojs/hono/pull/4309) - chore: format JSON, YAML, and Markdown by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4310](https://github.com/honojs/hono/pull/4310) - chore: format and lint `benchmarks/*` by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4317](https://github.com/honojs/hono/pull/4317) - refactor(types): bring adapter/service-worker types up to date by [@&#8203;idealsh](https://github.com/idealsh) in [#&#8203;4315](https://github.com/honojs/hono/pull/4315) - chore: add editorconfig-checker by [@&#8203;3w36zj6](https://github.com/3w36zj6) in 
[#&#8203;4312](https://github.com/honojs/hono/pull/4312) - fix(cookie): support lowercase priority for compatibility with other libraries by [@&#8203;bytaesu](https://github.com/bytaesu) in [#&#8203;4293](https://github.com/honojs/hono/pull/4293) #### New Contributors - [@&#8203;idealsh](https://github.com/idealsh) made their first contribution in [#&#8203;4315](https://github.com/honojs/hono/pull/4315) - [@&#8203;bytaesu](https://github.com/bytaesu) made their first contribution in [#&#8203;4293](https://github.com/honojs/hono/pull/4293) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.8.9...v4.8.10> ### [`v4.8.9`](https://github.com/honojs/hono/releases/tag/v4.8.9) [Compare Source](https://github.com/honojs/hono/compare/v4.8.8...v4.8.9) #### What's Changed - fix(context): use `isByteString` in `c.redirect` by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4307](https://github.com/honojs/hono/pull/4307) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.8.8...v4.8.9> ### [`v4.8.8`](https://github.com/honojs/hono/releases/tag/v4.8.8) [Compare Source](https://github.com/honojs/hono/compare/v4.8.7...v4.8.8) #### What's Changed - docs: simplify the readme by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4305](https://github.com/honojs/hono/pull/4305) - fix(utils/url): prevent double encoding in `safeEncodeURI` by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4306](https://github.com/honojs/hono/pull/4306) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.8.7...v4.8.8> ### [`v4.8.7`](https://github.com/honojs/hono/releases/tag/v4.8.7) [Compare Source](https://github.com/honojs/hono/compare/v4.8.6...v4.8.7) #### What's Changed - chore: fix the deno version for publishing to jsr by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4304](https://github.com/honojs/hono/pull/4304) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.8.6...v4.8.7> ### 
[`v4.8.6`](https://github.com/honojs/hono/releases/tag/v4.8.6) [Compare Source](https://github.com/honojs/hono/compare/v4.8.5...v4.8.6) #### What's Changed - perf(types): remove unnecessary default types by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;4282](https://github.com/honojs/hono/pull/4282) - fix(context): encode the redirect location by [@&#8203;yayugu](https://github.com/yayugu) in [#&#8203;4297](https://github.com/honojs/hono/pull/4297) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.8.5...v4.8.6> ### [`v4.8.5`](https://github.com/honojs/hono/releases/tag/v4.8.5) [Compare Source](https://github.com/honojs/hono/compare/v4.8.4...v4.8.5) #### What's Changed - fix(serve-static): support Windows by [@&#8203;yusukebe](https://github.com/yusukebe) in [#&#8203;3477](https://github.com/honojs/hono/pull/3477) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.8.4...v4.8.5> </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNC4wIiwidXBkYXRlZEluVmVyIjoiNDMuMTQuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYmFja2VuZCIsInJlbm92YXRlIl19-->
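The two security notes above (v4.9.6 `getPath` path confusion, v4.9.7 `bodyLimit` bypass) both come down to a parsing decision. As an added example that is not Hono's own code, here is a hardened form of each decision: a path extractor that finds the first `/` after `://` instead of using a fixed offset, and a body-size check that ignores `Content-Length` whenever `Transfer-Encoding: chunked` is present (RFC 9112 §6.3) and counts the bytes that actually arrive. `headersFrom`, `HeaderLookup`, `declaredLengthExceeds` and `bodyWithinLimit` are names constructed for this example, and the sample headers and body are constructed too.

```typescript
// Added example, not Hono's own code. Hardened helpers modelled on the fixes
// described in the v4.9.6 (getPath) and v4.9.7 (bodyLimit) security notes.

/** Extract the request path from an absolute-form or origin-form URL. */
export function getPath(url: string): string {
  const scheme = url.indexOf('://')
  // origin-form ("/admin?x=1"): there is no authority, only strip the query
  if (scheme === -1) {
    const q = url.indexOf('?')
    return q === -1 ? url : url.slice(0, q)
  }
  const authority = scheme + 3
  const slash = url.indexOf('/', authority) // first "/" after "://", no fixed offset
  const query = url.indexOf('?', authority)
  // No path at all, or "?" appears before any "/": the path is "/"
  if (slash === -1 || (query !== -1 && query < slash)) return '/'
  return query === -1 ? url.slice(slash) : url.slice(slash, query)
}

/** Minimal case-insensitive header lookup (constructed for this example). */
export interface HeaderLookup {
  get(name: string): string | null
}
export function headersFrom(raw: Record<string, string>): HeaderLookup {
  const map = new Map(Object.entries(raw).map(([k, v]) => [k.toLowerCase(), v]))
  return { get: (name: string) => map.get(name.toLowerCase()) ?? null }
}

/** True when Transfer-Encoding lists "chunked"; Content-Length must then be ignored (RFC 9112 §6.3). */
export function isChunked(headers: HeaderLookup): boolean {
  const te = headers.get('transfer-encoding')
  return te !== null && te.split(',').some((t) => t.trim().toLowerCase() === 'chunked')
}

/**
 * Early-reject decision for a bodyLimit-style middleware. Only a Content-Length
 * that is not overridden by chunked encoding may short-circuit the check; in
 * every other case the body has to be streamed and counted by bodyWithinLimit.
 */
export function declaredLengthExceeds(headers: HeaderLookup, maxSize: number): boolean {
  if (isChunked(headers)) return false // declared length is meaningless here
  const cl = headers.get('content-length')
  if (cl === null || !/^\d+$/.test(cl)) return false // absent or malformed: stream instead
  return Number(cl) > maxSize
}

/** Count bytes as they arrive and stop at the first chunk that crosses the limit. */
export function bodyWithinLimit(chunks: Uint8Array[], maxSize: number): boolean {
  let seen = 0
  for (const chunk of chunks) {
    seen += chunk.byteLength
    if (seen > maxSize) return false
  }
  return true
}

// Constructed request: Content-Length claims 10 bytes, but chunked encoding is
// present, so the 20 bytes that really arrive are what the limit must see.
export const conflictingHeaders = headersFrom({
  'Content-Length': '10',
  'Transfer-Encoding': 'chunked',
})
export const streamedBody = [new Uint8Array(8), new Uint8Array(12)]
```

With a 16-byte limit, `declaredLengthExceeds(conflictingHeaders, 16)` is `false` (the header is not trusted) and `bodyWithinLimit(streamedBody, 16)` is `false` (the real body is rejected), which is the combination the v4.9.7 fix restores.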
Reference
MobiusReactor/TicTacToeV2!35