Releases: honojs/hono
v4.12.12
Security fixes
This release includes fixes for the following security issues:
Middleware bypass via repeated slashes in serveStatic
Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c
Path traversal in toSSG() allows writing files outside the output directory
Affects: toSSG() for Static Site Generation. Fixes a path traversal issue where crafted ssgParams values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx
Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g
Missing validation of cookie name on write path in setCookie()
Affects: setCookie(), serialize(), and serializeSigned() from hono/cookie. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm
Non-breaking space prefix bypass in cookie name handling in getCookie()
Affects: getCookie() from hono/cookie. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4
Users who use Serve Static, Static Site Generation, Cookie utilities, or IP restriction middleware are strongly encouraged to upgrade to this version.
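The IPv4-mapped IPv6 fix above is worth seeing in code, because the failure is silent: a rule written as `127.0.0.1` simply never fires for a client that the runtime reports as `::ffff:127.0.0.1`. The following is an added example, not Hono's ipRestriction() implementation. It canonicalizes `::ffff:a.b.c.d`, the hex form `::ffff:7f00:1`, and the uncompressed `0:0:0:0:0:ffff:...` form to the embedded IPv4 address before evaluating rules. The deny-before-allow policy, the rule formats (exact address or IPv4 CIDR) and the `naiveMatches` contrast are this example's own assumptions.

```javascript
// Added example (not Hono's ipRestriction() code): canonicalize IPv4-mapped IPv6
// addresses before matching allow/deny rules.

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if it is not valid IPv4.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n >>> 0;
}

// Return the address to compare against rules. An IPv4-mapped IPv6 address
// (::ffff:a.b.c.d, ::ffff:hhhh:hhhh, or the uncompressed 0:0:0:0:0:ffff:... form)
// is the same client as the embedded IPv4 address, so it is rewritten to
// dotted-quad form. Anything else is returned lowercased and otherwise unchanged
// (full IPv6 canonicalization is out of scope for this example).
function canonicalize(ip) {
  const lower = ip.trim().toLowerCase();
  const mapped = /^(?:::|(?:0{1,4}:){5})ffff:(.+)$/.exec(lower);
  if (!mapped) return lower;
  const tail = mapped[1];
  if (ipv4ToInt(tail) !== null) return tail;                   // ::ffff:127.0.0.1
  const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(tail);  // ::ffff:7f00:1
  if (!hex) return lower;
  const hi = parseInt(hex[1], 16);
  const lo = parseInt(hex[2], 16);
  return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join('.');
}

// A comparison that skips canonicalization: plain string equality never matches
// a mapped address against an IPv4 rule, so the rule is quietly ineffective.
function naiveMatches(ip, rule) {
  return ip === rule;
}

// A rule is either an exact address or an IPv4 CIDR block such as 10.0.0.0/8.
function matchesRule(ip, rule) {
  const addr = canonicalize(ip);
  const slash = rule.indexOf('/');
  if (slash < 0) return addr === canonicalize(rule);
  const a = ipv4ToInt(addr);
  const base = ipv4ToInt(rule.slice(0, slash));
  const bits = Number(rule.slice(slash + 1));
  if (a === null || base === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((base & mask) >>> 0);
}

// Example policy (this example's own, not necessarily Hono's exact semantics):
// any deny match rejects; otherwise an empty allow list permits everyone and a
// non-empty allow list requires a match.
function isPermitted(ip, { allow = [], deny = [] } = {}) {
  if (deny.some((rule) => matchesRule(ip, rule))) return false;
  if (allow.length === 0) return true;
  return allow.some((rule) => matchesRule(ip, rule));
}
```

When adapting this, canonicalize the address that your runtime actually reports (the connection info object differs between Node, Bun, Deno and Cloudflare Workers) and apply the same function to the rule list at startup, so a rule mistakenly written in mapped form still compares equal.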
v4.12.11
v4.12.10
What's Changed
- test(router): fix `Simple capturing group` test by @yusukebe in #4838
- docs: fix impaired -> inspired typo in benchmark READMEs by @Abhi3975 in #4843
- fix(jsx/dom): apply select value after children are rendered by @usualoma in #4847
- fix(compress): convert strong ETag to weak ETag when compressing by @usualoma in #4848
- docs(ip-restriction): add clear JSDoc examples and param types by @VISHNU7KASIREDDY in #4851
New Contributors
- @Abhi3975 made their first contribution in #4843
- @VISHNU7KASIREDDY made their first contribution in #4851
Full Changelog: v4.12.9...v4.12.10
v4.12.9
What's Changed
- fix(request): remove `parseBody` from bodyCache to prevent TypeError by @yusukebe in #4807
- feat(client): add `PickResponseByStatusCode` type by @yusukebe in #4791
- fix(ssg): pass SSG_CONTEXT to forGetInfoURLRequest by @yuintei in #4810
- fix(service-worker): make `fire()` fallback behavior consistent with `handle()` by @yusukebe in #4821
- fix(cors): reflect request origin when credentials is true with wildcard by @ctonneslan in #4813
New Contributors
Full Changelog: v4.12.8...v4.12.9
v4.12.8
What's Changed
- fix(utils/mime): Normalize input extension to lowercase before MIME check by @TheEssem in #4800
- fix(bearer-auth): escape regex metacharacters in bearer auth prefix option by @otoneko1102 in #4750
New Contributors
Full Changelog: v4.12.7...v4.12.8
v4.12.7
Security hardening
Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.
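To make the hardening above concrete, here is an added example, not Hono's parseBody() code, of the pattern it guards against: expanding dot-notation form keys such as `user.name` into nested objects by walking the object one segment at a time. The unsafe walker follows `__proto__` onto Object.prototype, so the final assignment lands on every plain object in the process; the hardened walker drops any key that contains a forbidden segment and only reuses own properties as intermediate objects. Skipping `constructor` and `prototype` in addition to `__proto__` goes beyond what the release note states and is this example's own choice.

```javascript
// Added example (not Hono's parseBody() implementation): dot-notation key
// expansion with and without prototype-pollution hardening.

// Segments that must never be walked when building nested objects from user input.
// The release note names __proto__; constructor/prototype are added here as the
// usual companions (this example's choice, not the project's stated behaviour).
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// The unsafe pattern: for the key "__proto__.isAdmin", cur["__proto__"] is
// Object.prototype (typeof "object", not null), so the walk continues onto it and
// the final assignment pollutes every plain object.
function expandUnsafe(entries) {
  const result = {};
  for (const [key, value] of entries) {
    const segs = key.split('.');
    let cur = result;
    for (let i = 0; i < segs.length - 1; i++) {
      if (typeof cur[segs[i]] !== 'object' || cur[segs[i]] === null) cur[segs[i]] = {};
      cur = cur[segs[i]];
    }
    cur[segs[segs.length - 1]] = value;
  }
  return result;
}

// Hardened: a key with any forbidden segment is dropped entirely, and only own
// properties are reused as intermediate objects, so inherited names (toString,
// hasOwnProperty, ...) are replaced by fresh objects instead of being walked.
function expandSafe(entries) {
  const result = {};
  for (const [key, value] of entries) {
    const segs = key.split('.');
    if (segs.some((s) => FORBIDDEN_SEGMENTS.has(s))) continue;
    let cur = result;
    for (let i = 0; i < segs.length - 1; i++) {
      const s = segs[i];
      const own = Object.prototype.hasOwnProperty.call(cur, s);
      if (!own || typeof cur[s] !== 'object' || cur[s] === null) cur[s] = {};
      cur = cur[s];
    }
    cur[segs[segs.length - 1]] = value;
  }
  return result;
}

// Constructed sample: the [name, value] pairs a urlencoded or multipart body
// might decode to, including two pollution attempts.
const SAMPLE_ENTRIES = [
  ['user.name', 'alice'],
  ['user.tags.0', 'admin'],
  ['__proto__.isAdmin', 'true'],
  ['user.constructor.prototype.isAdmin', 'true'],
];
```

Dropping the whole key (rather than only the offending segment) is the conservative choice: a body that tries to reach `__proto__` is not one whose remaining segments you want to honour. Building `result` with `Object.create(null)` is a reasonable extra layer, but the segment check is what prevents the walk in the first place.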
Full Changelog: v4.12.6...v4.12.7
v4.12.6
What's Changed
- fix(accept): replace regex split to mitigate ReDoS by @EdamAme-x in #4758
- fix(jsx): align link hoisting and dedupe with React 19 by @usualoma in #4792
- chore(build): tsconfig project references by @BarryThePenguin in #4797
- chore: add `tsconfig.spec.json` by @yusukebe in #4798
- feat(jsx-renderer): support function-based options by @3w36zj6 in #4780
- fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by @t0waxx in #4782
New Contributors
Full Changelog: v4.12.5...v4.12.6
v4.12.5
What's Changed
- fix(request): return `string | undefined` from param() when path type is any by @andrewdamelio in #4723
- fix(jwt): validate token format in decode and decodeHeader functions by @otoneko1102 in #4752
- fix(jsx): Fix "Invalid state: Controller is already closed" by @gaearon in #4770
- chore(eslint): upgrade `@hono/eslint-config` by @BarryThePenguin in #4781
New Contributors
- @andrewdamelio made their first contribution in #4723
- @otoneko1102 made their first contribution in #4752
- @gaearon made their first contribution in #4770
Full Changelog: v4.12.4...v4.12.5
v4.12.4
Security fixes
This release includes fixes for the following security issues:
SSE Control Field Injection
Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr
Cookie Attribute Injection in setCookie()
Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w
Middleware Bypass in Serve Static
Affects: Serve Static middleware. Fixes inconsistent URL decoding that could allow protected static resources to be accessed without triggering route-based middleware. GHSA-q5qw-h33p-qvwr
Users who use the Streaming Helper, Cookie utility, or Serve Static middleware are strongly encouraged to upgrade to this version.
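The cookie and SSE fixes in this release, together with the two cookie-name fixes in v4.12.12 above, share one root cause: a value placed into a delimiter-structured header or event stream was not checked against that format's grammar, or was checked by different rules when written and when read. The following is an added example, not Hono's hono/cookie or streamSSE() code, showing the checks a serializer and a parser need. The cookie-name grammar is RFC 6265's token rule; the `__Secure-`/`__Host-` constraints follow the cookie-prefixes proposal; the lax parser is a constructed illustration of how a read/write discrepancy around U+00A0 arises, not a description of Hono's pre-fix code.

```javascript
// Added example (not Hono's hono/cookie or streamSSE() implementation): validate
// delimiter-sensitive fields on the write path and parse them by the same rules.

// RFC 6265 cookie-name = token: printable ASCII except separators. No whitespace
// (ASCII or Unicode), no ';' '=' ',' and no control characters can be in a name.
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function serializeCookie(name, value, { path, domain, secure = false, httpOnly = false } = {}) {
  if (!COOKIE_NAME_RE.test(name)) {
    throw new TypeError(`invalid cookie name: ${JSON.stringify(name)}`);
  }
  // Path/Domain are unquoted attribute values: a ';' would start a new attribute
  // (e.g. "; Secure") and CR/LF would start a new header line.
  for (const [label, v] of [['path', path], ['domain', domain]]) {
    if (v !== undefined && /[;\r\n]/.test(v)) throw new TypeError(`invalid cookie ${label}`);
  }
  // Prefix rules: __Secure- needs Secure; __Host- additionally needs Path=/ and
  // no Domain, so a cookie set from a sibling host or path cannot impersonate it.
  if (name.startsWith('__Secure-') && !secure) throw new TypeError('__Secure- cookie must be Secure');
  if (name.startsWith('__Host-') && (!secure || path !== '/' || domain !== undefined)) {
    throw new TypeError('__Host- cookie must be Secure, Path=/ and have no Domain');
  }
  // Percent-encode the value so ';', ',', whitespace and control chars cannot
  // break the cookie-pair grammar.
  let out = `${name}=${encodeURIComponent(value)}`;
  if (path !== undefined) out += `; Path=${path}`;
  if (domain !== undefined) out += `; Domain=${domain}`;
  if (secure) out += '; Secure';
  if (httpOnly) out += '; HttpOnly';
  return out;
}

function decodeValue(v) {
  try { return decodeURIComponent(v); } catch { return v; }
}

// Read path, strict: trim only ASCII space, apply the same name grammar as the
// serializer, compare names byte-for-byte. A cookie sent as "\u00a0__Host-id=..."
// therefore has a different (and invalid) name and is ignored instead of being
// treated as "__Host-id". The first valid occurrence of a name wins.
function parseCookieHeader(header, wantedName) {
  const out = Object.create(null);
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).replace(/^ +| +$/g, '');
    const value = part.slice(eq + 1).replace(/^ +| +$/g, '');
    if (!COOKIE_NAME_RE.test(name)) continue;
    if (wantedName !== undefined && name !== wantedName) continue;
    if (!(name in out)) out[name] = decodeValue(value);
  }
  return out;
}

// Constructed contrast: String.prototype.trim() also strips U+00A0, so this
// parser collapses the two names and the attacker's earlier cookie wins.
function parseCookieHeaderLax(header) {
  const out = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...rest] = part.split('=');
    const key = name.trim();
    if (key !== '' && !(key in out)) out[key] = rest.join('=').trim();
  }
  return out;
}

// SSE: every field is one line "name: value". CR or LF inside event/id/retry
// would end the field early and let the rest of the value define new fields
// (or a whole new event), so they are rejected. data legitimately spans lines
// and is emitted as one "data:" line per line.
function formatSSE({ data, event, id, retry }) {
  for (const [label, v] of [['event', event], ['id', id], ['retry', retry]]) {
    if (v !== undefined && /[\r\n]/.test(String(v))) throw new TypeError(`invalid SSE ${label}`);
  }
  let out = '';
  if (event !== undefined) out += `event: ${event}\n`;
  if (id !== undefined) out += `id: ${id}\n`;
  if (retry !== undefined) out += `retry: ${retry}\n`;
  for (const line of String(data).split(/\r\n|\r|\n/)) out += `data: ${line}\n`;
  return out + '\n';
}
```

The point of sharing `COOKIE_NAME_RE` between `serializeCookie` and `parseCookieHeader` is the one the v4.12.12 advisories make: whatever the writer refuses to emit, the reader must refuse to accept, otherwise the gap between the two is where an attacker-controlled cookie lands.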
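The Serve Static bypass here (inconsistent URL decoding), the repeated-slash bypass in v4.12.12 above, and the toSSG() traversal in v4.12.12 are all path-canonicalization problems: one layer decides on the raw string while another decodes or normalizes before touching the filesystem. The following added example, which is not Hono's router, serveStatic or toSSG() code, canonicalizes a path once and hands the same string to route matching, the file lookup, and the output-directory containment check. The in-memory file table, the segment-wise route matcher, and the `//admin/...` and `%61dmin` requests are constructed for illustration; the advisories do not state which exact requests triggered the bugs, and `outDir` is assumed to be an absolute POSIX path.

```javascript
// Added example (not Hono's serveStatic, router or toSSG() code): canonicalize a
// request path once and use that one string for routing, file lookup and
// output-directory containment.

// Constructed in-memory "static root".
const FILES = new Map([
  ['/public/index.html', '<h1>hello</h1>'],
  ['/admin/secret.txt', 'top secret'],
]);

// Decode %xx once, reject malformed encodings and NUL, collapse "//" and "/./",
// resolve "..", and always return an absolute path. Returns null for input that
// cannot be made canonical.
function canonicalPath(rawPath) {
  let decoded;
  try { decoded = decodeURIComponent(rawPath); } catch { return null; }
  if (decoded.includes('\0')) return null;
  const out = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }   // ".." at the root is dropped
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Segment-wise matcher of the kind routers use: "/admin/*" matches "/admin/x"
// but not "//admin/x" (second segment is empty) or "/%61dmin/x" (not decoded).
function matchRoute(pattern, path) {
  const p = pattern.split('/');
  const s = path.split('/');
  for (let i = 0; i < p.length; i++) {
    if (p[i] === '*') return true;
    if (p[i] !== s[i]) return false;
  }
  return p.length === s.length;
}

const PROTECTED = '/admin/*';
function authorized(headers) { return typeof headers.authorization === 'string'; }

// The bug shape: the guard runs on the raw path, the file server on its own
// normalized copy. Returns an HTTP status code.
function serveLenient(rawPath, headers) {
  if (matchRoute(PROTECTED, rawPath) && !authorized(headers)) return 403;
  const path = canonicalPath(rawPath);
  return path !== null && FILES.has(path) ? 200 : 404;
}

// Fixed shape: canonicalize first, then every layer sees the same path.
function serveConsistent(rawPath, headers) {
  const path = canonicalPath(rawPath);
  if (path === null) return 400;
  if (matchRoute(PROTECTED, path) && !authorized(headers)) return 403;
  return FILES.has(path) ? 200 : 404;
}

// Write side (the toSSG() case): the file for a generated route must stay inside
// outDir (assumed absolute) even when a route parameter contains "..", an
// absolute path, or encoded traversal. The trailing "/" in the prefix check
// stops "/dist-old" from passing as inside "/dist". Returns the path to write,
// or null if it would escape.
function outputPathFor(outDir, routePath) {
  const root = canonicalPath(outDir);
  const target = canonicalPath(outDir + '/' + routePath);
  if (root === null || target === null) return null;
  return target.startsWith(root + '/') ? target : null;
}
```

On a real filesystem the containment check belongs after `fs.realpath` of the output directory as well, so a symlink inside `outDir` cannot redirect the write; that step is omitted here to keep the example offline.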
Other changes
- fix(client): preserve route schema in ApplyGlobalResponse by @agumy in #4777
- fix(utils/url): specify the return type of `tryDecodeURI` by @yusukebe in #4779
New Contributors
Full Changelog: v4.12.3...v4.12.4
v4.12.3
What's Changed
- fix(validator): prevent type diff bug in form data parsing by @EdamAme-x in #4753
- fix(jwt): use `Math.floor` instead of bitwise OR for safe timestamp by @EdamAme-x in #4754
- fix(jwt): fix `JwtVariables` for `ContextVariableMap` by @yusukebe in #4764
- fix(types): remove DOM type dependencies from ClientResponse and request method by @YevheniiKotyrlo in #4768
- fix(types): correct middleware types by @hmnd in #4774
- fix(jwt): prevent memory leak by avoiding mutation of options object by @EdamAme-x in #4759
New Contributors
- @YevheniiKotyrlo made their first contribution in #4768
- @hmnd made their first contribution in #4774
Full Changelog: v4.12.2...v4.12.3