fix(deps): update dependency hono to v4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
hono (source)	^3.0.0 -> ^4.0.0

GitHub Vulnerability Alerts

CVE-2023-50710

Impact

The clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources.

TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter.

The code to reproduce it. The server side application:

import { Hono } from 'hono'
import { TrieRouter } from 'hono/router/trie-router'

const wait = async (ms: number) => {
  return new Promise((resolve) => {
    setTimeout(resolve, ms)
  })
}

const app = new Hono({ router: new TrieRouter() })

app.use('*', async (c, next) => {
  await wait(Math.random() * 200)
  return next()
})

app.get('/modules/:id/versions/:version', async (c) => {
  const id = c.req.param('id')
  const version = c.req.param('version')

  console.log('path', c.req.path)
  console.log('version', version)

  return c.json({
    id,
    version,
  })
})

export default app

The client code which makes requests to the server application:

const examples = [
  'http://localhost:8787/modules/first/versions/first',
  'http://localhost:8787/modules/second/versions/second',
  'http://localhost:8787/modules/third/versions/third',
]

const test = () => {
  for (const example of examples) {
    fetch(example)
      .then((response) => response.json())
      .then((data) => {
        const splitted = example.split('/')
        const expected = splitted[splitted.length - 1]

        if (expected !== data.version) {
          console.error(`Error: exprected ${expected} but got ${data.version} - url was ${example}`)
        }
      })
  }
}

test()

The results:

Error: exprected second but got third - url was http://localhost:8787/modules/second/versions/second
Error: exprected first but got third - url was http://localhost:8787/modules/first/versions/first

Patches

"v3.11.7" includes the change to fix this issue.

Workarounds

Don't use TrieRouter directly.

// DON'T USE TrieRouter
import { TrieRouter } from 'hono/router/trie-router'
const app = new Hono({ router: new TrieRouter() })

References

Router options on the Hono website: https://hono.dev/api/hono#router-option

CVE-2024-32869

Summary

When using serveStatic with deno, it is possible to directory traverse where main.ts is located.

My environment is configured as per this tutorial
https://hono.dev/getting-started/deno

PoC

$ tree
.
├── deno.json
├── deno.lock
├── main.ts
├── README.md
└── static
    └── a.txt

source

import { Hono } from 'https://deno.land/x/hono@v4.2.6/mod.ts'
import { serveStatic } from 'https://deno.land/x/hono@v4.2.6/middleware.ts'

const app = new Hono()
app.use('/static/*', serveStatic({ root: './' }))

Deno.serve(app.fetch)

request

curl localhost:8000/static/%2e%2e/main.ts

response is content of main.ts

Impact

Unexpected files are retrieved.

CVE-2024-43787

Summary

Hono CSRF middleware can be bypassed using crafted Content-Type header.

Details

MIME types are case insensitive, but isRequestedByFormElementRe only matches lower-case.

https://github.com/honojs/hono/blob/b0af71fbcc6dbe44140ea76f16d68dfdb32a99a0/src/middleware/csrf/index.ts#L16-L17

As a result, attacker can bypass csrf middleware using upper-case form-like MIME type, such as "Application/x-www-form-urlencoded".

PoC

<html>
  <head>
    <title>CSRF Test</title>
    <script defer>
      document.addEventListener("DOMContentLoaded", () => {
        document.getElementById("btn").addEventListener("click", async () => {
          const res = await fetch("http://victim.example.com/test", {
            method: "POST",
            credentials: "include",
            headers: {
              "Content-Type": "Application/x-www-form-urlencoded",
            },
          });
        });
      });
    </script>
  </head>
  <body>
    <h1>CSRF Test</h1>
    <button id="btn">Click me!</button>
  </body>
</html>

Impact

Bypass csrf protection implemented with hono csrf middleware.

Discussion

I'm not sure that omitting csrf checks for Simple POST request is a good idea.
CSRF prevention and CORS are different concepts even though CORS can prevent CSRF in some cases.

---

Release Notes

honojs/hono (hono)

v4.5.8

Compare Source

Security Fix for CSRF Protection Middleware

Before this release, in versions 4.5.7 and below, the CSRF Protection Middleware did not treat requests including Content-Types with uppercase letters (e.g., Application/x-www-form-urlencoded) as potential attacks, allowing them to pass.

This could cause unexpected behavior, leading to a vulnerability. If you are using the CSRF Protection Middleware, please upgrade to version 4.5.8 or higher immediately.

For more details, see the report here: GHSA-rpfr-3m35-5vx5

v4.5.7

Compare Source

What's Changed

• fix(jsx/dom): Fixed a bug that caused Script elements to turn into Style elements. by @​usualoma in https://github.com/honojs/hono/pull/3294
• perf(jsx/dom): improve performance by @​usualoma in https://github.com/honojs/hono/pull/3288
• feat(jsx): improve a-tag types with well known values by @​ssssota in https://github.com/honojs/hono/pull/3287
• fix(validator): Fixed a bug in hono/validator where URL Encoded Data could not be validated if the Content-Type included charset. by @​uttk in https://github.com/honojs/hono/pull/3297
• feat(jsx): improve target and formtarget attribute types by @​ssssota in https://github.com/honojs/hono/pull/3299
• docs(README): change Twitter to X by @​nakasyou in https://github.com/honojs/hono/pull/3301
• fix(client): replace optional params to url correctly by @​yusukebe in https://github.com/honojs/hono/pull/3304
• feat(jsx): improve input attribute types based on react by @​ssssota in https://github.com/honojs/hono/pull/3302

New Contributors

• @​uttk made their first contribution in https://github.com/honojs/hono/pull/3297

Full Changelog: honojs/hono@v4.5.6...v4.5.7

v4.5.6

Compare Source

What's Changed

• fix(jsx): handle async component error explicitly and throw the error in the response by @​usualoma in https://github.com/honojs/hono/pull/3274
• fix(validator): support multipart headers without a separating space by @​Ernxst in https://github.com/honojs/hono/pull/3286
• fix(validator): Allow form data will mutliple values appended by @​nicksrandall in https://github.com/honojs/hono/pull/3273
• feat(jsx): improve meta-tag types with well known values by @​ssssota in https://github.com/honojs/hono/pull/3276

New Contributors

• @​Ernxst made their first contribution in https://github.com/honojs/hono/pull/3286
• @​ssssota made their first contribution in https://github.com/honojs/hono/pull/3276

Full Changelog: honojs/hono@v4.5.5...v4.5.6

v4.5.5

Compare Source

What's Changed

• fix(jsx): allow null, undefined, and boolean to be returned from function component by @​usualoma in https://github.com/honojs/hono/pull/3241
• feat(context): Add types for c.header by @​nakasyou in https://github.com/honojs/hono/pull/3221
• fix(jsx): fix draggable type to accept boolean by @​yasuaki640 in https://github.com/honojs/hono/pull/3253
• feat(context): add Context-Type types to c.header by @​nakasyou in https://github.com/honojs/hono/pull/3255
• fix(serve-static): supports directory contains . and not end / by @​yusukebe in https://github.com/honojs/hono/pull/3256

Full Changelog: honojs/hono@v4.5.4...v4.5.5

v4.5.4

Compare Source

What's Changed

• fix(jsx): corrects the type of 'draggable' attribute in intrinsic-elements.ts by @​yasuaki640 in https://github.com/honojs/hono/pull/3224
• feat(jsx): allow to merge CSSProperties declaration by @​jonasnobile in https://github.com/honojs/hono/pull/3228
• feat(client): Add WebSocket Provider Integration Tests and Enhance WebSocket Initialization by @​naporin0624 in https://github.com/honojs/hono/pull/3213
• fix(types): param in ValidationTargets supports optional param by @​yusukebe in https://github.com/honojs/hono/pull/3229

New Contributors

• @​jonasnobile made their first contribution in https://github.com/honojs/hono/pull/3228

Full Changelog: honojs/hono@v4.5.3...v4.5.4

v4.5.3

Compare Source

What's Changed

• fix(validator): Add double quotation marks to multipart checker regex by @​CPlusPatch in https://github.com/honojs/hono/pull/3195
• fix(validator): support application/json with a charset as JSON by @​yusukebe in https://github.com/honojs/hono/pull/3199
• fix(jsx): fix handling of SVG elements in JSX. by @​usualoma in https://github.com/honojs/hono/pull/3204
• fix(jsx/dom): fix performance issue with adding many new node listings by @​usualoma in https://github.com/honojs/hono/pull/3205
• fix(service-worker): refer to self.fetch correctly by @​yusukebe in https://github.com/honojs/hono/pull/3200

New Contributors

• @​CPlusPatch made their first contribution in https://github.com/honojs/hono/pull/3195

Full Changelog: honojs/hono@v4.5.2...v4.5.3

v4.5.2

Compare Source

What's Changed

• fix(helper/adapter): don't check navigator is undefined by @​yusukebe in https://github.com/honojs/hono/pull/3171
• fix(types): handle readonly array correctly by @​m-shaka in https://github.com/honojs/hono/pull/3172
• Revert "fix(helper/adapter): don't check navigator is undefined by @​yusukebe in https://github.com/honojs/hono/pull/3173
• fix(type): degradation of generic type handling by @​m-shaka in https://github.com/honojs/hono/pull/3138
• fix:(csrf) fix typo of csrf middleware by @​yasuaki640 in https://github.com/honojs/hono/pull/3178
• feat(secure-headers): remove "X-Powered-By" should be an option by @​EdamAme-x in https://github.com/honojs/hono/pull/3177

Full Changelog: honojs/hono@v4.5.1...v4.5.2

v4.5.1

Compare Source

What's Changed

• chore: remove rimraf and use bun shell by @​nakasyou in https://github.com/honojs/hono/pull/3146
• chore: moving the setup file of vitest by @​EdamAme-x in https://github.com/honojs/hono/pull/3157
• fix(middleware/jwt): Changed the jwt-secret type to SignatureKey by @​JulesVerner in https://github.com/honojs/hono/pull/3167
• feat(bearer-auth): Allow empty bearer-auth middleware prefixes by @​prevostc in https://github.com/honojs/hono/pull/3161
• chore(factory): remove @experimental from createApp by @​yusukebe in https://github.com/honojs/hono/pull/3164
• fix(client): support array values for query in ws by @​yusukebe in https://github.com/honojs/hono/pull/3169
• fix(validator): ignore content-type mismatches by @​yusukebe in https://github.com/honojs/hono/pull/3165

New Contributors

• @​JulesVerner made their first contribution in https://github.com/honojs/hono/pull/3167
• @​prevostc made their first contribution in https://github.com/honojs/hono/pull/3161

Full Changelog: honojs/hono@v4.5.0...v4.5.1

v4.5.0

Compare Source

v4.4.13

Compare Source

What's Changed

• chore: update benchmark by @​yusukebe in https://github.com/honojs/hono/pull/3102
• chore: replace tsx with Bun by @​nakasyou in https://github.com/honojs/hono/pull/3103
• refactor(http-status): remove unnecessary line of types and use common types by @​EdamAme-x in https://github.com/honojs/hono/pull/3110
• fix(jsx): redefine scope attribute as enum type by @​yasuaki640 in https://github.com/honojs/hono/pull/3118
• fix(types): allow string[] | File[] for RPC form value by @​yusukebe in https://github.com/honojs/hono/pull/3117
• fix(validator-types): type Alignment with Web Standards by @​EdamAme-x in https://github.com/honojs/hono/pull/3120
• fix(types): app.use(path, mw) return correct schema type by @​yusukebe in https://github.com/honojs/hono/pull/3128

Full Changelog: honojs/hono@v4.4.12...v4.4.13

v4.4.12

Compare Source

What's Changed

• fix(aws-lambda): set cookies with comma is bugged by @​NamesMT in https://github.com/honojs/hono/pull/3084
• fix(types): infer path when chaining after use by @​yusukebe in https://github.com/honojs/hono/pull/3087
• chore: update outdated links in JSDoc by @​ryuapp in https://github.com/honojs/hono/pull/3089
• fix(jsx): changes behavior when download attribute is set to a boolean value. by @​oon00b in https://github.com/honojs/hono/pull/3094
• chore: add the triage label by @​mvares in https://github.com/honojs/hono/pull/3092
• feat(types): improve JSONParsed by @​m-shaka in https://github.com/honojs/hono/pull/3074
• fix(helper/streaming): remove slow types by @​yusukebe in https://github.com/honojs/hono/pull/3100
• chore(utils/jwt): add @module docs by @​yusukebe in https://github.com/honojs/hono/pull/3101

New Contributors

• @​oon00b made their first contribution in https://github.com/honojs/hono/pull/3094

Full Changelog: honojs/hono@v4.4.11...v4.4.12

v4.4.11

Compare Source

What's Changed

• refactor: remove unnecessary async keyword from router tests by @​K-tecchan in https://github.com/honojs/hono/pull/3061
• fix(validator): don't return a FormData if formData is cached by @​yusukebe in https://github.com/honojs/hono/pull/3067
• fix(client): Add Query Parameter Support to WebSocket Client in hono/client by @​naporin0624 in https://github.com/honojs/hono/pull/3066
• refactor(types): move HandlerInterface's (path, handler)s overloads down by @​NamesMT in https://github.com/honojs/hono/pull/3072
• test(helper/dev): fix typo of test case name by @​yasuaki640 in https://github.com/honojs/hono/pull/3073
• fix(stream): Fixed a problem that onAbort() is called even if request is normally closed in deno by @​usualoma in https://github.com/honojs/hono/pull/3079

New Contributors

• @​K-tecchan made their first contribution in https://github.com/honojs/hono/pull/3061

Full Changelog: honojs/hono@v4.4.10...v4.4.11

v4.4.10

Compare Source

What's Changed

• chore(jsr): export JWT utils by @​ryuapp in https://github.com/honojs/hono/pull/3056
• fix(streaming): call stream.abort() explicitly when request is aborted by @​usualoma in https://github.com/honojs/hono/pull/3042
• fix(client): set Path as the default of Original by @​m-shaka in https://github.com/honojs/hono/pull/3058

New Contributors

• @​m-shaka made their first contribution in https://github.com/honojs/hono/pull/3058

Full Changelog: honojs/hono@v4.4.9...v4.4.10

v4.4.9

Compare Source

What's Changed

• perf(context): improve initializing Context by @​yusukebe in https://github.com/honojs/hono/pull/3046
• fix(types): correct inferring env when routes channing by @​yusukebe in https://github.com/honojs/hono/pull/3051
• docs: update the description of package.json and README by @​yusukebe in https://github.com/honojs/hono/pull/3052
• fix(timing): prevent duplicate applications by @​yusukebe in https://github.com/honojs/hono/pull/3054

Full Changelog: honojs/hono@v4.4.8...v4.4.9

v4.4.8

Compare Source

What's Changed

• fix(jsx): add an explicit type by @​yusukebe in https://github.com/honojs/hono/pull/3007
• ci: use env for codecov GitHub Actions by @​yusukebe in https://github.com/honojs/hono/pull/3010
• chore: Fix typos in JSDoc by @​NicoPlyley in https://github.com/honojs/hono/pull/3002
• fix: change to allow use of websocket options by @​EdamAme-x in https://github.com/honojs/hono/pull/2999
• perf: parseAccept without spread operator by @​Jayllyz in https://github.com/honojs/hono/pull/3003
• test: add tests for buffer.ts by @​yasuaki640 in https://github.com/honojs/hono/pull/3004
• chore: upload bun test coverage to CodeCov by @​exoego in https://github.com/honojs/hono/pull/3022
• refactor: remove unneeded import statements by @​EdamAme-x in https://github.com/honojs/hono/pull/3014
• perf(utils/buffer): use promise all for better performance by @​yasuaki640 in https://github.com/honojs/hono/pull/3031

Full Changelog: honojs/hono@v4.4.7...v4.4.8

v4.4.7

Compare Source

What's Changed

• use correct return type for c.html depending on input by @​asmadsen in https://github.com/honojs/hono/pull/2973
• test: test uncovered return statement by @​yasuaki640 in https://github.com/honojs/hono/pull/2985
• test: Update request.test.ts to remove duplicate checks by @​JoaquimLey in https://github.com/honojs/hono/pull/2984
• fix(types): env variables override ContextVariableMap by @​KaelWD in https://github.com/honojs/hono/pull/2987

New Contributors

• @​asmadsen made their first contribution in https://github.com/honojs/hono/pull/2973
• @​JoaquimLey made their first contribution in https://github.com/honojs/hono/pull/2984
• @​KaelWD made their first contribution in https://github.com/honojs/hono/pull/2987

Full Changelog: honojs/hono@v4.4.6...v4.4.7

v4.4.6

Compare Source

What's Changed

• fix(aws-lambda): handle multiple cookies in streaming responses by @​KnisterPeter in https://github.com/honojs/hono/pull/2926

Full Changelog: honojs/hono@v4.4.5...v4.4.6

v4.4.5

Compare Source

What's Changed

• fix(cors): allow custom vary header by @​fzn0x in https://github.com/honojs/hono/pull/2934
• fix(jsx): rename Hono to JSX and export JSX namespace by @​yusukebe in https://github.com/honojs/hono/pull/2937
• refactor(hono-base): make 2nd arg of app.route() required by @​yusukebe in https://github.com/honojs/hono/pull/2945
• refactor(hono-base): don't check 1st argument of app.on() by @​yusukebe in https://github.com/honojs/hono/pull/2946
• refactor(context): remove unnecessary initialization add add tests for Context by @​yusukebe in https://github.com/honojs/hono/pull/2949
• test(hono-base): add tests for covering 100% by @​yusukebe in https://github.com/honojs/hono/pull/2952
• fix(context): default JSONRespond and TextRespond StatusCode generic arg by @​EdamAme-x in https://github.com/honojs/hono/pull/2954
• refactor(request): shorten parseBody and remove unnecessary check by @​yusukebe in https://github.com/honojs/hono/pull/2947
• refactor(jsx): reduce code size and improve maintainability by @​usualoma in https://github.com/honojs/hono/pull/2956

Full Changelog: honojs/hono@v4.4.4...v4.4.5

v4.4.4

Compare Source

What's Changed

• fix(typo): Fix typo in request.test.ts by @​yasuaki640 in https://github.com/honojs/hono/pull/2899
• feat(hono-base): skip import HTTPException by using HTTPResponseError by @​usualoma in https://github.com/honojs/hono/pull/2898
• chore: improve unfinalized response error by @​Cherry in https://github.com/honojs/hono/pull/2902
• chore: create .gitpod.yml by @​EdamAme-x in https://github.com/honojs/hono/pull/2868
• fix(cloudflare-workers): export getConnInfo() by @​ryuapp in https://github.com/honojs/hono/pull/2906
• fix(hono-base): return 404 if lacking response in a single sync handler by @​yusukebe in https://github.com/honojs/hono/pull/2909
• refactor: remove Prettify as duplicated with Simplify by @​NamesMT in https://github.com/honojs/hono/pull/2914
• fix(types): #​2912: interfaces array's respond typed as never by @​NamesMT in https://github.com/honojs/hono/pull/2915
• feat(context): c.redirect() supports TypedResponse by @​yusukebe in https://github.com/honojs/hono/pull/2908
• feat(jsx): support htmlfor attribute alias by @​akira-tsuno in https://github.com/honojs/hono/pull/2916
• fix(filepath): allow suffix includes - and _ by @​yusukebe in https://github.com/honojs/hono/pull/2910
• fix(types): add _ prefix to TypedResponse properties by @​yusukebe in https://github.com/honojs/hono/pull/2917
• fix(types): SimplifyDeepArray should now actually be "deep" by @​NamesMT in https://github.com/honojs/hono/pull/2920
• refactor(middleware/serve-static): call getContent only once if the file does not exist by @​usualoma in https://github.com/honojs/hono/pull/2922
• chore: add text and html for coverage reporter by @​yusukebe in https://github.com/honojs/hono/pull/2923
• refactor(conninfo): create types.ts for type definitions by @​yusukebe in https://github.com/honojs/hono/pull/2924

New Contributors

• @​yasuaki640 made their first contribution in https://github.com/honojs/hono/pull/2899
• @​Cherry made their first contribution in https://github.com/honojs/hono/pull/2902
• @​akira-tsuno made their first contribution in https://github.com/honojs/hono/pull/2916

Full Changelog: honojs/hono@v4.4.3...v4.4.4

v4.4.3

Compare Source

What's Changed

• ci: Update workflow name of release.yml by @​siguici in https://github.com/honojs/hono/pull/2874
• refactor: removed unnecessary line by @​EdamAme-x in https://github.com/honojs/hono/pull/2869
• ci: change name of workflow jobs by @​EdamAme-x in https://github.com/honojs/hono/pull/2875
• docs(jsdoc): add jsdoc of some modules by @​EdamAme-x in https://github.com/honojs/hono/pull/2836
• ci: Report coverage with CodeCov by @​exoego in https://github.com/honojs/hono/pull/2862
• docs: update readme and migrate guide for migrating deno.land/x to JSR by @​yusukebe in https://github.com/honojs/hono/pull/2879
• chore: add coverage badge to README by @​exoego in https://github.com/honojs/hono/pull/2881
• fix(websocket): the onopen event cannot be triggered during delayed operations in deno by @​JetLua in https://github.com/honojs/hono/pull/2864
• fix(cloudflare-workers): Update websocket.ts to return 101 status code by @​ronkeiser in https://github.com/honojs/hono/pull/2886
• test(workerd): rename the runtime test wrangler to workerd by @​yusukebe in https://github.com/honojs/hono/pull/2888
• test(workerd): add tests for WebSocket by @​yusukebe in https://github.com/honojs/hono/pull/2891
• refactor(aws-lambda): merge custom-context into types by @​exoego in https://github.com/honojs/hono/pull/2889
• chore: Exclude type-only files from coverage by @​exoego in https://github.com/honojs/hono/pull/2890
• test(presets): add tests for hono/quick and hono/tiny by @​yusukebe in https://github.com/honojs/hono/pull/2892
• fix(types): fix typo for unofficial status code type by @​ryuapp in https://github.com/honojs/hono/pull/2894
• feat(hono-base): add replaceRequest option for app.mount by @​yusukebe in https://github.com/honojs/hono/pull/2852

New Contributors

• @​siguici made their first contribution in https://github.com/honojs/hono/pull/2874
• @​JetLua made their first contribution in https://github.com/honojs/hono/pull/2864
• @​ronkeiser made their first contribution in https://github.com/honojs/hono/pull/2886

Full Changelog: honojs/hono@v4.4.2...v4.4.3

v4.4.2

Compare Source

What's Changed

• fix: add return types of void function by @​EdamAme-x in https://github.com/honojs/hono/pull/2870

Full Changelog: honojs/hono@v4.4.1...v4.4.2

v4.4.1

Compare Source

What's Changed

• refactor(pretty-json): remove useless condition by @​6km in https://github.com/honojs/hono/pull/2815
• fix(aws-lambda): Update handler.ts getQueryString by @​qualipsolutions in https://github.com/honojs/hono/pull/2782
• refactor(aws-lambda): Object.hasOwn is recommended by @​exoego in https://github.com/honojs/hono/pull/2831
• fix(client): allow multiple files on the same key in form by @​olivier-drieux in https://github.com/honojs/hono/pull/2791
• fix(helper/ssg): fix bug of joinPaths by @​EdamAme-x in https://github.com/honojs/hono/pull/2809
• chore: Author should include JSDoc by @​fzn0x in https://github.com/honojs/hono/pull/2840
• fix(middleware/body-limit): set default duplex option for readable stream by @​fzn0x in https://github.com/honojs/hono/pull/2837
• refactor(websocket): remove unused condition by @​fzn0x in https://github.com/honojs/hono/pull/2839
• feat(bun): WebSocket helper supports that env be { server: server } by @​nakasyou in https://github.com/honojs/hono/pull/2812
• refactor: added paths-ignore for ignore files of dont need tests by @​EdamAme-x in https://github.com/honojs/hono/pull/2850
• ci: include node22 tests by @​Jayllyz in https://github.com/honojs/hono/pull/2851
• docs(src/*): Add TSDoc comments to improve code documentation by @​fzn0x in https://github.com/honojs/hono/pull/2841
• fix(types): allow blank env by @​fzn0x in https://github.com/honojs/hono/pull/2834
• refactor: removed v4 branch in actions. by @​EdamAme-x in https://github.com/honojs/hono/pull/2849
• refactor(helper/adapter): improve runtime detection by @​6km in https://github.com/honojs/hono/pull/2846
• fix(jsx/dom): Fixed to not add "px" for certain properties, even if numeric value is given by @​usualoma in https://github.com/honojs/hono/pull/2845
• refactor(aws-lambda): remove unused setHeadersToResult by @​exoego in https://github.com/honojs/hono/pull/2828
• fix(validator): support json api header by @​dil-borosz in https://github.com/honojs/hono/pull/2855
• refactor(helper/testing): remove some any of helper/testing by @​EdamAme-x in https://github.com/honojs/hono/pull/2833
• docs: change to shell highlight by @​EdamAme-x in https://github.com/honojs/hono/pull/2848
• refactor(compose): Remove type definition of ComposeContext that was defined twice by @​chimame in https://github.com/honojs/hono/pull/2858

New Contributors

• @​6km made their first contribution in https://github.com/honojs/hono/pull/2815
• @​qualipsolutions made their first contribution in https://github.com/honojs/hono/pull/2782
• @​olivier-drieux made their first contribution in https://github.com/honojs/hono/pull/2791
• @​Jayllyz made their first contribution in https://github.com/honojs/hono/pull/2851
• @​dil-borosz made their first contribution in https://github.com/honojs/hono/pull/2855
• @​chimame made their first contribution in https://github.com/honojs/hono/pull/2858

Full Changelog: honojs/hono@v4.4.0...v4.4.1

v4.4.0

Compare Source

Hono v4.4.0 is now available! Let's take a look at the new features.

Support JSR

Now, Hono is available on JSR - a new JavaScript/TypeScript registry! You can install the Hono package from JSR right now. If you want to run your Hono app on Deno, you can install it with the following command:

deno add @​hono/hono

Then, use it in your code!

// main.ts
import { Hono } from '@​hono/hono'

const app = new Hono()

app.get('/', (c) => c.text('Hello JSR!'))

export default app

And run it:

deno serve main.ts

If you edit the deno.json and set the paths appropriately, the exact same code that you are familiar with will work in Deno, Cloudflare Workers, and Bun.

deno.json:

{
  "imports": {
    "hono": "jsr:@​hono/hono@^4.4.0"
  }
}

Area.mp4

JSR is not exclusive to Deno. You can use it with npm and Bun.

### npm
npx jsr add @​hono/hono

### bun
bunx jsr add @​hono/hono

And, removing "slow types" has improved the performance of TypeScript type inference.

With the introduction of JSR, the previous package publishing from deno.land/x will be obsolete.

Introduce ConnInfo Helper

The ConnInfo Helper is a helper helps you to get the connection information. For example, you can get the client's remote address easily.

import { Hono } from 'hono'
import { getConnInfo } from 'hono/deno' // For Deno

const app = new Hono()

app.get('/', (c) => {
  const info = getConnInfo(c) // info is `ConnInfo`
  return c.text(`Your remote address is ${info.remote.address}`)
})

export default app

Thank you for creating the feature, @​nakasyou!

Introduce Timeout Middleware

The Timeout Middleware is a middleware enables you to easily manage request timeouts in your application.

Here is a simple example:

import { Hono } from 'hono'
import { timeout } from 'hono/timeout'

const app = new Hono()

// Applying a 5-second timeout
app.use('/api', timeout(5000))

// Handling a route
app.get('/api/data', async (c) => {
  // Your route handler logic
  return c.json({ data: 'Your data here' })
})

Thank you for creating the feature, @​watany-dev!

Improving JSDoc

We are now trying to improve the JSDocs. In the PR, we've added the JSDocs for all middleware. Thank you, @​goisaki!

Other features

• URL utility - decode percent-encoded path in getPath https://github.com/honojs/hono/pull/2714
• Body utility - add dot notation support for parseBody https://github.com/honojs/hono/pull/2675
• Body utility - specify detailed return type for parseBody https://github.com/honojs/hono/pull/2771
• SSG Helper - enhance combined hooks https://github.com/honojs/hono/pull/2686
• JSX DOM - improve compatibility with React - The 2024 May Update https://github.com/honojs/hono/pull/2756
• JSX DOM - introduce react-dom/client APIs and React.version https://github.com/honojs/hono/pull/2795

All Updates

• fix(secure-header): Replace NodeJS Buffer API by @​watany-dev in https://github.com/honojs/hono/pull/2761
• fix(http-exception): prioritize the status code by @​yusukebe in https://github.com/honojs/hono/pull/2767
• feat: Introduce ConnInfo helper/adapter by @​nakasyou in https://github.com/honojs/hono/pull/2595
• feat(middleware): Introduce Timeout Middleware by @​watany-dev in https://github.com/honojs/hono/pull/2615
• feat: decode percent-encoded path in getPath by @​usualoma in https://github.com/honojs/hono/pull/2714
• feat(utils/body): add dot notation support for parseBody by @​fzn0x in https://github.com/honojs/hono/pull/2675
• refactor(cloudflare-workers): remove @cloudflare/workers-types by @​yusukebe in https://github.com/honojs/hono/pull/2773
• feat(jsx/dom): improve compatibility with React - The 2024 May Update by @​usualoma in https://github.com/honojs/hono/pull/2756
• feat(utils): specify detailed return type for parseBody by @​usualoma in https://github.com/honojs/hono/pull/2771
• feat(ssg): enhance conbined hooks by @​watany-dev in https://github.com/honojs/hono/pull/2686
• feat(jsr): support JSR by @​yusukebe in https://github.com/honojs/hono/pull/2662
• refactor(request): show user-friendly type for c.req.param() by @​usualoma in https://github.com/honojs/hono/pull/2780
• refactor(utils/body): minor cleanup by @​MathurAditya724 in https://github.com/honojs/hono/pull/2783
• docs(readme): update the badges by @​yusukebe in https://github.com/honojs/hono/pull/2785
• chore(actions): update on condition for publish-to-jsr by @​yusukebe in https://github.com/honojs/hono/pull/2786
• chore(deno): change path including deno_dist by @​ryuapp in https://github.com/honojs/hono/pull/2788
• fix(middleware/jwt): typo by @​euijinkk in https://github.com/honojs/hono/pull/2789
• chore(lint): update eslint rules by @​yusukebe in https://github.com/honojs/hono/pull/2790
• fix(middleware): export variables type from each index.ts by @​yusukebe in https://github.com/honojs/hono/pull/2793
• docs: add module docs by @​yusukebe in https://github.com/honojs/hono/pull/2796
• feat(jsx/dom): introduce react-dom/client APIs and React.version by @​usualoma in https://github.com/honojs/hono/pull/2795
• docs(readme): update readme and jsr.json by @​yusukebe in https://github.com/honojs/hono/pull/2803
• Next for v4.4.0 by @​yusukebe in https://github.com/honojs/hono/pull/2769
• chore: update lockfile by @​yusukebe in https://github.com/honojs/hono/pull/2805

New Contributors

• @​euijinkk made their first contribution in https://github.com/honojs/hono/pull/2789

Full Changelog: honojs/hono@v4.3.9...v4.4.0

v4.3.11

Compare Source

What's Changed

• fix(middleware/jwt): fix incorrect assumption in jwt impl by @​boehs in https://github.com/honojs/hono/pull/2775

New Contributors

• @​boehs made their first contribution in https://github.com/honojs/hono/pull/2775

Full Changelog: honojs/hono@v4.3.10...v4.3.11

v4.3.10

Compare Source

What's Changed

• fix(secure-header): Replace NodeJS Buffer API by @​watany-dev in https://github.com/honojs/hono/pull/2761
• fix(http-exception): prioritize the status code by @​yusukebe in https://github.com/honojs/hono/pull/2767
• feat(etag): export RETAINED_304_HEADERS by @​yusukebe in https://github.com/honojs/hono/pull/2763

Full Changelog: honojs/hono@v4.3.9...v4.3.10

v4.3.9

Compare Source

What's Changed

• fix(factory): export CreateHandlersInterface by @​yusukebe in https://github.com/honojs/hono/pull/2752
• feat(aws-lambda): add support for alb multiValueQueryStringParameters by @​yiss in https://github.com/honojs/hono/pull/2751

Full Changelog: honojs/hono@v4.3.8...v4.3.9

v4.3.8

Compare Source

What's Changed

• test(validator): compatibility with Node.js v20.13.1 by @​yusukebe in https://github.com/honojs/hono/pull/2682
• refactor(utils/jwt): remove some any by @​fzn0x in https://github.com/honojs/hono/pull/2684
• refactor(timing): don't use Partial for the options by @​yusukebe in https://github.com/honojs/hono/pull/2712
• refactor(secure-headers): don't use Partial for the options by @​yusukebe in https://github.com/honojs/hono/pull/2713
• fix(context): Retain all cookies when passing ResponseInit to c.body by @​codeflows in https://github.com/honojs/hono/pull/2690
• fix(hono-jsx): make ref unrequried for forward ref by @​dygy in https://github.com/honojs/hono/pull/2715

New Contributors

• @​fzn0x made their first contribution in https://github.com/honojs/hono/pull/2684
• @​codeflows made their first contribution in https://github.com/honojs/hono/pull/2690
• @​dygy made their first contribution in https://github.com/honojs/hono/pull/2715

Full Changelog: honojs/hono@v4.3.7...v4.3.8

v4.3.7

Compare Source

What's Changed

• doc(ssg): Define the default value for Content-Type by @​watany-dev in https://github.com/honojs/hono/pull/2666
• feat(aws-lambda): add alb event processor by @​yiss in https://github.com/honojs/hono/pull/2657
• feat(utils/cookie): allow setting cookie SameSite attribute in lowercase too by @​BlankParticle in https://github.com/honojs/hono/pull/2668
• fix(method-override): remove un-needed import of URLSearchParams in method override middleware by @​f5io in https://github.com/honojs/hono/pull/2679

New Contributors

• @​yiss made their first contribution in https://github.com/honojs/hono/pull/2657
• @​BlankParticle made their first contribution in https://github.com/honojs/hono/pull/2668
• @​f5io made their first contribution in https://github.com/honojs/hono/pull/2679

Full Changelog: honojs/hono@v4.3.6...v4.3.7

v4.3.6

Compare Source

What's Changed

• feat(cache): improved customizability by @​MathurAditya724 in https://github.com/honojs/hono/pull/2652
• fix(utils/body): support multiple Files by @​yusukebe in [https://github.com/fix(utils/body): support multiple Files honojs/hono#2665](https://togithub.com/honojs/hono/p

[changeset-bot]

⚠️ No Changeset found

Latest commit: 464c8a8

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR