Releases: honojs/hono
v4.12.16
Security fixes
This release includes fixes for the following security issues:
Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection
Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432
bodyLimit() can be bypassed for chunked / unknown-length requests
Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v
v4.12.15
v4.12.14
Security fixes
This release includes fixes for the following security issues:
Improper handling of JSX attribute names in hono/jsx SSR
Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375
Other changes
v4.12.13
v4.12.12
Security fixes
This release includes fixes for the following security issues:
Middleware bypass via repeated slashes in serveStatic
Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c
Path traversal in toSSG() allows writing files outside the output directory
Affects: toSSG() for Static Site Generation. Fixes a path traversal issue where crafted ssgParams values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx
Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g
Missing validation of cookie name on write path in setCookie()
Affects: setCookie(), serialize(), and serializeSigned() from hono/cookie. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm
Non-breaking space prefix bypass in cookie name handling in getCookie()
Affects: getCookie() from hono/cookie. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4
Users who use Serve Static, Static Site Generation, Cookie utilities, or IP restriction middleware are strongly encouraged to upgrade to this version.
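The IPv4-mapped IPv6 issue in the ipRestriction() entry above comes down to comparing address strings without canonicalizing them first. The following is an added illustration, not Hono's own implementation: `canonicalizeIp`, `isDeniedNaive` and `isDenied` are hypothetical helpers, and the deny list is constructed for the example.

```javascript
// Added example (not Hono code): canonicalize IPv4-mapped IPv6 addresses before
// matching them against allow/deny rules, so "::ffff:127.0.0.1" and "127.0.0.1"
// are treated as the same client.

// Matches the IPv4-mapped prefix in its compressed ("::ffff:") and fully
// expanded ("0:0:0:0:0:ffff:") spellings and captures whatever follows it.
const MAPPED_PREFIX = /^(?:(?:0{1,4}:){5}|(?:0{1,4}(?::0{1,4}){0,3})?::)ffff:(.+)$/;

// Return the dotted IPv4 form for an IPv4-mapped IPv6 address; any other
// input (plain IPv4, genuine IPv6) is returned trimmed and lower-cased.
function canonicalizeIp(ip) {
  const s = ip.trim().toLowerCase();
  const m = MAPPED_PREFIX.exec(s);
  if (!m) return s;
  const rest = m[1];
  // Dotted form: ::ffff:127.0.0.1
  if (/^\d{1,3}(?:\.\d{1,3}){3}$/.test(rest)) return rest;
  // Hex form: ::ffff:7f00:1 -> two 16-bit groups holding the IPv4 address
  const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(rest);
  if (!hex) return s;
  const hi = parseInt(hex[1], 16);
  const lo = parseInt(hex[2], 16);
  return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join('.');
}

// Naive check: raw string comparison, so a mapped address slips past the rule.
function isDeniedNaive(ip, denyList) {
  return denyList.includes(ip);
}

// Hardened check: canonicalize both the client address and every rule entry.
function isDenied(ip, denyList) {
  const client = canonicalizeIp(ip);
  return denyList.some((rule) => canonicalizeIp(rule) === client);
}

// Constructed sample rule set for the demonstration.
const DENY = ['127.0.0.1', '10.0.0.0'];
console.log(isDeniedNaive('::ffff:127.0.0.1', DENY)); // false: rule bypassed
console.log(isDenied('::ffff:127.0.0.1', DENY));      // true: rule enforced
```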
v4.12.11
v4.12.10
What's Changed
- test(router): fix `Simple capturing group` test by @yusukebe in #4838
- docs: fix impaired -> inspired typo in benchmark READMEs by @Abhi3975 in #4843
- fix(jsx/dom): apply select value after children are rendered by @usualoma in #4847
- fix(compress): convert strong ETag to weak ETag when compressing by @usualoma in #4848
- docs(ip-restriction): add clear JSDoc examples and param types by @VISHNU7KASIREDDY in #4851
New Contributors
- @Abhi3975 made their first contribution in #4843
- @VISHNU7KASIREDDY made their first contribution in #4851
Full Changelog: v4.12.9...v4.12.10
v4.12.9
What's Changed
- fix(request): remove `parseBody` from bodyCache to prevent TypeError by @yusukebe in #4807
- feat(client): add `PickResponseByStatusCode` type by @yusukebe in #4791
- fix(ssg): pass SSG_CONTEXT to forGetInfoURLRequest by @yuintei in #4810
- fix(service-worker): make `fire()` fallback behavior consistent with `handle()` by @yusukebe in #4821
- fix(cors): reflect request origin when credentials is true with wildcard by @ctonneslan in #4813
New Contributors
Full Changelog: v4.12.8...v4.12.9
v4.12.8
What's Changed
- fix(utils/mime): Normalize input extension to lowercase before MIME check by @TheEssem in #4800
- fix(bearer-auth): escape regex metacharacters in bearer auth prefix option by @otoneko1102 in #4750
New Contributors
Full Changelog: v4.12.7...v4.12.8
v4.12.7
Security hardening
Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.
Full Changelog: v4.12.6...v4.12.7