Releases: honojs/hono
v4.10.4
What's Changed
- chore: add a monochrome logo image by @yusukebe in #4487
- chore: fix the monochrome logo by @yusukebe in #4488
- fix(secure-headers): proposed features typo spelling mistake by @RosApr in #4494
- fix(types): preserve handler response typing in createHandlers by @s-junio in #4492
New Contributors
Full Changelog: v4.10.3...v4.10.4
Contributors
Assets 2
v4.10.3
Securiy Fix
A security issue in the CORS middleware has been fixed. In some cases, a request header could affect the Vary response header. Please update to the latest version if you are using the CORS middleware.
What's Changed
- fix(aws-lambda): serve microsoft office files as binary in lambda handler by @matthiasfeist in #4469
- fix(request-id): validation accepts
=by @ryuapp in #4478 - refactor(jwt): reduce the size of the code generated by minification by @usualoma in #4480
New Contributors
- @matthiasfeist made their first contribution in #4469
Full Changelog: v4.10.2...v4.10.3
Contributors
Assets 2
v4.10.2
Security hardening improvement
If you are using JWT middleware, please read the following and consider applying the configuration.
Improper Authorization in Hono (JWT Audience Validation)
Hono’s JWT authentication middleware did not validate the aud (Audience) claim by default. As a result, applications using the middleware without an explicit audience check could accept tokens intended for other audiences, leading to potential cross-service access (token mix-up).
The issue is addressed by adding a new verification.aud configuration option to allow RFC 7519–compliant audience validation. This change is classified as a security hardening improvement, but the lack of validation can still be considered a vulnerability in deployments that rely on default JWT verification.
Recommended secure configuration
You can enable RFC 7519–compliant audience validation using the new verification.aud option:
import { Hono } from 'hono'
import { jwt } from 'hono/jwt'
const app = new Hono()
app.use(
'/api/*',
jwt({
secret: 'my-secret',
verification: {
// Require this API to only accept tokens with aud = 'service-a'
aud: 'service-a',
},
})
)What's Changed
New Contributors
Full Changelog: v4.10.1...v4.10.2
Contributors
Assets 2
v4.10.1
What's Changed
Full Changelog: v4.10.0...v4.10.1
Contributors
Assets 2
v4.10.0
Release Notes
Hono v4.10.0 is now available!
This release brings improved TypeScript support and new utilities.
The main highlight is the enhanced middleware type definitions that solve a long-standing issue with type safety for RPC clients.
Middleware Type Improvements
Imagine the following app:
import { Hono } from 'hono'
const app = new Hono()
const routes = app.get(
'/',
(c) => {
return c.json({ errorMessage: 'Error!' }, 500)
},
(c) => {
return c.json({ message: 'Success!' }, 200)
}
)The client with RPC:
import { hc } from 'hono/client'
const client = hc<typeof routes>('/')
const res = await client.index.$get()
if (res.status === 500) {
}
if (res.status === 200) {
}Previously, it couldn't infer the responses from middleware, so a type error was thrown.
Now the responses are correctly typed.
This was a long-standing issue and we were thinking it was super difficult to resolve it. But now come true.
Thank you for the great work @slawekkolodziej!
cloneRawRequest Utility
The new cloneRawRequest utility allows you to clone the raw Request object after it has been consumed by validators or middleware.
import { cloneRawRequest } from 'hono/request'
app.post('/api', async (c) => {
const body = await c.req.json()
// Clone the consumed request
const clonedRequest = cloneRawRequest(c.req)
await externalLibrary.process(clonedRequest)
})Thanks @kamaal111!
New features
- feat(types): passing middleware types #4393
- feat(ssg): add default plugin that defines the recommended behavior #4394
- feat(request): add cloneRawRequest utility for request cloning #4382
All changes
- feat(types): passing middleware types by @slawekkolodziej in #4393
- feat(ssg): add default plugin that defines the recommended behavior by @3w36zj6 in #4394
- feat(request): add cloneRawRequest utility for request cloning by @kamaal111 in #4382
- fix(proxy): Correct hop-by-hop header handling per RFC 9110 by @sugar-cat7 in #4459
New Contributors
- @slawekkolodziej made their first contribution in #4393
- @kamaal111 made their first contribution in #4382
Full Changelog: v4.9.12...v4.10.0
Contributors
Assets 2
v4.9.12
What's Changed
- refactor: internal structure of
PreparedRegExpRouterfor optimization and added tests by @usualoma in #4456 - refactor: use protected methods instead of computed properties to allow
tree shakingby @usualoma in #4458
Full Changelog: v4.9.11...v4.9.12
Contributors
Assets 2
v4.9.11
What's Changed
- fix(types): fix 4.9.8 regression by @aadito123 in #4448
- feat(reg-exp-router): Introduced PreparedRegExpRouter by @usualoma in #1796
New Contributors
- @aadito123 made their first contribution in #4448
Full Changelog: v4.9.10...v4.9.11
Contributors
Assets 2
v4.9.10
What's Changed
- fix(context): Fix #4427 type regression by removing non-public export by @aantthony in #4433
- fix(aws-lambda): sanitize non-ASCII header values to prevent ByteString errors by @yusukebe in #4437
Full Changelog: v4.9.9...v4.9.10
Contributors
Assets 2
v4.9.9
What's Changed
- fix(service-worker): Update service-worker fire() to accept generic variants of Hono app instance by @harmony7 in #4420
- fix(service-worker): correct generics for
handleby @yusukebe in #4421 - feat(helper/route): enable to get route path at specific index by @usualoma in #4423
New Contributors
Full Changelog: v4.9.8...v4.9.9
Contributors
Assets 2
v4.9.8
What's Changed
- fix(types): JSONParsed infer unknown values by @BarryThePenguin in #4405
- refactor(types): remove SimplifyDeepArray from json types by @BarryThePenguin in #4406
- refactor(types): fix the type definitions in hono-base by @yusukebe in #4407
- fix(request): return empty string for empty catch-all param by @amitksingh0880 in #4395
New Contributors
- @amitksingh0880 made their first contribution in #4395
Full Changelog: v4.9.7...v4.9.8
