fix(deps): update dependency hono to v4.9.7 [security]

[renovate]

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package	Change	Age	Confidence
hono (source)	4.6.14 -> 4.9.7

GitHub Vulnerability Alerts

CVE-2025-59139

Summary

A flaw in the bodyLimit middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present.

Details

The middleware previously prioritized the Content-Length header even when a Transfer-Encoding: chunked header was also included. According to the HTTP specification, Content-Length must be ignored in such cases. This discrepancy could allow oversized request bodies to bypass the configured limit.

Most standards-compliant runtimes and reverse proxies may reject such malformed requests with 400 Bad Request, so the practical impact depends on the runtime and deployment environment.

Impact

If body size limits are used as a safeguard against large or malicious requests, this flaw could allow attackers to send oversized request bodies. The primary risk is denial of service (DoS) due to excessive memory or CPU consumption when handling very large requests.

Resolution

The implementation has been updated to align with the HTTP specification, ensuring that Transfer-Encoding takes precedence over Content-Length. The issue is fixed in Hono v4.9.7, and all users should upgrade immediately.

---

Release Notes

honojs/hono (hono)

v4.9.7

Compare Source

Security

• Fixed an issue in the bodyLimit middleware where the body size limit could be bypassed when both Content-Length and Transfer-Encoding headers were present. If you are using this middleware, please update immediately. Security Advisory

What's Changed

• fix(client): Fix parseResponse not parsing json in react native by @​lr0pb in #​4399
• chore: add .tool-versions file by @​3w36zj6 in #​4397
• chore: update bun install commands to use --frozen-lockfile by @​3w36zj6 in #​4398
• test(jwk): Add tests of JWK token verification by @​buckett in #​4402

New Contributors

• @​lr0pb made their first contribution in #​4399
• @​buckett made their first contribution in #​4402

Full Changelog: honojs/hono@v4.9.6...v4.9.7

v4.9.6

Compare Source

Security

Fixed a bug in URL path parsing (getPath) that could cause path confusion under malformed requests.

If you rely on reverse proxies (e.g. Nginx) for ACLs or restrict access to endpoints like /admin, please update immediately.

See advisory for details: GHSA-9hp6-4448-45g2

What's Changed

• chore: update packages in the router bench by @​yusukebe in #​4386
• chore(benchmarks): remove comment-out from router bench by @​yusukebe in #​4387

Full Changelog: honojs/hono@v4.9.5...v4.9.6

v4.9.5

Compare Source

What's Changed

• chore: replace supertest with undici by @​BarryThePenguin in #​4365
• fix(aws-lambda): preserve percent-encoded values in query strings by @​yusukebe in #​4372
• feat(cors): Allow async functions for origin and allowMethods by @​jobrk in #​4373
• feat(cors): Correct origin function return type asynchronously returning null or undefined for origin by @​jobrk in #​4375
• fix(service-worker): correct args for app.fetch in handle by @​yusukebe in #​4374
• fix(language-detector): Detect language from path after getPath changed by @​iflamed in #​4369

New Contributors

• @​jobrk made their first contribution in #​4373
• @​iflamed made their first contribution in #​4369

Full Changelog: honojs/hono@v4.9.4...v4.9.5

v4.9.4

Compare Source

What's Changed

• chore: add a type cast to run deno publish by @​yusukebe in #​4364

Full Changelog: honojs/hono@v4.9.3...v4.9.4

v4.9.3

Compare Source

What's Changed

• feat(csrf): Add modern CSRF protection with Fetch Metadata support by @​meck93 in #​4353
• tests: use vitest projects by @​BarryThePenguin in #​4359
• feat(proxy): add customFetch option to allow custom fetch function by @​yusukebe in #​4360
• chore: update typescript to 5.9.2 by @​yusukebe in #​4362
• chore: add packageManager field to package.json by @​yusukebe in #​4363

Full Changelog: honojs/hono@v4.9.2...v4.9.3

v4.9.2

Compare Source

What's Changed

• fix(jsx): 'plaintext-only' value for contenteditable attribute by @​object1037 in #​4349
• fix(client): handle query parameters in removeIndexString by @​yusukebe in #​4352

New Contributors

• @​object1037 made their first contribution in #​4349

Full Changelog: honojs/hono@v4.9.1...v4.9.2

v4.9.1

Compare Source

What's Changed

• feat(parseResponse): set DetailedError.name (+ error tests) by @​NamesMT in #​4344
• fix(parseResponse): should not include error responses in result by @​NamesMT in #​4348

Full Changelog: honojs/hono@v4.9.0...v4.9.1

v4.9.0

Compare Source

Release Notes

Hono v4.9.0 is now available!

This release introduces several enhancements and utilities.

The main highlight is the new parseResponse utility that makes it easier to work with RPC client responses.

parseResponse Utility

The new parseResponse utility provides a convenient way to parse responses from Hono RPC clients (hc). It automatically handles different response formats and throws structured errors for failed requests.

import { parseResponse, DetailedError } from 'hono/client'

// result contains the parsed response body (automatically parsed based on Content-Type)
const result = await parseResponse(client.hello.$get()).catch(
  // parseResponse automatically throws an error if response is not ok
  (e: DetailedError) => {
    console.error(e)
  }
)

This makes working with RPC client responses much more straightforward and type-safe.

Thanks @​NamesMT!

New features

• feat(bun): allow importing upgradeWebSocket and websocket directly #​4242
• feat(aws-lambda): specify content-type as binary #​4250
• feat(jwt): add validation for the issuer (iss) claim #​4253
• feat(jwk): add headerName to JWK middleware #​4279
• feat(cookie): add generateCookie and generateSignedCookie helpers #​4285
• feat(serve-static): use join to correct path resolution #​4291
• feat(jwt): expose utility function verifyWithJwks for external use #​4302
• feat: add parseResponse util to smartly parse hc's Response #​4314
• feat(ssg): mark old hook options as deprecated #​4331

All changes

• feat(aws-lambda): specify content-type as binary by @​Kanahiro in #​4250
• feat(jwt): added validation for the issuer (iss) claim by @​yolocat-dev in #​4253
• feat(jwk): Add custom headerName to JWK middleware by @​JoaquinGimenez1 in #​4279
• feat(cookie): generateCookie and generateSignedCookie helpers by @​Soviut in #​4285
• feat(serve-static): use join to correct path resolution by @​yusukebe in #​4291
• feat(jwt): Exposing utility function verifyWithJwks for external use by @​Beyondo in #​4302
• feat: add parseResponse util to smartly parse hc's Response by @​NamesMT in #​4314
• feat(ssg): mark old hook options as deprecated by @​3w36zj6 in #​4331
• fix(bun): exports functions related to websocket by @​yusukebe in #​4341
• Next by @​yusukebe in #​4340
• chore: enable skipLibCheck to resolve TypeScript compilation issues by @​yusukebe in #​4342

New Contributors

• @​yolocat-dev made their first contribution in #​4253
• @​JoaquinGimenez1 made their first contribution in #​4279
• @​Soviut made their first contribution in #​4285

Full Changelog: honojs/hono@v4.8.12...v4.9.0

v4.8.12

Compare Source

What's Changed

• fix(router): support /files/:name{.*} by @​yusukebe in #​4329

Full Changelog: honojs/hono@v4.8.11...v4.8.12

v4.8.11

Compare Source

What's Changed

• fix(types): should populate output type for c.body() by @​NamesMT in #​4318
• ci: add editorconfig-checker by @​3w36zj6 in #​4321
• fix(service-worker): pass FetchEvent as second argument to app.fetch by @​yusukebe in #​4328
• chore(ci): upgrade bun version to 1.2.19 by @​BarryThePenguin in #​4323
• chore: bump @hono/eslint-config by @​yusukebe in #​4330
• chore: autofix ci by @​BarryThePenguin in #​4322

Full Changelog: honojs/hono@v4.8.10...v4.8.11

v4.8.10

Compare Source

What's Changed

• chore: add EditorConfig by @​3w36zj6 in #​4309
• chore: format JSON, YAML, and Markdown by @​yusukebe in #​4310
• chore: format and lint benchmarks/* by @​yusukebe in #​4317
• refactor(types): bring adapter/service-worker types up to date by @​idealsh in #​4315
• chore: add editorconfig-checker by @​3w36zj6 in #​4312
• fix(cookie): support lowercase priority for compatibility with other libraries by @​bytaesu in #​4293

New Contributors

• @​idealsh made their first contribution in #​4315
• @​bytaesu made their first contribution in #​4293

Full Changelog: honojs/hono@v4.8.9...v4.8.10

v4.8.9

Compare Source

What's Changed

• fix(context): use isByteString in c.redirect by @​yusukebe in #​4307

Full Changelog: honojs/hono@v4.8.8...v4.8.9

v4.8.8

Compare Source

What's Changed

• docs: simplify the readme by @​yusukebe in #​4305
• fix(utils/url): prevent double encoding in safeEncodeURI by @​yusukebe in #​4306

Full Changelog: honojs/hono@v4.8.7...v4.8.8

v4.8.7

Compare Source

What's Changed

• chore: fix the deno version for publishing to jsr by @​yusukebe in #​4304

Full Changelog: honojs/hono@v4.8.6...v4.8.7

v4.8.6

Compare Source

What's Changed

• perf(types): remove unnecessary default types by @​yusukebe in #​4282
• fix(context): encode the redirect location by @​yayugu in #​4297

Full Changelog: honojs/hono@v4.8.5...v4.8.6

v4.8.5

Compare Source

What's Changed

• fix(serve-static): support Windows by @​yusukebe in #​3477

Full Changelog: honojs/hono@v4.8.4...v4.8.5

v4.8.4

Compare Source

What's Changed

• test: correct usages of Proxy to support Node.js 24 by @​yusukebe in #​4260
• fix(cookie): remove not used signingSecret option by @​yusukebe in #​4263
• fix(jsx): cloneElement didn't copy children by @​yayugu in #​4257
• fix(client): remove index string when calling $url() by @​yusukebe in #​4267
• fix(ssg): invoke callback when it's only a dynamic route by @​yusukebe in #​4249
• fix(request): req.json() keeps the content as is by @​yusukebe in #​4269

Full Changelog: honojs/hono@v4.8.3...v4.8.4

v4.8.3

Compare Source

What's Changed

• fix(cookie): use tryDecode when parsing cookie by @​yusukebe in #​4240
• fix(jsx): throw new Error instead of string by @​usualoma in #​4241
• fix(jwt): fix the JwtTokenIssuedAt error message by @​yusukebe in #​4244
• fix(jsx): Fix the JSXNode validation. Allow the function type for props.ref by @​yayugu in #​4236
• chore(cr): continuation release to pkg.pr.new by @​NEKOYASAN in #​4245

New Contributors

• @​yayugu made their first contribution in #​4236
• @​NEKOYASAN made their first contribution in #​4245

Full Changelog: honojs/hono@v4.8.2...v4.8.3

v4.8.2

Compare Source

What's Changed

• fix(utils/color): avoid resolving pacakages via Bun.build by @​ryuapp in #​4239

Full Changelog: honojs/hono@v4.8.1...v4.8.2

v4.8.1

Compare Source

What's Changed

• docs(bearer-auth): fix typo by @​Einherjar1632 in #​4238
• fix(utils/color): avoid unhandled scheme errors by @​ryuapp in #​4234

New Contributors

• @​Einherjar1632 made their first contribution in #​4238

Full Changelog: honojs/hono@v4.8.0...v4.8.1

v4.8.0

Compare Source

Release Notes

Hono v4.8.0 is now available!

This release enhances existing features with new options and introduces powerful helpers for routing and static site generation. Additionally, we're introducing new third-party middleware packages.

• Route Helper
• JWT Custom Header Location
• JSX Streaming Nonce Support
• CORS Dynamic allowedMethods
• JWK Allow Anonymous Access
• Cache Status Codes Option
• Service Worker fire() Function
• SSG Plugin System

Plus new third-party middleware:

• MCP Middleware
• UA Blocker Middleware
• Zod Validator v4 Support

Let's look at each of these.

Reduced the code size

First, this update reduces the code size! The smallest hono/tiny package has been reduced by about 800 bytes from v4.7.11, bringing it down to approximately 11 KB. When gzipped, it's only 4.5 KB. Very tiny!

Route Helper

New route helper functions provide easy access to route information and path utilities.

import { Hono } from 'hono'
import {
  matchedRoutes,
  routePath,
  baseRoutePath,
  basePath,
} from 'hono/route'

const api = new Hono()

api.get('/users/:id/posts/:postId', (c) => {
  const matched = matchedRoutes(c) // Array of matched route handlers
  const current = routePath(c) // '/api/users/:id/posts/:postId'
  const base = baseRoutePath(c) // '/api' Base route path
  const appBase = basePath(c) // '/api' Base path
  return c.json({ matched, current, base, appBase })
})

const app = new Hono()
app.route('/api', api)

export default app

These helpers make route introspection cleaner and more explicit.

Thanks @​usualoma!

JWT Custom Header Location

JWT middleware now supports custom header locations beyond the standard Authorization header. You can specify any header name to retrieve JWT tokens from.

import { Hono } from 'hono'
import { jwt } from 'hono/jwt'

const app = new Hono()

app.use(
  '/api/*',
  jwt({
    secret: 'secret-key',
    headerName: 'X-Auth-Token', // Custom header name
  })
)

app.get('/api/protected', (c) => {
  return c.json({ message: 'Protected resource' })
})

This is useful when working with APIs that use non-standard authentication headers.

Thanks @​kunalbhagawati!

JSX Streaming Nonce Support

JSX streaming now supports nonce values for Content Security Policy (CSP) compliance. The streaming context can include a nonce that gets applied to inline scripts.

import { Hono } from 'hono'
import {
  renderToReadableStream,
  Suspense,
  StreamingContext,
} from 'hono/jsx/streaming'

const app = new Hono()

app.get('/', (c) => {
  const stream = renderToReadableStream(
    <html>
      <body>
        <StreamingContext
          value={{ scriptNonce: 'random-nonce-value' }}
        >
          <Suspense fallback={<div>Loading...</div>}>
            <AsyncComponent />
          </Suspense>
        </StreamingContext>
      </body>
    </html>
  )

  return c.body(stream, {
    headers: {
      'Content-Type': 'text/html; charset=UTF-8',
      'Transfer-Encoding': 'chunked',
      'Content-Security-Policy':
        "script-src 'nonce-random-nonce-value'",
    },
  })
})

Thanks @​usualoma!

CORS Dynamic allowedMethods

CORS middleware now supports dynamic allowedMethods based on the request origin. You can provide a function that returns different allowed methods depending on the origin.

import { Hono } from 'hono'
import { cors } from 'hono/cors'

const app = new Hono()

app.use(
  '*',
  cors({
    origin: ['https://example.com', 'https://api.example.com'],
    allowMethods: (origin) => {
      if (origin === 'https://api.example.com') {
        return ['GET', 'POST', 'PUT', 'DELETE']
      }
      return ['GET', 'POST'] // Default for other origins
    },
  })
)

This enables fine-grained control over CORS policies per origin.

Thanks @​Kanahiro!

JWK Allow Anonymous Access

JWK middleware now supports anonymous access with the allow_anon option. When enabled, requests without valid tokens can still proceed to your handlers.

import { Hono } from 'hono'
import { jwk } from 'hono/jwk'

const app = new Hono()

app.use(
  '/api/*',
  jwk({
    jwks_uri: 'https://example.com/.well-known/jwks.json',
    allow_anon: true,
  })
)

app.get('/api/data', (c) => {
  const payload = c.get('jwtPayload')
  if (payload) {
    return c.json({ message: 'Authenticated user', user: payload })
  }
  return c.json({ message: 'Anonymous access' })
})

Additionally, keys and jwks_uri options now support functions that receive the context, enabling dynamic key resolution.

Thanks @​Beyondo!

Cache Status Codes Option

Cache middleware now allows you to specify which status codes should be cached using the cacheableStatusCodes option.

import { Hono } from 'hono'
import { cache } from 'hono/cache'

const app = new Hono()

app.use(
  '*',
  cache({
    cacheName: 'my-cache',
    cacheControl: 'max-age=3600',
    cacheableStatusCodes: [200, 404], // Cache both success and not found responses
  })
)

Thanks @​miyamo2!

Service Worker fire() Function

A new fire() function is available from the Service Worker adapter, providing a cleaner alternative to app.fire().

import { Hono } from 'hono'
import { fire } from 'hono/service-worker'

const app = new Hono()

app.get('/', (c) => c.text('Hello from Service Worker!'))

// Use the standalone fire function
fire(app)

The app.fire() method is now deprecated in favor of this approach. Goodbye app.fire().

SSG Plugin System

Static Site Generation (SSG) now supports a plugin system that allows you to extend the generation process with custom functionality.

For example, the following is easy implementation of a sitemap plugin:

// plugins.ts
import fs from 'node:fs/promises'
import path from 'node:path'
import type { SSGPlugin } from 'hono/ssg'
import { DEFAULT_OUTPUT_DIR } from 'hono/ssg'

export const sitemapPlugin = (baseURL: string): SSGPlugin => {
  return {
    afterGenerateHook: (result, fsModule, options) => {
      const outputDir = options?.dir ?? DEFAULT_OUTPUT_DIR
      const filePath = path.join(outputDir, 'sitemap.xml')
      const urls = result.files.map((file) =>
        new URL(file, baseURL).toString()
      )
      const siteMapText = `<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
${urls.map((url) => `<url><loc>${url}</loc></url>`).join('\n')}
</urlset>`
      fsModule.writeFile(filePath, siteMapText)
    },
  }
}

Applying the plugin:

import { toSSG } from 'hono/ssg'
import { sitemapPlugin } from './plugins'

toSSG(app, fs, {
  plugins: [sitemapPlugin('https://example.com')],
})

Plugins can hook into various stages of the generation process to perform custom actions.

Thanks @​3w36zj6!

Third-party Middleware Updates

In addition to core Hono features, we're excited to introduce new third-party middleware packages that extend Hono's capabilities.

MCP Middleware

A new middleware package @hono/mcp enables creating remote MCP (Model Context Protocol) servers over Streamable HTTP Transport. This is the initial release with more features planned for the future.

import { McpServer } from '@​modelcontextprotocol/sdk/server/mcp.js'
import { StreamableHTTPTransport } from '@​hono/mcp'
import { Hono } from 'hono'

const app = new Hono()

// Your MCP server implementation
const mcpServer = new McpServer({
  name: 'my-mcp-server',
  version: '1.0.0',
})

app.all('/mcp', async (c) => {
  const transport = new StreamableHTTPTransport()
  await mcpServer.connect(transport)
  return transport.handleRequest(c)
})

Currently, this is ideal for creating stateless and authentication-less remote MCP servers.

Thanks @​MathurAditya724!

UA Blocker Middleware

The new @hono/ua-blocker middleware allows blocking requests based on user agent headers. It includes blocking AI bots functions.

import { uaBlocker } from '@​hono/ua-blocker'
import { aiBots } from '@​hono/ua-blocker/ai-bots'
import { Hono } from 'hono'

const app = new Hono()

// Block specific user agents
app.use(
  '*',
  uaBlocker({
    blocklist: ['ForbiddenBot', 'Not You'],
  })
)

// Block all AI bots
app.use(
  '*',
  uaBlocker({
    blocklist: aiBots,
  })
)

// Serve robots.txt to discourage AI bots
app.use('/robots.txt', useAiRobotsTxt())

Thanks @​finxol!

Zod Validator v4 Support

The @hono/zod-validator middleware now supports Zod v4!

All Changes

• fix(etag): fallback if res.clone() is not supported by @​yusukebe in #​4198
• Revert "fix(etag): fallback if res.clone() is not supported (#​4198)" by @​yusukebe in #​4200
• chore(devcontainer): remove obsolete version field from docker-compose.yml by @​kyodaj in #​4208
• docs(context): fix docstring link in the set header method by @​Carlos-err406 in #​4221
• ci: consolidate perf-measures GitHub Actions comments by @​yusukebe in #​4222
• chore(secure-headers): format by @​yusukebe in #​4224
• ci: add HTTP speed check by @​yusukebe in #​4220
• ci: simplify HTTP benchmark implementation by @​yusukebe in #​4226
• feat(middleware/cache): add cacheableStatusCodes option by @​miyamo2 in #​3943
• feat(hono/jwk): Extended with allow_anon option & passing Context to callbacks by @​Beyondo in #​3961
• fix(context): add props to ExecutionContext by @​yusukebe in #​4030
• feat(hono/testing): Allow passing hc options to testClient by @​kbrgl in #​4059
• feat(cors): allowedMethods by function by @​Kanahiro in #​4060
• feat(mime): support webmanifest by @​sushichan044 in #​4085
• feat(jsx): enable to add nonce to script tag generated by Suspense and ErrorBoundary by @​usualoma in #​4216
• fix(utils/body): normalize key names in parseBody (#​4108) by @​hiroki-307 in #​4183
• feat(logger): support for NO_COLOR on cloudflare workers by @​ryuapp in #​4094
• feat: introduce Route Helper by @​usualoma in #​4204
• feat: support http+unix scheme by @​usualoma in #​4148
• feat(jwt): Add custom header location by @​kunalbhagawati in #​4218
• fix: reduce Context code by @​yusukebe in #​4100
• fix(req): don't throw if the query param is invalid by @​yusukebe in #​4110
• perf(trie-router): improve performance and reduce file size by @​yusukebe in #​4217
• ci: handle fork PRs in http-benchmark workflow by @​yusukebe in #​4229
• feat(service-worker): add fire() by @​yusukebe in #​4214
• feat(hono-base): mark app.fire() as deprecated by @​yusukebe in #​4231
• feat(ssg): add plugin system by @​3w36zj6 in #​4156
• Next by @​yusukebe in #​4227

New Contributors

• @​kyodaj made their first contribution in #​4208
• @​Carlos-err406 made their first contribution in #​4221
• @​miyamo2 made their first contribution in #​3943
• @​kbrgl made their first contribution in #​4059
• @​hiroki-307 made their first contribution in #​4183
• @​kunalbhagawati made their first contribution in #​4218
• @​3w36zj6 made their first contribution in #​4156

Full Changelog: honojs/hono@v4.7.11...v4.8.0

v4.7.11

Compare Source

What's Changed

• chore(benchmark): add URLSearchParams to the query-params benchmark by @​yusukebe in #​4149
• ci: skip lib check in type check benchmark by @​sushichan044 in #​4162
• CI: add type benchmark with typescript-go preview by @​sushichan044 in #​4161
• chore: ignore CLAUDE.local.md in gitignore by @​yusukebe in #​4176
• fix(middleware/etag): should return 304 when weak etag is passed in 'If-None-Match' by @​techfish-11 in #​4171
• docs(readme): Added Deepwiki link in README by @​MathurAditya724 in #​4179
• fix(base): use c.newResponse() for the response of err.getResponse() by @​yusukebe in #​4181

New Contributors

• @​techfish-11 made their first contribution in #​4171

Full Changelog: honojs/hono@v4.7.10...v4.7.11

v4.7.10

Compare Source

What's Changed

• fix(hono-base): copy notfound and error handlers in #clone() by @​yusukebe in #​4139
• fix(jwt): use header.alg as fallback in verifyFromJwks by @​yusukebe in #​4144

Full Changelog: honojs/hono@v4.7.9...v4.7.10

v4.7.9

Compare Source

What's Changed

• fix(helper/cookie): correct getSignedCookie parameters type by @​Hill-98 in #​4123
• fix(ssg): Fix SSG Extension Map by @​pspeter3 in #​4130
• fix(cookie): get deleted value with prefix by @​BarryThePenguin in #​4133

New Contributors

• @​Hill-98 made their first contribution in #​4123
• @​pspeter3 made their first contribution in #​4130

Full Changelog: honojs/hono@v4.7.8...v4.7.9

v4.7.8

Compare Source

What's Changed

• chore(deps): bump wrangler to 4.12.0 by @​yusukebe in #​4096
• feat(ws): allow to use upgradeWebSocket in handler by @​nakasyou in #​3942
• feat(hono-base): Added replaceRequest: false option for .mount by @​geelen in #​4113

New Contributors

• @​geelen made their first contribution in #​4113

Full Changelog: honojs/hono@v4.7.7...v4.7.8

v4.7.7

Compare Source

What's Changed

• fix(trailing-slash): handle HEAD request in trailing slash middleware by @​sushichan044 in #​4049
• fix(proxy): accept a Request object as proxyInit by @​usualoma in #​4067
• test(deno): wait for stream to start before aborting request by @​yusukebe in #​4068
• ci: Add Bundle Analysis by @​katia-sentry in #​4072
• chore: Revert "ci: Add Bundle Analysis (#​4072)" by @​yusukebe in #​4076
• fix(context): don't throw the error with c.header() when it's finalized by @​yusukebe in #​4078

New Contributors

• @​katia-sentry made their first contribution in #​4072

Full Changelog: honojs/hono@v4.7.6...v4.7.7

v4.7.6

Compare Source

What's Changed

• fix(compress): avoid compressing if transfer-encoding is set by @​usualoma in #​4027
• chore(lint): patch warnings by @​EdamAme-x in #​4034
• chore(april-fool): change hono is cool to hono is hot by @​EdamAme-x in #​4035
• fix(client): Support browsers without Array.prototype.at by @​isnifer in #​4057

New Contributors

• @​isnifer made their first contribution in #​4057

Full Changelog: honojs/hono@v4.7.5...v4.7.6

v4.7.5

Compare Source

What's Changed

• docs(MIGRATION): Fix typo by @​movahhedi in #​3999
• fix(bun): export BunWebSocketData and BunWebSocketHandler by @​yusukebe in #​4002
• types(compose): follow up #​3932 by @​EdamAme-x in #​3934
• fix(adapter/aws-lambda): APIGWProxyResult should contain either of headers or multiValueHeaders, not both by @​exoego in #​3883

New Contributors

• @​movahhedi made their first contribution in #​3999

Full Changelog: honojs/hono@v4.7.4...v4.7.5

v4.7.4

Compare Source

What's Changed

• fix(types): fix unhandled types for Deno 2.2 by @​yusukebe in #​3977

Full Changelog: honojs/hono@v4.7.3...v4.7.4

v4.7.3

Compare Source

What's Changed

• refactor: support TypeScript 5.7 for Deno 2.2 by @​yusukebe in #​3939
• refactor(pattern-router): reduce bundle size and fix comments by @​EdamAme-x in #​3936
• fix(bun): export BunWebSocketHandler by @​yusukebe in #​3964
• fix(hono-base): prevent options object mutation by @​yusukebe in #​3975
• perf(utils/url): Short circuit the regex in checkOptionalParameter by @​csainty in #​3974

New Contributors

• @​csainty made their first contribution in #​3974

Full Changelog: honojs/hono@v4.7.2...v4.7.3

v4.7.2

Compare Source

What's Changed

• fix(proxy): fix header overwrite by @​usualoma in #​3922
• fix(proxy): include original request signal in proxy request by @​BarryThePenguin in #​3925
• fix(helper/proxy): missing proxy response status by @​BarryThePenguin in #​3927
• fix(proxy): remove spread operator from Request and Response classes by @​BarryThePenguin in #​3928
• refactor(compose): remove unnecessary complexity and improve testing by @​EdamAme-x in #​3932

Full Changelog: honojs/hono@v4.7.1...v4.7.2

v4.7.1

Compare Source

What's Changed

• refactor(helper/streaming): remove unused variables by @​EdamAme-x in #​3904
• fix(combine): halt middleware evaluation if error in next() by @​usualoma in #​3905
• fix(utils/url): calculate ends with slash on every iteration by @​luxass in #​3910
• perf(utils/url): shorten mergePath and optimize for normal use cases. by @​usualoma in #​3911
• fix(adapter/aws-lambda): remove unneeded import and compatibility for LLRT by @​EdamAme-x in #​3915
• fix(etag): change where to check for crypto by @​EdamAme-x in #​3916

New Contributors

• @​luxass made their first contribution in #​3910

Full Changelog: honojs/hono@v4.7.0...v4.7.1

v4.7.0

Compare Source

Release Notes

Hono v4.7.0 is now available!

This release introduces one helper and two middleware.

• Proxy Helper
• Language Middleware
• JWK Auth Middleware

Plus, Standard Schema Validator has been born.

Let's look at each of these.

Proxy Helper

We sometimes use the Hono application as a reverse proxy. In that case, it accesses the backend using fetch. However, it sends an unintended headers.

app.all('/proxy/:path', (c) => {
  // Send unintended header values to the origin server
  return fetch(`http://${originServer}/${c.req.param('path')}`)
})

For example, fetch may send Accept-Encoding, causing the origin server to return a compressed response. Some runtimes automatically decode it, leading to a Content-Length mismatch and potential client-side errors.

Also, you should probably remove some of the headers sent from the origin server, such as Transfer-Encoding.

Proxy Helper will send requests to the origin and handle responses properly. The above headers problem is solved simply by writing as follows.

import { Hono } from 'hono'
import { proxy } from 'hono/proxy'

app.get('/proxy/:path', (c) => {
  return proxy(`http://${originServer}/${c.req.param('path')}`)
})

You can also use it in more complex ways.

app.get('/proxy/:path', async (c) => {
  const res = await proxy(
    `http://${originServer}/${c.req.param('path')}`,
    {
      headers: {
        ...c.req.header(),
        'X-Forwarded-For': '127.0.0.1',
        'X-Forwarded-Host': c.req.header('host'),
        Authorization: undefined,
      },
    }
  )
  res.headers.delete('Set-Cookie')
  return res
})

Thanks @​usualoma!

Language Middleware

Language Middleware provides 18n functions to Hono applications. By using the languageDetector function, you can get the language that your application should support.

import { Hono } from 'hono'
import { languageDetector } from 'hono/language'

const app = new Hono()

app.use(
  languageDetector({
    supportedLanguages: ['en', 'ar', 'ja'], // Must include fallback
    fallbackLanguage: 'en', // Required
  })
)

app.get('/', (c) => {
  const lang = c.get('language')
  return c.text(`Hello! Your language is ${lang}`)
})

You can get the target language in various ways, not just by using Accept-Language.

• Query parameters
• Cookies
• Accept-Language header
• URL path

Thanks @​lord007tn!

JWK Auth Middleware

Finally, middleware that supports JWK (JSON Web Key) has landed. Using JWK Auth Middleware, you can authenticate by verifying JWK tokens. It can access keys fetched from the specified URL.

import { Hono } from 'hono'
import { jwk } from 'hono/jwk'

app.use(
  '/auth/*',
  jwk({
    jwks_uri: `https://${backendServer}/.well-known/jwks.json`,
  })
)

app.get('/auth/page', (c) => {
  return c.text('You are authorized')
})

Thanks @​Beyondo!

Standard Schema Validator

Standard Schema provides a common interface for TypeScript validator libraries. Standard Schema Validator is a validator that uses it. This means that Standa

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 6e05b0c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR