fix(deps): update dependency hono to v4 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
hono (source)	^2.3.0 → ^4.0.0

---

Named path parameters can be overridden in TrieRouter

CVE-2023-50710 / GHSA-f6gv-hh8j-q8vq

More information

Details

Impact

The clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources.

TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter.

The code to reproduce it. The server side application:

import { Hono } from 'hono'
import { TrieRouter } from 'hono/router/trie-router'

const wait = async (ms: number) => {
  return new Promise((resolve) => {
    setTimeout(resolve, ms)
  })
}

const app = new Hono({ router: new TrieRouter() })

app.use('*', async (c, next) => {
  await wait(Math.random() * 200)
  return next()
})

app.get('/modules/:id/versions/:version', async (c) => {
  const id = c.req.param('id')
  const version = c.req.param('version')

  console.log('path', c.req.path)
  console.log('version', version)

  return c.json({
    id,
    version,
  })
})

export default app

The client code which makes requests to the server application:

const examples = [
  'http://localhost:8787/modules/first/versions/first',
  'http://localhost:8787/modules/second/versions/second',
  'http://localhost:8787/modules/third/versions/third',
]

const test = () => {
  for (const example of examples) {
    fetch(example)
      .then((response) => response.json())
      .then((data) => {
        const splitted = example.split('/')
        const expected = splitted[splitted.length - 1]

        if (expected !== data.version) {
          console.error(`Error: exprected ${expected} but got ${data.version} - url was ${example}`)
        }
      })
  }
}

test()

The results:

Error: exprected second but got third - url was http://localhost:8787/modules/second/versions/second
Error: exprected first but got third - url was http://localhost:8787/modules/first/versions/first

Patches

"v3.11.7" includes the change to fix this issue.

Workarounds

Don't use TrieRouter directly.

// DON'T USE TrieRouter
import { TrieRouter } from 'hono/router/trie-router'
const app = new Hono({ router: new TrieRouter() })

References

Router options on the Hono website: https://hono.dev/api/hono#router-option

Severity

• CVSS Score: 4.2 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L

References

• https://github.com/honojs/hono/security/advisories/GHSA-f6gv-hh8j-q8vq
• https://nvd.nist.gov/vuln/detail/CVE-2023-50710
• https://github.com/honojs/hono/commit/8e2b6b08518998783f66d31db4f21b1b1eecc4c8
• https://github.com/honojs/hono/releases/tag/v3.11.7
• https://github.com/advisories/GHSA-f6gv-hh8j-q8vq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Hono vulnerable to Restricted Directory Traversal in serveStatic with deno

CVE-2024-32869 / GHSA-3mpf-rcc7-5347

More information

Details

Summary

When using serveStatic with deno, it is possible to directory traverse where main.ts is located.

My environment is configured as per this tutorial
https://hono.dev/getting-started/deno

PoC

$ tree
.
├── deno.json
├── deno.lock
├── main.ts
├── README.md
└── static
    └── a.txt

source

import { Hono } from 'https://deno.land/x/hono@v4.2.6/mod.ts'
import { serveStatic } from 'https://deno.land/x/hono@v4.2.6/middleware.ts'

const app = new Hono()
app.use('/static/*', serveStatic({ root: './' }))

Deno.serve(app.fetch)

request

curl localhost:8000/static/%2e%2e/main.ts

response is content of main.ts

Impact

Unexpected files are retrieved.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-3mpf-rcc7-5347
• https://github.com/honojs/hono/commit/92e65fbb6e5e7372650e7690dbd84938432d9e65
• https://nvd.nist.gov/vuln/detail/CVE-2024-32869
• https://github.com/advisories/GHSA-3mpf-rcc7-5347

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Hono CSRF middleware can be bypassed using crafted Content-Type header

CVE-2024-43787 / GHSA-rpfr-3m35-5vx5

More information

Details

Summary

Hono CSRF middleware can be bypassed using crafted Content-Type header.

Details

MIME types are case insensitive, but isRequestedByFormElementRe only matches lower-case.

https://github.com/honojs/hono/blob/b0af71fbcc6dbe44140ea76f16d68dfdb32a99a0/src/middleware/csrf/index.ts#L16-L17

As a result, attacker can bypass csrf middleware using upper-case form-like MIME type, such as "Application/x-www-form-urlencoded".

PoC

<html>
  <head>
    <title>CSRF Test</title>
    <script defer>
      document.addEventListener("DOMContentLoaded", () => {
        document.getElementById("btn").addEventListener("click", async () => {
          const res = await fetch("http://victim.example.com/test", {
            method: "POST",
            credentials: "include",
            headers: {
              "Content-Type": "Application/x-www-form-urlencoded",
            },
          });
        });
      });
    </script>
  </head>
  <body>
    <h1>CSRF Test</h1>
    <button id="btn">Click me!</button>
  </body>
</html>

Impact

Bypass csrf protection implemented with hono csrf middleware.

Discussion

I'm not sure that omitting csrf checks for Simple POST request is a good idea.
CSRF prevention and CORS are different concepts even though CORS can prevent CSRF in some cases.

Severity

• CVSS Score: 2.3 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-rpfr-3m35-5vx5
• https://nvd.nist.gov/vuln/detail/CVE-2024-43787
• https://github.com/honojs/hono/commit/41ce840379516410dee60c783142e05bb5a22449
• https://github.com/honojs/hono/blob/b0af71fbcc6dbe44140ea76f16d68dfdb32a99a0/src/middleware/csrf/index.ts#L16-L17
• https://github.com/advisories/GHSA-rpfr-3m35-5vx5

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Hono allows bypass of CSRF Middleware by a request without Content-Type header.

CVE-2024-48913 / GHSA-2234-fmw7-43wr

More information

Details

Summary

Bypass CSRF Middleware by a request without Content-Type herader.

Details

Although the csrf middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe.

https://github.com/honojs/hono/blob/cebf4e87f3984a6a034e60a43f542b4c5225b668/src/middleware/csrf/index.ts#L76-L89

PoC

// server.js
import { Hono } from 'hono'
import { csrf }from 'hono/csrf'
const app = new Hono()
app.use(csrf())
app.get('/', (c) => {
  return c.html('Hello Hono!')
})
app.post('/', async (c) => {
  console.log("executed")
  return c.text( await c.req.text())
})
Deno.serve(app.fetch)

<!-- PoC.html -->
<script>
async function myclick() {
    await fetch("http://evil.example.com", {
    method: "POST",
    credentials: "include",
    body:new Blob([`test`],{}),
    });
}
</script>
<input type="button" onclick="myclick()" value="run" />

Similarly, the fetch API does not add a Content-Type header for requests that do not include a Body.

await fetch("http://localhost:8000", { method: "POST", credentials: "include"});

Impact

Bypass csrf protection implemented with hono csrf middleware.

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-2234-fmw7-43wr
• https://github.com/honojs/hono/commit/aa50e0ab77b5af8c53c50fe3b271892f8eeeea82
• https://github.com/honojs/hono/blob/cebf4e87f3984a6a034e60a43f542b4c5225b668/src/middleware/csrf/index.ts#L76-L89
• https://nvd.nist.gov/vuln/detail/CVE-2024-48913
• https://github.com/advisories/GHSA-2234-fmw7-43wr

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

honojs/hono (hono)

v4.6.5

Compare Source

Security fix for CSRF Protection Middleware

This release includes a security fix for CSRF Protection Middleware. If you are using CSRF Protection Middleware, please upgrade this hono package immediately.

Before this release, a request without a Content-Type header can bypass the protection. This fix does not allow it. See: GHSA-2234-fmw7-43wr

What's Changed

• perf(types): replace intersection with union to get better perf by @​m-shaka in #​3443
• ci: use Deno v2 by @​yusukebe in #​3506
• ci: use Deno v2 for a test running for deno by @​nakasyou in #​3509
• fix(types): rm ExcludeEmptyObject to fix massively increased type instantiations by @​m-shaka in #​3507
• fix(cors): avoid setting Access-Control-Allow-Origin if there is no matching origin by @​uki00a in #​3510
• feat(powered-by): optional server name by @​PatrickJS in #​3492
• fix(factory): revert PR #​3498 by @​yusukebe in #​3515
• fix(build): remove private fields by @​nakasyou in #​3514

New Contributors

• @​uki00a made their first contribution in #​3510
• @​PatrickJS made their first contribution in #​3492

Full Changelog: honojs/hono@v4.6.4...v4.6.5

v4.6.4

Compare Source

What's Changed

• chore: upgrade dependencies by @​yusukebe in #​3446
• chore: remove crypto-js from dev dependencies by @​yusukebe in #​3447
• chore(test): suppress no-unused-vars "'x' is assigned a value but only used as type" by @​exoego in #​3451
• chore(test): include bun coverage by @​exoego in #​3457
• test(deno): remove duplicated app.get by @​exoego in #​3469
• fix(types): add key to IntrinsicAttributes by @​codehz in #​3474
• fix(factory): relax Bindings and Variables for createMiddleware by @​yusukebe in #​3498
• fix(service-worker): bind fetch to globalThis by @​sapphi-red in #​3500
• refactor(jsx): add override to toStringToBuffer in classes extending JSXNode by @​yusukebe in #​3505

New Contributors

• @​sapphi-red made their first contribution in #​3500

Full Changelog: honojs/hono@v4.6.3...v4.6.4

v4.6.3

Compare Source

This release has many new features, but each feature is small, so we've released it as a patch release.

What's Changed

• chore: rename runtime_tests to runtime-tests by @​yusukebe in #​3419
• ci: Type check perf by @​m-shaka in #​3406
• refactor(jsx/streaming): Clarified the type of renderToReadableStream. by @​usualoma in #​3434
• perf(types): use homomorphic mapped type to reduce conditional branches by @​m-shaka in #​3440
• ci: prettify type check result and rm a comment by @​m-shaka in #​3442
• fix(types): useSyncExternalStore type by @​codehz in #​3437
• fix(combine/every): make every middleware work with short-circuiting middlewares by @​paolostyle in #​3441
• feat(secureHeader): add CSP Report-Only mode support by @​isoppp in #​3413
• feat(jwt): make JwtVariables generic for improved type safety by @​TinsFox in #​3428
• feat(request): Make request.ts available throught JSR for frameworks that need to instantiate HonoRequest by @​Sorikairox in #​3425
• feat(jsx/precompile): Normalization and stringification of attribute values as renderToString by @​usualoma in #​3432
• feat(serve-static): support absolute root by @​yusukebe in #​3420

New Contributors

• @​codehz made their first contribution in #​3437
• @​paolostyle made their first contribution in #​3441
• @​isoppp made their first contribution in #​3413
• @​TinsFox made their first contribution in #​3428
• @​Sorikairox made their first contribution in #​3425

Full Changelog: honojs/hono@v4.6.2...v4.6.3

v4.6.2

Compare Source

What's Changed

• chore(lint): ESLint v9 by @​yusukebe in #​3393
• perf(serve-static): performance optimization for precompressed feature by @​usualoma in #​3414
• fix(serve-static): use application/octet-stream if the mime type is not detected by @​usualoma in #​3415

Full Changelog: honojs/hono@v4.6.1...v4.6.2

v4.6.1

Compare Source

What's Changed

• fix(build): improve addExtension esbuild plugin by @​kt3k in #​3405

New Contributors

• @​kt3k made their first contribution in #​3405

Full Changelog: honojs/hono@v4.6.0...v4.6.1

v4.6.0

Compare Source

Hono v4.6.0 is now available!

One of the highlights of this release is the Context Storage Middleware. Let's introduce it.

Context Storage Middleware

Many users may have been waiting for this feature. The Context Storage Middleware uses AsyncLocalStorage to allow handling of the current Context object even outside of handlers.

For example, let’s define a Hono app with a variable message: string.

type Env = {
  Variables: {
    message: string
  }
}

const app = new Hono<Env>()

To enable Context Storage Middleware, register contextStorage() as middleware at the top and set the message value.

import { contextStorage } from 'hono/context-storage'

//...

app.use(contextStorage())

app.use(async (c, next) => {
  c.set('message', 'Hello!')
  await next()
})

getContext() returns the current Context object, allowing you to get the value of the message variable outside the handler.

import { getContext } from 'hono/context-storage'

app.get('/', (c) => {
  return c.text(getMessage())
})

// Access the variable outside the handler.
const getMessage = () => {
  return getContext<Env>().var.message
}

In the case of Cloudflare Workers, you can also access the Bindings outside the handler by using this middleware.

type Env = {
  Bindings: {
    KV: KVNamespace
  }
}

const app = new Hono<Env>()

app.use(contextStorage())

const setKV = (value: string) => {
  return getContext<Env>().env.KV.put('key', value)
}

Thanks @​marceloverdijk !

New features

• feat(secureHeader): add Permissions-Policy header to secure headers middleware #​3314
• feat(cloudflare-pages): enable c.env.eventContext in handleMiddleware #​3332
• feat(websocket): Add generics type to WSContext #​3337
• feat(jsx-renderer): set Content-Encoding when stream is true #​3355
• feat(serveStatic): add precompressed option #​3366
• feat(helper/streaming): Support Promise<string> or (async) JSX.Element in streamSSE #​3344
• feat(context): make fetch Response headers mutable #​3318
• feat(serve-static): add onFound option #​3396
• feat(basic-auth): added custom response message option #​3371
• feat(bearer-auth): added custom response message options #​3372

Other changes

• chore(jsx-renderer): fix typo in JSDoc by @​taga3s in #​3378
• chore(deno): use the latest jsr libraries for testing by @​ryuapp in #​3375
• fix(secure-headers): optimize getPermissionsPolicyDirectives function by @​kbkn3 in #​3398
• fix(bearer-auth): typo by @​yusukebe in #​3404

New Contributors

• @​kbkn3 made their first contribution in #​3314
• @​hayatosc made their first contribution in #​3337
• @​inetol made their first contribution in #​3366

Full Changelog: honojs/hono@v4.5.11...v4.6.0

v4.5.11

Compare Source

What's Changed

• fix(jsx): race condition in ErrorBoundary with event loop by @​usualoma in #​3343
• perf(jsx): skip the special behavior when the element is in the head. by @​usualoma in #​3352
• refactor(utils/body): shorten the code by @​yusukebe in #​3353
• docs: Twitter to X by @​yusukebe in #​3354
• chore: fix typo in JSDoc by @​taga3s in #​3364
• refactor(utils/basic-auth): Moved Internal function to utils by @​sugar-cat7 in #​3359

New Contributors

• @​taga3s made their first contribution in #​3364
• @​sugar-cat7 made their first contribution in #​3359

Full Changelog: honojs/hono@v4.5.10...v4.5.11

v4.5.10

Compare Source

What's Changed

• feat(compress): improve compress middleware by @​nitedani in #​3317
• feat(jsx): add popover api attributes by @​ssssota in #​3323
• feat(jsx): improve form attribute types by @​ssssota in #​3330
• chore(test): migrate to vitest v2 by @​yasuaki640 in #​3326
• chore(test): replace deprecated vitest type by @​yasuaki640 in #​3338
• fix(logger): removing spaces from logger by @​marceloverdijk in #​3334

New Contributors

• @​nitedani made their first contribution in #​3317
• @​marceloverdijk made their first contribution in #​3334

Full Changelog: honojs/hono@v4.5.9...v4.5.10

v4.5.9

Compare Source

What's Changed

• test(types): broken test in future versions of typescript by @​m-shaka in #​3310
• fix(utils/color): Deno does not require permission for NO_COLOR by @​ryuapp in #​3306
• feat(jsx): improve type (MIME) attribute types by @​ssssota in #​3305
• feat(pretty-json): support custom query by @​nakasyou in #​3300

Full Changelog: honojs/hono@v4.5.8...v4.5.9

v4.5.8

Compare Source

Security Fix for CSRF Protection Middleware

Before this release, in versions 4.5.7 and below, the CSRF Protection Middleware did not treat requests including Content-Types with uppercase letters (e.g., Application/x-www-form-urlencoded) as potential attacks, allowing them to pass.

This could cause unexpected behavior, leading to a vulnerability. If you are using the CSRF Protection Middleware, please upgrade to version 4.5.8 or higher immediately.

For more details, see the report here: GHSA-rpfr-3m35-5vx5

v4.5.7

Compare Source

What's Changed

• fix(jsx/dom): Fixed a bug that caused Script elements to turn into Style elements. by @​usualoma in #​3294
• perf(jsx/dom): improve performance by @​usualoma in #​3288
• feat(jsx): improve a-tag types with well known values by @​ssssota in #​3287
• fix(validator): Fixed a bug in hono/validator where URL Encoded Data could not be validated if the Content-Type included charset. by @​uttk in #​3297
• feat(jsx): improve target and formtarget attribute types by @​ssssota in #​3299
• docs(README): change Twitter to X by @​nakasyou in #​3301
• fix(client): replace optional params to url correctly by @​yusukebe in #​3304
• feat(jsx): improve input attribute types based on react by @​ssssota in #​3302

New Contributors

• @​uttk made their first contribution in #​3297

Full Changelog: honojs/hono@v4.5.6...v4.5.7

v4.5.6

Compare Source

What's Changed

• fix(jsx): handle async component error explicitly and throw the error in the response by @​usualoma in #​3274
• fix(validator): support multipart headers without a separating space by @​Ernxst in #​3286
• fix(validator): Allow form data will mutliple values appended by @​nicksrandall in #​3273
• feat(jsx): improve meta-tag types with well known values by @​ssssota in #​3276

New Contributors

• @​Ernxst made their first contribution in #​3286
• @​ssssota made their first contribution in #​3276

Full Changelog: honojs/hono@v4.5.5...v4.5.6

v4.5.5

Compare Source

What's Changed

• fix(jsx): allow null, undefined, and boolean to be returned from function component by @​usualoma in #​3241
• feat(context): Add types for c.header by @​nakasyou in #​3221
• fix(jsx): fix draggable type to accept boolean by @​yasuaki640 in #​3253
• feat(context): add Context-Type types to c.header by @​nakasyou in #​3255
• fix(serve-static): supports directory contains . and not end / by @​yusukebe in #​3256

Full Changelog: honojs/hono@v4.5.4...v4.5.5

v4.5.4

Compare Source

What's Changed

• fix(jsx): corrects the type of 'draggable' attribute in intrinsic-elements.ts by @​yasuaki640 in #​3224
• feat(jsx): allow to merge CSSProperties declaration by @​jonasnobile in #​3228
• feat(client): Add WebSocket Provider Integration Tests and Enhance WebSocket Initialization by @​naporin0624 in #​3213
• fix(types): param in ValidationTargets supports optional param by @​yusukebe in #​3229

New Contributors

• @​jonasnobile made their first contribution in #​3228

Full Changelog: honojs/hono@v4.5.3...v4.5.4

v4.5.3

Compare Source

What's Changed

• fix(validator): Add double quotation marks to multipart checker regex by @​CPlusPatch in #​3195
• fix(validator): support application/json with a charset as JSON by @​yusukebe in #​3199
• fix(jsx): fix handling of SVG elements in JSX. by @​usualoma in #​3204
• fix(jsx/dom): fix performance issue with adding many new node listings by @​usualoma in #​3205
• fix(service-worker): refer to self.fetch correctly by @​yusukebe in #​3200

New Contributors

• @​CPlusPatch made their first contribution in #​3195

Full Changelog: honojs/hono@v4.5.2...v4.5.3

v4.5.2

Compare Source

What's Changed

• fix(helper/adapter): don't check navigator is undefined by @​yusukebe in #​3171
• fix(types): handle readonly array correctly by @​m-shaka in #​3172
• Revert "fix(helper/adapter): don't check navigator is undefined by @​yusukebe in #​3173
• fix(type): degradation of generic type handling by @​m-shaka in #​3138
• fix:(csrf) fix typo of csrf middleware by @​yasuaki640 in #​3178
• feat(secure-headers): remove "X-Powered-By" should be an option by @​EdamAme-x in #​3177

Full Changelog: honojs/hono@v4.5.1...v4.5.2

v4.5.1

Compare Source

What's Changed

• chore: remove rimraf and use bun shell by @​nakasyou in #​3146
• chore: moving the setup file of vitest by @​EdamAme-x in #​3157
• fix(middleware/jwt): Changed the jwt-secret type to SignatureKey by @​JulesVerner in #​3167
• feat(bearer-auth): Allow empty bearer-auth middleware prefixes by @​prevostc in #​3161
• chore(factory): remove @experimental from createApp by @​yusukebe in #​3164
• fix(client): support array values for query in ws by @​yusukebe in #​3169
• fix(validator): ignore content-type mismatches by @​yusukebe in #​3165

New Contributors

• @​JulesVerner made their first contribution in #​3167
• @​prevostc made their first contribution in #​3161

Full Changelog: honojs/hono@v4.5.0...v4.5.1

v4.5.0

Compare Source

Hono v4.5.0 is now available!

We have added three new built-in middleware. Now Hono is bringing 20 built-in middleware!

1. Basic Authentication
2. Bearer Authentication
3. Body Limit
4. Cache
5. Combine
6. Compress
7. CORS
8. CSRF Protection
9. ETag
10. IP Restriction
11. JSX Renderer
12. JWT
13. Logger
14. Method Override
15. Pretty JSON
16. Request ID
17. Secure Headers
18. Timeout
19. Timing
20. Trailing Slash

Amazing! These truly make Hono batteries-included framework.

Let's go through the new features in this release.

IP Restrict Middleware

Introducing IP Restrict Middleware. This middleware limits access to resources based on the IP address of the user.

import { Hono } from 'hono'
import { getConnInfo } from 'hono/bun'
import { ipRestriction } from 'hono/ip-restriction'

const app = new Hono()

app.use(
  '*',
  ipRestriction(getConnInfo, {
    denyList: [],
    allowList: ['127.0.0.1', '::1']
  })
)

Thanks @​nakasyou!

Combine Middleware

Introducing Combine Middleware. This middleware combines multiple middleware functions into a single middleware, allowing you to create complex access controls by combining it with middleware like IP Restriction.

import { Hono } from 'hono'
import { bearerAuth } from 'hono/bearer-auth'
import { getConnInfo } from 'hono/cloudflare-workers'
import { every, some } from 'hono/combine'
import { ipRestriction } from 'hono/ip-restriction'
import { rateLimit } from '@​/my-rate-limit'

const app = new Hono()

app.use(
  '*',
  some(
    every(ipRestriction(getConnInfo, { allowList: ['192.168.0.2'] }), bearerAuth({ token })),
    // If both conditions are met, rateLimit will not execute.
    rateLimit()
  )
)

app.get('/', (c) => c.text('Hello Hono!'))

Thanks @​usualoma!

Request ID Middleware

Introducing Request ID Middleware. This middleware generates a unique ID for each request, which you can use in your handlers.

import { Hono } from 'hono'
import { requestId } from 'hono/request-id'

const app = new Hono()

app.use('*', requestId())

app.get('/', (c) => {
  return c.text(`Your request id is ${c.get('requestId')}`)
})

Thanks @​ryuapp!

Service Worker Adapter

A Service Worker adapter has been added, making it easier to run Hono applications as Service Workers.

For example, the following code works perfectly in a browser!

import { Hono } from 'hono'
import { handle } from 'hono/service-worker'

const app = new Hono().basePath('/sw')
app.get('/', (c) => c.text('Hello World'))

self.addEventListener('fetch', handle(app))

Thanks @​nakasyou!

Cloudflare Pages Middleware

The Cloudflare Pages adapter now includes a handleMiddleware function, allowing many Hono middleware to run as Cloudflare Pages middleware.

For example, to apply basic authentication, you can use the built-in middleware as shown below.

// functions/_middleware.ts
import { handleMiddleware } from 'hono/cloudflare-pages'
import { basicAuth } from 'hono/basic-auth'

export const onRequest = handleMiddleware(
  basicAuth({
    username: 'hono',
    password: 'acoolproject'
  })
)

Thanks @​BarryThePenguin!

React 19 Compatibility

Hono JSX now supports React 19 compatible APIs.

For example, the following hooks have been added:

• useFormStatus()
• useActionState()
• useOptimistic()

Additionally, rendering metadata within the <head /> tag is now supported. You can include elements like <title>, <meta>, and <link> within your components.

import { Hono } from 'hono'
import { jsxRenderer } from 'hono/jsx-renderer'

const app = new Hono()

app.use(
  jsxRenderer(({ children }) => {
    return (
      <html>
        <head></head>
        <body>{children}</body>
      </html>
    )
  })
)

app.get('/top-page', (c) => {
  return c.render(
    <article>
      <title>Top Page!</title>
      <link rel="canonical" href="https://hono.dev/top-page" />
      <h1>Top Page</h1>
      <p>Hono is a great framework!</p>
    </article>
  )
})

The above will render the following HTML:

<!DOCTYPE html>
<html>
  <head>
    <title>Top Page!</title>
    <link rel="canonical" href="https://hono.dev/top-page" />
  </head>
  <body>
    <article>
      <h1>Top Page</h1>
      <p>Hono is a great framework!</p>
    </article>
  </body>
</html>

See all changes in this PR: #​2960

Thanks @​usualoma!

@hono/react-compat

Plus, with the new @hono/react-compat, you can alias the react or react-dom used in your project to hono/jsx without any configuration.

npm install react@npm:@​hono/react-compat react-dom@npm:@​hono/react-compat

Passing interface as Bindings/Variables

You can now pass interface to Bindings or Variables. This allows you to use the type definitions generated by the wrangler types command directly.

interface Env {
  MY_KV_NAMESPACE: KVNamespace
  MY_VAR: string
  MY_DB: D1Database
}

Previously, only type definitions using type could be passed to Bindings. Now, interfaces like the Env example above can be used with generics.

const app = new Hono<{
  Bindings: Env
}>()

Thanks @​ottomated!

Other features

• JWT - use Signed Cookie in JWT Middleware #​2989
• Vercel - add getConnInfo for Vercel Adapter #​3085
• Lambda@​Edge - add getConnInfo helper for Lambda@​Edge #​3099

All Updates

• feat(jsx/dom): export createRoot and hydrateRoot from jsx/dom/client as default by @​usualoma in #​2929
• feat(jsx/server): introduce jsx/dom/server module for compatibility with react-dom/server by @​usualoma in #​2930
• feat(jsx/dom): Improve compatibility React (useCallback, React.StrictMode) by @​usualoma in #​2944
• feat(jwt): Use Signed Cookie in JWT Middleware by @​newarifrh in #​2989
• React 19 compat by @​yusukebe in #​3048
• feat(adaptor): Remove unknown from AddressType by @​yasuaki640 in #​2958
• test(adapter/bun): fixed conninfo.test.ts by @​yusukebe in #​3059
• feat(jsx/dom): skip calculate children if props are the same by @​usualoma in #​3049
• feat(cloudflare-pages): Add Cloudflare Pages middleware handler by @​BarryThePenguin in #​3028
• fix(cloudflare-pages): Expose Cloudflare Pages type parameters by @​BarryThePenguin in #​3065
• fix(helper/conninfo): add undefined for AddressType by @​yusukebe in #​3112
• feat(middleware): Introduce IP Restriction Middleware by @​nakasyou in #​2813
• fix(ip-restriction): return the named function by @​yusukebe in #​3113
• feat(vercel): add getConnInfo for vercel adapter by @​promer94 in #​3085
• fix(vercel): remove deprecated address type by @​ryuapp in #​3115
• feat(lambda-edge): add getConnInfo helper for Lambda@​Edge by @​yasuaki640 in #​3099
• feat: Introduce Service Worker Adapter by @​nakasyou in #​3062
• feat(middleware): introduce Request ID middleware by @​ryuapp in #​3082
• feat(middleware/combine): Introduce combine middleware by @​usualoma in #​2941
• feat(types): allow passing interfaces as Bindings / Variables by @​ottomated in #​3136
• chore: update comments in codes by @​yusukebe in #​3145
• fix(types): use ContextVariableMap in Context<any> by @​yusukebe in #​3134
• feat(jsx): add global attributes to interface definition by @​yasuaki640 in #​3142
• fix(types): remove slow types by @​yusukebe in #​3147
• Next by @​yusukebe in #​3144

New Contributors

• @​newarifrh made their first contribution in #​2989
• @​BarryThePenguin made their first contribution in #​3028
• @​promer94 made their first contribution in #​3085
• @​ottomated made their first contribution in #​3136

Full Changelog: honojs/hono@v4.4.13...v4.5.0

v4.4.13

Compare Source

What's Changed

• chore: update benchmark by @​yusukebe in #​3102
• chore: replace tsx with Bun by @​nakasyou in #​3103
• refactor(http-status): remove unnecessary line of types and use common types by @​EdamAme-x in #​3110
• fix(jsx): redefine scope attribute as enum type by @​yasuaki640 in #​3118
• fix(types): allow string[] | File[] for RPC form value by @​yusukebe in #​3117
• fix(validator-types): type Alignment with Web Standards by @​EdamAme-x in #​3120
• fix(types): app.use(path, mw) return correct schema type by @​yusukebe in #​3128

Full Changelog: honojs/hono@v4.4.12...v4.4.13

v4.4.12

Compare Source

What's Changed

• fix(aws-lambda): set cookies with comma is bugged by @​NamesMT in #​3084
• fix(types): infer path when chaining after use by @​yusukebe in #​3087
• chore: update outdated links in JSDoc by @​ryuapp in #​3089
• fix(jsx): changes behavior when download attribute is set to a boolean value. by @​oon00b in #​3094
• chore: add the triage label by @​mvares in #​3092
• feat(types): improve JSONParsed by @​m-shaka in #​3074
• fix(helper/streaming): remove slow types by @​yusukebe in #​3100
• chore(utils/jwt): add @module docs by @​yusukebe in #​3101

New Contributors

• @​oon00b made their first contribution in #​3094

Full Changelog: honojs/hono@v4.4.11...v4.4.12

v4.4.11

Compare Source

What's Changed

• refactor: remove unnecessary async keyword from router tests by @​K-tecchan in #​3061
• fix(validator): don't return a FormData if formData is cached by @​yusukebe in #​3067
• fix(client): Add Query Parameter Support to WebSocket Client in hono/client by @​naporin0624 in #​3066
• refactor(types): move HandlerInterface's (path, handler)s overloads down by @​NamesMT in #​3072
• test(helper/dev): fix typo of test case name by @​yasuaki640 in #​3073
• fix(stream): Fixed a problem that onAbort() is called even if request is normally closed in deno by @​usualoma in #​3079

New Contributors

• @​K-tecchan made their first contribution in #​3061

Full Changelog: honojs/hono@v4.4.10...v4.4.11

v4.4.10

Compare Source

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}