chore(deps): update dependency hono to v4.12.7

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
hono (source)	4.11.3 → 4.12.7

---

Release Notes

honojs/hono (hono)

v4.12.7

Compare Source

v4.12.6

Compare Source

v4.12.5

Compare Source

What's Changed

• fix(request): return string | undefined from param() when path type is any by @​andrewdamelio in #​4723
• fix(jwt): validate token format in decode and decodeHeader functions by @​otoneko1102 in #​4752
• fix(jsx): Fix "Invalid state: Controller is already closed" by @​gaearon in #​4770
• chore(eslint): upgrade @hono/eslint-config by @​BarryThePenguin in #​4781

New Contributors

• @​andrewdamelio made their first contribution in #​4723
• @​otoneko1102 made their first contribution in #​4752
• @​gaearon made their first contribution in #​4770

Full Changelog: honojs/hono@v4.12.4...v4.12.5

v4.12.4

Compare Source

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

Middleware Bypass in Serve Static

Affects: Serve Static middleware. Fixes inconsistent URL decoding that could allow protected static resources to be accessed without triggering route-based middleware. GHSA-q5qw-h33p-qvwr

Users who uses Strreaming Helper, Cookie utility, and Serve Static are strongly encouraged to upgrade to this version.

---

Other changes

• fix(client): preserve route schema in ApplyGlobalResponse by @​agumy in #​4777
• fix(utils/url): specify the return type of tryDecodeURI by @​yusukebe in #​4779

New Contributors

• @​agumy made their first contribution in #​4777

Full Changelog: honojs/hono@v4.12.3...v4.12.4

v4.12.3

Compare Source

What's Changed

• fix(validator): prevent type diff bug in form data parsing by @​EdamAme-x in #​4753
• fix(jwt): use Math.floor instead of bitwise OR for safe timestamp by @​EdamAme-x in #​4754
• fix(jwt): fix JwtVariables for ContextVariableMap by @​yusukebe in #​4764
• fix(types): remove DOM type dependencies from ClientResponse and request method by @​YevheniiKotyrlo in #​4768
• fix(types): correct middleware types by @​hmnd in #​4774
• fix(jwt): prevent memory leak by avoiding mutation of options object by @​EdamAme-x in #​4759

New Contributors

• @​YevheniiKotyrlo made their first contribution in #​4768
• @​hmnd made their first contribution in #​4774

Full Changelog: honojs/hono@v4.12.2...v4.12.3

v4.12.2

Compare Source

Security fix

Fixed incorrect handling of X-Forwarded-For in the AWS Lambda adapter behind ALB that could allow IP-based access control bypass. The detail: GHSA-xh87-mx6m-69f3

Thanks @​EdamAme-x

What's Changed

• fix(context): revert PR #​4707 by @​yusukebe in #​4757

Full Changelog: honojs/hono@v4.12.1...v4.12.2

v4.12.1

Compare Source

What's Changed

• fix(client): export ApplyGlobalResponse from hono/client by @​sushichan044 in #​4743

Full Changelog: honojs/hono@v4.12.0...v4.12.1

v4.12.0

Compare Source

Release Notes

Hono v4.12.0 is now available!

This release includes new features for the Hono client, middleware improvements, adapter enhancements, and significant performance improvements to the router and context.

$path for Hono Client

The Hono client now has a $path() method that returns the path string instead of a full URL. This is useful when you need just the path portion for routing or key-based operations:

const client = hc<typeof app>('http://localhost:8787')

// Get the path string
const path = client.api.posts.$path()
// => '/api/posts'

// With path parameters
const postPath = client.api.posts[':id'].$path({
  param: { id: '123' },
})
// => '/api/posts/123'

// With query parameters
const searchPath = client.api.posts.$path({
  query: { filter: 'test' },
})
// => '/api/posts?filter=test'

Unlike $url() which returns a URL object, $path() returns a plain path string, making it convenient for use with routers or as cache keys.

Thanks @​ShaMan123!

ApplyGlobalResponse Type Helper for RPC Client

The new ApplyGlobalResponse type helper allows you to add global error response types to all routes in the RPC client. This is useful for typing common error responses from app.onError() or global middlewares:

const app = new Hono()
  .get('/api/users', (c) => c.json({ users: ['alice', 'bob'] }, 200))
  .onError((err, c) => c.json({ error: err.message }, 500))

type AppWithErrors = ApplyGlobalResponse<
  typeof app,
  {
    401: { json: { error: string; message: string } }
    500: { json: { error: string; message: string } }
  }
>

const client = hc<AppWithErrors>('http://api.example.com')
// Now client knows about both success and error responses
const res = await client.api.users.$get()
// InferResponseType includes { users: string[] } | { error: string; message: string }

Thanks @​mohankumarelec!

SSG Redirect Plugin

A new redirectPlugin for SSG generates static HTML redirect pages for HTTP redirect responses (301, 302, 303, 307, 308):

import { toSSG } from 'hono/ssg'
import { defaultPlugin, redirectPlugin } from 'hono/ssg'

const app = new Hono()
app.get('/old', (c) => c.redirect('/new'))
app.get('/new', (c) => c.html('New Page'))

// redirectPlugin must be placed before defaultPlugin
await toSSG(app, fs, {
  plugins: [redirectPlugin(), defaultPlugin()],
})

The generated redirect pages include a <meta http-equiv="refresh"> tag, a canonical link, and a robots noindex meta tag.

Thanks @​3w36zj6!

onAuthSuccess Callback for Basic Auth

The Basic Auth middleware now supports an onAuthSuccess callback that is invoked after successful authentication. This allows you to set context variables or perform logging without re-parsing the Authorization header:

app.use(
  '/auth/*',
  basicAuth({
    username: 'hono',
    password: 'ahotproject',
    onAuthSuccess: (c, username) => {
      c.set('user', { name: username, role: 'admin' })
      console.log(`User ${username} authenticated`)
    },
  })
)

The callback also works with async functions and the verifyUser mode.

Thanks @​AprilNEA!

getConnInfo for AWS Lambda, Cloudflare Pages, and Netlify

getConnInfo() is now available for three additional adapters:

// AWS Lambda (supports API Gateway v1, v2, and ALB)
import { handle, getConnInfo } from 'hono/aws-lambda'

// Cloudflare Pages
import { handle, getConnInfo } from 'hono/cloudflare-pages'

// Netlify
import { handle, getConnInfo } from 'hono/netlify'

app.get('/', (c) => {
  const info = getConnInfo(c)
  return c.text(`Your IP: ${info.remote.address}`)
})

Thanks @​rokasta12!

alwaysRedirect Option for Trailing Slash Middleware

The trailing slash middleware now supports an alwaysRedirect option. When enabled, the middleware redirects before executing handlers, which fixes the issue where trailing slash handling doesn't work with wildcard routes:

app.use(trimTrailingSlash({ alwaysRedirect: true }))

app.get('/my-path/*', async (c) => {
  return c.text('wildcard')
})

// /my-path/something/ will be redirected to /my-path/something
// before the wildcard handler is executed

Progressive Locale Code Truncation

The normalizeLanguage function in the language middleware now supports RFC 4647 Lookup-based progressive truncation. Locale codes like ja-JP will match ja when only the base language is in supportedLanguages:

app.use(
  '/*',
  languageDetector({
    supportedLanguages: ['en', 'ja'],
    fallbackLanguage: 'en',
    order: ['cookie', 'header'],
  })
)

// Accept-Language: ja-JP → matches 'ja'
// Accept-Language: ko-KR → falls back to 'en'

Thanks @​sorafujitani!

exports Field for ExecutionContext

The ExecutionContext type now includes an exports property for Cloudflare Workers. You can use module augmentation to type it with Wrangler's generated types:

import 'hono'

declare module 'hono' {
  interface ExecutionContext {
    readonly exports: Cloudflare.Exports
  }
}

Thanks @​toreis-up!

Performance Improvements

TrieRouter 1.5x ~ 2.0x Faster

The TrieRouter has been significantly optimized with reduced spread syntax usage, O(1) hasChildren checks, lazy regular expression generation, and removal of redundant processes:

Route	Node.js	Deno	Bun
short static GET /user	1.70x	1.40x	1.34x
dynamic GET /user/lookup/username/hey	1.38x	1.69x	1.51x
wildcard GET /static/index.html	1.51x	1.72x	1.43x
all together	1.58x	1.60x	1.82x

Thanks @​EdamAme-x!

Fast Path for c.json()

c.json() now has the same fast path optimization as c.text(). When no custom status, headers, or finalized state exists, the Response is created directly without allocating a Headers object:

// This common pattern is now faster
return c.json({ message: 'Hello' })

Benchmark results:

Metric	Before	After	Change
Reqs/sec	92,268	95,244	+3.2%
Latency	5.42ms	5.25ms	-3.1%
Throughput	17.24MB/s	19.07MB/s	+10.6%

Thanks @​mgcrea!

New features

• feat(client): Add ApplyGlobalResponse type helper for RPC Client #​4556
• feat(ssg): add redirect plugin #​4599
• feat(client): $path #​4636
• feat(basic-auth): add context key and callback options #​4645
• feat(adapter): add getConnInfo for AWS Lambda, Cloudflare Pages, and Netlify #​4649
• feat(trailing-slash): add alwaysRedirect option to support wildcard routes #​4658
• feat(language): add progressive locale code truncation to normalizeLanguage #​4717
• feat(types): Add exports field to ExecutionContext #​4719

Performance

• perf(context): add fast path to c.json() matching c.text() optimization #​4707
• perf(trie-router): improve performance (1.5x ~ 2.0x) #​4724
• perf(context): use createResponseInstance for new Response #​4733

All changes

• fix(jsx/dom): handle empty arrays in render children loop by @​mixelburg in #​4729
• perf(jsx/dom): flatten children once at the start to avoid repeated flattening by @​usualoma in #​4730
• fix(client): skip undefined values in form data serialization by @​aidenlx in #​4732
• feat(client): Add ApplyGlobalResponse type helper for RPC Client by @​mohankumarelec in #​4556
• feat(ssg): add redirect plugin by @​3w36zj6 in #​4599
• feat(client): $path by @​ShaMan123 in #​4636
• feat(basic-auth): add context key and callback options by @​AprilNEA in #​4645
• feat(adapter): add getConnInfo for AWS Lambda, Cloudflare Pages, and Netlify by @​rokasta12 in #​4649
• feat(trailing-slash): add alwaysRedirect option to support wildcard routes by @​yusukebe in #​4658
• perf(context): add fast path to c.json() matching c.text() optimization by @​mgcrea in #​4707
• feat(language): add progressive locale code truncation to normalizeLanguage by @​sorafujitani in #​4717
• feat(types): Add exports field to ExecutionContext by @​toreis-up in #​4719
• perf(trie-router): improve performance (1.5x ~ 2.0x) by @​EdamAme-x in #​4724
• perf(context): use createResponseInstance for new Response by @​yusukebe in #​4733
• Next by @​yusukebe in #​4735

New Contributors

• @​mixelburg made their first contribution in #​4729
• @​aidenlx made their first contribution in #​4732
• @​mohankumarelec made their first contribution in #​4556
• @​ShaMan123 made their first contribution in #​4636
• @​rokasta12 made their first contribution in #​4649
• @​mgcrea made their first contribution in #​4707

Full Changelog: honojs/hono@v4.11.10...v4.12.0

v4.11.10

Compare Source

What's Changed

• fix: fixed to be more properly timing safe (Merge commit from fork 91def7c)

Full Changelog: honojs/hono@v4.11.9...v4.11.10

v4.11.9

Compare Source

v4.11.8

Compare Source

What's Changed

• fix(jsx): preserve context when using await before html helper by @​kaigritun in #​4662
• fix(bearer-auth): make auth-scheme case-insensitive by @​bytaesu in #​4659

New Contributors

• @​kaigritun made their first contribution in #​4662

Full Changelog: honojs/hono@v4.11.7...v4.11.8

v4.11.7

Compare Source

Security Release

This release includes security fixes for multiple vulnerabilities in Hono and related middleware. We recommend upgrading if you are using any of the affected components.

Components

IP Restriction Middleware

Fixed an IPv4 address validation bypass that could allow IP-based access control to be bypassed under certain configurations.

Cache Middleware

Fixed an issue where responses marked with Cache-Control: private or no-store could be cached, potentially leading to information disclosure on some runtimes.

Serve Static Middleware (Cloudflare Workers adapter)

Fixed an issue that could allow unintended access to internal asset keys when serving static files with user-controlled paths.

hono/jsx ErrorBoundary

Fixed a reflected Cross-Site Scripting (XSS) issue in the ErrorBoundary component that could occur when untrusted strings were rendered without proper escaping.

Recommendation

Users are encouraged to upgrade to this release, especially if they:

• Use IP Restriction Middleware
• Use Cache Middleware on Deno, Bun, or Node.js
• Use Serve Static Middleware with user-controlled paths on Cloudflare Workers
• Render untrusted data inside ErrorBoundary components

Security Advisories & CVEs

• IP Restriction Middleware – IPv4 address validation bypass

  • Advisory: GHSA-r354-f388-2fhh
  • CVE: CVE-2026-24398

• Cache Middleware ignores Cache-Control: private

  • Advisory: GHSA-6wqw-2p9w-4vw4
  • CVE: CVE-2026-24472

• Serve Static Middleware (Cloudflare Workers adapter) – Arbitrary key read

  • Advisory: GHSA-w332-q679-j88p
  • CVE: CVE-2026-24473

• hono/jsx ErrorBoundary – Cross-Site Scripting (XSS)

  • Advisory: GHSA-9r54-q6cx-xmh5
  • CVE: Pending

---

Full Changelog: honojs/hono@v4.11.6...v4.11.7

v4.11.6

Compare Source

What's Changed

• refactor: use unique symbol for more accurate typing. by @​usualoma in #​4651
• docs: align CODE_OF_CONDUCT.md wording with Contributor Covenant by @​sano-suguru in #​4630
• fix(sse): handle \r and \r\n line endings in writeSSE by @​AprilNEA in #​4644
• feat(bun): export getBunServer by @​artemtam in #​4626

New Contributors

• @​sano-suguru made their first contribution in #​4630
• @​AprilNEA made their first contribution in #​4644
• @​artemtam made their first contribution in #​4626

Full Changelog: honojs/hono@v4.11.5...v4.11.6

v4.11.5

Compare Source

What's Changed

• fix(client): exclude $all from ClientRequest type by @​paveg in #​4611
• refactor(jwks): mark allowedAlgorithms, so the user can pass a `const… by @​nikeee in #​4641
• feat(jwt): export AlgorithmTypes by @​yusukebe in #​4642

New Contributors

• @​paveg made their first contribution in #​4611
• @​nikeee made their first contribution in #​4641

Full Changelog: honojs/hono@v4.11.4...v4.11.5

v4.11.4

Compare Source

Security

Fixed a JWT algorithm confusion issue in the JWT and JWK/JWKS middleware.

Both middlewares now require an explicit algorithm configuration to prevent the verification algorithm from being influenced by untrusted JWT header values.

If you are using the JWT or JWK/JWKS middleware, please update to the latest version as soon as possible.

JWT middleware

import { jwt } from 'hono/jwt'

app.use(
  '/auth/*',
  jwt({
    secret: 'it-is-very-secret',
    alg: 'HS256', // required
  })
)

JWK/JWKS middleware

import { jwk } from 'hono/jwk'

app.use(
  '/auth/*',
  jwk({
    jwks_uri: 'https://example.com/.well-known/jwks.json',
    alg: ['RS256'], // required (asymmetric algorithms only)
  })
)

For more details, see the Security Advisory.

• GHSA-f67f-6cw9-8mq4
• GHSA-3vhc-576x-3qv4

What's Changed

• test(utils/jwt): add missing algorithm types in jwa.test.ts by @​flathill404 in #​4607
• chore: bump @hono/eslint-config and enable curly rule by @​yusukebe in #​4620
• docs(bun/websocket): Fixed a typo in hono/bun deprecation message and updated test. by @​Itsnotaka in #​4618
• test: support alg option for JWT middleware by @​yusukebe in #​4624

New Contributors

• @​flathill404 made their first contribution in #​4607
• @​Itsnotaka made their first contribution in #​4618

Full Changelog: honojs/hono@v4.11.3...v4.11.4

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

🎨 今日のランダム画像

---

📸 Photo by @iro_iro_iroo
🔗 元の投稿を見る

---

PR作成お疲れ様です！

[github-actions]

Preview Deploy

Status: ✅ デプロイ完了

Preview URL: https://pr-128-blog.sh1ma.workers.dev

---

このプレビューはPRがクローズされるまで利用可能です。

[github-actions]

Visual Regression Test Results

Status: ❌ ビジュアルの差分を検出

差分画像

レポートを確認

---

これらの変更が意図的なものである場合、PRテンプレートの「スナップショットを更新する」にチェックを入れて再実行してください。