v4.10.8

What's Changed

• chore: bump linter and formatter by @ryuapp in #4568
• chore: bump github actions by @ryuapp in #4569
• fix(linear-router): incorrect path matching by @cromery in #4567
• docs(cookie): update outdated RFC links by @AyushCoder9 in #4557
• feat(csrf): Support async IsAllowedOriginHandler by @baseballyama in #4558
• feat(csrf): Support async IsAllowedSecFetchSiteHandler by @baseballyama in #4559

New Contributors

• @cromery made their first contribution in #4567
• @AyushCoder9 made their first contribution in #4557
• @baseballyama made their first contribution in #4558

Full Changelog: v4.10.7...v4.10.8

v4.10.7

What's Changed

• fix(validator): fix incomplete types and wrong tests by @EdamAme-x in #4521
• refactor(types): delete type NotSpecified and StrictVerifyOptions by @ysknsid25 in #4525
• fix: add JSX type for hono/jsx/dom by @ssssota in #4534
• fix(adapter/bun): fix TypeError: null is not an object (#4429) by @brenc in #4538
• chore: add config version to bun.lock by @yusukebe in #4548

New Contributors

• @ysknsid25 made their first contribution in #4525
• @brenc made their first contribution in #4538

Full Changelog: v4.10.6...v4.10.7

v4.10.6

Deperecated

bearer-auth options

The following options are deprecated and will be removed in a future version:

• noAuthenticationHeaderMessage => use noAuthenticationHeader.message
• invalidAuthenticationHeaderMessage => use invalidAuthenticationHeader.message
• invalidTokenMessage => use invalidToken.message

What's Changed

• feat(aws-lambda): handle AWS Lattice events by @anho in #4451
• feat(secure-headers): support CSP TrustedTypePolicy by @RosApr in #4500
• feat: Improve auth middlewares by @MathurAditya724 in #4485

New Contributors

• @anho made their first contribution in #4451

Full Changelog: v4.10.5...v4.10.6

v4.10.5

What's Changed

• docs(CONTRIBUTING): use bun instead of yarn in local development setup by @taichi-1 in #4503
• docs: grammar issue by @WuMingDao in #4508
• fix(utils/url): make _getQueryParam search behind question mark by @tuzi3040 in #4507
• fix(jsx): self-close wrapped empty tags by @jakelee8 in #4511
• chore: improve private field removal by @BlankParticle in #4513
• fix(middleware/cache): skip caching when Vary: * is present by @pHo9UBenaA in #4504

New Contributors

• @taichi-1 made their first contribution in #4503
• @WuMingDao made their first contribution in #4508
• @tuzi3040 made their first contribution in #4507
• @jakelee8 made their first contribution in #4511
• @pHo9UBenaA made their first contribution in #4504

Full Changelog: v4.10.4...v4.10.5

v4.10.4

What's Changed

• chore: add a monochrome logo image by @yusukebe in #4487
• chore: fix the monochrome logo by @yusukebe in #4488
• fix(secure-headers): proposed features typo spelling mistake by @RosApr in #4494
• fix(types): preserve handler response typing in createHandlers by @s-junio in #4492

New Contributors

• @RosApr made their first contribution in #4494
• @s-junio made their first contribution in #4492

Full Changelog: v4.10.3...v4.10.4

v4.10.3

Securiy Fix

A security issue in the CORS middleware has been fixed. In some cases, a request header could affect the Vary response header. Please update to the latest version if you are using the CORS middleware.

What's Changed

• fix(aws-lambda): serve microsoft office files as binary in lambda handler by @matthiasfeist in #4469
• fix(request-id): validation accepts = by @ryuapp in #4478
• refactor(jwt): reduce the size of the code generated by minification by @usualoma in #4480

New Contributors

• @matthiasfeist made their first contribution in #4469

Full Changelog: v4.10.2...v4.10.3

v4.10.2

Security hardening improvement

If you are using JWT middleware, please read the following and consider applying the configuration.

Improper Authorization in Hono (JWT Audience Validation)

Hono’s JWT authentication middleware did not validate the aud (Audience) claim by default. As a result, applications using the middleware without an explicit audience check could accept tokens intended for other audiences, leading to potential cross-service access (token mix-up).

The issue is addressed by adding a new verification.aud configuration option to allow RFC 7519–compliant audience validation. This change is classified as a security hardening improvement, but the lack of validation can still be considered a vulnerability in deployments that rely on default JWT verification.

Recommended secure configuration

You can enable RFC 7519–compliant audience validation using the new verification.aud option:

import { Hono } from 'hono'
import { jwt } from 'hono/jwt'

const app = new Hono()

app.use(
  '/api/*',
  jwt({
    secret: 'my-secret',
    verification: {
      // Require this API to only accept tokens with aud = 'service-a'
      aud: 'service-a',
    },
  })
)

What's Changed

• tests: Fix test case of handlers without a path by @IAmSSH in #4472

New Contributors

• @IAmSSH made their first contribution in #4472

Full Changelog: v4.10.1...v4.10.2

v4.10.1

What's Changed

• fix(types): cannot .use non-return mw from createMiddleware by @NamesMT in #4465

Full Changelog: v4.10.0...v4.10.1

v4.10.0

Release Notes

Hono v4.10.0 is now available!

This release brings improved TypeScript support and new utilities.

The main highlight is the enhanced middleware type definitions that solve a long-standing issue with type safety for RPC clients.

Middleware Type Improvements

Imagine the following app:

import { Hono } from 'hono'

const app = new Hono()

const routes = app.get(
  '/',
  (c) => {
    return c.json({ errorMessage: 'Error!' }, 500)
  },
  (c) => {
    return c.json({ message: 'Success!' }, 200)
  }
)

The client with RPC:

import { hc } from 'hono/client'

const client = hc<typeof routes>('/')

const res = await client.index.$get()

if (res.status === 500) {
}

if (res.status === 200) {
}

Previously, it couldn't infer the responses from middleware, so a type error was thrown.

Now the responses are correctly typed.

---

This was a long-standing issue and we were thinking it was super difficult to resolve it. But now come true.

Thank you for the great work @slawekkolodziej!

cloneRawRequest Utility

The new cloneRawRequest utility allows you to clone the raw Request object after it has been consumed by validators or middleware.

import { cloneRawRequest } from 'hono/request'

app.post('/api', async (c) => {
  const body = await c.req.json()

  // Clone the consumed request
  const clonedRequest = cloneRawRequest(c.req)
  await externalLibrary.process(clonedRequest)
})

Thanks @kamaal111!

New features

• feat(types): passing middleware types #4393
• feat(ssg): add default plugin that defines the recommended behavior #4394
• feat(request): add cloneRawRequest utility for request cloning #4382

All changes

• feat(types): passing middleware types by @slawekkolodziej in #4393
• feat(ssg): add default plugin that defines the recommended behavior by @3w36zj6 in #4394
• feat(request): add cloneRawRequest utility for request cloning by @kamaal111 in #4382
• fix(proxy): Correct hop-by-hop header handling per RFC 9110 by @sugar-cat7 in #4459

New Contributors

• @slawekkolodziej made their first contribution in #4393
• @kamaal111 made their first contribution in #4382

Full Changelog: v4.9.12...v4.10.0

v4.9.12

What's Changed

• refactor: internal structure of PreparedRegExpRouter for optimization and added tests by @usualoma in #4456
• refactor: use protected methods instead of computed properties to allow tree shaking by @usualoma in #4458

Full Changelog: v4.9.11...v4.9.12