Skip to content

Releases: honojs/hono

v4.6.5

15 Oct 08:38
@yusukebe yusukebe
v4.6.5
89a0ac1
Compare
Choose a tag to compare
v4.6.5 Latest
Latest

Security fix for CSRF Protection Middleware

This release includes a security fix for CSRF Protection Middleware. If you are using CSRF Protection Middleware, please upgrade this hono package immediately.

Before this release, a request without a Content-Type header can bypass the protection. This fix does not allow it. See: GHSA-2234-fmw7-43wr

What's Changed

New Contributors

Full Changelog: v4.6.4...v4.6.5

Contributors

yusukebe, PatrickJS, and 3 other contributors
Assets 2
Loading

v4.6.4

11 Oct 08:30
@yusukebe yusukebe
v4.6.4
7c36339
Compare
Choose a tag to compare
v4.6.4

What's Changed

  • chore: upgrade dependencies by @yusukebe in #3446
  • chore: remove crypto-js from dev dependencies by @yusukebe in #3447
  • chore(test): suppress no-unused-vars "'x' is assigned a value but only used as type" by @exoego in #3451
  • chore(test): include bun coverage by @exoego in #3457
  • test(deno): remove duplicated app.get by @exoego in #3469
  • fix(types): add key to IntrinsicAttributes by @codehz in #3474
  • fix(factory): relax Bindings and Variables for createMiddleware by @yusukebe in #3498
  • fix(service-worker): bind fetch to globalThis by @sapphi-red in #3500
  • refactor(jsx): add override to toStringToBuffer in classes extending JSXNode by @yusukebe in #3505

New Contributors

Full Changelog: v4.6.3...v4.6.4

Contributors

yusukebe, exoego, and 2 other contributors
Assets 2
Loading

v4.6.3

24 Sep 03:36
@yusukebe yusukebe
v4.6.3
c34e602
Compare
Choose a tag to compare
v4.6.3

This release has many new features, but each feature is small, so we've released it as a patch release.

What's Changed

  • chore: rename runtime_tests to runtime-tests by @yusukebe in #3419
  • ci: Type check perf by @m-shaka in #3406
  • refactor(jsx/streaming): Clarified the type of renderToReadableStream. by @usualoma in #3434
  • perf(types): use homomorphic mapped type to reduce conditional branches by @m-shaka in #3440
  • ci: prettify type check result and rm a comment by @m-shaka in #3442
  • fix(types): useSyncExternalStore type by @codehz in #3437
  • fix(combine/every): make every middleware work with short-circuiting middlewares by @paolostyle in #3441
  • feat(secureHeader): add CSP Report-Only mode support by @isoppp in #3413
  • feat(jwt): make JwtVariables generic for improved type safety by @TinsFox in #3428
  • feat(request): Make request.ts available throught JSR for frameworks that need to instantiate HonoRequest by @Sorikairox in #3425
  • feat(jsx/precompile): Normalization and stringification of attribute values as renderToString by @usualoma in #3432
  • feat(serve-static): support absolute root by @yusukebe in #3420

New Contributors

Full Changelog: v4.6.2...v4.6.3

Contributors

yusukebe, usualoma, and 6 other contributors
Assets 2
Loading

v4.6.2

17 Sep 01:16
@yusukebe yusukebe
v4.6.2
b5c6285
Compare
Choose a tag to compare
v4.6.2

What's Changed

  • chore(lint): ESLint v9 by @yusukebe in #3393
  • perf(serve-static): performance optimization for precompressed feature by @usualoma in #3414
  • fix(serve-static): use application/octet-stream if the mime type is not detected by @usualoma in #3415

Full Changelog: v4.6.1...v4.6.2

Contributors

yusukebe and usualoma
Assets 2
Loading

v4.6.1

11 Sep 13:47
@yusukebe yusukebe
v4.6.1
e0d17a3
Compare
Choose a tag to compare
v4.6.1

What's Changed

  • fix(build): improve addExtension esbuild plugin by @kt3k in #3405

New Contributors

Full Changelog: v4.6.0...v4.6.1

Contributors

kt3k
Assets 2
Loading

v4.6.0

11 Sep 12:16
@yusukebe yusukebe
v4.6.0
73ff6c0
Compare
Choose a tag to compare
v4.6.0

Hono v4.6.0 is now available!

One of the highlights of this release is the Context Storage Middleware. Let's introduce it.

Context Storage Middleware

Many users may have been waiting for this feature. The Context Storage Middleware uses AsyncLocalStorage to allow handling of the current Context object even outside of handlers.

For example, let’s define a Hono app with a variable message: string.

type Env = {
  Variables: {
    message: string
  }
}

const app = new Hono<Env>()

To enable Context Storage Middleware, register contextStorage() as middleware at the top and set the message value.

import { contextStorage } from 'hono/context-storage'

//...

app.use(contextStorage())

app.use(async (c, next) => {
  c.set('message', 'Hello!')
  await next()
})

getContext() returns the current Context object, allowing you to get the value of the message variable outside the handler.

import { getContext } from 'hono/context-storage'

app.get('/', (c) => {
  return c.text(getMessage())
})

// Access the variable outside the handler.
const getMessage = () => {
  return getContext<Env>().var.message
}

In the case of Cloudflare Workers, you can also access the Bindings outside the handler by using this middleware.

type Env = {
  Bindings: {
    KV: KVNamespace
  }
}

const app = new Hono<Env>()

app.use(contextStorage())

const setKV = (value: string) => {
  return getContext<Env>().env.KV.put('key', value)
}

Thanks @marceloverdijk !

New features

  • feat(secureHeader): add Permissions-Policy header to secure headers middleware #3314
  • feat(cloudflare-pages): enable c.env.eventContext in handleMiddleware #3332
  • feat(websocket): Add generics type to WSContext #3337
  • feat(jsx-renderer): set Content-Encoding when stream is true #3355
  • feat(serveStatic): add precompressed option #3366
  • feat(helper/streaming): Support Promise<string> or (async) JSX.Element in streamSSE #3344
  • feat(context): make fetch Response headers mutable #3318
  • feat(serve-static): add onFound option #3396
  • feat(basic-auth): added custom response message option #3371
  • feat(bearer-auth): added custom response message options #3372

Other changes

  • chore(jsx-renderer): fix typo in JSDoc by @taga3s in #3378
  • chore(deno): use the latest jsr libraries for testing by @ryuapp in #3375
  • fix(secure-headers): optimize getPermissionsPolicyDirectives function by @kbkn3 in #3398
  • fix(bearer-auth): typo by @yusukebe in #3404

New Contributors

Full Changelog: v4.5.11...v4.6.0

Contributors

yusukebe, marceloverdijk, and 5 other contributors
Assets 2
Loading

v4.5.11

03 Sep 08:16
@yusukebe yusukebe
v4.5.11
3500404
Compare
Choose a tag to compare
v4.5.11

What's Changed

New Contributors

Full Changelog: v4.5.10...v4.5.11

Contributors

yusukebe, usualoma, and 2 other contributors
Assets 2
Loading

v4.5.10

31 Aug 02:34
@yusukebe yusukebe
v4.5.10
040b0d4
Compare
Choose a tag to compare
v4.5.10

What's Changed

New Contributors

Full Changelog: v4.5.9...v4.5.10

Contributors

marceloverdijk, ssssota, and 2 other contributors
Assets 2
Loading

v4.5.9

26 Aug 12:35
@yusukebe yusukebe
v4.5.9
f9349ec
Compare
Choose a tag to compare
v4.5.9

What's Changed

  • test(types): broken test in future versions of typescript by @m-shaka in #3310
  • fix(utils/color): Deno does not require permission for NO_COLOR by @ryuapp in #3306
  • feat(jsx): improve type (MIME) attribute types by @ssssota in #3305
  • feat(pretty-json): support custom query by @nakasyou in #3300

Full Changelog: v4.5.8...v4.5.9

Contributors

m-shaka, ssssota, and 2 other contributors
Assets 2
Loading

v4.5.8

22 Aug 07:14
@yusukebe yusukebe
v4.5.8
d1c7f6f
Compare
Choose a tag to compare
v4.5.8

Security Fix for CSRF Protection Middleware

Before this release, in versions 4.5.7 and below, the CSRF Protection Middleware did not treat requests including Content-Types with uppercase letters (e.g., Application/x-www-form-urlencoded) as potential attacks, allowing them to pass.

This could cause unexpected behavior, leading to a vulnerability. If you are using the CSRF Protection Middleware, please upgrade to version 4.5.8 or higher immediately.

For more details, see the report here: GHSA-rpfr-3m35-5vx5

Assets 2
Loading