Summary
- normalize backslashes in serve-static
- export Context class publicly
- add compress contentTypeFilter option
Links
Resources
Recent
Latest Release Posts
Summary
- msgpack added as compressible type
- compression now respects Accept-Encoding
- mime charset set per MIME type
Summary
- app.mount percent-encoding fix
- IPv6 deny-bypass resolved
- Set-Cookie and JWT validation hardened
Summary
- route base path preserved
- jsx children typed as Child[]
- new contributor ashunar0
Summary
- typed bearer-auth verifyToken
- cache keys respect Vary headers
- node-server v2 improves stream abort handling
Summary
- Fixes cross-user cache leakage
- Prevents CSS declaration injection in JSX SSR
- Corrects JWT numeric-date validation
Summary
- Normalize SVG root attributes
- Add atom+xml and rss+xml mappings
- Make CORS origin optional
Summary
- HTML injection fix in hono/jsx
- bodyLimit() bypass fixed for chunked requests
- Upgrade to v4.12.16 recommended
Summary
- Supports single-line PEM keys
- Fixes JWT key parsing bug
- Patch release v4.12.15
Summary
- JSX attribute-name validation added
- Fix for invalid AWS Lambda header handling
- Upgrade to v4.12.14 recommended
Summary
- Type inference fixed for app.on handlers
- trailing-slash middleware gains skip option
- cache adds onCacheNotAvailable callback
Summary
- Serve Static bypass via repeated slashes fixed
- toSSG path traversal write-out patched
- Cookie-name and IPv4-mapped IPv6 IP fixes
Summary
- classNameSlug option added
- createCssContext customization
- first-time contributor @flow-pie
Summary
- select value applied after children render
- compress converts strong ETag to weak
- docs, tests, and JSDoc improvements
Summary
- TypeError fix in request body cache
- New PickResponseByStatusCode TypeScript type
- CORS now reflects origin when credentials=true
Summary
- Normalize MIME extension to lowercase
- Escape regex in bearer-auth prefix
- Patch release — no breaking changes
Summary
- Prototype pollution patch
- parseBody({ dot: true }) ignores __proto__
- Upgrade recommended for untrusted input
Summary
- ReDoS mitigation in accept parsing
- JSX renderer supports function-based options
- Avoid deprecation on Node.js 24 for lambda-edge
Summary
- param() returns string | undefined for any path
- JWT decode functions now validate token format
- Fix JSX controller already closed error
Summary
- SSE control field injection fixed
- Cookie attribute injection fixed
- Serve Static URL-decoding bypass fixed