Key Points
- Fixes cross-user cache leakage
- Prevents CSS declaration injection in JSX SSR
- Corrects JWT numeric-date validation
Summary
Release v4.12.18 (2026-05-06T11:39:35.000Z) addresses three security vulnerabilities impacting Cache middleware, the JSX SSR renderer, and JWT claim validation. This is a security-only patch; users of the JWT helper, hono/jsx, or Cache middleware should upgrade promptly.
Key Points
- Cache middleware: fixed missing handling of Vary: Authorization and Vary: Cookie that could cause cross-user cache leakage. (Affected: Cache Middleware)
- JSX SSR (hono/jsx): fixed CSS declaration injection via style object values and property names by adding proper CSS-context escaping. Impact limited to CSS (no JS execution). (GHSA-qp7p-654g-cw7p)
- JWT verification (hono/utils/jwt): corrected improper validation of NumericDate claims (exp, nbf, iat) so falsy, non-finite, or non-numeric values no longer bypass time checks; now follows RFC 7519 expectations. (GHSA-hm8q-7f3q-5f36)
Recommended actions for engineers:
- Upgrade to v4.12.18 as soon as possible.
- If you cannot upgrade immediately, ensure your cache respects Vary headers for Authorization/Cookie, escape or sanitize style object inputs in server-rendered JSX, and validate JWT numeric-date claims strictly per RFC 7519.
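
The strict NumericDate validation recommended above, as an added example that is not Hono's code: a truthiness-guarded time check beside a strict one, run over constructed payloads. The function names, the sample clock value and the rule rejecting an iat in the future are assumptions of this example.

```javascript
// Added example; not Hono's source. Function names are hypothetical.
const NOW = 1800000000; // constructed "current time", seconds since epoch

// Loose pattern: a truthiness guard in front of each comparison.
function looseTimeCheck(p, now) {
  if (p.exp && p.exp <= now) return 'expired';
  if (p.nbf && p.nbf > now) return 'not-yet-valid';
  if (p.iat && p.iat > now) return 'issued-in-future';
  return 'ok';
}

// Strict pattern: a claim that is present must be a finite number
// (RFC 7519 NumericDate) before it is compared with the clock.
function strictTimeCheck(p, now) {
  for (const name of ['exp', 'nbf', 'iat']) {
    if (!Object.prototype.hasOwnProperty.call(p, name)) continue; // absent claim is optional
    const v = p[name];
    if (typeof v !== 'number' || !Number.isFinite(v)) return `invalid-${name}`;
  }
  if (p.exp !== undefined && p.exp <= now) return 'expired';
  if (p.nbf !== undefined && p.nbf > now) return 'not-yet-valid';
  if (p.iat !== undefined && p.iat > now) return 'issued-in-future'; // example policy
  return 'ok';
}

// Constructed payloads, kept as JSON text so the values are what a decoder yields.
const SAMPLES = [
  '{"exp":1800000060,"nbf":1799999940,"iat":1799999940}', // well-formed, in window
  '{"exp":1799999999}',                                   // well-formed, expired
  '{"exp":0}',       // falsy number
  '{"exp":""}',      // falsy string
  '{"exp":null}',    // falsy null
  '{"exp":"soon"}',  // non-numeric: comparison with a number is always false
  '{"exp":1e999}',   // JSON.parse yields Infinity (non-finite)
  '{"nbf":false}',   // falsy boolean
];

function compareChecks(now = NOW) {
  return SAMPLES.map((json) => {
    const p = JSON.parse(json);
    return { json, loose: looseTimeCheck(p, now), strict: strictTimeCheck(p, now) };
  });
}

for (const r of compareChecks()) {
  console.log(r.json.padEnd(54), r.loose.padEnd(8), r.strict);
}
```

Every malformed sample passes the loose check as "ok", while the strict check either rejects the claim as invalid or, for exp 0, treats it as long expired.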