Summary

v4.12.19 bundles several bug fixes, small features, and a dependency upgrade. Key items include CI pinning, making serveStatic options optional across adapters, returning the first cookie when duplicates exist, generic typing for bearerAuth.verifyToken, cache keying that respects configured Vary headers, a new request.bytes() helper, and an upgrade of @hono/node-server to v2 with improved abort handling.

Key Points

• ci: GitHub Actions workflows are now pinned to commit SHAs to improve reproducibility; maintainers should expect locked action versions.
• serveStatic: the options parameter is optional in all adapters—calling sites that passed undefined should continue to work.
• cookie: when multiple cookies share the same name, the first cookie is now returned—check code that relied on prior ordering.
• bearer-auth: verifyToken is now generic for typed context — TypeScript users can provide stronger context typing for auth flows.
• cache: entries are keyed by the configured Vary headers, which can change cache hit/miss behavior; verify caching for endpoints using Vary.
• request: added request.bytes() to read raw request bytes for binary payloads or custom parsing.
• stream/server: @hono/node-server upgraded to v2 and abort handling for streams was fixed—test streaming endpoints and client abort scenarios.

Upgrade guidance

• Run existing test suites for streaming, caching, and cookie-parsing flows.
• Update TypeScript typings where you use bearerAuth.verifyToken to take advantage of the new generics.
• Repo maintainers should be aware of pinned Actions SHAs when updating CI workflows.