要点だけを先に読めるように短く再構成したセクションです。
元記事Quick Digest
要点だけを先に読めるように短く再構成したセクションです。
Key Points
この記事は 2026-05-19 に公開された「v4.12.21」の内容を日本語で簡潔にまとめたものです。
Full Translation
原文の流れを保ったまま読める翻訳セクションです。
v4.12.21(原文タイトル)
公開日: 2026-05-19 翻訳生成に失敗したため、原文をそのまま保存しています。
honojs / hono Public Uh oh! There was an error while loading. Please reload this page . Notifications You must be signed in to change notification settings Fork 1.1k Star 30.5k Code Issues 260 Pull requests 103 Discussions Actions Security and quality 35 Insights Additional navigation options Code Issues Pull requests Discussions Actions Security and quality Insights Releases v4.12.21 v4.12.21 Latest Latest Compare Choose a tag to compare Sorry, something went wrong. Filter Loading Sorry, something went wrong. Uh oh! There was an error while loading. Please reload this page . No results found View all tags yusukebe released this 19 May 11:40 v4.12.21 a83ddb8 Security fixes This release includes fixes for the following security issues: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths Affects: app.mount() . Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3 IP Restriction bypasses static deny rules for non-canonical IPv6 Affects: hono/ip-restriction . Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5 Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection Affects: hono/cookie . Fixes missing validation of sameSite and priority options against injection characters ( ; , \r , \n ), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x JWT middleware accepts any Authorization scheme, not only Bearer Affects: hono/jwt , hono/jwk . Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474 Users who use app.mount() , hono/ip-restriction , hono/cookie , or hono/jwt / hono/jwk are encouraged to upgrade to this version. Assets 2 Loading Uh oh! There was an error while loading. Please reload this page . --> ❤️ 2 sant123 and pevdokimov1537 reacted with heart emoji 🚀 4 kfly8, orielhaim, meitrix8208, and maciejcieslar reacted with rocket emoji All reactions ❤️ 2 reactions 🚀 4 reactions 6 people reacted