What's Changed

• fix(client): exclude $all from ClientRequest type by @paveg in #4611
• refactor(jwks): mark allowedAlgorithms, so the user can pass a `const… by @nikeee in #4641
• feat(jwt): export AlgorithmTypes by @yusukebe in #4642

New Contributors

• @paveg made their first contribution in #4611
• @nikeee made their first contribution in #4641

Full Changelog: v4.11.4...v4.11.5

Security

Fixed a JWT algorithm confusion issue in the JWT and JWK/JWKS middleware.

Both middlewares now require an explicit algorithm configuration to prevent the verification algorithm from being influenced by untrusted JWT header values.

If you are using the JWT or JWK/JWKS middleware, please update to the latest version as soon as possible.

JWT middleware

import { jwt } from 'hono/jwt'

app.use(
  '/auth/*',
  jwt({
    secret: 'it-is-very-secret',
    alg: 'HS256', // required
  })
)

JWK/JWKS middleware

import { jwk } from 'hono/jwk'

app.use(
  '/auth/*',
  jwk({
    jwks_uri: 'https://example.com/.well-known/jwks.json',
    alg: ['RS256'], // required (asymmetric algorithms only)
  })
)

For more details, see the Security Advisory.

• GHSA-f67f-6cw9-8mq4
• GHSA-3vhc-576x-3qv4

What's Changed

• test(utils/jwt): add missing algorithm types in jwa.test.ts by @flathill404 in #4607
• chore: bump @hono/eslint-config and enable curly rule by @yusukebe in #4620
• docs(bun/websocket): Fixed a typo in hono/bun deprecation message and updated test. by @Itsnotaka in #4618
• test: support alg option for JWT middleware by @yusukebe in #4624

New Contributors

• @flathill404 made their first contribution in #4607
• @Itsnotaka made their first contribution in #4618

Full Changelog: v4.11.3...v4.11.4

What's Changed

• fix(types): fix middleware union type merging in MergeMiddlewareResponse by @yusukebe in #4602

Full Changelog: v4.11.2...v4.11.3

What's Changed

• docs: improve grammar in contributing documentation by @Ishiezz in #4581
• fix(validator): preserve literal union types in input type inference by @yusukebe in #4583
• chore: bump typescript-go preview for accurate benchmarking by @sushichan044 in #4586
• refactor(hono-base): add type annotations by @yusukebe in #4591
• refactor(client): refactor HonoURL types by @yusukebe in #4592
• perf(types): reduce Simplify in ToSchema by @yusukebe in #4597
• perf(types): optimize MergeMiddlewareResponse type by @yusukebe in #4598

New Contributors

• @Ishiezz made their first contribution in #4581

Full Changelog: v4.11.1...v4.11.2

What's Changed

• fix(types): fix app.on method array type inference by @kosei28 in #4578

Full Changelog: v4.11.0...v4.11.1

Release Notes

Hono v4.11.0 is now available!

This release includes new features for the Hono client, middleware improvements, and an important type system fix.

Type System Fix for Middleware

We've fixed a bug in the type system for middleware. Previously, app did not have the correct type with pathless handlers:

const app = new Hono()
  .use(async (c, next) => {
    await next()
  })
  .get('/a', async (c, next) => {
    await next()
  })
  .get((c) => {
    return c.text('Hello')
  })

// app's type was incorrect

This has now been fixed.

Thanks @kosei28!

Typed URL for Hono Client

You can now pass the base URL as the second type parameter to hc to get more precise URL types:

const client = hc<typeof app, 'http://localhost:8787'>(
  'http://localhost:8787/'
)

const url = client.api.posts.$url()
// url is TypedURL with precise type information
// including protocol, host, and path

This is useful when you want to use the URL as a type-safe key for libraries like SWR.

Thanks @miyaji255!

Custom NotFoundResponse Type

You can now customize the NotFoundResponse type using module augmentation. This allows c.notFound() to return a typed response:

import { Hono, TypedResponse } from 'hono'

declare module 'hono' {
  interface NotFoundResponse
    extends Response,
      TypedResponse<{ error: string }, 404, 'json'> {}
}

const app = new Hono()
  .get('/posts/:id', async (c) => {
    const post = await getPost(c.req.param('id'))
    if (!post) {
      return c.notFound()
    }
    return c.json({ post }, 200)
  })
  .notFound((c) => c.json({ error: 'not found' }, 404))

Now the client can correctly infer the 404 response type.

Thanks @miyaji255!

tryGetContext Helper

The new tryGetContext() helper in the Context Storage middleware returns undefined instead of throwing an error when the context is not available:

import { tryGetContext } from 'hono/context-storage'

const context = tryGetContext<Env>()
if (context) {
  // Context is available
  console.log(context.var.message)
}

Thanks @AyushCoder9!

Custom Query Serializer

You can now customize how query parameters are serialized using the buildSearchParams option:

const client = hc<AppType>('http://localhost', {
  buildSearchParams: (query) => {
    const searchParams = new URLSearchParams()
    for (const [k, v] of Object.entries(query)) {
      if (v === undefined) continue
      if (Array.isArray(v)) {
        v.forEach((item) => searchParams.append(`${k}[]`, item))
      } else {
        searchParams.set(k, v)
      }
    }
    return searchParams
  },
})

Thanks @bolasblack!

New features

• feat(types): make Hono client's $url return the exact URL type #4502
• feat(types): enhance NotFoundHandler to support custom NotFoundResponse type #4518
• feat(timing): add wrapTime to simplify usage #4519
• feat(pretty-json): support force option #4531
• feat(client): add buildSearchParams option to customize query serialization #4535
• feat(context-storage): add optional tryGetContext helper #4539
• feat(secure-headers): add CSP report-to and report-uri directive support #4555
• fix(types): replace schema-based path tracking with CurrentPath parameter #4552

All changes

• chore: update esbuild to version 0.27.1 by @kosei28 in #4571
• fix(hono/jsx): display blank when children is nullish by @techfish-11 in #4573
• feat(types): make Hono client's $url return the exact URL type by @miyaji255 in #4502
• feat(types): enhance NotFoundHandler to support custom NotFoundResponse type by @miyaji255 in #4518
• feat(timing): add wrapTime to simplify usage by @PassiDel in #4519
• feat(pretty-json): support force option by @missinglink in #4531
• feat(context-storage): Add optional tryGetContext helper to context-storage middleware by @AyushCoder9 in #4539
• feat(client): add buildSearchParams option to customize query serialization by @bolasblack in #4535
• feat(secure-headers): Add CSP report-to and report-uri directive support by @cruzz77 in #4555
• fix(types): replace schema-based path tracking with CurrentPath parameter by @kosei28 in #4552
• Next by @yusukebe in #4574

New Contributors

• @missinglink made their first contribution in #4531
• @bolasblack made their first contribution in #4535
• @cruzz77 made their first contribution in #4555

Full Changelog: v4.10.8...v4.11.0

What's Changed

• chore: bump linter and formatter by @ryuapp in #4568
• chore: bump github actions by @ryuapp in #4569
• fix(linear-router): incorrect path matching by @cromery in #4567
• docs(cookie): update outdated RFC links by @AyushCoder9 in #4557
• feat(csrf): Support async IsAllowedOriginHandler by @baseballyama in #4558
• feat(csrf): Support async IsAllowedSecFetchSiteHandler by @baseballyama in #4559

New Contributors

• @cromery made their first contribution in #4567
• @AyushCoder9 made their first contribution in #4557
• @baseballyama made their first contribution in #4558

Full Changelog: v4.10.7...v4.10.8

What's Changed

• fix(validator): fix incomplete types and wrong tests by @EdamAme-x in #4521
• refactor(types): delete type NotSpecified and StrictVerifyOptions by @ysknsid25 in #4525
• fix: add JSX type for hono/jsx/dom by @ssssota in #4534
• fix(adapter/bun): fix TypeError: null is not an object (#4429) by @brenc in #4538
• chore: add config version to bun.lock by @yusukebe in #4548

New Contributors

• @ysknsid25 made their first contribution in #4525
• @brenc made their first contribution in #4538

Full Changelog: v4.10.6...v4.10.7

Deperecated

bearer-auth options

The following options are deprecated and will be removed in a future version:

• noAuthenticationHeaderMessage => use noAuthenticationHeader.message
• invalidAuthenticationHeaderMessage => use invalidAuthenticationHeader.message
• invalidTokenMessage => use invalidToken.message

What's Changed

• feat(aws-lambda): handle AWS Lattice events by @anho in #4451
• feat(secure-headers): support CSP TrustedTypePolicy by @RosApr in #4500
• feat: Improve auth middlewares by @MathurAditya724 in #4485

New Contributors

• @anho made their first contribution in #4451

Full Changelog: v4.10.5...v4.10.6

What's Changed

• docs(CONTRIBUTING): use bun instead of yarn in local development setup by @taichi-1 in #4503
• docs: grammar issue by @WuMingDao in #4508
• fix(utils/url): make _getQueryParam search behind question mark by @tuzi3040 in #4507
• fix(jsx): self-close wrapped empty tags by @jakelee8 in #4511
• chore: improve private field removal by @BlankParticle in #4513
• fix(middleware/cache): skip caching when Vary: * is present by @pHo9UBenaA in #4504

New Contributors

• @taichi-1 made their first contribution in #4503
• @WuMingDao made their first contribution in #4508
• @tuzi3040 made their first contribution in #4507
• @jakelee8 made their first contribution in #4511
• @pHo9UBenaA made their first contribution in #4504

Full Changelog: v4.10.4...v4.10.5