What's Changed

• fix(types): JSONParsed infer unknown values by @BarryThePenguin in #4405
• refactor(types): remove SimplifyDeepArray from json types by @BarryThePenguin in #4406
• refactor(types): fix the type definitions in hono-base by @yusukebe in #4407
• fix(request): return empty string for empty catch-all param by @amitksingh0880 in #4395

New Contributors

• @amitksingh0880 made their first contribution in #4395

Full Changelog: v4.9.7...v4.9.8

Security

• Fixed an issue in the bodyLimit middleware where the body size limit could be bypassed when both Content-Length and Transfer-Encoding headers were present. If you are using this middleware, please update immediately. Security Advisory

What's Changed

• fix(client): Fix parseResponse not parsing json in react native by @lr0pb in #4399
• chore: add .tool-versions file by @3w36zj6 in #4397
• chore: update bun install commands to use --frozen-lockfile by @3w36zj6 in #4398
• test(jwk): Add tests of JWK token verification by @buckett in #4402

New Contributors

• @lr0pb made their first contribution in #4399
• @buckett made their first contribution in #4402

Full Changelog: v4.9.6...v4.9.7

Security

Fixed a bug in URL path parsing (getPath) that could cause path confusion under malformed requests.

If you rely on reverse proxies (e.g. Nginx) for ACLs or restrict access to endpoints like /admin, please update immediately.

See advisory for details: GHSA-9hp6-4448-45g2

What's Changed

• chore: update packages in the router bench by @yusukebe in #4386
• chore(benchmarks): remove comment-out from router bench by @yusukebe in #4387

Full Changelog: v4.9.5...v4.9.6

What's Changed

• chore: replace supertest with undici by @BarryThePenguin in #4365
• fix(aws-lambda): preserve percent-encoded values in query strings by @yusukebe in #4372
• feat(cors): Allow async functions for origin and allowMethods by @jobrk in #4373
• feat(cors): Correct origin function return type asynchronously returning null or undefined for origin by @jobrk in #4375
• fix(service-worker): correct args for app.fetch in handle by @yusukebe in #4374
• fix(language-detector): Detect language from path after getPath changed by @iflamed in #4369

New Contributors

• @jobrk made their first contribution in #4373
• @iflamed made their first contribution in #4369

Full Changelog: v4.9.4...v4.9.5

What's Changed

• chore: add a type cast to run deno publish by @yusukebe in #4364

Full Changelog: v4.9.3...v4.9.4

What's Changed

• feat(csrf): Add modern CSRF protection with Fetch Metadata support by @meck93 in #4353
• tests: use vitest projects by @BarryThePenguin in #4359
• feat(proxy): add customFetch option to allow custom fetch function by @yusukebe in #4360
• chore: update typescript to 5.9.2 by @yusukebe in #4362
• chore: add packageManager field to package.json by @yusukebe in #4363

Full Changelog: v4.9.2...v4.9.3

What's Changed

• fix(jsx): 'plaintext-only' value for contenteditable attribute by @object1037 in #4349
• fix(client): handle query parameters in removeIndexString by @yusukebe in #4352

New Contributors

• @object1037 made their first contribution in #4349

Full Changelog: v4.9.1...v4.9.2

What's Changed

• feat(parseResponse): set DetailedError.name (+ error tests) by @NamesMT in #4344
• fix(parseResponse): should not include error responses in result by @NamesMT in #4348

Full Changelog: v4.9.0...v4.9.1

Release Notes

Hono v4.9.0 is now available!

This release introduces several enhancements and utilities.

The main highlight is the new parseResponse utility that makes it easier to work with RPC client responses.

parseResponse Utility

The new parseResponse utility provides a convenient way to parse responses from Hono RPC clients (hc). It automatically handles different response formats and throws structured errors for failed requests.

import { parseResponse, DetailedError } from 'hono/client'

// result contains the parsed response body (automatically parsed based on Content-Type)
const result = await parseResponse(client.hello.$get()).catch(
  // parseResponse automatically throws an error if response is not ok
  (e: DetailedError) => {
    console.error(e)
  }
)

This makes working with RPC client responses much more straightforward and type-safe.

Thanks @NamesMT!

New features

• feat(bun): allow importing upgradeWebSocket and websocket directly #4242
• feat(aws-lambda): specify content-type as binary #4250
• feat(jwt): add validation for the issuer (iss) claim #4253
• feat(jwk): add headerName to JWK middleware #4279
• feat(cookie): add generateCookie and generateSignedCookie helpers #4285
• feat(serve-static): use join to correct path resolution #4291
• feat(jwt): expose utility function verifyWithJwks for external use #4302
• feat: add parseResponse util to smartly parse hc's Response #4314
• feat(ssg): mark old hook options as deprecated #4331

All changes

• feat(aws-lambda): specify content-type as binary by @Kanahiro in #4250
• feat(jwt): added validation for the issuer (iss) claim by @yolocat-dev in #4253
• feat(jwk): Add custom headerName to JWK middleware by @JoaquinGimenez1 in #4279
• feat(cookie): generateCookie and generateSignedCookie helpers by @Soviut in #4285
• feat(serve-static): use join to correct path resolution by @yusukebe in #4291
• feat(jwt): Exposing utility function verifyWithJwks for external use by @Beyondo in #4302
• feat: add parseResponse util to smartly parse hc's Response by @NamesMT in #4314
• feat(ssg): mark old hook options as deprecated by @3w36zj6 in #4331
• fix(bun): exports functions related to websocket by @yusukebe in #4341
• Next by @yusukebe in #4340
• chore: enable skipLibCheck to resolve TypeScript compilation issues by @yusukebe in #4342

New Contributors

• @yolocat-dev made their first contribution in #4253
• @JoaquinGimenez1 made their first contribution in #4279
• @Soviut made their first contribution in #4285

Full Changelog: v4.8.12...v4.9.0

What's Changed

• fix(router): support /files/:name{.*} by @yusukebe in #4329

Full Changelog: v4.8.11...v4.8.12