Vendor profile
Web standards-first framework releases for edge and server runtimes.
Recent changes
What's Changed fix(jwt): support single-line PEM keys by @hiendv in #4889 New Contributors @hiendv made their first contribution in #4889 Full Changelog: v4.12.14...v4.12.15
Security fixes This release includes fixes for the following security issues: Improper handling of JSX attribute names in hono/jsx SSR Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which c…
What's Changed fix(types): infer response type from last handler in app.on 9-/10-handler overloads by @T4ko0522 in #4865 feat(trailing-slash): add skip option by @yusukebe in #4862 feat(cache): add onCacheNotAvailable option by @yusukebe i…
Security fixes This release includes fixes for the following security issues: Middleware bypass via repeated slashes in serveStatic Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) coul…
What's Changed feat(css): add classNameSlug option to createCssContext by @flow-pie in #4834 New Contributors @flow-pie made their first contribution in #4834 Full Changelog: v4.12.10...v4.12.11
What's Changed test(router): fix Simple capturing group test by @yusukebe in #4838 docs: fix impaired -> inspired typo in benchmark READMEs by @Abhi3975 in #4843 fix(jsx/dom): apply select value after children are rendered by @usualoma in…
What's Changed fix(request): remove parseBody from bodyCache to prevent TypeError by @yusukebe in #4807 feat(client): add PickResponseByStatusCode type by @yusukebe in #4791 fix(ssg): pass SSG_CONTEXT to forGetInfoURLRequest by @yuintei in…
What's Changed fix(utils/mime): Normalize input extension to lowercase before MIME check by @TheEssem in #4800 fix(bearer-auth): escape regex metacharacters in bearer auth prefix option by @otoneko1102 in #4750 New Contributors @TheEssem m…
Security hardening Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns. Full Changelog: v4.12.6...v4.12.7
What's Changed fix(accept): replace regex split to mitigate ReDoS by @EdamAme-x in #4758 fix(jsx): align link hoisting and dedupe with React 19 by @usualoma in #4792 chore(builld): tsconfig project references by @BarryThePenguin in #4797 c…
What's Changed fix(request): return string | undefined from param() when path type is any by @andrewdamelio in #4723 fix(jwt): validate token format in decode and decodeHeader functions by @otoneko1102 in #4752 fix(jsx): Fix "Invalid state…
