fix(deps): update dependencies (non-major)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@hono/node-server	1.14.2 → 1.19.11
@prisma/credentials-store (source)	7.1.0 → 7.5.0
@​prisma/dev	0.18.0 → 0.23.1
@prisma/management-api-sdk (source)	1.13.0 → 1.21.0
@​prisma/studio-core-licensed	0.12.0 → 0.14.0
hono (source)	4.7.10 → 4.12.8
minimatch	6.2.0 → 6.2.3
openapi-fetch (source)	0.14.0 → 0.17.0
postgres	3.4.7 → 3.4.8
vscode-languageserver-textdocument (source)	1.0.11 → 1.0.12
zod (source)	3.24.3 → 3.25.76

---

Release Notes

honojs/node-server (@​hono/node-server)

v1.19.11

Compare Source

What's Changed

• fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @​usualoma in #​309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Compare Source

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

v1.19.9

Compare Source

What's Changed

• fix(globals): Stop overwriting global.fetch by @​usualoma in #​295

Full Changelog: honojs/node-server@v1.19.8...v1.19.9

v1.19.8

Compare Source

What's Changed

• docs: add guide for listening to UNIX domain socket by @​TransparentLC in #​292
• fix(serve-static): Use Readable.toWeb in serveStatic by @​otya128 in #​293

New Contributors

• @​TransparentLC made their first contribution in #​292
• @​otya128 made their first contribution in #​293

Full Changelog: honojs/node-server@v1.19.7...v1.19.8

v1.19.7

Compare Source

What's Changed

• fix: Fix for hono issue 4563 - incorrect content-length after following symlink by @​tshmieldev in #​290
• chore: add configVersion to bun.lock by @​yusukebe in #​291

New Contributors

• @​tshmieldev made their first contribution in #​290

Full Changelog: honojs/node-server@v1.19.6...v1.19.7

v1.19.6

Compare Source

v1.19.5

Compare Source

What's Changed

• fix: cancel a readable stream if a writable stream is closed before a readable stream is closed. by @​usualoma in #​280

Full Changelog: honojs/node-server@v1.19.4...v1.19.5

v1.19.4

Compare Source

What's Changed

• fix(serve-static): Add error handling in createStreamBody by @​thongdoan in #​278

New Contributors

• @​thongdoan made their first contribution in #​278

Full Changelog: honojs/node-server@v1.19.3...v1.19.4

v1.19.3

Compare Source

What's Changed

• fix: Refactor promise check for response handling by @​kay-is in #​277

New Contributors

• @​kay-is made their first contribution in #​277

Full Changelog: honojs/node-server@v1.19.2...v1.19.3

v1.19.2

Compare Source

What's Changed

• fix: better handle range parse to avoid NaN error by @​zwpaper in #​276

New Contributors

• @​zwpaper made their first contribution in #​276

Full Changelog: honojs/node-server@v1.19.1...v1.19.2

v1.19.1

Compare Source

What's Changed

• fix: Keep lightweight request even if accessing method, url or headers by @​usualoma in #​274
• chore: add packageManager field in package.json by @​yusukebe in #​275

Full Changelog: honojs/node-server@v1.19.0...v1.19.1

v1.19.0

Compare Source

What's Changed

• feat: add log when directory does not exists by @​Its-Just-Nans in #​273

New Contributors

• @​Its-Just-Nans made their first contribution in #​273

Full Changelog: honojs/node-server@v1.18.2...v1.19.0

v1.18.2

Compare Source

What's Changed

• fix: Skip content-length assignment when transfer-encoding is chunked. by @​usualoma in #​271

Full Changelog: honojs/node-server@v1.18.1...v1.18.2

v1.18.1

Compare Source

What's Changed

• fix(listener): Limit retries to a maximum of three. by @​usualoma in #​267

Full Changelog: honojs/node-server@v1.18.0...v1.18.1

v1.18.0

Compare Source

What's Changed

• feat: always respond res.body by @​usualoma in #​262
• ci: add Node.js v24 for CI by @​yusukebe in #​263
• fix(listener): In Node.js v24, some response bodies are not read to the end until the next task queue. by @​usualoma in #​265

Full Changelog: honojs/node-server@v1.17.1...v1.18.0

v1.17.1

Compare Source

What's Changed

• fix: handle client disconnection without canceling stream by @​yusukebe in #​258
• fix: improve serve-static function by @​usualoma in #​261

Full Changelog: honojs/node-server@v1.17.0...v1.17.1

v1.17.0

Compare Source

What's Changed

• docs: separate description of autoCleanupIncoming by @​usualoma in #​255
• chore: rename server_socket.test.ts to server-socket.test.ts by @​yusukebe in #​256
• feat(serve-static): support absolute path by @​yusukebe in #​257

Full Changelog: honojs/node-server@v1.16.0...v1.17.0

v1.16.0

Compare Source

What's Changed

• feat: Clean up the incoming object if the request is not completely finished. by @​usualoma in #​252

Full Changelog: honojs/node-server@v1.15.0...v1.16.0

v1.15.0

Compare Source

What's Changed

• feat(serve-static): pass context to rewriteRequestPath by @​yusukebe in #​247

Full Changelog: honojs/node-server@v1.14.4...v1.15.0

v1.14.4

Compare Source

What's Changed

• fix: flush headers before sending data via readable stream by @​usualoma in #​245

Full Changelog: honojs/node-server@v1.14.3...v1.14.4

v1.14.3

Compare Source

What's Changed

• fix: set RequestError name properly by @​yusukebe in #​243

Full Changelog: honojs/node-server@v1.14.2...v1.14.3

prisma/prisma (@​prisma/credentials-store)

v7.5.0

Compare Source

Today, we are excited to share the 7.5.0 stable release 🎉

🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!

Highlights

ORM

Features

• Added support for nested transaction rollbacks via savepoints (#​21678)

  Adds support for nested transaction rollback behavior for SQL databases: if an outer transaction fails, the inner nested transaction is rolled back as well. Implements this by tracking transaction ID + nesting depth so Prisma can reuse an existing open transaction in the underlying engine, and it also enables using $transaction from an interactive transaction client.

Bug fixes

Driver Adapters

• Made the adapter-mariadb use the binary MySQL protocol to fix an issue with lossy number conversions (#​29285)
• Made @types/pg a direct dependency of adapter-pg for better TypeScript experience out-of-the-box (#​29277)

Prisma Client

• Resolved Prisma.DbNull serializing as empty object in some bundled environments like Next.js (#​29286)
• Fixed DateTime fields returning Invalid Date with unixepoch-ms timestamps in some cases (#​29274)
• Fixed a cursor-based pagination issue with @db.Date columns (#​29327)

Schema Engine

• Manual partial indexes are now preserved when partialIndexes preview feature is disabled, preventing unnecessary drops and additions in migrations (#​5790, #​5795)
• Enhanced partial index predicate comparison to handle quoted vs unquoted identifiers correctly, eliminating needless recreate cycles (#​5788)
• Excluded partial unique indexes from DMMF uniqueFields and uniqueIndexes to prevent incorrect findUnique input type generation (#​5792)

Studio

With the launch of Prisma ORM v7, we also introduced a rebuilt version of Prisma Studio. With the feedback we’ve gathered since the release, we’ve added some high requested features to help make Studio a better experience.

Multi-cell Selection & Full Table Search

This release brings the ability to select multiple cells when viewing your database. In addition to being able to select multiple cells, you can also search across your database. You can search for a specific table or for specific cells within that table.

More intuitive filtering

Filtering is now easier to use, and includes an option for raw SQL filters.

And if you are using Studio in Console, you can use ai generated filters:

Cmd+k Command Palette

You can now use the keyboard to perform most actions in Studio with the new cmd+k command palette

Run raw SQL queries

Another feature we’ve included in Prisma Studio is the ability to run raw SQL queries against your data. There’s a new “SQL” tab in the sidebar that will bring you to page where you can perform any queries against your data. Below, we’re getting all the rows in the “Todo” table.

Open roles at Prisma

Interested in joining Prisma? We’re growing and have several exciting opportunities across the company for developers who are passionate about building with Prisma. Explore our open positions on our [Careers page](https://www.prisma.io/careers#current) and find the role that’s right for you.

Enterprise support

Thousands of teams use Prisma and many of them already tap into our Enterprise & Agency Support Program for hands-on help with everything from schema integrations and performance tuning to security and compliance.

With this program you also get priority issue triage and bug fixes, expert scalability advice, and custom training so that your Prisma-powered apps stay rock-solid at any scale. Learn more or join: https://prisma.io/enterprise.

v7.4.2

Compare Source

Today, we are issuing a 7.4.2 patch release focused on bug fixes and quality improvements.

🛠 Fixes

Prisma Client

• Fix a case-insensitive IN and NOT IN filter regression (#​29243)
• Fix a query plan mutation issue that resulted in broken cursor queries (#​29262)
• Fix an array parameter wrapping issue in push operations (prisma/prisma-engines#5784)
• Fix Uint8Array serialization in nested JSON fields (#​29268)
• Fix an issue with MySQL joins that relied on non-strict equality (#​29251)

Driver Adapters

• @​prisma/adapter-mariadb: Update text column detection to check for a binary collation (#​29238)
• @​prisma/adapter-mariadb: Correct relationJoins compatibility check for MariaDB 8.x versions (#​29246)

Schema Engine

• Fix partial index predicate comparison on PostgreSQL and MSSQL (prisma/prisma-engines#5780)

🙏 Huge thanks to our community

Many of the fixes in this release were contributed by our amazing community members. We're grateful for your continued support and contributions that help make Prisma better for everyone!

v7.4.1

Compare Source

Today, we are issuing a 7.4.1 patch release focused on bug fixes and quality improvements.

🛠 Fixes

Prisma Client

• Fix cursor-based pagination regression with parameterised values (#​29184)
• Preserve Prisma.skip through query extension argument cloning (#​29198)
• Enable batching of multiple queries inside interactive transactions (#​25571)
• Add missing JSON value deserialization for JSONB parameter fields (#​29182)
• Apply result extensions correctly for nested and fluent relations (#​29218)
• Allow missing config datasource URL and validate only when needed (prisma/prisma-engines#5777)

Driver Adapters

• @​prisma/adapter-ppg: Handle null values in type parsers for nullable columns (#​29192)

Prisma Schema Language

• Support where argument on field-level @unique for partial indexes (prisma/prisma-engines#5774)
• Add object expression and object member support to schema reformatter (prisma/prisma-engines#5776)

🙏 Huge thanks to our community

Many of the fixes in this release were contributed by our amazing community members. We're grateful for your continued support and contributions that help make Prisma better for everyone!

v7.4.0

Compare Source

Today, we are excited to share the 7.4.0 stable release 🎉

🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!

Highlights

ORM

Caching in Prisma Client

Today’s release is a big one, as we introduce a new caching layer into Prisma ORM. But why the need for a caching layer?

In Prisma 7, the query compiler runs as a WebAssembly module directly on the JavaScript main thread. While this simplified the architecture by eliminating the separate engine process, it introduced a trade-off: every query now synchronously blocks the event loop during compilation.

For individual queries, compilation takes between 0.1ms and 1ms, which is barely noticeable in isolation. But under high concurrency this overhead adds up and creates event loop contention that affects overall application throughput.

For instance, say we have a query that is run over and over, but is a similar shape:

// These two queries have the same shape:
const alice = await prisma.user.findUnique({ where: { email: 'alice@prisma.io' } })
const bob = await prisma.user.findUnique({ where: { email: 'bob@prisma.io' } })

Prior to v7.4.0, this would be reevaluated ever time the query is run. Now, Prisma Client will extract the user-provided values and replaces them with typed placeholders, producing a normalized query shape:

prisma.user.findUnique({ where: { email: %1 } })   // cache key
                                         ↑
                              %1 = 'alice@prisma.io'  (or 'bob@prisma.io')

This normalized shape is used as a cache key. On the first call, the query is compiled as usual and the resulting plan is stored in an LRU cache. On every subsequent call with the same query shape, regardless of the actual values, the cached plan is reused instantly without invoking the compiler.

We have more details on the impact of this change and some deep dives into Prisma architecture in an upcoming blog post!

Partial Indexes (Filtered Indexes) Support

We're excited to announce Partial Indexes support in Prisma! This powerful community-contributed feature allows you to create indexes that only include rows matching specific conditions, significantly reducing index size and improving query performance.

Partial indexes are available behind the partialIndexes preview feature for PostgreSQL, SQLite, SQL Server, and CockroachDB, with full migration and introspection support.

Basic usage

Enable the preview feature in your schema:

generator client {
  provider        = "prisma-client-js"
  previewFeatures = ["partialIndexes"]
}

Raw SQL syntax

For maximum flexibility, use the raw() function with database-specific predicates:

model User {
  id       Int     @​id
  email    String
  status   String

  @​@​unique([email], where: raw("status = 'active'"))
  @​@​index([email], where: raw("deletedAt IS NULL"))
}

Type-safe object syntax

For better type safety, use the object literal syntax for simple conditions:

model Post {
  id        Int      @​id
  title     String
  published Boolean

  @​@​index([title], where: { published: true })
  @​@​unique([title], where: { published: { not: false } })
}

Bug Fixes

Most of these fixes are community contributions - thank you to our amazing contributors!

• prisma/prisma-engines#5767: Fixed an issue with PostgreSQL migration scripts that prevented usage of CREATE INDEX CONCURRENTLY in migrations
• prisma/prisma-engines#5752: Fixed BigInt precision loss in JSON aggregation for MySQL and CockroachDB by casting BigInt values to text (from community member polaz)
• prisma/prisma-engines#5750: Fixed connection failures with non-ASCII database names by properly URL-decoding database names in connection strings
• #​29155: Fixed silent transaction commit errors in PlanetScale adapter by ensuring COMMIT failures are properly propagated
• #​29141: Resolved race condition errors (EREQINPROG) in SQL Server adapter by serializing commit/rollback operations using mutex synchronization
• #​29158: Fixed MSSQL connection string parsing to properly handle curly brace escaping for passwords containing special characters

Open roles at Prisma

Interested in joining Prisma? We’re growing and have several exciting opportunities across the company for developers who are passionate about building with Prisma. Explore our open positions on our Careers page and find the role that’s right for you.

Enterprise support

Thousands of teams use Prisma and many of them already tap into our Enterprise & Agency Support Program for hands-on help with everything from schema integrations and performance tuning to security and compliance.

With this program you also get priority issue triage and bug fixes, expert scalability advice, and custom training so that your Prisma-powered apps stay rock-solid at any scale. Learn more or join: https://prisma.io/enterprise.

v7.3.0

Compare Source

Today, we are excited to share the 7.3.0 stable release 🎉

🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!

ORM

• #​28976: Fast and Small Query Compilers
  We've been working on various performance-related bugs since the initial ORM 7.0 release. With 7.3.0, we're introducing a new compilerBuild option for the client generator block in schema.prisma with two options: fast and small. This allows you to swap the underlying Query Compiler engine based on your selection, one built for speed (with an increase in size), and one built for size (with the trade off for speed). By default, the fast mode is used, but this can be set by the user:

generator client {
  provider = "prisma-client"
  output   = "../src/generated/prisma"
  compilerBuild = "fast" // "fast" | "small"
}

We still have more in progress for performance, but this new compilerBuild option is our first step toward addressing your concerns!

• #​29005: Bypass the Query Compiler for Raw Queries
  Raw queries ($executeRaw, $queryRaw) can now skip going through the query compiler and query interpreter infrastructure. They can be sent directly to the driver adapter, removing additional overhead.

• #​28965: Update MSSQL to v12.2.0
  This community PR updates the @prisma/adapter-mssql to use MSSQL v12.2.0. Thanks Jay-Lokhande!

• #​29001: Pin better-sqlite3 version to avoid SQLite bug
  An underlying bug in SQLite 3.51.0 has affected the better-sqlite3 adapter. We’ve bumped the version that powers @prisma/better-sqlite3 and have pinned the version to prevent any unexpected issues. If you are using @prisma/better-sqlite3 , please upgrade to v7.3.0.

• #​29002: Revert @map enums to v6.19.0 behavior
  In the initial release of v7.0, we made a change with Mapped Enums where the generated enum would get its value from the value passed to the @map function. This was a breaking change from v6 that caused issues for many users. We have reverted this change for the time being, as many different diverging approaches have emerged from the community discussion.

• prisma-engines#5745: Cast BigInt to text in JSON aggregation
  When using relationJoins with BigInt fields in Prisma 7, JavaScript's JSON.parse loses precision for integers larger than Number.MAX_SAFE_INTEGER (2^53 - 1). This happens because PostgreSQL's JSONB_BUILD_OBJECT returns BigInt values as JSON numbers, which JavaScript cannot represent precisely.

  // Original BigInt ID: 312590077454712834
  // After JSON.parse: 312590077454712830 (corrupted!)
  

  This PR cast BigInt columns to ::text inside JSONB_BUILD_OBJECT calls, similar to how MONEY is already cast to ::numeric.

  -- Before
  JSONB_BUILD_OBJECT('id', "id")
  
  -- After
  JSONB_BUILD_OBJECT('id', "id"::text)
  

This ensures BigInt values are returned as JSON strings, preserving full precision when parsed in JavaScript.

Open roles at Prisma

Interested in joining Prisma? We’re growing and have several exciting opportunities across the company for developers who are passionate about building with Prisma. Explore our open positions on our [Careers page](https://www.prisma.io/careers#current) and find the role that’s right for you.

Enterprise support

Thousands of teams use Prisma and many of them already tap into our Enterprise & Agency Support Program for hands-on help with everything from schema integrations and performance tuning to security and compliance.

With this program you also get priority issue triage and bug fixes, expert scalability advice, and custom training so that your Prisma-powered apps stay rock-solid at any scale. Learn more or join: https://prisma.io/enterprise.

v7.2.0

Compare Source

Today, we are excited to share the 7.2.0 stable release 🎉

🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!

Highlights

ORM

• #​28830: feat: add sqlcommenter-query-insights plugin
  • Adds a new SQL commenter plugin to support query insights metadata.
• #​28860: feat(migrate): add -url param for db pull, db push, migrate dev
  • Adds a -url flag to key migrate commands to make connection configuration more flexible.
• #​28895: feat(config): allow undefined URLs in e.g. prisma generate
  • Allows certain workflows (such as prisma generate) to proceed even when URLs are undefined.
• #​28903: feat(cli): customize prisma init based on the JS runtime (Bun vs others)
  • Makes prisma init tailor generated setup depending on whether the runtime is Bun or another JavaScript runtime.
• #​28846: fix(client-engine-runtime): make DataMapperError a UserFacingError
  • Ensures DataMapperError is surfaced as a user-facing error for clearer, more actionable error reporting.
• #​28849: fix(adapter-{pg,neon,ppg}): handle 22P02 error in Postgres
  • Improves Postgres adapter error handling for invalid-text-representation errors (22P02).
• #​28913: fix: fix byte upserts by removing legacy byte array representation
  • Fixes byte upsert behavior by removing a legacy byte-array representation path.
• #​28535: fix(client,internals,migrate,generator-helper): handle multibyte UTF-8 characters split across chunk boundaries in byline
  • Prevents issues when multibyte UTF-8 characters are split across chunk boundaries during line processing.
• #​28911: fix(cli): make prisma version --json emit JSON only to stdout
  • Ensures machine-readable JSON output is emitted cleanly to stdout without extra noise.

VS Code Extension

• #​1950: fix: TML-1670 studio connections
  • Resolves issues related to Studio connections, improving reliability for VS Code or language-server integrations.

Open roles at Prisma

Interested in joining Prisma? We’re growing and have several exciting opportunities across the company for developers who are passionate about building with Prisma. Explore our open positions on our [Careers page](https://www.prisma.io/careers#current) and find the role that’s right for you.

Enterprise support

Thousands of teams use Prisma and many of them already tap into our Enterprise & Agency Support Program for hands-on help with everything from schema integrations and performance tuning to security and compliance.

With this program you also get priority issue triage and bug fixes, expert scalability advice, and custom training so that your Prisma-powered apps stay rock-solid at any scale. Learn more or join: https://prisma.io/enterprise.

prisma/pdp-control-plane (@​prisma/management-api-sdk)

v1.21.0

Compare Source

v1.20.1

Compare Source

v1.20.0

Compare Source

v1.19.0

Compare Source

v1.18.0

Compare Source

v1.17.0

Compare Source

v1.16.0

Compare Source

v1.15.0

Compare Source

v1.14.0

Compare Source

honojs/hono (hono)

v4.12.8

Compare Source

What's Changed

• fix(utils/mime): Normalize input extension to lowercase before MIME check by @​TheEssem in #​4800
• fix(bearer-auth): escape regex metacharacters in bearer auth prefix option by @​otoneko1102 in #​4750

New Contributors

• @​TheEssem made their first contribution in #​4800

Full Changelog: honojs/hono@v4.12.7...v4.12.8

v4.12.7

Compare Source

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

---

Full Changelog: honojs/hono@v4.12.6...v4.12.7

v4.12.6

Compare Source

What's Changed

• fix(accept): replace regex split to mitigate ReDoS by @​EdamAme-x in #​4758
• fix(jsx): align link hoisting and dedupe with React 19 by @​usualoma in #​4792
• chore(builld): tsconfig project references by @​BarryThePenguin in #​4797
• chore: add tsconfig.spec.json by @​yusukebe in #​4798
• feat(jsx-renderer): support function-based options by @​3w36zj6 in #​4780
• fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by @​t0waxx in #​4782

New Contributors

• @​t0waxx made their first contribution in #​4782

Full Changelog: honojs/hono@v4.12.5...v4.12.6

v4.12.5

Compare Source

What's Changed

• fix(request): return string | undefined from param() when path type is any by @​andrewdamelio in #​4723
• fix(jwt): validate token format in decode and decodeHeader functions by @​otoneko1102 in #​4752
• fix(jsx): Fix "Invalid state: Controller is already closed" by @​gaearon in #​4770
• chore(eslint): upgrade @hono/eslint-config by @​BarryThePenguin in #​4781

New Contributors

• @​andrewdamelio made their first contribution in #​4723
• @​otoneko1102 made their first contribution in #​4752
• @​gaearon made their first contribution in #​4770

Full Changelog: honojs/hono@v4.12.4...v4.12.5

v4.12.4

Compare Source

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

Middleware Bypass in Serve Static

Affects: Serve Static middleware. Fixes inconsistent URL decoding that could allow protected static resources to be accessed without triggering route-based middleware. GHSA-q5qw-h33p-qvwr

Users who uses Strreaming Helper, Cookie utility, and Serve Static are strongly encouraged to upgrade to this version.

---

Other changes

• fix(client): preserve route schema in ApplyGlobalResponse by @​agumy in #​4777
• fix(utils/url): specify the return type of tryDecodeURI by @​yusukebe in #​4779

New Contributors

• @​agumy made their first contribution in #​4777

Full Changelog: honojs/hono@v4.12.3...v4.12.4

v4.12.3

Compare Source

What's Changed

• fix(validator): prevent type diff bug in form data parsing by @​EdamAme-x in #​4753
• fix(jwt): use Math.floor instead of bitwise OR for safe timestamp by @​EdamAme-x in #​4754
• fix(jwt): fix JwtVariables for ContextVariableMap by @​yusukebe in #​4764
• fix(types): remove DOM type dependencies from ClientResponse and request method by @​YevheniiKotyrlo in #​4768
• fix(types): correct middleware types by @​hmnd in #​4774
• fix(jwt): prevent memory leak by avoiding mutation of options object by @​EdamAme-x in #​4759

New Contributors

• @​YevheniiKotyrlo made their first contribution in #​4768
• @​hmnd made their first contribution in #​4774

Full Changelog: honojs/hono@v4.12.2...v4.12.3

v4.12.2

Compare Source

Security fix

Fixed incorrect handling of X-Forwarded-For in the AWS Lambda adapter behind ALB that could allow IP-based access control bypass. The detail: GHSA-xh87-mx6m-69f3

Thanks @​EdamAme-x

What's Changed

• fix(context): revert PR #​4707 by @​yusukebe in #​4757

Full Changelog: honojs/hono@v4.12.1...v4.12.2

v4.12.1

Compare Source

What's Changed

• fix(client): export ApplyGlobalResponse from hono/client by @​sushichan044 in #​4743

Full Changelog: honojs/hono@v4.12.0...v4.12.1

v4.12.0

Compare Source

Release Notes

Hono v4.12.0 is now available!

This release includes new features for the Hono client, middleware improvements, adapter enhancements, and significant performance improvements to the router and context.

$path for Hono Client

The Hono client now has a $path() method that returns the path string instead of a full URL. This is useful when you need just the path portion for routing or key-based operations:

const client = hc<typeof app>('http://localhost:8787')

// Get the path string
const path = client.api.posts.$path()
// => '/api/posts'

// With path parameters
const postPath = client.api.posts[':id'].$path({
  param: { id: '123' },
})
// => '/api/posts/123'

// With query parameters
const searchPath = client.api.posts.$path({
  query: { filter: 'test' },
})
// => '/api/posts?filter=test'

Unlike $url() which returns a URL object, $path() returns a plain path string, making it convenient for use with routers or as cache keys.

Thanks @​ShaMan123!

ApplyGlobalResponse Type Helper for RPC Client

The new ApplyGlobalResponse type helper allows you to add global error response types to all routes in the RPC client. This is useful for typing common error responses from app.onError() or global middlewares:

const app = new Hono()
  .get('/api/users', (c) => c.json({ users: ['alice', 'bob'] }, 200))
  .onError((err, c) => c.json({ error: err.message }, 500))

type AppWithErrors = ApplyGlobalResponse<
  typeof app,
  {
    401: { json: { error: string; message: string } }
    500: { json: { error: string; message: string } }
  }
>

const client = hc<AppWithErrors>('http://api.example.com')
// Now client knows about both success and error responses
const res = await client.api.users.$get()
// InferResponseType includes { users: string[] } | { error: string; message: string }

Thanks @​mohankumarelec!

SSG Redirect Plugin

A new redirectPlugin for SSG generates static HTML redirect pages for HTTP redirect responses (301, 302, 303, 307, 308):

import { toSSG } from 'hono/ssg'
import { defaultPlugin, redirectPlugin } from 'hono/ssg'

const app = new Hono()
app.get('/old', (c) => c.redirect('/new'))
app.get('/new', (c) => c.html('New Page'))

// redirectPlugin must be placed before defaultPlugin
await toSSG(app, fs, {
  plugins: [redirectPlugin(), defaultPlugin()],
})

The generated redirect pages include a <meta http-equiv="refresh"> tag, a canonical link, and a robots noindex meta tag.

Thanks @​3w36zj6!

onAuthSuccess Callback for Basic Auth

The Basic Auth middleware now supports an onAuthSuccess callback that is invoked after successful authentication. This allows you to set context variables or perform logging without re-parsing the Authorization header:

app.use(
  '/auth/*',
  basicAuth({
    username: 'hono',
    password: 'ahotproject',
    onAuthSuccess: (c, username) => {
      c.set('user', { name: username, role: 'admin' })
      console.log(`User ${username} authenticated`)
    },
  })
)

The callback also works with async functions and the verifyUser mode.

Thanks @​AprilNEA!

getConnInfo for AWS Lambda, Cloudflare Pages, and Netlify

getConnInfo() is now available for three additional adapters:

// AWS Lambda (supports API Gateway v1, v2, and ALB)
import { handle, getConnInfo } from 'hono/aws-lambda'

// Cloudflare Pages
import { handle, getConnInfo } from 'hono/cloudflare-pages'

// Netlify
import { handle, getConnInfo } from 'hono/netlify'

app.get('/', (c) => {
  const info = getConnInfo(c)
  return c.text(`Your IP: ${info.remote.address}`)
})

Thanks @​rokasta12!

alwaysRedirect Option for Trailing Slash Middleware

The trailing slash middleware now supports an alwaysRedirect option. When enabled, the middleware redirects before executing handlers, which fixes the issue where trailing slash handling doesn't work with wildcard routes:

app.use(trimTrailingSlash({ alwaysRedirect: true }))

app.get('/my-path/*', async (c) => {
  return c.text('wildcard')
})

// /my-path/something/ will be redirected to /my-path/something
// before the wildcard handler is executed

Progressive Locale Code Truncation

The normalizeLanguage function in the language middleware now supports RFC 4647 Lookup-based progressive truncation. Locale codes like ja-JP will match ja when only the base language is in supportedLanguages:

app.use(
  '/*',
  languageDetector({
    supportedLanguages: ['en', 'ja'],
    fallbackLanguage: 'en',
    order: ['cookie', 'header'],
  })
)

// Accept-Language: ja-JP → matches 'ja'
// Accept-Language: ko-KR → falls back to 'en'

Thanks @​sorafujitani!

exports Field for ExecutionContext

The ExecutionContext type now includes