Sourced from hono's releases.
v4.12.16
Security fixes
This release includes fixes for the following security issues:
Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection
Affects: hono/jsx. Fixes missing validation of JSX tag names when using
jsx()orcreateElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432bodyLimit() can be bypassed for chunked / unknown-length requests
Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v
v4.12.15
What's Changed
- fix(jwt): support single-line PEM keys by
@hiendvin honojs/hono#4889New Contributors
@hiendvmade their first contribution in honojs/hono#4889Full Changelog: https://github.com/honojs/hono/compare/v4.12.14...v4.12.15
Sourced from hono's releases.
v4.12.18
Security fixes
This release includes fixes for the following security issues:
Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
Affects: Cache Middleware. Fixes missing cache-skip handling for
Vary: AuthorizationandVary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rmCSS Declaration Injection via Style Object Values in JSX SSR
Affects: hono/jsx. Fixes a missing CSS-context escape for
styleobject values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7pImproper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
Affects:
hono/utils/jwt. Fixes improper validation ofexp,nbf, andiatclaims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36
Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.
v4.12.17
What's Changed
- fix(jsx): normalize SVG attributes on the root element by
@kfly8in honojs/hono#4893- fix(ssg): add
atom+xmlandrss+xmltodefaultExtensionMapby@yuinteiin honojs/hono#4899- fix(cors): make origin optional in CORSOptions by
@truffle-devin honojs/hono#4905- fix(types): propagate middleware response types to app.on overloads by
@T4ko0522in honojs/hono#4906New Contributors
@kfly8made their first contribution in honojs/hono#4893@truffle-devmade their first contribution in honojs/hono#4905Full Changelog: https://github.com/honojs/hono/compare/v4.12.16...v4.12.17
f10dee8
4.12.18a5bd9eb
Merge commit from fork58d3d3a
Merge commit from fork568c2ec
Merge commit from forkff2b3d3
4.12.1752aaaf9
fix(types): propagate middleware response types to app.on overloads (#4906)76d5589
fix(cors): make origin optional in CORSOptions (#4905)8f027e5
fix(ssg): add atom+xml and rss+xml to
defaultExtensionMap (#4899)bfba97c
fix(jsx): normalize SVG attributes on the <svg> root element (#4893)Sourced from rollup's releases.
v4.60.2
4.60.2
2026-04-18
Bug Fixes
- Resolve a variable rendering bug when generating different formats from the same build (#6350)
Pull Requests
- #6327: docs: fix various typos in source and documentation (
@Abhi3975,@lukastaegert)- #6331: fix(deps): update minor/patch updates (
@renovate[bot])- #6332: chore(deps): update codecov/codecov-action action to v6 (
@renovate[bot])- #6333: chore(deps): update dependency eslint-plugin-unicorn to v64 (
@renovate[bot])- #6334: fix(deps): update rust crate swc_compiler_base to v51 (
@renovate[bot])- #6335: chore(deps): lock file maintenance (
@renovate[bot],@lukastaegert)- #6346: fix(deps): update minor/patch updates (
@renovate[bot])- #6347: chore(deps): update dependency lru-cache to v11 (
@renovate[bot])- #6348: fix(deps): update swc monorepo (major) (
@renovate[bot],@lukastaegert)- #6349: chore(deps): lock file maintenance (
@renovate[bot],@lukastaegert)- #6350: fix: reset variable render names between outputs in the same generate (
@barry3406,@lukastaegert)- #6351: chore(deps): update minor/patch updates (
@renovate[bot])- #6352: chore(deps): update cross-platform-actions/action action to v1 (
@renovate[bot])- #6353: chore(deps): update dependency lru-cache to v11 (
@renovate[bot],@lukastaegert)- #6354: chore(deps): lock file maintenance (
@renovate[bot])- #6355: chore(deps): lock file maintenance (
@renovate[bot])- #6356: chore(deps): lock file maintenance (
@renovate[bot])- #6358: chore: remove cross-env from devDeps (
@K-tecchan)v4.60.1
4.60.1
2026-03-30
Bug Fixes
- Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)
Pull Requests
- #6286: fix: skip dropping side-effects on namespaceReexportsByName cache hit (#6274) (
@littlegrayss,@TrickyPi)- #6317: chore(deps): pin dependencies (
@renovate[bot],@lukastaegert)- #6318: chore(deps): update msys2/setup-msys2 digest to cafece8 (
@renovate[bot],@lukastaegert)- #6319: chore(deps): update minor/patch updates (
@renovate[bot],@lukastaegert)- #6320: chore(deps): pin dependency typescript to v5 (
@renovate[bot],@lukastaegert)- #6321: chore(deps): update openharmony-rs/setup-ohos-sdk action to v1 (
@renovate[bot],@lukastaegert)- #6322: fix(deps): update swc monorepo (major) (
@renovate[bot],@lukastaegert)- #6323: chore(deps): lock file maintenance (
@renovate[bot])- #6324: chore(deps): lock file maintenance (
@renovate[bot],@lukastaegert)
... (truncated)
Sourced from rollup's changelog.
4.60.3
2026-05-04
Bug Fixes
- Ensure nested "exports" variables are not renamed (#6360)
Pull Requests
- #6360: fix: do not rename nested "exports" bindings that do not conflict (
@tariqrafique,@lukastaegert)- #6364: chore(deps): update msys2/setup-msys2 digest to e989830 (
@renovate[bot])- #6365: fix(deps): update minor/patch updates (
@renovate[bot])- #6366: fix(deps): update swc monorepo (major) (
@renovate[bot])- #6367: chore(deps): lock file maintenance (
@renovate[bot],@lukastaegert)- #6368: docs: add missing backticks in
plugin-development(@lumirlumir,@lukastaegert)4.60.2
2026-04-18
Bug Fixes
- Resolve a variable rendering bug when generating different formats from the same build (#6350)
Pull Requests
- #6327: docs: fix various typos in source and documentation (
@Abhi3975,@lukastaegert)- #6331: fix(deps): update minor/patch updates (
@renovate[bot])- #6332: chore(deps): update codecov/codecov-action action to v6 (
@renovate[bot])- #6333: chore(deps): update dependency eslint-plugin-unicorn to v64 (
@renovate[bot])- #6334: fix(deps): update rust crate swc_compiler_base to v51 (
@renovate[bot])- #6335: chore(deps): lock file maintenance (
@renovate[bot],@lukastaegert)- #6346: fix(deps): update minor/patch updates (
@renovate[bot])- #6347: chore(deps): update dependency lru-cache to v11 (
@renovate[bot])- #6348: fix(deps): update swc monorepo (major) (
@renovate[bot],@lukastaegert)- #6349: chore(deps): lock file maintenance (
@renovate[bot],@lukastaegert)- #6350: fix: reset variable render names between outputs in the same generate (
@barry3406,@lukastaegert)- #6351: chore(deps): update minor/patch updates (
@renovate[bot])- #6352: chore(deps): update cross-platform-actions/action action to v1 (
@renovate[bot])- #6353: chore(deps): update dependency lru-cache to v11 (
@renovate[bot],@lukastaegert)- #6354: chore(deps): lock file maintenance (
@renovate[bot])- #6355: chore(deps): lock file maintenance (
@renovate[bot])- #6356: chore(deps): lock file maintenance (
@renovate[bot])- #6358: chore: remove cross-env from devDeps (
@K-tecchan)4.60.1
2026-03-30
... (truncated)
b47bdab
4.60.315c5f33
Add again some unneeded dev dependencies, to make some builds
succeed12195dc
fix: do not rename nested "exports" bindings that do not
conflict (#6360)b74aa39
Migrate instructions to AGENTS.mdaa5a377
fix(deps): update minor/patch updates (#6365)197e68b
chore(deps): update msys2/setup-msys2 digest to e989830 (#6364)cded70a
fix(deps): update swc monorepo (major) (#6366)bb2b8a5
docs: add missing backticks in plugin-development (#6368)20af1c4
chore(deps): lock file maintenance (#6367)a6be82b
4.60.2Sourced from next's releases.
v16.2.6
This release contains security fixes for the following advisories:
High:
- GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
- GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
- GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
- GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
- GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
- GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
- GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n
Moderate:
- GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
- GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
- GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
- GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses
Low:
- GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
- GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned
v16.2.5
This release contains security fixes for the following advisories:
High:
- GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
- GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
- GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
- GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
- GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
- GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n
Moderate:
- GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
- GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
- GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
- GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses
Low:
ee6e79b
v16.2.6afa053d
Turbopack: Match proxy matchers with webpack implementation (#93594)97a154e
Turbopack: Fix middleware matcher suffix (#93590)83899bc
[backport] Disable build caches for production/staging/force-preview
deploys ...7b222b9
[backport][test] Pin package manager to patch versions (#93595)a8dc24f
[backport] Turbopack: more strict vergen setup (#93587)766148f
v16.2.50dd9483
fix: add explicit checks for RSC header (#83) (#98)d166096
fix proxy matching for segment prefetch URLs (#89) (#96)9d50c0b
Strip next-resume header from incoming requests (#92)This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.
Sourced from hono's releases.
v4.12.18
Security fixes
This release includes fixes for the following security issues:
Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
Affects: Cache Middleware. Fixes missing cache-skip handling for
Vary: AuthorizationandVary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rmCSS Declaration Injection via Style Object Values in JSX SSR
Affects: hono/jsx. Fixes a missing CSS-context escape for
styleobject values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7pImproper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
Affects:
hono/utils/jwt. Fixes improper validation ofexp,nbf, andiatclaims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36
Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.
v4.12.17
What's Changed
- fix(jsx): normalize SVG attributes on the root element by
@kfly8in honojs/hono#4893- fix(ssg): add
atom+xmlandrss+xmltodefaultExtensionMapby@yuinteiin honojs/hono#4899- fix(cors): make origin optional in CORSOptions by
@truffle-devin honojs/hono#4905- fix(types): propagate middleware response types to app.on overloads by
@T4ko0522in honojs/hono#4906New Contributors
@kfly8made their first contribution in honojs/hono#4893@truffle-devmade their first contribution in honojs/hono#4905Full Changelog: https://github.com/honojs/hono/compare/v4.12.16...v4.12.17
v4.12.16
Security fixes
This release includes fixes for the following security issues:
Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection
Affects: hono/jsx. Fixes missing validation of JSX tag names when using
jsx()orcreateElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432bodyLimit() can be bypassed for chunked / unknown-length requests
Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v
v4.12.15
What's Changed
- fix(jwt): support single-line PEM keys by
@hiendvin honojs/hono#4889
... (truncated)
f10dee8
4.12.18a5bd9eb
Merge commit from fork58d3d3a
Merge commit from fork568c2ec
Merge commit from forkff2b3d3
4.12.1752aaaf9
fix(types): propagate middleware response types to app.on overloads (#4906)76d5589
fix(cors): make origin optional in CORSOptions (#4905)8f027e5
fix(ssg): add atom+xml and rss+xml to
defaultExtensionMap (#4899)bfba97c
fix(jsx): normalize SVG attributes on the <svg> root element (#4893)90d4182
4.12.16Sourced from fast-uri's releases.
v3.1.2
⚠️ Security Release
What's Changed
- Handle malformed fragment decoding as a parse error by
@mcollinain fastify/fast-uri#171Full Changelog: https://github.com/fastify/fast-uri/compare/v3.1.1...v3.1.2
v3.1.1
⚠️ Security Release
What's Changed
- build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by
@dependabot[bot] in fastify/fast-uri#148- build(deps): bump actions/checkout from 4 to 5 by
@dependabot[bot] in fastify/fast-uri#149- chore(.npmrc): ignore scripts by
@Fdawgsin fastify/fast-uri#150- build(deps-dev): remove
@fastify/pre-commitby@Fdawgsin fastify/fast-uri#151- build(deps): bump actions/setup-node from 4 to 5 by
@dependabot[bot] in fastify/fast-uri#152- ci(ci): add concurrency config by
@Fdawgsin fastify/fast-uri#153- build(deps): bump actions/setup-node from 5 to 6 by
@dependabot[bot] in fastify/fast-uri#154- build(deps): bump actions/checkout from 5 to 6 by
@dependabot[bot] in fastify/fast-uri#156- chore(license): standardise license notice by
@Fdawgsin fastify/fast-uri#159- style: remove trailing whitespace by
@Fdawgsin fastify/fast-uri#161- ci: remove unused github files by
@Tony133in fastify/fast-uri#162- chore: update readme by
@Tony133in fastify/fast-uri#164- build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by
@dependabot[bot] in fastify/fast-uri#165- build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by
@dependabot[bot] in fastify/fast-uri#166- build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by
@dependabot[bot] in fastify/fast-uri#167- ci: add lock-threads workflow by
@Fdawgsin fastify/fast-uri#169New Contributors
@Tony133made their first contribution in fastify/fast-uri#162Full Changelog: https://github.com/fastify/fast-uri/compare/v3.1.0...v3.1.1
v3.1.0
What's Changed
- ci: remove master branch support by
@Fdawgsin fastify/fast-uri#126- chore(test) remove .gitkeep by
@Fdawgsin fastify/fast-uri#128- ci(ci): set job permissions by
@Fdawgsin fastify/fast-uri#129- ci: set permissions at workflow level by
@Fdawgsin fastify/fast-uri#131- ci: set workflow permissions to read-only by default by
@Fdawgsin fastify/fast-uri#132- ci(ci): restore job level permissions by
@Fdawgsin fastify/fast-uri#133- build(deps-dev): bump tsd from 0.31.2 to 0.32.0 by
@dependabot[bot] in fastify/fast-uri#134- ci(ci): pin actions to commit-hash by
@Fdawgsin fastify/fast-uri#135- ci: add node 24 to test matrix by
@Fdawgsin fastify/fast-uri#136
... (truncated)
919dd8e
Bumped v3.1.2c65ba57
fixup: linting6c86c17
Merge commit from forka95158a
Handle malformed fragment decoding without throwing (#171)cea547c
Bumped v3.1.1876ce79
Merge commit from forkdcdf690
ci: add lock-threads workflow (#169)c860e65
build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)9b4c6dc
build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)85d09a9
build(deps): bump
fastify/workflows/.github/workflows/plugins-ci-package-mana...Sourced from @babel/plugin-transform-modules-systemjs's releases.
v7.29.4 (2026-05-05)
:bug: Bug Fix
babel-plugin-transform-modules-systemjsCommitters: 1
- Huáng Jùnliàng (
@JLHwung)v7.29.3 (2026-04-30)
:eyeglasses: Spec Compliance
:bug: Bug Fix
babel-helper-create-class-features-plugin,babel-plugin-proposal-decoratorsbabel-register
- #17915 Fix thread synchronization issues in
@babel/register(@liuxingbaoyu)babel-compat-data,babel-plugin-bugfix-safari-rest-destructuring-rhs-array,babel-preset-env:nail_care: Polish
:memo: Documentation
- #17847 Replace npmjs.com links with npmx.dev (
@nicolo-ribaudo):running_woman: Performance
babel-helper-import-to-platform-api,babel-plugin-proposal-import-wasm-source,babel-plugin-transform-json-modules
- #17818 Load async Wasm and JSON imports in parallel (
@nicolo-ribaudo)Committers: 4
- Babel Bot (
@babel-bot)- Huáng Jùnliàng (
@JLHwung)- Nicolò Ribaudo (
@nicolo-ribaudo)@liuxingbaoyuv7.29.2 (2026-03-16)
:eyeglasses: Spec Compliance
:bug: Bug Fix
babel-helpers,babel-plugin-transform-async-generator-functions,babel-preset-env,babel-runtime-corejs3
- #17805 [7.x backport] fix: Properly handle await in finally (
@liuxingbaoyu)babel-preset-env
... (truncated)
a458f66
v7.29.432ebd5a
[7.x backport]fix(systemjs): improve module string name support (#17974)aa8394e
v7.29.00053db6
Update polyfill packages (#17727)61647ae
v7.28.5a177d55
[Babel 8] Use t.traverseFast to replace some
path.traverse (#17518)eebd3a0
v7.27.1317e332
Enforce node protocol import (#17207)fdc0fb5
[Babel 8] Bump nodejs requirements to ^20.19.0 || >=
22.12.0 (#17204)cd24cc0
chore: Update TS 5.7 (#17053)This version was pushed to npm by GitHub Actions, a new
releaser for @babel/plugin-transform-modules-systemjs
since your current version.
Sourced from next's releases.
v15.5.18
This release contains security fixes for the following advisories:
High:
- GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
- GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
- GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
- GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
- GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
- GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
- GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n
Moderate:
- GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
- GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
- GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
- GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses
Low:
- GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
- GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned
v15.5.16
This release contains security fixes for the following advisories:
High:
- GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
- GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
- GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
- GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
- GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
- GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n
Moderate:
- GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
- GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
- GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
- GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses
Low:
9ff92ce
v15.5.1800ebe23
[backport] Disable build caches for production/staging/force-preview
deploys ...62c97ab
v15.5.17423623a
Turbopack: Match proxy matchers with webpack implementation (#93594)fa78739
Turbopack: Fix middleware matcher suffix (#93590)36e62c6
[backport] Turbopack: more strict vergen setup (#93588)36589b5
[backport][test] Pin package manager to patch versions (#93596)ad6fd4e
v15.5.1679d7dff
Ignore malformed CSP nonce headers (#103)c4f6908
router-server: guard upgrade proxy against absolute-url SSRF (#77) (#102)This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.