Sourced from @​hono/node-server's releases.

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

v1.19.9

What's Changed

• fix(globals): Stop overwriting global.fetch by @​usualoma in honojs/node-server#295

Full Changelog: honojs/node-server@v1.19.8...v1.19.9

v1.19.8

What's Changed

• docs: add guide for listening to UNIX domain socket by @​TransparentLC in honojs/node-server#292
• fix(serve-static): Use Readable.toWeb in serveStatic by @​otya128 in honojs/node-server#293

New Contributors

• @​TransparentLC made their first contribution in honojs/node-server#292
• @​otya128 made their first contribution in honojs/node-server#293

Full Changelog: honojs/node-server@v1.19.7...v1.19.8

v1.19.7

What's Changed

• fix: Fix for hono issue 4563 - incorrect content-length after following symlink by @​tshmieldev in honojs/node-server#290
• chore: add configVersion to bun.lock by @​yusukebe in honojs/node-server#291

New Contributors

• @​tshmieldev made their first contribution in honojs/node-server#290

Full Changelog: honojs/node-server@v1.19.6...v1.19.7

• 2f8ca36 1.19.10
• 455015b Merge commit from fork
• cc05c48 chore: add benchmark for comparing with npm and local (dev) (#305)
• 58c4412 chore: Adding LICENSE file with MIT license referenced in README.md (#297)
• b1daa4c docs(readme): add @​usualoma as an author (#300)
• 26f5e89 1.19.9
• 2d729e7 fix(globals): Stop overwriting global.fetch (#295)
• 9b72ddf 1.19.8
• 0b1229e fix(serve-static): Use Readable.toWeb in serveStatic (#293)
• 76d80e6 docs: add guide for listening to UNIX domain socket (#292)
• Additional commits viewable in compare view

Sourced from hono's releases.

v4.12.7

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

---

Full Changelog: honojs/hono@v4.12.6...v4.12.7

v4.12.6

What's Changed

• fix(accept): replace regex split to mitigate ReDoS by @​EdamAme-x in honojs/hono#4758
• fix(jsx): align link hoisting and dedupe with React 19 by @​usualoma in honojs/hono#4792
• chore(builld): tsconfig project references by @​BarryThePenguin in honojs/hono#4797
• chore: add tsconfig.spec.json by @​yusukebe in honojs/hono#4798
• feat(jsx-renderer): support function-based options by @​3w36zj6 in honojs/hono#4780
• fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by @​t0waxx in honojs/hono#4782

New Contributors

• @​t0waxx made their first contribution in honojs/hono#4782

Full Changelog: honojs/hono@v4.12.5...v4.12.6

v4.12.5

What's Changed

• fix(request): return string | undefined from param() when path type is any by @​andrewdamelio in honojs/hono#4723
• fix(jwt): validate token format in decode and decodeHeader functions by @​otoneko1102 in honojs/hono#4752
• fix(jsx): Fix "Invalid state: Controller is already closed" by @​gaearon in honojs/hono#4770
• chore(eslint): upgrade @hono/eslint-config by @​BarryThePenguin in honojs/hono#4781

New Contributors

• @​andrewdamelio made their first contribution in honojs/hono#4723
• @​otoneko1102 made their first contribution in honojs/hono#4752
• @​gaearon made their first contribution in honojs/hono#4770

Full Changelog: honojs/hono@v4.12.4...v4.12.5

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

... (truncated)

• b0aba5b 4.12.7
• 1be3a53 ci: apply automated fixes
• ef90225 Merge commit from fork
• 3f88636 4.12.6
• 53b66ae fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X (#4782)
• 58825a7 feat(jsx-renderer): support function-based options (#4780)
• 0e80acb chore: add tsconfig.spec.json (#4798)
• d69deb8 chore(builld): tsconfig project references (#4797)
• 8217d9e fix(jsx): align link hoisting and dedupe with React 19 (#4792)
• 5086956 fix(accept): replace regex split to mitigate ReDoS (#4758)
• Additional commits viewable in compare view

Sourced from next's releases.

v15.5.14

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (#91660)
• Fix(pages-router): restore Content-Length and ETag for /_next/data/ JSON responses (#90304)

Credits

Huge thanks to @​styfle and @​lllomh for helping!

v15.5.13

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​ztanner for helping!

v15.5.12

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

• fix unlock in publish-native

This is a re-release of v15.5.11 applying the turbopack changes.

v15.5.11

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Tracing: Fix memory leak in span map (#85529)
• fix: ensure LRU cache items have minimum size of 1 to prevent unbounded growth (#89134)
• Turbopack: fix NFT tracing of sharp 0.34 (#82340)
• Turbopack: support pattern into exports field (#82757)
• NFT tracing fixes (#84155 and #85323)
• Turbopack: validate CSS without computing all paths (#83810)
• feat: implement LRU cache with invocation ID scoping for minimal mode response cache (#89129)

Credits

Huge thanks to @​timneutkens, @​mischnic, @​ztanner, and @​wyattjoh for helping!

• d7b012d v15.5.14
• 2b05251 [backport] feat(next/image): add lru disk cache and `images.maximumDiskCacheS...
• f88cee9 Backport: Fix(pages-router): restore Content-Length and ETag for /_next/data/...
• cfd5f53 v15.5.13
• 15f2891 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
• d23f41c v15.5.12
• 8e75765 fix unlock in publish-native
• 6cef992 [backport] normalize CRLF line endings in jscodeshift tests on Windows (#8800...
• 7a94645 Apply needs for publishRelease
• bbfd4e3 v15.5.11
• Additional commits viewable in compare view

Sourced from next's releases.

v15.5.14

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (#91660)
• Fix(pages-router): restore Content-Length and ETag for /_next/data/ JSON responses (#90304)

Credits

Huge thanks to @​styfle and @​lllomh for helping!

v15.5.13

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​ztanner for helping!

v15.5.12

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

• fix unlock in publish-native

This is a re-release of v15.5.11 applying the turbopack changes.

v15.5.11

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Tracing: Fix memory leak in span map (#85529)
• fix: ensure LRU cache items have minimum size of 1 to prevent unbounded growth (#89134)
• Turbopack: fix NFT tracing of sharp 0.34 (#82340)
• Turbopack: support pattern into exports field (#82757)
• NFT tracing fixes (#84155 and #85323)
• Turbopack: validate CSS without computing all paths (#83810)
• feat: implement LRU cache with invocation ID scoping for minimal mode response cache (#89129)

Credits

Huge thanks to @​timneutkens, @​mischnic, @​ztanner, and @​wyattjoh for helping!

• d7b012d v15.5.14
• 2b05251 [backport] feat(next/image): add lru disk cache and `images.maximumDiskCacheS...
• f88cee9 Backport: Fix(pages-router): restore Content-Length and ETag for /_next/data/...
• cfd5f53 v15.5.13
• 15f2891 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
• d23f41c v15.5.12
• 8e75765 fix unlock in publish-native
• 6cef992 [backport] normalize CRLF line endings in jscodeshift tests on Windows (#8800...
• 7a94645 Apply needs for publishRelease
• bbfd4e3 v15.5.11
• Additional commits viewable in compare view

Sourced from undici's releases.

v7.24.5

What's Changed

• Formdata tests by @​KhafraDev in nodejs/undici#4902
• test: add unexpected disconnect guards to more client test files by @​samayer12 in nodejs/undici#4844
• fix(cache): only apply 1-year deleteAt for immutable responses by @​metalix2 in nodejs/undici#4913

New Contributors

• @​metalix2 made their first contribution in nodejs/undici#4913

Full Changelog: nodejs/undici@v7.24.4...v7.24.5

v7.24.4

What's Changed

• fix(fetch): handle URL credentials in dispatch path extraction by @​mcollina in nodejs/undici#4892

Full Changelog: nodejs/undici@v7.24.3...v7.24.4

v7.24.3

What's Changed

• fix(h2): TypeError: Cannot read properties of null (reading 'push') i… by @​hxinhan in nodejs/undici#4881

Full Changelog: nodejs/undici@v7.24.2...v7.24.3

v7.24.2

What's Changed

• fix fetch path logic by @​KhafraDev in nodejs/undici#4890
• remove maxDecompressedMessageSize by @​KhafraDev in nodejs/undici#4891

Full Changelog: nodejs/undici@v7.24.1...v7.24.2

v7.24.1

What's Changed

• fix: proto pollution by @​rahulyadav5524 in nodejs/undici#4885

Full Changelog: nodejs/undici@v7.24.0...v7.24.1

v7.24.0

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

... (truncated)

• 51fd661 Bumped v7.24.5 (#4915)
• 9077500 fix(cache): only apply 1-year deleteAt for immutable responses (#4913)
• 1c5dc1a test: add unexpected disconnect guards to more client test files (#4844)
• 2885361 Formdata tests (#4902)
• 4991f3e Bumped v7.24.4
• ea3a06d fix(fetch): preserve path for credentialed URLs (#4892)
• 9b96516 Bumped v7.24.3
• 7926660 Ignore .githuman
• 9eaa5af fix(h2): TypeError: Cannot read properties of null (reading 'push') in Reques...
• a9bfe21 ignore .pi
• Additional commits viewable in compare view

Sourced from undici's releases.

v7.24.5

What's Changed

• Formdata tests by @​KhafraDev in nodejs/undici#4902
• test: add unexpected disconnect guards to more client test files by @​samayer12 in nodejs/undici#4844
• fix(cache): only apply 1-year deleteAt for immutable responses by @​metalix2 in nodejs/undici#4913

New Contributors

• @​metalix2 made their first contribution in nodejs/undici#4913

Full Changelog: nodejs/undici@v7.24.4...v7.24.5

v7.24.4

What's Changed

• fix(fetch): handle URL credentials in dispatch path extraction by @​mcollina in nodejs/undici#4892

Full Changelog: nodejs/undici@v7.24.3...v7.24.4

v7.24.3

What's Changed

• fix(h2): TypeError: Cannot read properties of null (reading 'push') i… by @​hxinhan in nodejs/undici#4881

Full Changelog: nodejs/undici@v7.24.2...v7.24.3

v7.24.2

What's Changed

• fix fetch path logic by @​KhafraDev in nodejs/undici#4890
• remove maxDecompressedMessageSize by @​KhafraDev in nodejs/undici#4891

Full Changelog: nodejs/undici@v7.24.1...v7.24.2

v7.24.1

What's Changed

• fix: proto pollution by @​rahulyadav5524 in nodejs/undici#4885

Full Changelog: nodejs/undici@v7.24.0...v7.24.1

v7.24.0

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

... (truncated)

• 51fd661 Bumped v7.24.5 (#4915)
• 9077500 fix(cache): only apply 1-year deleteAt for immutable responses (#4913)
• 1c5dc1a test: add unexpected disconnect guards to more client test files (#4844)
• 2885361 Formdata tests (#4902)
• 4991f3e Bumped v7.24.4
• ea3a06d fix(fetch): preserve path for credentialed URLs (#4892)
• 9b96516 Bumped v7.24.3
• 7926660 Ignore .githuman
• 9eaa5af fix(h2): TypeError: Cannot read properties of null (reading 'push') in Reques...
• a9bfe21 ignore .pi
• Additional commits viewable in compare view

Sourced from next's releases.

v15.5.14

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (#91660)
• Fix(pages-router): restore Content-Length and ETag for /_next/data/ JSON responses (#90304)

Credits

Huge thanks to @​styfle and @​lllomh for helping!

v15.5.13

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​ztanner for helping!

v15.5.12

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

• fix unlock in publish-native

This is a re-release of v15.5.11 applying the turbopack changes.

v15.5.11

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Tracing: Fix memory leak in span map (#85529)
• fix: ensure LRU cache items have minimum size of 1 to prevent unbounded growth (#89134)
• Turbopack: fix NFT tracing of sharp 0.34 (#82340)
• Turbopack: support pattern into exports field (#82757)
• NFT tracing fixes (#84155 and #85323)
• Turbopack: validate CSS without computing all paths (#83810)
• feat: implement LRU cache with invocation ID scoping for minimal mode response cache (#89129)

Credits

Huge thanks to @​timneutkens, @​mischnic, @​ztanner, and @​wyattjoh for helping!

• d7b012d v15.5.14
• 2b05251 [backport] feat(next/image): add lru disk cache and `images.maximumDiskCacheS...
• f88cee9 Backport: Fix(pages-router): restore Content-Length and ETag for /_next/data/...
• cfd5f53 v15.5.13
• 15f2891 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
• d23f41c v15.5.12
• 8e75765 fix unlock in publish-native
• 6cef992 [backport] normalize CRLF line endings in jscodeshift tests on Windows (#8800...
• 7a94645 Apply needs for publishRelease
• bbfd4e3 v15.5.11
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.