npm hono 4.11.4
v4.11.4

13 hours ago

Security

Fixed a JWT algorithm confusion issue in the JWT and JWK/JWKS middleware.

Both middlewares now require an explicit algorithm configuration to prevent the verification algorithm from being influenced by untrusted JWT header values.

If you are using the JWT or JWK/JWKS middleware, please update to the latest version as soon as possible.

JWT middleware

import { Hono } from 'hono'
import { jwt } from 'hono/jwt'

const app = new Hono()

app.use(
  '/auth/*',
  jwt({
    secret: 'it-is-very-secret',
    alg: 'HS256', // required: the verification algorithm is fixed here, never taken from the token header
  })
)

JWK/JWKS middleware

import { Hono } from 'hono'
import { jwk } from 'hono/jwk'

const app = new Hono()

app.use(
  '/auth/*',
  jwk({
    jwks_uri: 'https://example.com/.well-known/jwks.json',
    alg: ['RS256'], // required (asymmetric algorithms only); tokens whose header names any other algorithm are rejected
  })
)

For more details, see the Security Advisory.

What's Changed

  • test(utils/jwt): add missing algorithm types in jwa.test.ts by @flathill404 in #4607
  • chore: bump @hono/eslint-config and enable curly rule by @yusukebe in #4620
  • docs(bun/websocket): Fixed a typo in hono/bun deprecation message and updated test. by @Itsnotaka in #4618
  • test: support alg option for JWT middleware by @yusukebe in #4624

New Contributors

Full Changelog: v4.11.3...v4.11.4
