hono 4.12.17 → 4.12.19

package/dist/adapter/bun/serve-static.js

@@ -2,7 +2,7 @@
 import { stat } from "node:fs/promises";
 import { join } from "node:path";
 import { serveStatic as baseServeStatic } from "../../middleware/serve-static/index.js";
-var serveStatic = (options) => {
+var serveStatic = (options = {}) => {
   return async function serveStatic2(c, next) {
     const getContent = async (path) => {
       const file = Bun.file(path);

package/dist/adapter/cloudflare-workers/serve-static.js

@@ -1,7 +1,7 @@
 // src/adapter/cloudflare-workers/serve-static.ts
 import { serveStatic as baseServeStatic } from "../../middleware/serve-static/index.js";
 import { getContentFromKVAsset } from "./utils.js";
-var serveStatic = (options) => {
+var serveStatic = (options = {}) => {
   return async function serveStatic2(c, next) {
     const getContent = async (path) => {
       return getContentFromKVAsset(path, {

package/dist/adapter/deno/serve-static.js

@@ -2,7 +2,7 @@
 import { join } from "node:path";
 import { serveStatic as baseServeStatic } from "../../middleware/serve-static/index.js";
 var { open, lstatSync, errors } = Deno;
-var serveStatic = (options) => {
+var serveStatic = (options = {}) => {
   return async function serveStatic2(c, next) {
     const getContent = async (path) => {
       try {

package/dist/cjs/adapter/bun/serve-static.js

@@ -23,7 +23,7 @@ module.exports = __toCommonJS(serve_static_exports);
 var import_promises = require("node:fs/promises");
 var import_node_path = require("node:path");
 var import_serve_static = require("../../middleware/serve-static");
-const serveStatic = (options) => {
+const serveStatic = (options = {}) => {
   return async function serveStatic2(c, next) {
     const getContent = async (path) => {
       const file = Bun.file(path);

package/dist/cjs/adapter/cloudflare-workers/serve-static.js

@@ -22,7 +22,7 @@ __export(serve_static_exports, {
 module.exports = __toCommonJS(serve_static_exports);
 var import_serve_static = require("../../middleware/serve-static");
 var import_utils = require("./utils");
-const serveStatic = (options) => {
+const serveStatic = (options = {}) => {
   return async function serveStatic2(c, next) {
     const getContent = async (path) => {
       return (0, import_utils.getContentFromKVAsset)(path, {

package/dist/cjs/adapter/deno/serve-static.js

@@ -23,7 +23,7 @@ module.exports = __toCommonJS(serve_static_exports);
 var import_node_path = require("node:path");
 var import_serve_static = require("../../middleware/serve-static");
 const { open, lstatSync, errors } = Deno;
-const serveStatic = (options) => {
+const serveStatic = (options = {}) => {
   return async function serveStatic2(c, next) {
     const getContent = async (path) => {
       try {

package/dist/cjs/jsx/utils.js

@@ -90,15 +90,105 @@ const isValidAttributeName = (name) => {
   cacheValidName(validAttributeNameCache, validAttributeNameCacheMax, name);
   return true;
 };
+const invalidStylePropertyNameCharRe = /[\s"'():;\\/\[\]{}\x00-\x1f\x7f-\x9f]/;
+const validStylePropertyNameCache = /* @__PURE__ */ new Set();
+const validStylePropertyNameCacheMax = 1024;
+const isValidStylePropertyName = (name) => {
+  if (validStylePropertyNameCache.has(name)) {
+    return true;
+  }
+  const len = name.length;
+  if (len === 0) {
+    return false;
+  }
+  for (let i = 0; i < len; i++) {
+    const c = name.charCodeAt(i);
+    if (!(c >= 97 && c <= 122 || // a-z
+    c >= 65 && c <= 90 || // A-Z
+    c >= 48 && c <= 57 || // 0-9
+    c === 45 || // -
+    c === 95)) {
+      if (!invalidStylePropertyNameCharRe.test(name)) {
+        cacheValidName(validStylePropertyNameCache, validStylePropertyNameCacheMax, name);
+        return true;
+      } else {
+        return false;
+      }
+    }
+  }
+  cacheValidName(validStylePropertyNameCache, validStylePropertyNameCacheMax, name);
+  return true;
+};
+const unsafeStyleValueCharRe = /[;"'\\/\[\](){}]/;
+const hasUnsafeStyleValue = (value) => {
+  if (!unsafeStyleValueCharRe.test(value)) {
+    return false;
+  }
+  let quote = 0;
+  const blockStack = [];
+  for (let i = 0, len = value.length; i < len; i++) {
+    const c = value.charCodeAt(i);
+    if (c === 92) {
+      if (i === len - 1) {
+        return true;
+      }
+      i++;
+    } else if (quote !== 0) {
+      if (c === 10 || c === 12 || c === 13) {
+        return true;
+      }
+      if (c === quote) {
+        quote = 0;
+      }
+    } else if (c === 47 && value.charCodeAt(i + 1) === 42) {
+      const end = value.indexOf("*/", i + 2);
+      if (end === -1) {
+        return true;
+      }
+      i = end + 1;
+    } else if (c === 34 || c === 39) {
+      quote = c;
+    } else if (c === 40) {
+      blockStack.push(41);
+    } else if (c === 91) {
+      blockStack.push(93);
+    } else if (c === 123 || c === 125) {
+      return true;
+    } else if (c === 41 || c === 93) {
+      if (blockStack[blockStack.length - 1] !== c) {
+        return true;
+      }
+      blockStack.pop();
+    } else if (c === 59 && blockStack.length === 0) {
+      return true;
+    }
+  }
+  return quote !== 0 || blockStack.length !== 0;
+};
 const styleObjectForEach = (style, fn) => {
   for (const [k, v] of Object.entries(style)) {
     const key = k[0] === "-" || !/[A-Z]/.test(k) ? k : k.replace(/[A-Z]/g, (m) => `-${m.toLowerCase()}`);
-    fn(
-      key,
-      v == null ? null : typeof v === "number" ? !key.match(
+    if (!isValidStylePropertyName(key)) {
+      continue;
+    }
+    if (v == null) {
+      fn(key, null);
+      continue;
+    }
+    let value;
+    if (typeof v === "number") {
+      value = !key.match(
         /^(?:a|border-im|column(?:-c|s)|flex(?:$|-[^b])|grid-(?:ar|[^a])|font-w|li|or|sca|st|ta|wido|z)|ty$/
-      ) ? `${v}px` : `${v}` : v
-    );
+      ) ? `${v}px` : `${v}`;
+    } else if (typeof v === "string") {
+      if (hasUnsafeStyleValue(v)) {
+        continue;
+      }
+      value = v;
+    } else {
+      continue;
+    }
+    fn(key, value);
   }
 };
 // Annotate the CommonJS export names for ESM import in node:

package/dist/cjs/middleware/cache/index.js

@@ -21,20 +21,14 @@ __export(cache_exports, {
 });
 module.exports = __toCommonJS(cache_exports);
 const defaultCacheableStatusCodes = [200];
-const shouldSkipCache = (res) => {
-  const vary = res.headers.get("Vary");
-  if (vary && vary.includes("*")) {
-    return true;
+const shouldSkipCacheControl = (cacheControl) => !!cacheControl && /(?:^|,\s*)(?:private|no-(?:store|cache))(?:\s*(?:=|,|$))/i.test(cacheControl);
+const parseVaryDirectives = (vary) => {
+  if (vary == null) {
+    return [];
   }
-  const cacheControl = res.headers.get("Cache-Control");
-  if (cacheControl && /(?:^|,\s*)(?:private|no-(?:store|cache))(?:\s*(?:=|,|$))/i.test(cacheControl)) {
-    return true;
-  }
-  if (res.headers.has("Set-Cookie")) {
-    return true;
-  }
-  return false;
+  return (Array.isArray(vary) ? vary : vary.split(",")).map((directive) => directive.trim().toLowerCase()).filter(Boolean);
 };
+const shouldSkipCache = (res, optionsVaryDirectives, responseVary) => responseVary.length && (!optionsVaryDirectives || responseVary.some((name) => !optionsVaryDirectives.has(name))) || shouldSkipCacheControl(res.headers.get("Cache-Control")) || res.headers.has("Set-Cookie");
 const cache = (options) => {
   if (!globalThis.caches) {
     if (options.onCacheNotAvailable === false) {
@@ -49,8 +43,9 @@ const cache = (options) => {
     options.wait = false;
   }
   const cacheControlDirectives = options.cacheControl?.split(",").map((directive) => directive.toLowerCase());
-  const varyDirectives = Array.isArray(options.vary) ? options.vary : options.vary?.split(",").map((directive) => directive.trim());
-  if (options.vary?.includes("*")) {
+  const optionsVaryList = parseVaryDirectives(options.vary);
+  const varyDirectives = optionsVaryList.length ? new Set(optionsVaryList) : void 0;
+  if (varyDirectives?.has("*")) {
     throw new Error(
       'Middleware vary configuration cannot include "*", as it disallows effective caching.'
     );
@@ -58,7 +53,7 @@ const cache = (options) => {
   const cacheableStatusCodes = new Set(
     options.cacheableStatusCodes ?? defaultCacheableStatusCodes
   );
-  const addHeader = (c) => {
+  const addHeader = (c, responseVary) => {
     if (cacheControlDirectives) {
       const existingDirectives = c.res.headers.get("Cache-Control")?.split(",").map((d) => d.trim().split("=", 1)[0]) ?? [];
       for (const directive of cacheControlDirectives) {
@@ -70,24 +65,36 @@ const cache = (options) => {
       }
     }
     if (varyDirectives) {
-      const existingDirectives = c.res.headers.get("Vary")?.split(",").map((d) => d.trim()) ?? [];
-      const vary = Array.from(
-        new Set(
-          [...existingDirectives, ...varyDirectives].map((directive) => directive.toLowerCase())
-        )
-      ).sort();
-      if (vary.includes("*")) {
-        c.header("Vary", "*");
+      if (responseVary.length === 0) {
+        c.header("Vary", Array.from(varyDirectives).join(", "));
       } else {
-        c.header("Vary", vary.join(", "));
+        const merged = new Set(varyDirectives);
+        for (const directive of responseVary) {
+          merged.add(directive);
+        }
+        if (merged.has("*")) {
+          c.header("Vary", "*");
+        } else {
+          c.header("Vary", Array.from(merged).join(", "));
+        }
       }
     }
   };
   return async function cache2(c, next) {
+    if (c.req.method !== "GET" || c.req.raw.headers.has("Authorization")) {
+      await next();
+      return;
+    }
     let key = c.req.url;
     if (options.keyGenerator) {
       key = await options.keyGenerator(c);
     }
+    if (varyDirectives) {
+      for (const directive of varyDirectives) {
+        const value = c.req.raw.headers.get(directive) ?? "";
+        key += `::${directive}=${encodeURIComponent(value)}`;
+      }
+    }
     const cacheName = typeof options.cacheName === "function" ? await options.cacheName(c) : options.cacheName;
     const cache3 = await caches.open(cacheName);
     const response = await cache3.match(key);
@@ -98,8 +105,9 @@ const cache = (options) => {
     if (!cacheableStatusCodes.has(c.res.status)) {
       return;
     }
-    addHeader(c);
-    if (shouldSkipCache(c.res)) {
+    const responseVary = parseVaryDirectives(c.res.headers.get("Vary"));
+    addHeader(c, responseVary);
+    if (shouldSkipCache(c.res, varyDirectives, responseVary)) {
       return;
     }
     const res = c.res.clone();

package/dist/cjs/request.js

@@ -169,6 +169,21 @@ class HonoRequest {
   arrayBuffer() {
     return this.#cachedBody("arrayBuffer");
   }
+  /**
+   * `.bytes()` parses the request body as a `Uint8Array`.
+   *
+   * @see {@link https://hono.dev/docs/api/request#bytes}
+   *
+   * @example
+   * ```ts
+   * app.post('/entry', async (c) => {
+   *   const body = await c.req.bytes()
+   * })
+   * ```
+   */
+  bytes() {
+    return this.#cachedBody("arrayBuffer").then((buffer) => new Uint8Array(buffer));
+  }
   /**
    * Parses the request body as a `Blob`.
    * @example

package/dist/cjs/utils/cookie.js

@@ -72,14 +72,14 @@ const parse = (cookie, name) => {
     return {};
   }
   const pairs = cookie.split(";");
-  const parsedCookie = {};
+  const parsedCookie = /* @__PURE__ */ Object.create(null);
   for (const pairStr of pairs) {
     const valueStartPos = pairStr.indexOf("=");
     if (valueStartPos === -1) {
       continue;
     }
     const cookieName = trimCookieWhitespace(pairStr.substring(0, valueStartPos));
-    if (name && name !== cookieName || !validCookieNameRegEx.test(cookieName)) {
+    if (name && name !== cookieName || !validCookieNameRegEx.test(cookieName) || cookieName in parsedCookie) {
       continue;
     }
     let cookieValue = trimCookieWhitespace(pairStr.substring(valueStartPos + 1));
@@ -96,7 +96,7 @@ const parse = (cookie, name) => {
   return parsedCookie;
 };
 const parseSigned = async (cookie, secret, name) => {
-  const parsedCookie = {};
+  const parsedCookie = /* @__PURE__ */ Object.create(null);
   const secretKey = await getCryptoKey(secret);
   for (const [key, value] of Object.entries(parse(cookie, name))) {
     const signatureStartPos = value.lastIndexOf(".");

package/dist/cjs/utils/jwt/jwt.js

@@ -81,14 +81,20 @@ const verify = async (token, publicKey, algOrOptions) => {
     throw new import_types.JwtAlgorithmMismatch(alg, header.alg);
   }
   const now = Math.floor(Date.now() / 1e3);
-  if (nbf && payload.nbf && payload.nbf > now) {
-    throw new import_types.JwtTokenNotBefore(token);
+  if (nbf && payload.nbf !== void 0) {
+    if (typeof payload.nbf !== "number" || !Number.isFinite(payload.nbf) || payload.nbf > now) {
+      throw new import_types.JwtTokenNotBefore(token);
+    }
   }
-  if (exp && payload.exp && payload.exp <= now) {
-    throw new import_types.JwtTokenExpired(token);
+  if (exp && payload.exp !== void 0) {
+    if (typeof payload.exp !== "number" || !Number.isFinite(payload.exp) || payload.exp <= now) {
+      throw new import_types.JwtTokenExpired(token);
+    }
   }
-  if (iat && payload.iat && now < payload.iat) {
-    throw new import_types.JwtTokenIssuedAt(now, payload.iat);
+  if (iat && payload.iat !== void 0) {
+    if (typeof payload.iat !== "number" || !Number.isFinite(payload.iat) || now < payload.iat) {
+      throw new import_types.JwtTokenIssuedAt(now, payload.iat);
+    }
   }
   if (iss) {
     if (!payload.iss) {

package/dist/cjs/utils/stream.js

@@ -48,7 +48,9 @@ class StreamingApi {
         done ? controller.close() : controller.enqueue(value);
       },
       cancel: () => {
-        this.abort();
+        if (!this.closed) {
+          this.abort();
+        }
       }
     });
   }
@@ -70,11 +72,11 @@ class StreamingApi {
     return new Promise((res) => setTimeout(res, ms));
   }
   async close() {
+    this.closed = true;
     try {
       await this.writer.close();
     } catch {
     }
-    this.closed = true;
   }
   async pipe(body) {
     this.writer.releaseLock();

package/dist/jsx/utils.js

@@ -66,15 +66,105 @@ var isValidAttributeName = (name) => {
   cacheValidName(validAttributeNameCache, validAttributeNameCacheMax, name);
   return true;
 };
+var invalidStylePropertyNameCharRe = /[\s"'():;\\/\[\]{}\x00-\x1f\x7f-\x9f]/;
+var validStylePropertyNameCache = /* @__PURE__ */ new Set();
+var validStylePropertyNameCacheMax = 1024;
+var isValidStylePropertyName = (name) => {
+  if (validStylePropertyNameCache.has(name)) {
+    return true;
+  }
+  const len = name.length;
+  if (len === 0) {
+    return false;
+  }
+  for (let i = 0; i < len; i++) {
+    const c = name.charCodeAt(i);
+    if (!(c >= 97 && c <= 122 || // a-z
+    c >= 65 && c <= 90 || // A-Z
+    c >= 48 && c <= 57 || // 0-9
+    c === 45 || // -
+    c === 95)) {
+      if (!invalidStylePropertyNameCharRe.test(name)) {
+        cacheValidName(validStylePropertyNameCache, validStylePropertyNameCacheMax, name);
+        return true;
+      } else {
+        return false;
+      }
+    }
+  }
+  cacheValidName(validStylePropertyNameCache, validStylePropertyNameCacheMax, name);
+  return true;
+};
+var unsafeStyleValueCharRe = /[;"'\\/\[\](){}]/;
+var hasUnsafeStyleValue = (value) => {
+  if (!unsafeStyleValueCharRe.test(value)) {
+    return false;
+  }
+  let quote = 0;
+  const blockStack = [];
+  for (let i = 0, len = value.length; i < len; i++) {
+    const c = value.charCodeAt(i);
+    if (c === 92) {
+      if (i === len - 1) {
+        return true;
+      }
+      i++;
+    } else if (quote !== 0) {
+      if (c === 10 || c === 12 || c === 13) {
+        return true;
+      }
+      if (c === quote) {
+        quote = 0;
+      }
+    } else if (c === 47 && value.charCodeAt(i + 1) === 42) {
+      const end = value.indexOf("*/", i + 2);
+      if (end === -1) {
+        return true;
+      }
+      i = end + 1;
+    } else if (c === 34 || c === 39) {
+      quote = c;
+    } else if (c === 40) {
+      blockStack.push(41);
+    } else if (c === 91) {
+      blockStack.push(93);
+    } else if (c === 123 || c === 125) {
+      return true;
+    } else if (c === 41 || c === 93) {
+      if (blockStack[blockStack.length - 1] !== c) {
+        return true;
+      }
+      blockStack.pop();
+    } else if (c === 59 && blockStack.length === 0) {
+      return true;
+    }
+  }
+  return quote !== 0 || blockStack.length !== 0;
+};
 var styleObjectForEach = (style, fn) => {
   for (const [k, v] of Object.entries(style)) {
     const key = k[0] === "-" || !/[A-Z]/.test(k) ? k : k.replace(/[A-Z]/g, (m) => `-${m.toLowerCase()}`);
-    fn(
-      key,
-      v == null ? null : typeof v === "number" ? !key.match(
+    if (!isValidStylePropertyName(key)) {
+      continue;
+    }
+    if (v == null) {
+      fn(key, null);
+      continue;
+    }
+    let value;
+    if (typeof v === "number") {
+      value = !key.match(
         /^(?:a|border-im|column(?:-c|s)|flex(?:$|-[^b])|grid-(?:ar|[^a])|font-w|li|or|sca|st|ta|wido|z)|ty$/
-      ) ? `${v}px` : `${v}` : v
-    );
+      ) ? `${v}px` : `${v}`;
+    } else if (typeof v === "string") {
+      if (hasUnsafeStyleValue(v)) {
+        continue;
+      }
+      value = v;
+    } else {
+      continue;
+    }
+    fn(key, value);
   }
 };
 export {

package/dist/middleware/cache/index.js

@@ -1,19 +1,13 @@
 // src/middleware/cache/index.ts
 var defaultCacheableStatusCodes = [200];
-var shouldSkipCache = (res) => {
-  const vary = res.headers.get("Vary");
-  if (vary && vary.includes("*")) {
-    return true;
+var shouldSkipCacheControl = (cacheControl) => !!cacheControl && /(?:^|,\s*)(?:private|no-(?:store|cache))(?:\s*(?:=|,|$))/i.test(cacheControl);
+var parseVaryDirectives = (vary) => {
+  if (vary == null) {
+    return [];
   }
-  const cacheControl = res.headers.get("Cache-Control");
-  if (cacheControl && /(?:^|,\s*)(?:private|no-(?:store|cache))(?:\s*(?:=|,|$))/i.test(cacheControl)) {
-    return true;
-  }
-  if (res.headers.has("Set-Cookie")) {
-    return true;
-  }
-  return false;
+  return (Array.isArray(vary) ? vary : vary.split(",")).map((directive) => directive.trim().toLowerCase()).filter(Boolean);
 };
+var shouldSkipCache = (res, optionsVaryDirectives, responseVary) => responseVary.length && (!optionsVaryDirectives || responseVary.some((name) => !optionsVaryDirectives.has(name))) || shouldSkipCacheControl(res.headers.get("Cache-Control")) || res.headers.has("Set-Cookie");
 var cache = (options) => {
   if (!globalThis.caches) {
     if (options.onCacheNotAvailable === false) {
@@ -28,8 +22,9 @@ var cache = (options) => {
     options.wait = false;
   }
   const cacheControlDirectives = options.cacheControl?.split(",").map((directive) => directive.toLowerCase());
-  const varyDirectives = Array.isArray(options.vary) ? options.vary : options.vary?.split(",").map((directive) => directive.trim());
-  if (options.vary?.includes("*")) {
+  const optionsVaryList = parseVaryDirectives(options.vary);
+  const varyDirectives = optionsVaryList.length ? new Set(optionsVaryList) : void 0;
+  if (varyDirectives?.has("*")) {
     throw new Error(
       'Middleware vary configuration cannot include "*", as it disallows effective caching.'
     );
@@ -37,7 +32,7 @@ var cache = (options) => {
   const cacheableStatusCodes = new Set(
     options.cacheableStatusCodes ?? defaultCacheableStatusCodes
   );
-  const addHeader = (c) => {
+  const addHeader = (c, responseVary) => {
     if (cacheControlDirectives) {
       const existingDirectives = c.res.headers.get("Cache-Control")?.split(",").map((d) => d.trim().split("=", 1)[0]) ?? [];
       for (const directive of cacheControlDirectives) {
@@ -49,24 +44,36 @@ var cache = (options) => {
       }
     }
     if (varyDirectives) {
-      const existingDirectives = c.res.headers.get("Vary")?.split(",").map((d) => d.trim()) ?? [];
-      const vary = Array.from(
-        new Set(
-          [...existingDirectives, ...varyDirectives].map((directive) => directive.toLowerCase())
-        )
-      ).sort();
-      if (vary.includes("*")) {
-        c.header("Vary", "*");
+      if (responseVary.length === 0) {
+        c.header("Vary", Array.from(varyDirectives).join(", "));
       } else {
-        c.header("Vary", vary.join(", "));
+        const merged = new Set(varyDirectives);
+        for (const directive of responseVary) {
+          merged.add(directive);
+        }
+        if (merged.has("*")) {
+          c.header("Vary", "*");
+        } else {
+          c.header("Vary", Array.from(merged).join(", "));
+        }
       }
     }
   };
   return async function cache2(c, next) {
+    if (c.req.method !== "GET" || c.req.raw.headers.has("Authorization")) {
+      await next();
+      return;
+    }
     let key = c.req.url;
     if (options.keyGenerator) {
       key = await options.keyGenerator(c);
     }
+    if (varyDirectives) {
+      for (const directive of varyDirectives) {
+        const value = c.req.raw.headers.get(directive) ?? "";
+        key += `::${directive}=${encodeURIComponent(value)}`;
+      }
+    }
     const cacheName = typeof options.cacheName === "function" ? await options.cacheName(c) : options.cacheName;
     const cache3 = await caches.open(cacheName);
     const response = await cache3.match(key);
@@ -77,8 +84,9 @@ var cache = (options) => {
     if (!cacheableStatusCodes.has(c.res.status)) {
       return;
     }
-    addHeader(c);
-    if (shouldSkipCache(c.res)) {
+    const responseVary = parseVaryDirectives(c.res.headers.get("Vary"));
+    addHeader(c, responseVary);
+    if (shouldSkipCache(c.res, varyDirectives, responseVary)) {
       return;
     }
     const res = c.res.clone();

package/dist/request.js

@@ -147,6 +147,21 @@ var HonoRequest = class {
   arrayBuffer() {
     return this.#cachedBody("arrayBuffer");
   }
+  /**
+   * `.bytes()` parses the request body as a `Uint8Array`.
+   *
+   * @see {@link https://hono.dev/docs/api/request#bytes}
+   *
+   * @example
+   * ```ts
+   * app.post('/entry', async (c) => {
+   *   const body = await c.req.bytes()
+   * })
+   * ```
+   */
+  bytes() {
+    return this.#cachedBody("arrayBuffer").then((buffer) => new Uint8Array(buffer));
+  }
   /**
    * Parses the request body as a `Blob`.
    * @example