hono 4.12.9 → 4.12.18

package/dist/cjs/middleware/cache/index.js

@@ -22,8 +22,7 @@ __export(cache_exports, {
 module.exports = __toCommonJS(cache_exports);
 const defaultCacheableStatusCodes = [200];
 const shouldSkipCache = (res) => {
-  const vary = res.headers.get("Vary");
-  if (vary && vary.includes("*")) {
+  if (res.headers.has("Vary")) {
     return true;
   }
   const cacheControl = res.headers.get("Cache-Control");
@@ -37,7 +36,12 @@ const shouldSkipCache = (res) => {
 };
 const cache = (options) => {
   if (!globalThis.caches) {
-    console.log("Cache Middleware is not enabled because caches is not defined.");
+    if (options.onCacheNotAvailable === false) {
+    } else if (options.onCacheNotAvailable) {
+      options.onCacheNotAvailable();
+    } else {
+      console.log("Cache Middleware is not enabled because caches is not defined.");
+    }
     return async (_c, next) => await next();
   }
   if (options.wait === void 0) {
@@ -79,6 +83,10 @@ const cache = (options) => {
     }
   };
   return async function cache2(c, next) {
+    if (c.req.method !== "GET" || c.req.raw.headers.has("Authorization")) {
+      await next();
+      return;
+    }
     let key = c.req.url;
     if (options.keyGenerator) {
       key = await options.keyGenerator(c);

package/dist/cjs/middleware/compress/index.js

@@ -45,6 +45,10 @@ const compress = (options) => {
     ctx.res = new Response(ctx.res.body.pipeThrough(stream), ctx.res);
     ctx.res.headers.delete("Content-Length");
     ctx.res.headers.set("Content-Encoding", encoding);
+    const etag = ctx.res.headers.get("ETag");
+    if (etag && !etag.startsWith("W/")) {
+      ctx.res.headers.set("ETag", `W/${etag}`);
+    }
   };
 };
 const shouldCompress = (res) => {

package/dist/cjs/middleware/cors/index.js

@@ -21,14 +21,11 @@ __export(cors_exports, {
 });
 module.exports = __toCommonJS(cors_exports);
 const cors = (options) => {
-  const defaults = {
+  const opts = {
     origin: "*",
     allowMethods: ["GET", "HEAD", "PUT", "POST", "DELETE", "PATCH"],
     allowHeaders: [],
-    exposeHeaders: []
-  };
-  const opts = {
-    ...defaults,
+    exposeHeaders: [],
     ...options
   };
   const findAllowOrigin = ((optsOrigin) => {

package/dist/cjs/middleware/ip-restriction/index.js

@@ -40,12 +40,17 @@ const buildMatcher = (rules) => {
         if (type2 === void 0) {
           throw new TypeError(`Invalid rule: ${rule}`);
         }
-        const isIPv4 = type2 === "IPv4";
-        const prefix = parseInt(separatedRule[1]);
+        let isIPv4 = type2 === "IPv4";
+        let prefix = parseInt(separatedRule[1]);
         if (isIPv4 ? prefix === 32 : prefix === 128) {
           rule = addrStr;
         } else {
-          const addr = (isIPv4 ? import_ipaddr.convertIPv4ToBinary : import_ipaddr.convertIPv6ToBinary)(addrStr);
+          let addr = (isIPv4 ? import_ipaddr.convertIPv4ToBinary : import_ipaddr.convertIPv6ToBinary)(addrStr);
+          if (type2 === "IPv6" && (0, import_ipaddr.isIPv4MappedIPv6)(addr) && prefix >= 96) {
+            isIPv4 = true;
+            addr = (0, import_ipaddr.convertIPv4MappedIPv6ToIPv4)(addr);
+            prefix -= 96;
+          }
           const mask = (1n << BigInt(prefix)) - 1n << BigInt((isIPv4 ? 32 : 128) - prefix);
           cidrRules.push([isIPv4, addr & mask, mask]);
           continue;
@@ -55,21 +60,38 @@ const buildMatcher = (rules) => {
       if (type === void 0) {
         throw new TypeError(`Invalid rule: ${rule}`);
       }
-      staticRules.add(
-        type === "IPv4" ? rule : (0, import_ipaddr.convertIPv6BinaryToString)((0, import_ipaddr.convertIPv6ToBinary)(rule))
-        // normalize IPv6 address (e.g. 0000:0000:0000:0000:0000:0000:0000:0001 => ::1)
-      );
+      if (type === "IPv4") {
+        staticRules.add(rule);
+        staticRules.add(`::ffff:${rule}`);
+      } else {
+        const ipv6binary = (0, import_ipaddr.convertIPv6ToBinary)(rule);
+        const ipv6Addr = (0, import_ipaddr.convertIPv6BinaryToString)(ipv6binary);
+        staticRules.add(ipv6Addr);
+        if ((0, import_ipaddr.isIPv4MappedIPv6)(ipv6binary)) {
+          staticRules.add(ipv6Addr.substring(7));
+        }
+      }
     }
   }
   return (remote) => {
     if (staticRules.has(remote.addr)) {
       return true;
     }
+    const remoteAddr = remote.binaryAddr ||= (remote.isIPv4 ? import_ipaddr.convertIPv4ToBinary : import_ipaddr.convertIPv6ToBinary)(remote.addr);
+    const remoteIPv4Addr = remote.isIPv4 || (0, import_ipaddr.isIPv4MappedIPv6)(remoteAddr) ? remote.isIPv4 ? remoteAddr : (0, import_ipaddr.convertIPv4MappedIPv6ToIPv4)(remoteAddr) : void 0;
     for (const [isIPv4, addr, mask] of cidrRules) {
-      if (isIPv4 !== remote.isIPv4) {
+      if (isIPv4) {
+        if (remoteIPv4Addr === void 0) {
+          continue;
+        }
+        if ((remoteIPv4Addr & mask) === addr) {
+          return true;
+        }
+        continue;
+      }
+      if (remote.isIPv4) {
         continue;
       }
-      const remoteAddr = remote.binaryAddr ||= (isIPv4 ? import_ipaddr.convertIPv4ToBinary : import_ipaddr.convertIPv6ToBinary)(remote.addr);
       if ((remoteAddr & mask) === addr) {
         return true;
       }

package/dist/cjs/middleware/method-override/index.js

@@ -49,7 +49,7 @@ const methodOverride = (options) => async function methodOverride2(c, next) {
         return app.fetch(request, c.env, getExecutionCtx(c));
       }
     }
-    if (contentType === "application/x-www-form-urlencoded") {
+    if (contentType?.startsWith("application/x-www-form-urlencoded")) {
       const params = await (0, import_body.parseBody)(clonedRequest);
       const method = params[methodFormName];
       if (method) {

package/dist/cjs/middleware/serve-static/index.js

@@ -45,7 +45,7 @@ const serveStatic = (options) => {
     } else {
       try {
         filename = (0, import_url.tryDecodeURI)(c.req.path);
-        if (/(?:^|[\/\\])\.\.(?:$|[\/\\])/.test(filename)) {
+        if (/(?:^|[\/\\])\.{1,2}(?:$|[\/\\])|[\/\\]{2,}/.test(filename)) {
           throw new Error();
         }
       } catch {

package/dist/cjs/middleware/trailing-slash/index.js

@@ -41,14 +41,14 @@ const trimTrailingSlash = (options) => {
 const appendTrailingSlash = (options) => {
   return async function appendTrailingSlash2(c, next) {
     if (options?.alwaysRedirect) {
-      if ((c.req.method === "GET" || c.req.method === "HEAD") && c.req.path.at(-1) !== "/") {
+      if ((c.req.method === "GET" || c.req.method === "HEAD") && c.req.path.at(-1) !== "/" && !options.skip?.(c.req.path)) {
         const url = new URL(c.req.url);
         url.pathname += "/";
         return c.redirect(url.toString(), 301);
       }
     }
     await next();
-    if (!options?.alwaysRedirect && c.res.status === 404 && (c.req.method === "GET" || c.req.method === "HEAD") && c.req.path.at(-1) !== "/") {
+    if (!options?.alwaysRedirect && c.res.status === 404 && (c.req.method === "GET" || c.req.method === "HEAD") && c.req.path.at(-1) !== "/" && !options?.skip?.(c.req.path)) {
       const url = new URL(c.req.url);
       url.pathname += "/";
       c.res = c.redirect(url.toString(), 301);

package/dist/cjs/utils/cookie.js

@@ -48,23 +48,41 @@ const verifySignature = async (base64Signature, value, secret) => {
 };
 const validCookieNameRegEx = /^[\w!#$%&'*.^`|~+-]+$/;
 const validCookieValueRegEx = /^[ !#-:<-[\]-~]*$/;
+const trimCookieWhitespace = (value) => {
+  let start = 0;
+  let end = value.length;
+  while (start < end) {
+    const charCode = value.charCodeAt(start);
+    if (charCode !== 32 && charCode !== 9) {
+      break;
+    }
+    start++;
+  }
+  while (end > start) {
+    const charCode = value.charCodeAt(end - 1);
+    if (charCode !== 32 && charCode !== 9) {
+      break;
+    }
+    end--;
+  }
+  return start === 0 && end === value.length ? value : value.slice(start, end);
+};
 const parse = (cookie, name) => {
   if (name && cookie.indexOf(name) === -1) {
     return {};
   }
-  const pairs = cookie.trim().split(";");
+  const pairs = cookie.split(";");
   const parsedCookie = {};
-  for (let pairStr of pairs) {
-    pairStr = pairStr.trim();
+  for (const pairStr of pairs) {
     const valueStartPos = pairStr.indexOf("=");
     if (valueStartPos === -1) {
       continue;
     }
-    const cookieName = pairStr.substring(0, valueStartPos).trim();
+    const cookieName = trimCookieWhitespace(pairStr.substring(0, valueStartPos));
     if (name && name !== cookieName || !validCookieNameRegEx.test(cookieName)) {
       continue;
     }
-    let cookieValue = pairStr.substring(valueStartPos + 1).trim();
+    let cookieValue = trimCookieWhitespace(pairStr.substring(valueStartPos + 1));
     if (cookieValue.startsWith('"') && cookieValue.endsWith('"')) {
       cookieValue = cookieValue.slice(1, -1);
     }
@@ -96,6 +114,9 @@ const parseSigned = async (cookie, secret, name) => {
   return parsedCookie;
 };
 const _serialize = (name, value, opt = {}) => {
+  if (!validCookieNameRegEx.test(name)) {
+    throw new Error("Invalid cookie name");
+  }
   let cookie = `${name}=${value}`;
   if (name.startsWith("__Secure-") && !opt.secure) {
     throw new Error("__Secure- Cookie must have Secure attributes");

package/dist/cjs/utils/ipaddr.js

@@ -18,11 +18,13 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var ipaddr_exports = {};
 __export(ipaddr_exports, {
   convertIPv4BinaryToString: () => convertIPv4BinaryToString,
+  convertIPv4MappedIPv6ToIPv4: () => convertIPv4MappedIPv6ToIPv4,
   convertIPv4ToBinary: () => convertIPv4ToBinary,
   convertIPv6BinaryToString: () => convertIPv6BinaryToString,
   convertIPv6ToBinary: () => convertIPv6ToBinary,
   distinctRemoteAddr: () => distinctRemoteAddr,
-  expandIPv6: () => expandIPv6
+  expandIPv6: () => expandIPv6,
+  isIPv4MappedIPv6: () => isIPv4MappedIPv6
 });
 module.exports = __toCommonJS(ipaddr_exports);
 const expandIPv6 = (ipV6) => {
@@ -81,9 +83,11 @@ const convertIPv4BinaryToString = (ipV4) => {
   }
   return sections.join(".");
 };
+const isIPv4MappedIPv6 = (ipv6binary) => ipv6binary >> 32n === 0xffffn;
+const convertIPv4MappedIPv6ToIPv4 = (ipv6binary) => ipv6binary & 0xffffffffn;
 const convertIPv6BinaryToString = (ipV6) => {
-  if (ipV6 >> 32n === 0xffffn) {
-    return `::ffff:${convertIPv4BinaryToString(ipV6 & 0xffffffffn)}`;
+  if (isIPv4MappedIPv6(ipV6)) {
+    return `::ffff:${convertIPv4BinaryToString(convertIPv4MappedIPv6ToIPv4(ipV6))}`;
   }
   const sections = [];
   for (let i = 0; i < 8; i++) {
@@ -121,9 +125,11 @@ const convertIPv6BinaryToString = (ipV6) => {
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   convertIPv4BinaryToString,
+  convertIPv4MappedIPv6ToIPv4,
   convertIPv4ToBinary,
   convertIPv6BinaryToString,
   convertIPv6ToBinary,
   distinctRemoteAddr,
-  expandIPv6
+  expandIPv6,
+  isIPv4MappedIPv6
 });

package/dist/cjs/utils/jwt/jws.js

@@ -36,7 +36,7 @@ async function verifying(publicKey, alg, signature, data) {
   return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
 }
 function pemToBinary(pem) {
-  return (0, import_encode.decodeBase64)(pem.replace(/-+(BEGIN|END).*/g, "").replace(/\s/g, ""));
+  return (0, import_encode.decodeBase64)(pem.replace(/-+(BEGIN|END).*?-+/g, "").replace(/\s/g, ""));
 }
 async function importPrivateKey(key, alg) {
   if (!crypto.subtle || !crypto.subtle.importKey) {

package/dist/cjs/utils/jwt/jwt.js

@@ -81,14 +81,20 @@ const verify = async (token, publicKey, algOrOptions) => {
     throw new import_types.JwtAlgorithmMismatch(alg, header.alg);
   }
   const now = Math.floor(Date.now() / 1e3);
-  if (nbf && payload.nbf && payload.nbf > now) {
-    throw new import_types.JwtTokenNotBefore(token);
+  if (nbf && payload.nbf !== void 0) {
+    if (typeof payload.nbf !== "number" || !Number.isFinite(payload.nbf) || payload.nbf > now) {
+      throw new import_types.JwtTokenNotBefore(token);
+    }
   }
-  if (exp && payload.exp && payload.exp <= now) {
-    throw new import_types.JwtTokenExpired(token);
+  if (exp && payload.exp !== void 0) {
+    if (typeof payload.exp !== "number" || !Number.isFinite(payload.exp) || payload.exp <= now) {
+      throw new import_types.JwtTokenExpired(token);
+    }
   }
-  if (iat && payload.iat && now < payload.iat) {
-    throw new import_types.JwtTokenIssuedAt(now, payload.iat);
+  if (iat && payload.iat !== void 0) {
+    if (typeof payload.iat !== "number" || !Number.isFinite(payload.iat) || now < payload.iat) {
+      throw new import_types.JwtTokenIssuedAt(now, payload.iat);
+    }
   }
   if (iss) {
     if (!payload.iss) {

package/dist/helper/css/common.js

@@ -21,6 +21,23 @@ var toHash = (str) => {
   }
   return "css-" + out;
 };
+var normalizeLabel = (label) => {
+  return label.trim().replace(/\s+/g, "-");
+};
+var isValidClassName = (name) => /^-?[_a-zA-Z][_a-zA-Z0-9-]*$/.test(name);
+var RESERVED_KEYFRAME_NAMES = /* @__PURE__ */ new Set([
+  "default",
+  "inherit",
+  "initial",
+  "none",
+  "revert",
+  "revert-layer",
+  "unset"
+]);
+var isValidKeyframeName = (name) => isValidClassName(name) && !RESERVED_KEYFRAME_NAMES.has(name.toLowerCase());
+var defaultOnInvalidSlug = (slug) => {
+  console.warn(`Invalid slug: ${slug}`);
+};
 var cssStringReStr = [
   '"(?:(?:\\\\[\\s\\S]|[^"\\\\])*)"',
   // double quoted string
@@ -107,13 +124,26 @@ var buildStyleString = (strings, values) => {
   }
   return [label, minify(styleString), selectors, externalClassNames];
 };
-var cssCommon = (strings, values) => {
+var cssCommon = (strings, values, classNameSlug, onInvalidSlug) => {
   let [label, thisStyleString, selectors, externalClassNames] = buildStyleString(strings, values);
   const isPseudoGlobal = isPseudoGlobalSelectorRe.exec(thisStyleString);
   if (isPseudoGlobal) {
     thisStyleString = isPseudoGlobal[1];
   }
-  const selector = (isPseudoGlobal ? PSEUDO_GLOBAL_SELECTOR : "") + toHash(label + thisStyleString);
+  const hash = toHash(label + thisStyleString);
+  let customSlug;
+  if (classNameSlug) {
+    const slug = classNameSlug(hash, normalizeLabel(label), thisStyleString);
+    if (slug) {
+      if (isValidClassName(slug)) {
+        customSlug = slug;
+      } else {
+        ;
+        (onInvalidSlug || defaultOnInvalidSlug)(slug);
+      }
+    }
+  }
+  const selector = (isPseudoGlobal ? PSEUDO_GLOBAL_SELECTOR : "") + (customSlug || hash);
   const className = (isPseudoGlobal ? selectors.map((s) => s[CLASS_NAME]) : [selector, ...externalClassNames]).join(" ");
   return {
     [SELECTOR]: selector,
@@ -138,24 +168,43 @@ var cxCommon = (args) => {
   }
   return args;
 };
-var keyframesCommon = (strings, ...values) => {
+var keyframesCommon = (strings, values, classNameSlug, onInvalidSlug) => {
   const [label, styleString] = buildStyleString(strings, values);
+  const hash = toHash(label + styleString);
+  let customSlug;
+  if (classNameSlug) {
+    const slug = classNameSlug(hash, normalizeLabel(label), styleString);
+    if (slug) {
+      if (isValidKeyframeName(slug)) {
+        customSlug = slug;
+      } else {
+        ;
+        (onInvalidSlug || defaultOnInvalidSlug)(slug);
+      }
+    }
+  }
   return {
     [SELECTOR]: "",
-    [CLASS_NAME]: `@keyframes ${toHash(label + styleString)}`,
+    [CLASS_NAME]: `@keyframes ${customSlug || hash}`,
     [STYLE_STRING]: styleString,
     [SELECTORS]: [],
     [EXTERNAL_CLASS_NAMES]: []
   };
 };
 var viewTransitionNameIndex = 0;
-var viewTransitionCommon = ((strings, values) => {
+var viewTransitionCommon = ((strings, values, classNameSlug, onInvalidSlug) => {
   if (!strings) {
     strings = [`/* h-v-t ${viewTransitionNameIndex++} */`];
   }
-  const content = Array.isArray(strings) ? cssCommon(strings, values) : strings;
+  const content = Array.isArray(strings) ? cssCommon(strings, values, classNameSlug, onInvalidSlug) : strings;
   const transitionName = content[CLASS_NAME];
-  const res = cssCommon(["view-transition-name:", ""], [transitionName]);
+  const res = cssCommon(
+    ["view-transition-name:", ""],
+    // eslint-disable-line @typescript-eslint/no-explicit-any
+    [transitionName],
+    classNameSlug,
+    onInvalidSlug
+  );
   content[CLASS_NAME] = PSEUDO_GLOBAL_SELECTOR + content[CLASS_NAME];
   content[STYLE_STRING] = content[STYLE_STRING].replace(
     /(?<=::view-transition(?:[a-z-]*)\()(?=\))/g,

package/dist/helper/css/index.js

@@ -15,7 +15,11 @@ import {
   viewTransitionCommon
 } from "./common.js";
 import { rawCssString } from "./common.js";
-var createCssContext = ({ id }) => {
+var createCssContext = ({
+  id,
+  classNameSlug,
+  onInvalidSlug
+}) => {
   const [cssJsxDomObject, StyleRenderToDom] = createCssJsxDomObjects({ id });
   const contextMap = /* @__PURE__ */ new WeakMap();
   const nonceMap = /* @__PURE__ */ new WeakMap();
@@ -78,15 +82,18 @@ var createCssContext = ({ id }) => {
     return promise;
   };
   const css2 = (strings, ...values) => {
-    return newCssClassNameObject(cssCommon(strings, values));
+    return newCssClassNameObject(cssCommon(strings, values, classNameSlug, onInvalidSlug));
   };
   const cx2 = (...args) => {
     args = cxCommon(args);
     return css2(Array(args.length).fill(""), ...args);
   };
-  const keyframes2 = keyframesCommon;
+  const keyframes2 = (strings, ...values) => keyframesCommon(strings, values, classNameSlug, onInvalidSlug);
   const viewTransition2 = ((strings, ...values) => {
-    return newCssClassNameObject(viewTransitionCommon(strings, values));
+    return newCssClassNameObject(
+      viewTransitionCommon(strings, values, classNameSlug, onInvalidSlug)
+      // eslint-disable-line @typescript-eslint/no-explicit-any
+    );
   });
   const Style2 = ({ children, nonce } = {}) => raw(
     `<style id="${id}"${nonce ? ` nonce="${nonce}"` : ""}>${children ? children[STYLE_STRING] : ""}</style>`,

package/dist/helper/ssg/ssg.js

@@ -4,22 +4,30 @@ import { createPool } from "../../utils/concurrent.js";
 import { getExtension } from "../../utils/mime.js";
 import { SSG_CONTEXT, X_HONO_DISABLE_SSG_HEADER_KEY } from "./middleware.js";
 import { defaultPlugin } from "./plugins.js";
-import { dirname, filterStaticGenerateRoutes, isDynamicRoute, joinPaths } from "./utils.js";
+import {
+  dirname,
+  ensureWithinOutDir,
+  filterStaticGenerateRoutes,
+  isDynamicRoute,
+  joinPaths
+} from "./utils.js";
 var DEFAULT_CONCURRENCY = 2;
 var DEFAULT_CONTENT_TYPE = "text/plain";
 var DEFAULT_OUTPUT_DIR = "./static";
 var generateFilePath = (routePath, outDir, mimeType, extensionMap) => {
   const extension = determineExtension(mimeType, extensionMap);
+  let filePath;
   if (routePath.endsWith(`.${extension}`)) {
-    return joinPaths(outDir, routePath);
+    filePath = joinPaths(outDir, routePath);
+  } else if (routePath === "/") {
+    filePath = joinPaths(outDir, `index.${extension}`);
+  } else if (routePath.endsWith("/")) {
+    filePath = joinPaths(outDir, routePath, `index.${extension}`);
+  } else {
+    filePath = joinPaths(outDir, `${routePath}.${extension}`);
   }
-  if (routePath === "/") {
-    return joinPaths(outDir, `index.${extension}`);
-  }
-  if (routePath.endsWith("/")) {
-    return joinPaths(outDir, routePath, `index.${extension}`);
-  }
-  return joinPaths(outDir, `${routePath}.${extension}`);
+  ensureWithinOutDir(outDir, filePath);
+  return filePath;
 };
 var parseResponseContent = async (response) => {
   const contentType = response.headers.get("Content-Type");
@@ -39,6 +47,8 @@ var defaultExtensionMap = {
   "text/html": "html",
   "text/xml": "xml",
   "application/xml": "xml",
+  "application/atom+xml": "xml",
+  "application/rss+xml": "xml",
   "application/yaml": "yaml"
 };
 var determineExtension = (mimeType, userExtensionMap) => {

package/dist/helper/ssg/utils.js

@@ -51,8 +51,16 @@ var filterStaticGenerateRoutes = (hono) => {
 var isDynamicRoute = (path) => {
   return path.split("/").some((segment) => segment.startsWith(":") || segment.includes("*"));
 };
+var ensureWithinOutDir = (outDir, filePath) => {
+  const normalizedOutDir = joinPaths("/", outDir);
+  const normalizedFilePath = joinPaths("/", filePath);
+  if (normalizedFilePath !== normalizedOutDir && !normalizedFilePath.startsWith(`${normalizedOutDir}/`)) {
+    throw new Error(`Path traversal detected: "${filePath}" is outside the output directory`);
+  }
+};
 export {
   dirname,
+  ensureWithinOutDir,
   filterStaticGenerateRoutes,
   isDynamicRoute,
   joinPaths

package/dist/jsx/base.js

@@ -5,7 +5,12 @@ import { DOM_RENDERER, DOM_MEMO } from "./constants.js";
 import { createContext, globalContexts, useContext } from "./context.js";
 import { domRenderers } from "./intrinsic-element/common.js";
 import * as intrinsicElementTags from "./intrinsic-element/components.js";
-import { normalizeIntrinsicElementKey, styleObjectForEach } from "./utils.js";
+import {
+  isValidAttributeName,
+  isValidTagName,
+  normalizeIntrinsicElementKey,
+  styleObjectForEach
+} from "./utils.js";
 var nameSpaceContext = void 0;
 var getNameSpaceContext = () => nameSpaceContext;
 var toSVGAttributeName = (key) => /[A-Z]/.test(key) && // Presentation attributes are findable in style object. "clip-path", "font-size", "stroke-width", etc.
@@ -85,6 +90,9 @@ var JSXNode = class {
   isEscaped = true;
   localContexts;
   constructor(tag, props, children) {
+    if (typeof tag !== "function" && !isValidTagName(tag)) {
+      throw new Error(`Invalid JSX tag name: ${tag}`);
+    }
     this.tag = tag;
     this.props = props;
     this.children = children;
@@ -116,9 +124,12 @@ var JSXNode = class {
     const props = this.props;
     let { children } = this;
     buffer[0] += `<${tag}`;
-    const normalizeKey = nameSpaceContext && useContext(nameSpaceContext) === "svg" ? (key) => toSVGAttributeName(normalizeIntrinsicElementKey(key)) : (key) => normalizeIntrinsicElementKey(key);
+    const normalizeKey = tag === "svg" || nameSpaceContext && useContext(nameSpaceContext) === "svg" ? (key) => toSVGAttributeName(normalizeIntrinsicElementKey(key)) : (key) => normalizeIntrinsicElementKey(key);
     for (let [key, v] of Object.entries(props)) {
       key = normalizeKey(key);
+      if (!isValidAttributeName(key)) {
+        continue;
+      }
       if (key === "children") {
       } else if (key === "style" && typeof v === "object") {
         let styleStr = "";

package/dist/jsx/dom/css.js

@@ -100,22 +100,29 @@ var createCssJsxDomObjects = ({ id }) => {
   });
   return [cssObject, Style2];
 };
-var createCssContext = ({ id }) => {
+var createCssContext = ({
+  id,
+  classNameSlug,
+  onInvalidSlug
+}) => {
   const [cssObject, Style2] = createCssJsxDomObjects({ id });
   const newCssClassNameObject = (cssClassName) => {
     cssClassName.toString = cssObject.toString;
     return cssClassName;
   };
   const css2 = (strings, ...values) => {
-    return newCssClassNameObject(cssCommon(strings, values));
+    return newCssClassNameObject(cssCommon(strings, values, classNameSlug, onInvalidSlug));
   };
   const cx2 = (...args) => {
     args = cxCommon(args);
     return css2(Array(args.length).fill(""), ...args);
   };
-  const keyframes2 = keyframesCommon;
+  const keyframes2 = (strings, ...values) => keyframesCommon(strings, values, classNameSlug, onInvalidSlug);
   const viewTransition2 = ((strings, ...values) => {
-    return newCssClassNameObject(viewTransitionCommon(strings, values));
+    return newCssClassNameObject(
+      viewTransitionCommon(strings, values, classNameSlug, onInvalidSlug)
+      // eslint-disable-line @typescript-eslint/no-explicit-any
+    );
   });
   return {
     css: css2,