hono 4.9.2 → 4.9.3

package/dist/cjs/helper/proxy/index.js

@@ -62,13 +62,13 @@ const preprocessRequestInit = (requestInit) => {
   return requestInit;
 };
 const proxy = async (input, proxyInit) => {
-  const { raw, ...requestInit } = proxyInit instanceof Request ? { raw: proxyInit } : proxyInit ?? {};
+  const { raw, customFetch, ...requestInit } = proxyInit instanceof Request ? { raw: proxyInit } : proxyInit ?? {};
   const req = new Request(input, {
     ...buildRequestInitFromRequest(raw),
     ...preprocessRequestInit(requestInit)
   });
   req.headers.delete("accept-encoding");
-  const res = await fetch(req);
+  const res = await (customFetch || fetch)(req);
   const resHeaders = new Headers(res.headers);
   hopByHopHeaders.forEach((header) => {
     resHeaders.delete(header);

package/dist/cjs/middleware/csrf/index.js

@@ -22,10 +22,12 @@ __export(csrf_exports, {
 });
 module.exports = __toCommonJS(csrf_exports);
 var import_http_exception = require("../../http-exception");
+const secFetchSiteValues = ["same-origin", "same-site", "none", "cross-site"];
+const isSecFetchSite = (value) => secFetchSiteValues.includes(value);
 const isSafeMethodRe = /^(GET|HEAD)$/;
 const isRequestedByFormElementRe = /^\b(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/i;
 const csrf = (options) => {
-  const handler = ((optsOrigin) => {
+  const originHandler = ((optsOrigin) => {
     if (!optsOrigin) {
       return (origin, c) => origin === new URL(c.req.url).origin;
     } else if (typeof optsOrigin === "string") {
@@ -40,13 +42,31 @@ const csrf = (options) => {
     if (origin === void 0) {
       return false;
     }
-    return handler(origin, c);
+    return originHandler(origin, c);
+  };
+  const secFetchSiteHandler = ((optsSecFetchSite) => {
+    if (!optsSecFetchSite) {
+      return (secFetchSite) => secFetchSite === "same-origin";
+    } else if (typeof optsSecFetchSite === "string") {
+      return (secFetchSite) => secFetchSite === optsSecFetchSite;
+    } else if (typeof optsSecFetchSite === "function") {
+      return optsSecFetchSite;
+    } else {
+      return (secFetchSite) => optsSecFetchSite.includes(secFetchSite);
+    }
+  })(options?.secFetchSite);
+  const isAllowedSecFetchSite = (secFetchSite, c) => {
+    if (secFetchSite === void 0) {
+      return false;
+    }
+    if (!isSecFetchSite(secFetchSite)) {
+      return false;
+    }
+    return secFetchSiteHandler(secFetchSite, c);
   };
   return async function csrf2(c, next) {
-    if (!isSafeMethodRe.test(c.req.method) && isRequestedByFormElementRe.test(c.req.header("content-type") || "text/plain") && !isAllowedOrigin(c.req.header("origin"), c)) {
-      const res = new Response("Forbidden", {
-        status: 403
-      });
+    if (!isSafeMethodRe.test(c.req.method) && isRequestedByFormElementRe.test(c.req.header("content-type") || "text/plain") && !isAllowedSecFetchSite(c.req.header("sec-fetch-site"), c) && !isAllowedOrigin(c.req.header("origin"), c)) {
+      const res = new Response("Forbidden", { status: 403 });
       throw new import_http_exception.HTTPException(403, { res });
     }
     await next();

package/dist/cjs/middleware/etag/digest.js

@@ -25,7 +25,9 @@ const mergeBuffers = (buffer1, buffer2) => {
   if (!buffer1) {
     return buffer2;
   }
-  const merged = new Uint8Array(buffer1.byteLength + buffer2.byteLength);
+  const merged = new Uint8Array(
+    new ArrayBuffer(buffer1.byteLength + buffer2.byteLength)
+  );
   merged.set(new Uint8Array(buffer1), 0);
   merged.set(buffer2, buffer1.byteLength);
   return merged;

package/dist/helper/proxy/index.js

@@ -40,13 +40,13 @@ var preprocessRequestInit = (requestInit) => {
   return requestInit;
 };
 var proxy = async (input, proxyInit) => {
-  const { raw, ...requestInit } = proxyInit instanceof Request ? { raw: proxyInit } : proxyInit ?? {};
+  const { raw, customFetch, ...requestInit } = proxyInit instanceof Request ? { raw: proxyInit } : proxyInit ?? {};
   const req = new Request(input, {
     ...buildRequestInitFromRequest(raw),
     ...preprocessRequestInit(requestInit)
   });
   req.headers.delete("accept-encoding");
-  const res = await fetch(req);
+  const res = await (customFetch || fetch)(req);
   const resHeaders = new Headers(res.headers);
   hopByHopHeaders.forEach((header) => {
     resHeaders.delete(header);

package/dist/middleware/csrf/index.js

@@ -1,9 +1,11 @@
 // src/middleware/csrf/index.ts
 import { HTTPException } from "../../http-exception.js";
+var secFetchSiteValues = ["same-origin", "same-site", "none", "cross-site"];
+var isSecFetchSite = (value) => secFetchSiteValues.includes(value);
 var isSafeMethodRe = /^(GET|HEAD)$/;
 var isRequestedByFormElementRe = /^\b(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/i;
 var csrf = (options) => {
-  const handler = ((optsOrigin) => {
+  const originHandler = ((optsOrigin) => {
     if (!optsOrigin) {
       return (origin, c) => origin === new URL(c.req.url).origin;
     } else if (typeof optsOrigin === "string") {
@@ -18,13 +20,31 @@ var csrf = (options) => {
     if (origin === void 0) {
       return false;
     }
-    return handler(origin, c);
+    return originHandler(origin, c);
+  };
+  const secFetchSiteHandler = ((optsSecFetchSite) => {
+    if (!optsSecFetchSite) {
+      return (secFetchSite) => secFetchSite === "same-origin";
+    } else if (typeof optsSecFetchSite === "string") {
+      return (secFetchSite) => secFetchSite === optsSecFetchSite;
+    } else if (typeof optsSecFetchSite === "function") {
+      return optsSecFetchSite;
+    } else {
+      return (secFetchSite) => optsSecFetchSite.includes(secFetchSite);
+    }
+  })(options?.secFetchSite);
+  const isAllowedSecFetchSite = (secFetchSite, c) => {
+    if (secFetchSite === void 0) {
+      return false;
+    }
+    if (!isSecFetchSite(secFetchSite)) {
+      return false;
+    }
+    return secFetchSiteHandler(secFetchSite, c);
   };
   return async function csrf2(c, next) {
-    if (!isSafeMethodRe.test(c.req.method) && isRequestedByFormElementRe.test(c.req.header("content-type") || "text/plain") && !isAllowedOrigin(c.req.header("origin"), c)) {
-      const res = new Response("Forbidden", {
-        status: 403
-      });
+    if (!isSafeMethodRe.test(c.req.method) && isRequestedByFormElementRe.test(c.req.header("content-type") || "text/plain") && !isAllowedSecFetchSite(c.req.header("sec-fetch-site"), c) && !isAllowedOrigin(c.req.header("origin"), c)) {
+      const res = new Response("Forbidden", { status: 403 });
       throw new HTTPException(403, { res });
     }
     await next();

package/dist/middleware/etag/digest.js

@@ -3,7 +3,9 @@ var mergeBuffers = (buffer1, buffer2) => {
   if (!buffer1) {
     return buffer2;
   }
-  const merged = new Uint8Array(buffer1.byteLength + buffer2.byteLength);
+  const merged = new Uint8Array(
+    new ArrayBuffer(buffer1.byteLength + buffer2.byteLength)
+  );
   merged.set(new Uint8Array(buffer1), 0);
   merged.set(buffer2, buffer1.byteLength);
   return merged;

package/dist/types/adapter/lambda-edge/handler.d.ts

@@ -82,6 +82,6 @@ interface CloudFrontResult {
     bodyEncoding?: "text" | "base64";
 }
 export declare const handle: (app: Hono<any>) => ((event: CloudFrontEdgeEvent, context?: CloudFrontContext, callback?: Callback) => Promise<CloudFrontResult>);
-export declare const createBody: (method: string, requestBody: CloudFrontRequest["body"]) => string | Uint8Array | undefined;
+export declare const createBody: (method: string, requestBody: CloudFrontRequest["body"]) => string | Uint8Array<ArrayBuffer> | undefined;
 export declare const isContentTypeBinary: (contentType: string) => boolean;
 export {};

package/dist/types/context.d.ts

@@ -9,7 +9,7 @@ type HeaderRecord = Record<"Content-Type", BaseMime> | Record<ResponseHeader, st
 /**
  * Data type can be a string, ArrayBuffer, Uint8Array (buffer), or ReadableStream.
  */
-export type Data = string | ArrayBuffer | ReadableStream | Uint8Array;
+export type Data = string | ArrayBuffer | ReadableStream | Uint8Array<ArrayBuffer>;
 /**
  * Interface for the execution context in a web worker or similar environment.
  */

package/dist/types/helper/adapter/index.d.ts

@@ -6,7 +6,7 @@ import type { Context } from '../../context';
 export type Runtime = "node" | "deno" | "bun" | "workerd" | "fastly" | "edge-light" | "other";
 export declare const env: <T extends Record<string, unknown>, C extends Context = Context<{
     Bindings: T;
-}, any, {}>>(c: T extends Record<string, unknown> ? Context : C, runtime?: Runtime) => T & C["env"];
+}>>(c: T extends Record<string, unknown> ? Context : C, runtime?: Runtime) => T & C["env"];
 export declare const knownUserAgents: Partial<Record<Runtime, string>>;
 export declare const getRuntimeKey: () => Runtime;
 export declare const checkUserAgentEquals: (platform: string) => boolean;

package/dist/types/helper/proxy/index.d.ts

@@ -9,6 +9,7 @@ interface ProxyRequestInit extends Omit<RequestInit, "headers"> {
         string,
         string
     ][] | Record<RequestHeader, string | undefined> | Record<string, string | undefined>;
+    customFetch?: (request: Request) => Promise<Response>;
 }
 interface ProxyFetch {
     (input: string | URL | Request, init?: ProxyRequestInit): Promise<Response>;

package/dist/types/helper/websocket/index.d.ts

@@ -49,7 +49,7 @@ export interface SendOptions {
  */
 export declare class WSContext<T = unknown> {
     constructor(init: WSContextInit<T>);
-    send(source: string | ArrayBuffer | Uint8Array, options?: SendOptions): void;
+    send(source: string | ArrayBuffer | Uint8Array<ArrayBuffer>, options?: SendOptions): void;
     raw?: T;
     binaryType: BinaryType;
     get readyState(): WSReadyState;

package/dist/types/middleware/csrf/index.d.ts

@@ -5,44 +5,78 @@
 import type { Context } from '../../context';
 import type { MiddlewareHandler } from '../../types';
 type IsAllowedOriginHandler = (origin: string, context: Context) => boolean;
+declare const secFetchSiteValues: readonly [
+    "same-origin",
+    "same-site",
+    "none",
+    "cross-site"
+];
+type SecFetchSite = (typeof secFetchSiteValues)[number];
+type IsAllowedSecFetchSiteHandler = (secFetchSite: SecFetchSite, context: Context) => boolean;
 interface CSRFOptions {
     origin?: string | string[] | IsAllowedOriginHandler;
+    secFetchSite?: SecFetchSite | SecFetchSite[] | IsAllowedSecFetchSiteHandler;
 }
 /**
  * CSRF Protection Middleware for Hono.
  *
+ * Protects against Cross-Site Request Forgery attacks by validating request origins
+ * and sec-fetch-site headers. The request is allowed if either validation passes.
+ *
  * @see {@link https://hono.dev/docs/middleware/builtin/csrf}
  *
  * @param {CSRFOptions} [options] - The options for the CSRF protection middleware.
- * @param {string|string[]|(origin: string, context: Context) => boolean} [options.origin] - Specify origins.
+ * @param {string|string[]|(origin: string, context: Context) => boolean} [options.origin] -
+ *   Allowed origins for requests.
+ *   - string: Single allowed origin (e.g., 'https://example.com')
+ *   - string[]: Multiple allowed origins
+ *   - function: Custom validation logic
+ *   - Default: Only same origin as the request URL
+ * @param {string|string[]|(secFetchSite: string, context: Context) => boolean} [options.secFetchSite] -
+ *   Sec-Fetch-Site header validation. Standard values include 'same-origin', 'same-site', 'cross-site', 'none'.
+ *   - string: Single allowed value (e.g., 'same-origin')
+ *   - string[]: Multiple allowed values (e.g., ['same-origin', 'same-site'])
+ *   - function: Custom validation with access to context
+ *   - Default: Only allows 'same-origin'
  * @returns {MiddlewareHandler} The middleware handler function.
  *
  * @example
  * ```ts
  * const app = new Hono()
  *
- * app.use(csrf())
- *
- * // Specifying origins with using `origin` option
- * // string
- * app.use(csrf({ origin: 'myapp.example.com' }))
- *
- * // string[]
- * app.use(
- *   csrf({
- *     origin: ['myapp.example.com', 'development.myapp.example.com'],
- *   })
- * )
- *
- * // Function
- * // It is strongly recommended that the protocol be verified to ensure a match to `$`.
- * // You should *never* do a forward match.
- * app.use(
- *   '*',
- *   csrf({
- *     origin: (origin) => /https:\/\/(\w+\.)?myapp\.example\.com$/.test(origin),
- *   })
- * )
+ * // Default: both origin and sec-fetch-site validation
+ * app.use('*', csrf())
+ *
+ * // Allow specific origins
+ * app.use('*', csrf({ origin: 'https://example.com' }))
+ * app.use('*', csrf({ origin: ['https://app.com', 'https://api.com'] }))
+ *
+ * // Allow specific sec-fetch-site values
+ * app.use('*', csrf({ secFetchSite: 'same-origin' }))
+ * app.use('*', csrf({ secFetchSite: ['same-origin', 'same-site'] }))
+ *
+ * // Dynamic sec-fetch-site validation
+ * app.use('*', csrf({
+ *   secFetchSite: (secFetchSite, c) => {
+ *     // Always allow same-origin
+ *     if (secFetchSite === 'same-origin') return true
+ *     // Allow cross-site for webhook endpoints
+ *     if (secFetchSite === 'cross-site' && c.req.path.startsWith('/webhook/')) {
+ *       return true
+ *     }
+ *     return false
+ *   }
+ * }))
+ *
+ * // Dynamic origin validation
+ * app.use('*', csrf({
+ *   origin: (origin, c) => {
+ *     // Allow same origin
+ *     if (origin === new URL(c.req.url).origin) return true
+ *     // Allow specific trusted domains
+ *     return ['https://app.example.com', 'https://admin.example.com'].includes(origin)
+ *   }
+ * }))
  * ```
  */
 export declare const csrf: (options?: CSRFOptions) => MiddlewareHandler;

package/dist/types/middleware/etag/digest.d.ts

@@ -1 +1 @@
-export declare const generateDigest: (stream: ReadableStream<Uint8Array> | null, generator: (body: Uint8Array) => ArrayBuffer | Promise<ArrayBuffer>) => Promise<string | null>;
+export declare const generateDigest: (stream: ReadableStream<Uint8Array<ArrayBuffer>> | null, generator: (body: Uint8Array<ArrayBuffer>) => ArrayBuffer | Promise<ArrayBuffer>) => Promise<string | null>;

package/dist/types/middleware/etag/index.d.ts

@@ -6,7 +6,7 @@ import type { MiddlewareHandler } from '../../types';
 type ETagOptions = {
     retainedHeaders?: string[];
     weak?: boolean;
-    generateDigest?: (body: Uint8Array) => ArrayBuffer | Promise<ArrayBuffer>;
+    generateDigest?: (body: Uint8Array<ArrayBuffer>) => ArrayBuffer | Promise<ArrayBuffer>;
 };
 /**
  * Default headers to pass through on 304 responses. From the spec:

package/dist/types/request.d.ts

@@ -1,3 +1,4 @@
+import { GET_MATCH_RESULT } from './request/constants';
 import type { Result } from './router';
 import type { Input, InputToDataByTarget, ParamKeyToRecord, ParamKeys, RemoveQuestion, RouterRoute, ValidationTargets } from './types';
 import type { BodyData, ParseBodyOptions } from './utils/body';
@@ -14,6 +15,10 @@ type BodyCache = Partial<Body & {
     parsedBody: BodyData;
 }>;
 export declare class HonoRequest<P extends string = "/", I extends Input["out"] = {}> {
+    [GET_MATCH_RESULT]: Result<[
+        unknown,
+        RouterRoute
+    ]>;
     /**
      * `.raw` can get the raw Request object.
      *

package/dist/types/utils/encode.d.ts

@@ -2,7 +2,7 @@
  * @module
  * Encode utility.
  */
-export declare const decodeBase64Url: (str: string) => Uint8Array;
+export declare const decodeBase64Url: (str: string) => Uint8Array<ArrayBuffer>;
 export declare const encodeBase64Url: (buf: ArrayBufferLike) => string;
 export declare const encodeBase64: (buf: ArrayBufferLike) => string;
-export declare const decodeBase64: (str: string) => Uint8Array;
+export declare const decodeBase64: (str: string) => Uint8Array<ArrayBuffer>;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hono",
-  "version": "4.9.2",
+  "version": "4.9.3",
   "description": "Web framework built on Web Standards",
   "main": "dist/cjs/index.js",
   "type": "module",
@@ -10,16 +10,16 @@
     "dist"
   ],
   "scripts": {
-    "test": "tsc --noEmit && vitest --run && vitest -c .vitest.config/jsx-runtime-default.ts --run && vitest -c .vitest.config/jsx-runtime-dom.ts --run",
+    "test": "tsc --noEmit && vitest --run",
     "test:watch": "vitest --watch",
     "test:deno": "deno test --allow-read --allow-env --allow-write --allow-net -c runtime-tests/deno/deno.json runtime-tests/deno && deno test --no-lock -c runtime-tests/deno-jsx/deno.precompile.json runtime-tests/deno-jsx && deno test --no-lock -c runtime-tests/deno-jsx/deno.react-jsx.json runtime-tests/deno-jsx",
     "test:bun": "bun test --jsx-import-source ../../src/jsx runtime-tests/bun/*",
-    "test:fastly": "vitest --run --config ./runtime-tests/fastly/vitest.config.ts",
-    "test:node": "vitest --run --config ./runtime-tests/node/vitest.config.ts",
-    "test:workerd": "vitest --run --config ./runtime-tests/workerd/vitest.config.ts",
-    "test:lambda": "vitest --run --config ./runtime-tests/lambda/vitest.config.ts",
-    "test:lambda-edge": "vitest --run --config ./runtime-tests/lambda-edge/vitest.config.ts",
-    "test:all": "bun run test && bun test:deno && bun test:bun && bun test:fastly && bun test:node && bun test:workerd && bun test:lambda && bun test:lambda-edge",
+    "test:fastly": "vitest --run --project fastly",
+    "test:node": "vitest --run --project node",
+    "test:workerd": "vitest --run --project workerd",
+    "test:lambda": "vitest --run --project lambda",
+    "test:lambda-edge": "vitest --run --project lambda-edge",
+    "test:all": "bun run test && bun test:deno && bun test:bun",
     "lint": "eslint src runtime-tests build perf-measures benchmarks",
     "lint:fix": "eslint src runtime-tests build perf-measures benchmarks --fix",
     "format": "prettier --check --cache \"src/**/*.{js,ts,tsx}\" \"runtime-tests/**/*.{js,ts,tsx}\" \"build/**/*.{js,ts,tsx}\" \"perf-measures/**/*.{js,ts,tsx}\" \"benchmarks/**/*.{js,ts,tsx}\"",
@@ -658,14 +658,14 @@
   "devDependencies": {
     "@hono/eslint-config": "^2.0.3",
     "@hono/node-server": "^1.13.5",
-    "@types/glob": "^8.1.0",
+    "@types/glob": "^9.0.0",
     "@types/jsdom": "^21.1.7",
-    "@types/node": "^22.0.0",
-    "@types/supertest": "^2.0.16",
+    "@types/node": "^24.3.0",
+    "@types/supertest": "^6.0.3",
     "@typescript/native-preview": "7.0.0-dev.20250523.1",
-    "@vitest/coverage-v8": "^3.0.5",
+    "@vitest/coverage-v8": "^3.2.4",
     "arg": "^5.0.2",
-    "bun-types": "^1.1.39",
+    "bun-types": "^1.2.20",
     "editorconfig-checker": "^6.1.0",
     "esbuild": "^0.15.18",
     "eslint": "^9.10.0",
@@ -677,13 +677,14 @@
     "prettier": "^2.6.2",
     "publint": "^0.1.16",
     "supertest": "^6.3.4",
-    "typescript": "^5.3.3",
+    "typescript": "^5.9.2",
     "vite-plugin-fastly-js-compute": "^0.4.2",
-    "vitest": "^3.0.5",
+    "vitest": "^3.2.4",
     "wrangler": "4.12.0",
     "ws": "^8.18.0",
     "zod": "^3.23.8"
   },
+  "packageManager": "bun@1.2.20",
   "engines": {
     "node": ">=16.9.0"
   }