chore(hono): Update [DEV] minor & patch dependencies to ^4.12.23

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
hono (source)	^4.12.15 → ^4.12.23

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

honojs/hono (hono)

v4.12.23

Compare Source

What's Changed

• fix(serve-static): normalize all backslashes in file paths, not just the first in #​4962
• feat(context): export the Context class publicly by @​BlankParticle in #​4543
• docs(contribution): add AI Usage Policy by @​yusukebe in #​4970
• feat(compress): add contentTypeFilter option and COMPRESSIBLE_CONTENT_TYPE_REGEX re-export by @​na-trium-144 in #​4961
• fix(utils/ipaddr): do not compress a single 0 group to :: by @​yusukebe in #​4971

Full Changelog: honojs/hono@v4.12.22...v4.12.23

v4.12.22

Compare Source

What's Changed

• chore: update vitest to v4 and cleanups by @​BlankParticle in #​4952
• fix(mime): specify charset parameter per MIME type instead of mechanical detection by @​renatograsso10 in #​4912
• fix(compress): respect Accept-Encoding when encoding option is set by @​LeSingh1 in #​4951
• fix(deno): echo negotiated WebSocket subprotocol in upgrade response by @​ATOM00blue in #​4955
• feat: add msgpack as a compressible content type by @​na-trium-144 in #​4957

New Contributors

• @​renatograsso10 made their first contribution in #​4912
• @​LeSingh1 made their first contribution in #​4951
• @​ATOM00blue made their first contribution in #​4955
• @​na-trium-144 made their first contribution in #​4957

Full Changelog: honojs/hono@v4.12.21...v4.12.22

v4.12.21

Compare Source

Security fixes

This release includes fixes for the following security issues:

app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Affects: app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3

IP Restriction bypasses static deny rules for non-canonical IPv6

Affects: hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5

Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Affects: hono/cookie. Fixes missing validation of sameSite and priority options against injection characters (;, \r, \n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x

JWT middleware accepts any Authorization scheme, not only Bearer

Affects: hono/jwt, hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474

---

Users who use app.mount(), hono/ip-restriction, hono/cookie, or hono/jwt/hono/jwk are encouraged to upgrade to this version.

v4.12.20

Compare Source

What's Changed

• fix(route): preserve the base path of the mounted route() app by @​usualoma in #​4942
• fix(jsx): widen jsx and jsxFn children to Child[] by @​ashunar0 in #​4947

New Contributors

• @​ashunar0 made their first contribution in #​4947

Full Changelog: honojs/hono@v4.12.19...v4.12.20

v4.12.19

Compare Source

What's Changed

• ci: pin GitHub Actions to SHAs by @​yusukebe in #​4932
• fix(serveStatic): make options parameter optional in all adapters by @​mixelburg in #​4934
• fix(cookie): return the first cookie when there are multiple cookies with the same name by @​usualoma in #​4922
• feat(bearer-auth): make bearerAuth generic for typed context in verifyToken by @​justinnais in #​4913
• feat(cache): key cache entries by configured vary headers by @​usualoma in #​4915
• feat(request): add bytes() by @​yusukebe in #​4921
• fix(stream): upgrade @hono/node-server to v2 and fix abort handling by @​yusukebe in #​4940

New Contributors

• @​justinnais made their first contribution in #​4913

Full Changelog: honojs/hono@v4.12.18...v4.12.19

v4.12.18

Compare Source

v4.12.17

Compare Source

v4.12.16

Compare Source

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

---

Configuration

📅 Schedule: (in timezone GMT)

• Branch creation
  • "before 7am on the first day of the week"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Jun 7, 2026 1:16am

[changeset-bot]

⚠️ No Changeset found

Latest commit: 2876377

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8574

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8574

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8574

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8574

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8574

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8574

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8574

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8574

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8574

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8574

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8574

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8574

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8574

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8574

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8574

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8574

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8574

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8574

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8574

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8574

commit: 2876377

[github-actions]

Break Check: no API changes detected across the tracked packages.

_{Last ran on 2876377. Pushes that change no tracked declarations (no API surface change vs. base) are skipped and don't update this comment.}