[Snyk] Upgrade hono from 4.8.8 to 4.9.8

[rnmeow]

Snyk has created this PR to upgrade hono from 4.8.8 to 4.9.8.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 13 versions ahead of your current version.

• The recommended version was released 25 days ago.

Release notes

Package name: hono

• 4.9.8 - 2025-09-18
  

  What's Changed

  • fix(types): JSONParsed infer unknown values by @ BarryThePenguin in #4405
  • refactor(types): remove SimplifyDeepArray from json types by @ BarryThePenguin in #4406
  • refactor(types): fix the type definitions in hono-base by @ yusukebe in #4407
  • fix(request): return empty string for empty catch-all param by @ amitksingh0880 in #4395

  New Contributors

  • @ amitksingh0880 made their first contribution in #4395

  Full Changelog: v4.9.7...v4.9.8

• 4.9.7 - 2025-09-12
  

  Security

  • Fixed an issue in the bodyLimit middleware where the body size limit could be bypassed when both Content-Length and Transfer-Encoding headers were present. If you are using this middleware, please update immediately. Security Advisory

  What's Changed

  • fix(client): Fix parseResponse not parsing json in react native by @ lr0pb in #4399
  • chore: add .tool-versions file by @ 3w36zj6 in #4397
  • chore: update bun install commands to use --frozen-lockfile by @ 3w36zj6 in #4398
  • test(jwk): Add tests of JWK token verification by @ buckett in #4402

  New Contributors

  • @ lr0pb made their first contribution in #4399
  • @ buckett made their first contribution in #4402

  Full Changelog: v4.9.6...v4.9.7

• 4.9.6 - 2025-09-03
  

  Security

  Fixed a bug in URL path parsing (getPath) that could cause path confusion under malformed requests.

  If you rely on reverse proxies (e.g. Nginx) for ACLs or restrict access to endpoints like /admin, please update immediately.

  See advisory for details: GHSA-9hp6-4448-45g2

  What's Changed

  • chore: update packages in the router bench by @ yusukebe in #4386
  • chore(benchmarks): remove comment-out from router bench by @ yusukebe in #4387

  Full Changelog: v4.9.5...v4.9.6

• 4.9.5 - 2025-08-29
  

  What's Changed

  • chore: replace supertest with undici by @ BarryThePenguin in #4365
  • fix(aws-lambda): preserve percent-encoded values in query strings by @ yusukebe in #4372
  • feat(cors): Allow async functions for origin and allowMethods by @ jobrk in #4373
  • feat(cors): Correct origin function return type asynchronously returning null or undefined for origin by @ jobrk in #4375
  • fix(service-worker): correct args for app.fetch in handle by @ yusukebe in #4374
  • fix(language-detector): Detect language from path after getPath changed by @ iflamed in #4369

  New Contributors

  • @ jobrk made their first contribution in #4373
  • @ iflamed made their first contribution in #4369

  Full Changelog: v4.9.4...v4.9.5

• 4.9.4 - 2025-08-22
  

  What's Changed

  • chore: add a type cast to run deno publish by @ yusukebe in #4364

  Full Changelog: v4.9.3...v4.9.4

• 4.9.3 - 2025-08-22
  

  What's Changed

  • feat(csrf): Add modern CSRF protection with Fetch Metadata support by @ meck93 in #4353
  • tests: use vitest projects by @ BarryThePenguin in #4359
  • feat(proxy): add customFetch option to allow custom fetch function by @ yusukebe in #4360
  • chore: update typescript to 5.9.2 by @ yusukebe in #4362
  • chore: add packageManager field to package.json by @ yusukebe in #4363

  Full Changelog: v4.9.2...v4.9.3

• 4.9.2 - 2025-08-15
  

  What's Changed

  • fix(jsx): 'plaintext-only' value for contenteditable attribute by @ object1037 in #4349
  • fix(client): handle query parameters in removeIndexString by @ yusukebe in #4352

  New Contributors

  • @ object1037 made their first contribution in #4349

  Full Changelog: v4.9.1...v4.9.2

• 4.9.1 - 2025-08-12
  

  What's Changed

  • feat(parseResponse): set DetailedError.name (+ error tests) by @ NamesMT in #4344
  • fix(parseResponse): should not include error responses in result by @ NamesMT in #4348

  Full Changelog: v4.9.0...v4.9.1

• 4.9.0 - 2025-08-07
  

  Release Notes

  Hono v4.9.0 is now available!

  This release introduces several enhancements and utilities.

  The main highlight is the new parseResponse utility that makes it easier to work with RPC client responses.

  parseResponse Utility

  The new parseResponse utility provides a convenient way to parse responses from Hono RPC clients (hc). It automatically handles different response formats and throws structured errors for failed requests.

  import { parseResponse, DetailedError } from 'hono/client'

  // result contains the parsed response body (automatically parsed based on Content-Type)
  const result = await parseResponse(client.hello.$get()).catch(
  // parseResponse automatically throws an error if response is not ok
  (e: DetailedError) => {
  console.error(e)
  }
  )

  This makes working with RPC client responses much more straightforward and type-safe.

  Thanks @ NamesMT!

  New features

  • feat(bun): allow importing upgradeWebSocket and websocket directly #4242
  • feat(aws-lambda): specify content-type as binary #4250
  • feat(jwt): add validation for the issuer (iss) claim #4253
  • feat(jwk): add headerName to JWK middleware #4279
  • feat(cookie): add generateCookie and generateSignedCookie helpers #4285
  • feat(serve-static): use join to correct path resolution #4291
  • feat(jwt): expose utility function verifyWithJwks for external use #4302
  • feat: add parseResponse util to smartly parse hc's Response #4314
  • feat(ssg): mark old hook options as deprecated #4331

  All changes

  • feat(aws-lambda): specify content-type as binary by @ Kanahiro in #4250
  • feat(jwt): added validation for the issuer (iss) claim by @ yolocat-dev in #4253
  • feat(jwk): Add custom headerName to JWK middleware by @ JoaquinGimenez1 in #4279
  • feat(cookie): generateCookie and generateSignedCookie helpers by @ Soviut in #4285
  • feat(serve-static): use join to correct path resolution by @ yusukebe in #4291
  • feat(jwt): Exposing utility function verifyWithJwks for external use by @ Beyondo in #4302
  • feat: add parseResponse util to smartly parse hc's Response by @ NamesMT in #4314
  • feat(ssg): mark old hook options as deprecated by @ 3w36zj6 in #4331
  • fix(bun): exports functions related to websocket by @ yusukebe in #4341
  • Next by @ yusukebe in #4340
  • chore: enable skipLibCheck to resolve TypeScript compilation issues by @ yusukebe in #4342

  New Contributors

  • @ yolocat-dev made their first contribution in #4253
  • @ JoaquinGimenez1 made their first contribution in #4279
  • @ Soviut made their first contribution in #4285

  Full Changelog: v4.8.12...v4.9.0

• 4.8.12 - 2025-08-02
  

  What's Changed

  • fix(router): support /files/:name{.*} by @ yusukebe in #4329

  Full Changelog: v4.8.11...v4.8.12

• 4.8.11 - 2025-08-01
• 4.8.10 - 2025-07-29
• 4.8.9 - 2025-07-26
• 4.8.8 - 2025-07-25

from hono GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs