Skip to content

chore(deps): update all non-major dependencies#254

Open
renovate[bot] wants to merge 1 commit intotrunkfrom
renovate/all-minor-patch
Open

chore(deps): update all non-major dependencies#254
renovate[bot] wants to merge 1 commit intotrunkfrom
renovate/all-minor-patch

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Mar 2, 2026
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@commitlint/cli (source) 20.4.120.4.2 age confidence
@commitlint/config-conventional (source) 20.4.120.4.2 age confidence
eslint (source) 9.32.09.39.3 age confidence
hono (source) 4.11.104.12.2 age confidence
knip (source) 5.83.15.85.0 age confidence

Release Notes

conventional-changelog/commitlint (@​commitlint/cli)

v20.4.2

Compare Source

Note: Version bump only for package @​commitlint/cli

conventional-changelog/commitlint (@​commitlint/config-conventional)

v20.4.2

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

eslint/eslint (eslint)

v9.39.3

Compare Source

Bug Fixes

  • 791bf8d fix: restore TypeScript 4.0 compatibility in types (#​20504) (sethamus)

Chores

v9.39.2

Compare Source

v9.39.1

Compare Source

v9.39.0

Compare Source

v9.38.0

Compare Source

Features

  • ce40f74 feat: update complexity rule to only highlight function header (#​20048) (Atul Nair)
  • e37e590 feat: correct no-loss-of-precision false positives with e notation (#​20187) (Francesco Trotta)

Bug Fixes

  • 50c3dfd fix: improve type support for isolated dependencies in pnpm (#​20201) (Francesco Trotta)
  • a1f06a3 fix: correct SourceCode typings (#​20114) (Pixel998)

Documentation

  • 462675a docs: improve web accessibility by hiding non-semantic character (#​20205) (루밀LuMir)
  • c070e65 docs: correct formatting in no-irregular-whitespace rule documentation (#​20203) (루밀LuMir)
  • b39e71a docs: Update README (GitHub Actions Bot)
  • cd39983 docs: move custom-formatters type descriptions to nodejs-api (#​20190) (Percy Ma)

Chores

v9.37.0

Compare Source

Features

  • 39f7fb4 feat: preserve-caught-error should recognize all static "cause" keys (#​20163) (Pixel998)
  • f81eabc feat: support TS syntax in no-restricted-imports (#​19562) (Nitin Kumar)

Bug Fixes

Documentation

  • b950359 docs: fix typos across the docs (#​20182) (루밀LuMir)
  • 42498a2 docs: improve ToC accessibility by hiding non-semantic character (#​20181) (Percy Ma)
  • 29ea092 docs: Update README (GitHub Actions Bot)
  • 5c97a04 docs: show availableUntil in deprecated rule banner (#​20170) (Pixel998)
  • 90a71bf docs: update README files to add badge and instructions (#​20115) (루밀LuMir)
  • 1603ae1 docs: update references from master to main (#​20153) (루밀LuMir)

Chores

  • afe8a13 chore: update @eslint/js dependency to version 9.37.0 (#​20183) (Francesco Trotta)
  • abee4ca chore: package.json update for @​eslint/js release (Jenkins)
  • fc9381f chore: fix typos in comments (#​20175) (overlookmotel)
  • e1574a2 chore: unpin jiti (#​20173) (renovate[bot])
  • e1ac05e refactor: mark ESLint.findConfigFile() as async, add missing docs (#​20157) (Pixel998)
  • 347906d chore: update eslint (#​20149) (renovate[bot])
  • 0cb5897 test: remove tmp dir created for circular fixes in multithread mode test (#​20146) (Milos Djermanovic)
  • bb99566 ci: pin jiti to version 2.5.1 (#​20151) (Pixel998)
  • 177f669 perf: improve worker count calculation for "auto" concurrency (#​20067) (Francesco Trotta)
  • 448b57b chore: Mark deprecated formatting rules as available until v11.0.0 (#​20144) (Milos Djermanovic)

v9.36.0

Compare Source

Features

  • 47afcf6 feat: correct preserve-caught-error edge cases (#​20109) (Francesco Trotta)

Bug Fixes

Documentation

  • b73ab12 docs: update examples to use defineConfig (#​20131) (sethamus)
  • 31d9392 docs: fix typos (#​20118) (Pixel998)
  • c7f861b docs: Update README (GitHub Actions Bot)
  • 6b0c08b docs: Update README (GitHub Actions Bot)
  • 91f97c5 docs: Update README (GitHub Actions Bot)

Chores

  • 12411e8 chore: upgrade @​eslint/js@​9.36.0 (#​20139) (Milos Djermanovic)
  • 488cba6 chore: package.json update for @​eslint/js release (Jenkins)
  • bac82a2 ci: simplify renovate configuration (#​19907) (唯然)
  • c00bb37 ci: bump actions/labeler from 5 to 6 (#​20090) (dependabot[bot])
  • fee751d refactor: use defaultOptions in rules (#​20121) (Pixel998)
  • 1ace67d chore: update example to use defineConfig (#​20111) (루밀LuMir)
  • 4821963 test: add missing loc information to error objects in rule tests (#​20112) (루밀LuMir)
  • b42c42e chore: disallow use of deprecated type property in core rule tests (#​20094) (Milos Djermanovic)
  • 7bb498d test: remove deprecated type property from core rule tests (#​20093) (Pixel998)
  • e10cf2a ci: bump actions/setup-node from 4 to 5 (#​20089) (dependabot[bot])
  • 5cb0ce4 refactor: use meta.defaultOptions in preserve-caught-error (#​20080) (Pixel998)
  • f9f7cb5 chore: package.json update for eslint-config-eslint release (Jenkins)
  • 81764b2 chore: update eslint peer dependency in eslint-config-eslint (#​20079) (Milos Djermanovic)

v9.35.0

Compare Source

Features

  • 42761fa feat: implement suggestions for no-empty-function (#​20057) (jaymarvelz)
  • 102f444 feat: implement suggestions for no-empty-static-block (#​20056) (jaymarvelz)
  • e51ffff feat: add preserve-caught-error rule (#​19913) (Amnish Singh Arora)

Bug Fixes

  • 10e7ae2 fix: update uncloneable options error message (#​20059) (soda-sorcery)
  • bfa4601 fix: ignore empty switch statements with comments in no-empty rule (#​20045) (jaymarvelz)
  • dfd11de fix: add before and after to test case types (#​20049) (Francesco Trotta)
  • dabbe95 fix: correct types for no-restricted-imports rule (#​20034) (Milos Djermanovic)
  • ea789c7 fix: no-loss-of-precision false positive with uppercase exponent (#​20032) (sethamus)

Documentation

  • d265515 docs: improve phrasing - "if" → "even if" from getting-started section (#​20074) (jjangga0214)
  • a355a0e docs: invert comparison logic for example in no-var doc page (#​20064) (OTonGitHub)
  • 5082fc2 docs: Update README (GitHub Actions Bot)
  • 99cfd7e docs: add missing "the" in rule deprecation docs (#​20050) (Josh Goldberg ✨)
  • 6ad8973 docs: update --no-ignore and --ignore-pattern documentation (#​20036) (Francesco Trotta)
  • 8033b19 docs: add documentation for --no-config-lookup (#​20033) (Francesco Trotta)

Chores

v9.34.0

Compare Source

Features

  • 0bb777a feat: multithread linting (#​19794) (Francesco Trotta)
  • 43a5f9e feat: add eslint-plugin-regexp to eslint-config-eslint base config (#​19951) (Pixel998)

Bug Fixes

  • 9b89903 fix: default value of accessor-pairs option in rule.d.ts file (#​20024) (Tanuj Kanti)
  • 6c07420 fix: fix spurious failure in neostandard integration test (#​20023) (Kirk Waiblinger)
  • 676f4ac fix: allow scientific notation with trailing zeros matching exponent (#​20002) (Sweta Tanwar)

Documentation

  • 0b4a590 docs: make rulesdir deprecation clearer (#​20018) (Domenico Gemoli)
  • 327c672 docs: Update README (GitHub Actions Bot)
  • bf26229 docs: Fix typo in core-concepts/index.md (#​20009) (Tobias Hernstig)
  • 2309327 docs: fix typo in the "Configuring Rules" section (#​20001) (ghazi-git)
  • 2b87e21 docs: [no-else-return] clarify sample code. (#​19991) (Yuki Takada (Yukinosuke Takada))
  • c36570c docs: Update README (GitHub Actions Bot)

Chores

v9.33.0

Compare Source

Features

  • e07820e feat: add global object access detection to no-restricted-globals (#​19939) (sethamus)
  • 90b050e feat: support explicit resource management in one-var (#​19941) (Sweta Tanwar)

Bug Fixes

  • 732433c fix: allow any type for meta.docs.recommended in custom rules (#​19995) (Francesco Trotta)
  • e8a6914 fix: Fixed potential bug in check-emfile-handling.js (#​19975) (諏訪原慶斗)

Documentation

  • 34f0723 docs: playground button for TypeScript code example (#​19671) (Tanuj Kanti)
  • dc942a4 docs: Update README (GitHub Actions Bot)
  • 5a4b6f7 docs: Update no-multi-assign.md (#​19979) (Yuki Takada (Yukinosuke Takada))
  • 247e156 docs: add missing let declarations in no-plusplus (#​19980) (Yuki Takada (Yukinosuke Takada))
  • 0d17242 docs: Update README (GitHub Actions Bot)
  • fa20b9d docs: Clarify when to open an issue for a PR (#​19974) (Nicholas C. Zakas)

Build Related

  • 27fa865 build: use ESLint class to generate formatter examples (#​19972) (Milos Djermanovic)

Chores

honojs/hono (hono)

v4.12.2

Compare Source

Security fix

Fixed incorrect handling of X-Forwarded-For in the AWS Lambda adapter behind ALB that could allow IP-based access control bypass. The detail: GHSA-xh87-mx6m-69f3

Thanks @​EdamAme-x

What's Changed

Full Changelog: honojs/hono@v4.12.1...v4.12.2

v4.12.1

Compare Source

What's Changed

Full Changelog: honojs/hono@v4.12.0...v4.12.1

v4.12.0

Compare Source

Release Notes

Hono v4.12.0 is now available!

This release includes new features for the Hono client, middleware improvements, adapter enhancements, and significant performance improvements to the router and context.

$path for Hono Client

The Hono client now has a $path() method that returns the path string instead of a full URL. This is useful when you need just the path portion for routing or key-based operations:

const client = hc<typeof app>('http://localhost:8787')

// Get the path string
const path = client.api.posts.$path()
// => '/api/posts'

// With path parameters
const postPath = client.api.posts[':id'].$path({
  param: { id: '123' },
})
// => '/api/posts/123'

// With query parameters
const searchPath = client.api.posts.$path({
  query: { filter: 'test' },
})
// => '/api/posts?filter=test'

Unlike $url() which returns a URL object, $path() returns a plain path string, making it convenient for use with routers or as cache keys.

Thanks @​ShaMan123!

ApplyGlobalResponse Type Helper for RPC Client

The new ApplyGlobalResponse type helper allows you to add global error response types to all routes in the RPC client. This is useful for typing common error responses from app.onError() or global middlewares:

const app = new Hono()
  .get('/api/users', (c) => c.json({ users: ['alice', 'bob'] }, 200))
  .onError((err, c) => c.json({ error: err.message }, 500))

type AppWithErrors = ApplyGlobalResponse<
  typeof app,
  {
    401: { json: { error: string; message: string } }
    500: { json: { error: string; message: string } }
  }
>

const client = hc<AppWithErrors>('http://api.example.com')
// Now client knows about both success and error responses
const res = await client.api.users.$get()
// InferResponseType includes { users: string[] } | { error: string; message: string }

Thanks @​mohankumarelec!

SSG Redirect Plugin

A new redirectPlugin for SSG generates static HTML redirect pages for HTTP redirect responses (301, 302, 303, 307, 308):

import { toSSG } from 'hono/ssg'
import { defaultPlugin, redirectPlugin } from 'hono/ssg'

const app = new Hono()
app.get('/old', (c) => c.redirect('/new'))
app.get('/new', (c) => c.html('New Page'))

// redirectPlugin must be placed before defaultPlugin
await toSSG(app, fs, {
  plugins: [redirectPlugin(), defaultPlugin()],
})

The generated redirect pages include a <meta http-equiv="refresh"> tag, a canonical link, and a robots noindex meta tag.

Thanks @​3w36zj6!

onAuthSuccess Callback for Basic Auth

The Basic Auth middleware now supports an onAuthSuccess callback that is invoked after successful authentication. This allows you to set context variables or perform logging without re-parsing the Authorization header:

app.use(
  '/auth/*',
  basicAuth({
    username: 'hono',
    password: 'ahotproject',
    onAuthSuccess: (c, username) => {
      c.set('user', { name: username, role: 'admin' })
      console.log(`User ${username} authenticated`)
    },
  })
)

The callback also works with async functions and the verifyUser mode.

Thanks @​AprilNEA!

getConnInfo for AWS Lambda, Cloudflare Pages, and Netlify

getConnInfo() is now available for three additional adapters:

// AWS Lambda (supports API Gateway v1, v2, and ALB)
import { handle, getConnInfo } from 'hono/aws-lambda'

// Cloudflare Pages
import { handle, getConnInfo } from 'hono/cloudflare-pages'

// Netlify
import { handle, getConnInfo } from 'hono/netlify'

app.get('/', (c) => {
  const info = getConnInfo(c)
  return c.text(`Your IP: ${info.remote.address}`)
})

Thanks @​rokasta12!

alwaysRedirect Option for Trailing Slash Middleware

The trailing slash middleware now supports an alwaysRedirect option. When enabled, the middleware redirects before executing handlers, which fixes the issue where trailing slash handling doesn't work with wildcard routes:

app.use(trimTrailingSlash({ alwaysRedirect: true }))

app.get('/my-path/*', async (c) => {
  return c.text('wildcard')
})

// /my-path/something/ will be redirected to /my-path/something
// before the wildcard handler is executed

Progressive Locale Code Truncation

The normalizeLanguage function in the language middleware now supports RFC 4647 Lookup-based progressive truncation. Locale codes like ja-JP will match ja when only the base language is in supportedLanguages:

app.use(
  '/*',
  languageDetector({
    supportedLanguages: ['en', 'ja'],
    fallbackLanguage: 'en',
    order: ['cookie', 'header'],
  })
)

// Accept-Language: ja-JP → matches 'ja'
// Accept-Language: ko-KR → falls back to 'en'

Thanks @​sorafujitani!

exports Field for ExecutionContext

The ExecutionContext type now includes an exports property for Cloudflare Workers. You can use module augmentation to type it with Wrangler's generated types:

import 'hono'

declare module 'hono' {
  interface ExecutionContext {
    readonly exports: Cloudflare.Exports
  }
}

Thanks @​toreis-up!

Performance Improvements

TrieRouter 1.5x ~ 2.0x Faster

The TrieRouter has been significantly optimized with reduced spread syntax usage, O(1) hasChildren checks, lazy regular expression generation, and removal of redundant processes:

Route Node.js Deno Bun
short static GET /user 1.70x 1.40x 1.34x
dynamic GET /user/lookup/username/hey 1.38x 1.69x 1.51x
wildcard GET /static/index.html 1.51x 1.72x 1.43x
all together 1.58x 1.60x 1.82x

Thanks @​EdamAme-x!

Fast Path for c.json()

c.json() now has the same fast path optimization as c.text(). When no custom status, headers, or finalized state exists, the Response is created directly without allocating a Headers object:

// This common pattern is now faster
return c.json({ message: 'Hello' })

Benchmark results:

Metric Before After Change
Reqs/sec 92,268 95,244 +3.2%
Latency 5.42ms 5.25ms -3.1%
Throughput 17.24MB/s 19.07MB/s +10.6%

Thanks @​mgcrea!

New features

  • feat(client): Add ApplyGlobalResponse type helper for RPC Client #​4556
  • feat(ssg): add redirect plugin #​4599
  • feat(client): $path #​4636
  • feat(basic-auth): add context key and callback options #​4645
  • feat(adapter): add getConnInfo for AWS Lambda, Cloudflare Pages, and Netlify #​4649
  • feat(trailing-slash): add alwaysRedirect option to support wildcard routes #​4658
  • feat(language): add progressive locale code truncation to normalizeLanguage #​4717
  • feat(types): Add exports field to ExecutionContext #​4719

Performance

  • perf(context): add fast path to c.json() matching c.text() optimization #​4707
  • perf(trie-router): improve performance (1.5x ~ 2.0x) #​4724
  • perf(context): use createResponseInstance for new Response #​4733

All changes

New Contributors

Full Changelog: honojs/hono@v4.11.10...v4.12.0

webpro-nl/knip (knip)

v5.85.0: Release 5.85.0

Compare Source

v5.84.1: Release 5.84.1

Compare Source

v5.84.0: Release 5.84.0

Compare Source

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

@socket-security
Copy link

socket-security bot commented Mar 2, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updated@​commitlint/​cli@​20.4.1 ⏵ 20.4.21001007395 -1100
Updatedeslint@​9.32.0 ⏵ 9.39.38910010097100
Updated@​commitlint/​config-conventional@​20.4.1 ⏵ 20.4.210010010095 -1100
Updatedknip@​5.83.1 ⏵ 5.85.099 +110095 +195100
Updatedhono@​4.11.10 ⏵ 4.12.299 +110097 +196100

View full report

@socket-security
Copy link

socket-security bot commented Mar 2, 2026
edited
Loading

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

@renovate renovate bot force-pushed the renovate/all-minor-patch branch from d80c30a to f6a55f4 Compare March 2, 2026 08:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants