chore(deps): bump the npm_and_yarn group across 4 directories with 6 updates

[dependabot]

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package	From	To
@hono/node-server	1.14.2	1.19.13
hono	4.11.9	4.12.18
ai	4.3.19	5.0.52
elysia	1.4.12	1.4.27
next	16.1.1	16.2.6
yaml	2.8.2	2.8.3

Bumps the npm_and_yarn group with 1 update in the /examples/ai-and-user-generated-actors-freestyle/template directory: hono.
Bumps the npm_and_yarn group with 2 updates in the /examples/next-js directory: @hono/node-server and next.
Bumps the npm_and_yarn group with 2 updates in the /examples/react-vercel directory: @hono/node-server and hono.

Updates @hono/node-server from 1.14.2 to 1.19.13

Release notes

Sourced from @​hono/node-server's releases.

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

• chore: ignore claude setting by @​yusukebe in honojs/node-server#314
• fix: request draining for early 413 responses by @​usualoma in honojs/node-server#329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

• fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @​usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

v1.19.9

What's Changed

• fix(globals): Stop overwriting global.fetch by @​usualoma in honojs/node-server#295

Full Changelog: honojs/node-server@v1.19.8...v1.19.9

v1.19.8

What's Changed

• docs: add guide for listening to UNIX domain socket by @​TransparentLC in honojs/node-server#292
• fix(serve-static): Use Readable.toWeb in serveStatic by @​otya128 in honojs/node-server#293

New Contributors

• @​TransparentLC made their first contribution in honojs/node-server#292
• @​otya128 made their first contribution in honojs/node-server#293

Full Changelog: honojs/node-server@v1.19.7...v1.19.8

v1.19.7

What's Changed

• fix: Fix for hono issue 4563 - incorrect content-length after following symlink by @​tshmieldev in honojs/node-server#290

... (truncated)

Commits

• fd64e65 1.19.13
• 025c30f Merge commit from fork
• 6cdb5a7 1.19.12
• 70250f7 fix: request draining for early 413 responses (#329)
• cfc08b3 chore: ignore claude setting (#314)
• ecd4d6b 1.19.11
• c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
• 2f8ca36 1.19.10
• 455015b Merge commit from fork
• cc05c48 chore: add benchmark for comparing with npm and local (dev) (#305)
• Additional commits viewable in compare view

Updates hono from 4.11.9 to 4.12.18

Release notes

Sourced from hono's releases.

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36

---

Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

• fix(jsx): normalize SVG attributes on the root element by @​kfly8 in honojs/hono#4893
• fix(ssg): add atom+xml and rss+xml to defaultExtensionMap by @​yuintei in honojs/hono#4899
• fix(cors): make origin optional in CORSOptions by @​truffle-dev in honojs/hono#4905
• fix(types): propagate middleware response types to app.on overloads by @​T4ko0522 in honojs/hono#4906

New Contributors

• @​kfly8 made their first contribution in honojs/hono#4893
• @​truffle-dev made their first contribution in honojs/hono#4905

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

• fix(jwt): support single-line PEM keys by @​hiendv in honojs/hono#4889

... (truncated)

Commits

• f10dee8 4.12.18
• a5bd9eb Merge commit from fork
• 58d3d3a Merge commit from fork
• 568c2ec Merge commit from fork
• ff2b3d3 4.12.17
• 52aaaf9 fix(types): propagate middleware response types to app.on overloads (#4906)
• 76d5589 fix(cors): make origin optional in CORSOptions (#4905)
• 8f027e5 fix(ssg): add atom+xml and rss+xml to defaultExtensionMap (#4899)
• bfba97c fix(jsx): normalize SVG attributes on the <svg> root element (#4893)
• 90d4182 4.12.16
• Additional commits viewable in compare view

Updates ai from 4.3.19 to 5.0.52

Changelog

Sourced from ai's changelog.

5.0.52

Patch Changes

• c56822d: fix(ai): update uiMessageChunkSchema to satisfy the UIMessageChunk type
• 930399b: fix(ai): download files when intermediate file cannot be downloaded
• Updated dependencies [7ca78f1]
  • @​ai-sdk/gateway@​1.0.29

5.0.51

Patch Changes

• 27645bb: Export parseJsonEventStream and uiMessageChunkSchema from "ai" package
• Updated dependencies [322901b]
  • @​ai-sdk/gateway@​1.0.28

5.0.50

Patch Changes

• Updated dependencies [c5f403a]
  • @​ai-sdk/gateway@​1.0.27

5.0.49

Patch Changes

• Updated dependencies [e304478]
  • @​ai-sdk/gateway@​1.0.26

5.0.48

Patch Changes

• Updated dependencies [4d3ff64]
  • @​ai-sdk/gateway@​1.0.25

5.0.47

Patch Changes

• Updated dependencies [c86e0f7]
• Updated dependencies [6bbae01]
  • @​ai-sdk/gateway@​1.0.24

5.0.46

Patch Changes

... (truncated)

Commits

• 63d5f66 Version Packages (#8895)
• 930399b Backport: fix(ai): download files when intermediate file cannot be downloaded...
• 85909a9 Backport: chore(ai): update test message (#8875)
• c56822d Backport: fix(ai): update uiMessageChunkSchema to satisfy the `UIMessageChu...
• 6bd07df Version Packages (#8853)
• 27645bb Backport: Export parseJsonEventStream and uiMessageChunkSchema from "ai" ...
• 8b7f0d2 Version Packages (#8843)
• 9eef198 Version Packages (#8831)
• 20bca65 Version Packages (#8799)
• 4254096 Version Packages (#8753)
• Additional commits viewable in compare view

Updates elysia from 1.4.12 to 1.4.27

Release notes

Sourced from elysia's releases.

1.4.27

What's changed

Bug fix:

• getSchemaValidator: handle TypeBox as sub type
• handle cookie prototype pollution when parsing cookie

Improvement:

• conditional async on getSchemaValidator when schema is Standard Schema
• use Response.json on Bun
• export AnySchema, UnwrapSchema, ModelsToTypes from root

Full Changelog: elysiajs/elysia@1.4.26...1.4.27

1.4.26

What's changed

Bug fix:

• #1755 deduplicate local handler from global event
• #1752 system router with trailing path doesn't match with non-trailing
• url format redos
• #1747 parsing request from mount hang

Full Changelog: elysiajs/elysia@1.4.25...1.4.26

1.4.25

What's changed

Feature:

• export ElysiaStatus

Bug fix:

• macro with conflict literal value per status
• recursive macro with conflict value per status

Full Changelog: elysiajs/elysia@1.4.24...1.4.25

1.4.24

What's Changed

Feature:

• graceful unsigned cookie transition

Bug fix:

• #1733 preserve multiple set-cookie headers in mounted handlers by @​cipher416
• object cookie with secret doesn't deserialized after parsed

New Contributors

• @​cipher416 made their first contribution in elysiajs/elysia#1733

Full Changelog: elysiajs/elysia@1.4.23...1.4.24

... (truncated)

Changelog

Sourced from elysia's changelog.

1.4.27 - 1 Mar 2026

Bug fix:

• getSchemaValidator: handle TypeBox as sub type
• handle cookie prototype pollution when parsing cookie

Improvement:

• conditional async on getSchemaValidator when schema is Standard Schema
• use Response.json on Bun

1.4.26 - 25 Feb 2026

Bug fix:

• #1755 deduplicate local handler from global event
• #1752 system router with trailing path doesn't match with non-trailing
• url format redos
• #1747 parsing request from mount hang

1.4.25 - 12 Feb 2026

Feature:

• export ElysiaStatus

Bug fix:

• macro with conflict literal value per status
• recursive macro with conflict value per status

1.4.24 - 11 Feb 2026

Feature:

• graceful unsigned cookie transition

Bug fix:

• #1733 preserve multiple set-cookie headers in mounted handlers
• object cookie with secret doesn't deserialized after parsed

1.4.23 - 9 Feb 2026

Feature:

• #1719 add t.Union/t.Intersection handling in property enumerations/checks
• #1697 extend complex formdata support to StandardSchema
• #1656 serialize custom array-like custom class with array sub class

Bug fix:

• #1721 Promise with response schema
• #1700 distinct union object
• #1683 response validation returns 500 instead of 422 for nested schemas in dynamic mode
• #1679 preserve headers when throwing from AsyncGenerator
• #1595 stream reference should point to teed value
• fix can't modify immutable headers error

Change:

• update exact-mirror to 0.2.7

1.4.22 - 14 Jan 2026

... (truncated)

Commits

• cc9159b 🎉 feat: 1.4.27
• e9d6b17 🎉 feat: 1.4.27
• 21dce4c 🎉 feat: use Response.json on Bun
• 6b44646 🔧 fix(getSchemaValidator): handle TypeBox as sub type
• bbaf6b7 🎉 feat: 1.4.26
• e596dab 🔧 fix: #1747 parsing request from mount hang
• 6561d61 🔧 fix: #1752 system router with trailing path doesn't match with non-t...
• 3c9dabc 🔧 fix: #1752 system router with trailing path doesn't match with non-t...
• d17a7aa 🔧 fix: #1755 deduplicate local handler from global event
• e5c9449 🔧 fix: recursive macro with conflict value per status
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for elysia since your current version.

Updates next from 16.1.1 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#92231)
• Fix fallback route params case in app-page handler (#91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
• Patch setHeader for direct route handlers (#93101)
• Include deployment id in cacheHandlers keys (#93453)
• Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

... (truncated)

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates yaml from 2.8.2 to 2.8.3

Release notes

Sourced from yaml's releases.

v2.8.3

• Add trailingComma ToString option for multiline flow formatting (#670)
• Catch stack overflow during node composition (1e84ebb)

Commits

• ce14587 2.8.3
• 1e84ebb fix: Catch stack overflow during node composition
• 6b24090 ci: Include Prettier check in lint action
• 9424dee chore: Refresh lockfile
• d1aca82 Add trailingComma ToString option for multiline flow formatting (#670)
• 4321509 ci: Drop the branch filter from GitHub PR actions
• 47207d0 chore: Update docs-slate
• 5212fae chore: Update docs-slate
• See full diff in compare view

Updates hono from 4.11.9 to 4.12.18

Release notes

Sourced from hono's releases.

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36

---

Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

• fix(jsx): normalize SVG attributes on the root element by @​kfly8 in honojs/hono#4893
• fix(ssg): add atom+xml and rss+xml to defaultExtensionMap by @​yuintei in honojs/hono#4899
• fix(cors): make origin optional in CORSOptions by @​truffle-dev in honojs/hono#4905
• fix(types): propagate middleware response types to app.on overloads by @​T4ko0522 in honojs/hono#4906

New Contributors

• @​kfly8 made their first contribution in honojs/hono#4893
• @​truffle-dev made their first contribution in honojs/hono#4905

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

• fix(jwt): support single-line PEM keys by @​hiendv in honojs/hono#4889

... (truncated)

Commits

• f10dee8 4.12.18
• a5bd9eb Merge commit from fork
• 58d3d3a Merge commit from fork
• 568c2ec Merge commit from fork
• ff2b3d3 4.12.17
• 52aaaf9 fix(types): propagate middleware response types to app.on overloads (#4906)
• 76d5589 fix(cors): make origin optional in CORSOptions (#4905)
• 8f027e5 fix(ssg): add atom+xml and rss+xml to defaultExtensionMap (#4899)
• bfba97c fix(jsx): normalize SVG attributes on the <svg> root element (#4893)
• 90d4182 4.12.16
• Additional commits viewable in compare view

Updates @hono/node-server from 1.14.2 to 1.19.13

Release notes

Sourced from @​hono/node-server's releases.

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

• chore: ignore claude setting by @​yusukebe in honojs/node-server#314
• fix: request draining for early 413 responses by @​usualoma in honojs/node-server#329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

• fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @​usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

v1.19.9

What's Changed

• fix(globals): Stop overwriting global.fetch by @​usualoma in honojs/node-server#295

Full Changelog: honojs/node-server@v1.19.8...v1.19.9

v1.19.8

What's Changed

• docs: add guide for listening to UNIX domain socket by @​TransparentLC in honojs/node-server#292
• fix(serve-static): Use Readable.toWeb in serveStatic by @​otya128 in honojs/node-server#293

New Contributors

• @​TransparentLC made their first contribution in honojs/node-server#292
• @​otya128 made their first contribution in honojs/node-server#293

Full Changelog: honojs/node-server@v1.19.7...v1.19.8

v1.19.7

What's Changed

• fix: Fix for hono issue 4563 - incorrect content-length after following symlink by @​tshmieldev in honojs/node-server#290

... (truncated)

Commits

• fd64e65 1.19.13
• 025c30f Merge commit from fork
• 6cdb5a7 1.19.12
• 70250f7 fix: request draining for early 413 responses (#329)
• cfc08b3 chore: ignore claude setting (#314)
• ecd4d6b 1.19.11
• c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
• 2f8ca36 1.19.10
• 455015b Merge commit from fork
• cc05c48 chore: add benchmark for comparing with npm and local (dev) (#305)
• Additional commits viewable in compare view

Updates ai from 4.3.19 to 5.0.52

Changelog

Sourced from ai's changelog.

5.0.52

Patch Changes

• c56822d: fix(ai): update uiMessageChunkSchema to satisfy the UIMessageChunk type
• 930399b: fix(ai): download files when intermediate file cannot be downloaded
• Updated dependencies [7ca78f1]
  • @​ai-sdk/gateway@​1.0.29

5.0.51

Patch Changes

• 27645bb: Export parseJsonEventStream and uiMessageChunkSchema from "ai" package
• Updated dependencies [322901b]
  • @​ai-sdk/gateway@​1.0.28

5.0.50

Patch Changes

• Updated dependencies [c5f403a]
  • @​ai-sdk/gateway@​1.0.27

5.0.49

Patch Changes

• Updated dependencies [e304478]
  • @​ai-sdk/gateway@​1.0.26

5.0.48

Patch Changes

• Updated dependencies [4d3ff64]
  • @​ai-sdk/gateway@​1.0.25

5.0.47

Patch Changes

• Updated dependencies [c86e0f7]
• Updated dependencies [6bbae01]
  • @​ai-sdk/gateway@​1.0.24

5.0.46

Patch Changes

... (truncated)

Commits

• 63d5f66 Version Packages (#8895)
• 930399b Backport: fix(ai): download files when intermediate file cannot be downloaded...
• 85909a9 Backport: chore(ai): update test message (#8875)
• c56822d Backport: fix(ai): update uiMessageChunkSchema to satisfy the `UIMessageChu...
• 6bd07df Version Packages (#8853)
• 27645bb Backport: Export parseJsonEventStream and uiMessageChunkSchema from "ai" ...
• 8b7f0d2 Version Packages (#8843)
• 9eef198 Version Packages (#8831)
• 20bca65 Version Packages (#8799)
• 4254096 Version Packages (#8753)
• Additional commits viewable in compare view

Updates elysia from 1.4.12 to 1.4.27

Release notes

Sourced from elysia's releases.

1.4.27

What's changed

Bug fix:

• getSchemaValidator: handle TypeBox as sub type
• handle cookie prototype pollution when parsing cookie

Improvement:

• conditional async on getSchemaValidator when schema is Standard Schema
• use Response.json on Bun
• export AnySchema, UnwrapSchema, ModelsToTypes from root

Full Changelog: elysiajs/elysia@1.4.26...1.4.27

1.4.26

What's changed

Bug fix:

• #1755 deduplicate local handler from global event
• #1752 system router with trailing path doesn't match with non-trailing
• url format redos
• #1747 parsing request from mount hang

Full Changelog: elysiajs/elysia@1.4.25...1.4.26

1.4.25

What's changed

Feature:

• export ElysiaStatus

Bug fix:

• macro with conflict literal value per status
• recursive macro with conflict value per status

Full Changelog: elysiajs/elysia@1.4.24...1.4.25

1.4.24

What's Changed

Feature:

• graceful unsigned cookie transition

Bug fix:

• #1733 preserve multiple set-cookie headers in mounted handlers by @​cipher416
• object cookie with secret doesn't deserialized after parsed

New Contributors

• @​cipher416 made their first contribution in elysiajs/elysia#1733

Full Changelog: elysiajs/elysia@1.4.23...1.4.24

... (truncated)

Changelog

Sourced from elysia's changelog.

1.4.27 - 1 Mar 2026

Bug fix:

• getSchemaValidator: handle TypeBox as sub type
• handle cookie prototype pollution when parsing cookie

Improvement:

• conditional async on getSchemaValidator when schema is Standard Schema
• use Response.json on Bun

1.4.26 - 25 Feb 2026

Bug fix:

• #1755 deduplicate local handler from global event
• #1752 system router with trailing path doesn't match with non-trailing
• url format redos
• #1747 parsing request from mount hang

1.4.25 - 12 Feb 2026

Feature:

• export ElysiaStatus

Bug fix:

• macro with conflict literal value per status
• recursive macro with conflict value per status

1.4.24 - 11 Feb 2026

Feature:

• graceful unsigned cookie transition

Bug fix:

• #1733 preserve multiple set-cookie headers in mounted handlers
• object cookie with secret doesn't deserialized after parsed

1.4.23 - 9 Feb 2026

Feature:

• #1719 add t.Union/t.Intersection handling in property enumerations/checks
• #1697 extend complex formdata support to StandardSchema
• #1656 serialize custom array-like custom class with array sub class

Bug fix:

• #1721 Promise with response schema
• #1700 distinct union object
• #1683 response validation returns 500 instead of 422 for nested schemas in dynamic mode
• #1679 preserve headers when throwing from AsyncGenerator
• #1595 stream reference should point to teed value
• fix can't modify immutable headers error

Change:

• update exact-mirror to 0.2.7

1.4.22 - 14 Jan 2026

... (truncated)

Commits

• cc9159b 🎉 feat: 1.4.27
• e9d6b17 🎉 feat: 1.4.27
• 21dce4c 🎉 feat: use Response.json on Bun
• 6b44646 🔧 fix(getSchemaValidator): handle TypeBox as sub type
• bbaf6b7 🎉 feat: 1.4.26
• e596dab 🔧 fix: #1747 parsing request from mount hang
• 6561d61 🔧 fix: #1752 system router with trailing path doesn't match with non-t...
• 3c9dabc 🔧 fix: #1752 system router with trailing path doesn't match with non-t...
• d17a7aa 🔧 fix: #1755 deduplicate local handler from global event
• e5c9449 🔧 fix: recursive macro with conflict value per status
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for elysia since your current version.

Updates next from 16.1.1 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#92231)
• Fix fallback route params case in app-page handler (#91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
• Patch setHeader for direct route handlers (#93101)
• Include deployment id in cacheHandlers keys (#93453)
• Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhausti...

  Description has been truncated