Bump elysia from 1.3.4 to 1.4.18

[dependabot]

Bumps elysia from 1.3.4 to 1.4.18.

Release notes

Sourced from elysia's releases.

1.4.18

What's Changed

Security

• use JSON.stringify over custom escape implementation

Full Changelog: elysiajs/elysia@1.4.17...1.4.18

1.4.17

What's Changed

Improvement:

• #1573 Server is always resolved to any when @types/bun is missing
• #1568 optimize cookie value comparison using FNV-1a hash
• #1549 Set-Cookie headers not sent when errors are thrown
• #1579 HEAD to handle Promise value

Security:

• cookie injection, prototype pollution, and RCE

Bug fix:

• #1550 excess property checking
• allow cookie.sign to be string

Change:

• #1584 change customError property to unknown
• #1556 prevent sending set-cookie header when cookie value is not modified
• #1563 standard schema on websocket
• conditional parseQuery parameter
• conditional pass c.request to handler for streaming response
• fix missing contentType type on parser

New Contributors

• @​NongTham made their first contribution in elysiajs/elysia#1558
• @​akim-bow made their first contribution in elysiajs/elysia#1567
• @​YasserGomma made their first contribution in elysiajs/elysia#1568
• @​NMNMCC made their first contribution in elysiajs/elysia#1573
• @​gosvoh made their first contribution in elysiajs/elysia#1579

Full Changelog: elysiajs/elysia@1.4.16...1.4.17

1.4.16

What's Changed

Improvement:

• ValidationError: add messageValue as an alias of errorValue
• ValidationError.detail now accept optional 2nd parameter allowUnsafeValidatorDetails
• macro: add introspect
• prevent redundant route compilation
• merge multiple macro resolve response

Bug fix:

... (truncated)

Changelog

Sourced from elysia's changelog.

1.4.18 - 4 Dec 2025

Security:

• use JSON.stringify over custom escape implementation

1.4.17 - 2 Dec 2025

Improvement:

• #1573 Server is always resolved to any when @types/bun is missing
• #1568 optimize cookie value comparison using FNV-1a hash
• #1549 Set-Cookie headers not sent when errors are thrown
• #1579 HEAD to handle Promise value

Security:

• cookie injection, prototype pollution, and RCE

Bug fix:

• #1550 excess property checking
• allow cookie.sign to be string

Change:

• #1584 change customError property to unknown
• #1556 prevent sending set-cookie header when cookie value is not modified
• #1563 standard schema on websocket
• conditional parseQuery parameter
• conditional pass c.request to handler for streaming response
• fix missing contentType type on parser

1.4.16 - 13 Nov 2025

Improvement:

• ValidationError: add messageValue as an alias of errorValue
• ValidationError.detail now accept optional 2nd parameter allowUnsafeValidatorDetails
• macro: add introspect
• prevent redundant route compilation
• merge multiple macro resolve response

Bug fix:

• #1543 respect toResponse() method on Error classes
• #1537 websocket: ping/pong not being called
• #1536 export ExtractErrorFromHandle
• #1535 skip response validation for generators and streams
• #1531 typo in ElysiaTypeCustomErrorCallback: valdation to validation
• #1528 error in parsing request body validation errors with Zod
• #1527 bracket handling in exact mirror
• #1524 head request handler not working

1.4.15 - 3 Nov 2025

Bug fix:

• 1.4.14 regression with Eden Treaty, and OpenAPI type gen

1.4.14 - 3 Nov 2025

Feature:

... (truncated)

Commits

• 07b449a Merge pull request #1593 from elysiajs/next
• 4726d5d 📘 chore: 1.4.18
• 591150d 📘 chore: use JSON.stringify over custom regex
• 1144b98 📘 chore: use JSON.stringify over custom regex
• 7085776 📘 chore: add decorate stress test
• 0726fda 📘 chore: add decorate stress test
• 68516ee 📘 chore: add decorate stress test
• 428b976 Merge pull request #1564 from elysiajs/next
• 837dd7a 🎉 feat: 1.4.17
• 3af9786 🔧 fix: sanitize cookie key
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.