Hono is a small, fast web framework built on Web Standards, designed to run on many JavaScript runtimes including Cloudflare Workers, Deno, Bun, Vercel, and Node.js. It provides routing and middleware features, with built-in support for first-class TypeScript development. Useful if you want to write the same web app code across different platforms.
Project status
- Actively maintained: The repo has very recent activity (upstream push on 2026-07-07) and frequent tagged updates in July 2026 (v4.12.28 on 2026-07-06, v4.12.27 on 2026-06-23, v4.12.26 on 2026-06-18), indicating ongoing development rather than maintenance mode.
- Update cadence: Updates appear to land roughly every 5 to 20 days across late May through early July 2026, with multiple security-focused and compatibility-related changes clustered in that period.
AI summary generated
Recent updates
v4.12.29
v4.12.29 is a bug-fix focused release touching the client request header handling, Lambda and Lambda@Edge adapters, etag middleware, and router edge cases. The release notes describe fixes for base64 encoding decisions, content-encoding binary detection, and ETag wildcard behavior, plus related test/type updates.
v4.12.28
v4.12.28 focuses on a set of bug fixes around request parsing and adapter behavior. Notable changes include serve-static handling empty string content correctly, case-insensitive Content-Type matching for body parsing and validation, and more accurate AWS Lambda V1 vs V2 event detection.
v4.12.27
v4.12.27 ships security-focused fixes addressing cross-request context leakage in hono/jsx during SSR, an SSR XSS issue involving hono/css cx() escaping, and a header de-duplication bug in the hono/aws-lambda API Gateway v1 / VPC Lattice adapters. The code diff shows substantial internal refactoring around JSX context isolation, plus additional hardening in CSS class selector handling.
Securityv4.12.26
v4.12.26 focuses on internal build and release pipeline changes. It updates the Lambda Edge adapter for Deno type compatibility, refactors the build script to use Bun-native APIs instead of arg and glob, and adjusts CI so npm publication is performed from GitHub Actions using OIDC trusted publishing. It also removes unused devcontainer and Gitpod configurations.
v4.12.25
v4.12.25 is a security-focused release, primarily hardening CORS behavior, request body size enforcement on AWS Lambda adapters, Windows static file path handling, and HTTP header and Set-Cookie handling in serverless adapters. The release notes describe fixes across hono/cors, hono/body-limit, serve-static, hono/aws-lambda, and hono/lambda-edge.
BreakingSecurityv4.12.24
v4.12.24 focuses on middleware-related fixes (Bearer Auth option validation message, IPv6 unspecified address handling), plus several test improvements around language detection and the timing middleware. It also includes package/config hygiene work, including removing an unused dev dependency and updating TypeScript/types packaging mappings.
Breakingv4.12.23
v4.12.23 includes several middleware and utility fixes plus new public exports. It adds a `contentTypeFilter` option to the `compress` middleware (with a `COMPRESSIBLE_CONTENT_TYPE_REGEX` re-export), exports the `Context` class publicly, normalizes all backslashes in file paths for static serving, and adjusts IPv6 zero-run compression behavior per RFC 5952.
Featuresv4.12.22
v4.12.22 includes middleware and utility fixes, plus test tooling updates. The release notes call out charset handling for MIME types, improved Accept-Encoding handling in the compress middleware, WebSocket subprotocol echoing for the Deno adapter, and adding msgpack to compressible content types.
Featuresv4.12.21
v4.12.21 ships security-focused changes across mount routing, IP restriction logic, cookie serialization, and JWT/JWK middleware. The release notes call out fixes for multiple GHSA advisories affecting app.mount prefix handling, ip-restriction bypasses, Set-Cookie injection, and Authorization scheme validation.
Securityv4.12.20
v4.12.20 includes two changes described in the release notes: a routing fix to preserve the base path when mounting apps via route(), and a JSX typing improvement to widen jsx/jsxFn children to Child[]. The code diff shows the routing behavior is updated to propagate and merge mount base paths through nested route() calls, and the JSX function signatures are updated accordingly.
v4.12.19
v4.12.19 adds request body parsing via `req.bytes()`, improves bearer-auth typing for typed environments, and enhances cache behavior to key entries by configured Vary headers. It also includes multiple bug fixes (serveStatic option optionality across adapters, cookie parsing duplicate handling, and stream abort handling) and upgrades `@hono/node-server` to v2.
Featuresv4.12.18
v4.12.18 is a security-focused release addressing CSS injection in the JSX SSR path, cache leakage in the cache middleware, and stricter validation of JWT NumericDate (exp, nbf, iat) during verification. The code changes go beyond the narrow release-note descriptions in at least the cache middleware, where caching is skipped for a much broader set of responses.
Securityv4.12.17
v4.12.17 contains a set of targeted fixes across JSX attribute normalization for SVG, SSG content-type defaults, and CORS option typing/behavior. It also updates TypeScript typing so responses produced by middleware are reflected in the return types of `app.on` overloads.
v4.12.16
v4.12.16 ships security-related fixes. It adds validation for JSX programmatic tag names (via `jsx()` and `createElement()`) and fixes a Body Limit middleware bypass for chunked or unknown-length requests.
Securityv4.12.15
v4.12.15 includes a JWT-related fix to correctly parse PEM keys when the PEM is provided as a single-line string. The change updates PEM header/footer stripping logic in the JWT JWS utilities and adds a corresponding test to ensure sign and verify work with single-line private keys.
v4.12.14
v4.12.14 ships security fixes for invalid JSX attribute keys to prevent XSS style injection in SSR, and for the AWS Lambda adapter to handle invalid HTTP header names. The code changes expand attribute-key validation beyond SSR into the JSX runtime and DOM rendering paths, and add broader error trapping in the Lambda handler.
Security