Back to Explore

honojs/hono

GitHub
10 updates · last 90 days1 watchersOpen source

Last release: 1 week ago

Hono is a small, fast web framework built on Web Standards, designed to run on many JavaScript runtimes including Cloudflare Workers, Deno, Bun, Vercel, and Node.js. It provides routing and middleware features, with built-in support for first-class TypeScript development. Useful if you want to write the same web app code across different platforms.

Project status

  • Actively maintained, with the upstream GitHub repo showing very recent activity (last push 2026-06-07) and multiple 4.12.x updates in May 2026 that include both feature and security-related changes.
  • Apparent update cadence is roughly weekly, based on recent version timestamps: v4.12.21 (2026-05-19), v4.12.22 (2026-05-22), v4.12.23 (2026-05-25).

AI summary generated Today

AI-generated from public sources. May be inaccurate. Report

Recent updates

  • v4.12.23

    1 week ago

    v4.12.23 includes several middleware and utility fixes plus new public exports. It adds a `contentTypeFilter` option to the `compress` middleware (with a `COMPRESSIBLE_CONTENT_TYPE_REGEX` re-export), exports the `Context` class publicly, normalizes all backslashes in file paths for static serving, and adjusts IPv6 zero-run compression behavior per RFC 5952.

    Features

  • v4.12.22

    2 weeks ago

    v4.12.22 includes middleware and utility fixes, plus test tooling updates. The release notes call out charset handling for MIME types, improved Accept-Encoding handling in the compress middleware, WebSocket subprotocol echoing for the Deno adapter, and adding msgpack to compressible content types.

    Features

  • v4.12.21

    2 weeks ago

    v4.12.21 ships security-focused changes across mount routing, IP restriction logic, cookie serialization, and JWT/JWK middleware. The release notes call out fixes for multiple GHSA advisories affecting app.mount prefix handling, ip-restriction bypasses, Set-Cookie injection, and Authorization scheme validation.

    Security

  • v4.12.20

    2 weeks ago

    v4.12.20 includes two changes described in the release notes: a routing fix to preserve the base path when mounting apps via route(), and a JSX typing improvement to widen jsx/jsxFn children to Child[]. The code diff shows the routing behavior is updated to propagate and merge mount base paths through nested route() calls, and the JSX function signatures are updated accordingly.

  • v4.12.19

    3 weeks ago

    v4.12.19 adds request body parsing via `req.bytes()`, improves bearer-auth typing for typed environments, and enhances cache behavior to key entries by configured Vary headers. It also includes multiple bug fixes (serveStatic option optionality across adapters, cookie parsing duplicate handling, and stream abort handling) and upgrades `@hono/node-server` to v2.

    Features

  • v4.12.18

    1 month ago

    v4.12.18 is a security-focused release addressing CSS injection in the JSX SSR path, cache leakage in the cache middleware, and stricter validation of JWT NumericDate (exp, nbf, iat) during verification. The code changes go beyond the narrow release-note descriptions in at least the cache middleware, where caching is skipped for a much broader set of responses.

    Security

  • v4.12.17

    1 month ago

    v4.12.17 contains a set of targeted fixes across JSX attribute normalization for SVG, SSG content-type defaults, and CORS option typing/behavior. It also updates TypeScript typing so responses produced by middleware are reflected in the return types of `app.on` overloads.

  • v4.12.16

    1 month ago

    v4.12.16 ships security-related fixes. It adds validation for JSX programmatic tag names (via `jsx()` and `createElement()`) and fixes a Body Limit middleware bypass for chunked or unknown-length requests.

    Security

  • v4.12.15

    1 month ago

    v4.12.15 includes a JWT-related fix to correctly parse PEM keys when the PEM is provided as a single-line string. The change updates PEM header/footer stripping logic in the JWT JWS utilities and adds a corresponding test to ensure sign and verify work with single-line private keys.

  • v4.12.14

    1 month ago

    v4.12.14 ships security fixes for invalid JSX attribute keys to prevent XSS style injection in SSR, and for the AWS Lambda adapter to handle invalid HTTP header names. The code changes expand attribute-key validation beyond SSR into the JSX runtime and DOM rendering paths, and add broader error trapping in the Lambda handler.

    Security