Skip to content

hono — releases

Latest 20 GitHub releases for honojs/hono. Auto-mirrored by playbooks/local/autodocgen.yml.

[!info] Pinned in BreeZ-CF: 4.x · upstream latest: v4.12.16.

v4.12.16 · v4.12.16

2026-04-30 · by @yusukebe

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15 · v4.12.15

2026-04-24 · by @yusukebe

What's Changed

  • fix(jwt): support single-line PEM keys by @hiendv in https://github.com/honojs/hono/pull/4889

New Contributors

  • @hiendv made their first contribution in https://github.com/honojs/hono/pull/4889

Full Changelog: https://github.com/honojs/hono/compare/v4.12.14...v4.12.15

v4.12.14 · v4.12.14

2026-04-15 · by @yusukebe

Security fixes

This release includes fixes for the following security issues:

Improper handling of JSX attribute names in hono/jsx SSR

Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375

Other changes

  • fix(aws-lambda): handle invalid header names in request processing (#4883) fa2c74fe

v4.12.13 · v4.12.13

2026-04-15 · by @yusukebe

What's Changed

  • fix(types): infer response type from last handler in app.on 9-/10-handler overloads by @T4ko0522 in https://github.com/honojs/hono/pull/4865
  • feat(trailing-slash): add skip option by @yusukebe in https://github.com/honojs/hono/pull/4862
  • feat(cache): add onCacheNotAvailable option by @yusukebe in https://github.com/honojs/hono/pull/4876

New Contributors

  • @T4ko0522 made their first contribution in https://github.com/honojs/hono/pull/4865

Full Changelog: https://github.com/honojs/hono/compare/v4.12.12...v4.12.13

v4.12.12 · v4.12.12

2026-04-07 · by @yusukebe

Security fixes

This release includes fixes for the following security issues:

Middleware bypass via repeated slashes in serveStatic

Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c

Path traversal in toSSG() allows writing files outside the output directory

Affects: toSSG() for Static Site Generation. Fixes a path traversal issue where crafted ssgParams values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx

Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g

Affects: setCookie(), serialize(), and serializeSigned() from hono/cookie. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm

Affects: getCookie() from hono/cookie. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4

Users who use Serve Static, Static Site Generation, Cookie utilities, or IP restriction middleware are strongly encouraged to upgrade to this version.

v4.12.11 · v4.12.11

2026-04-06 · by @yusukebe

What's Changed

  • feat(css): add classNameSlug option to createCssContext by @flow-pie in https://github.com/honojs/hono/pull/4834

New Contributors

  • @flow-pie made their first contribution in https://github.com/honojs/hono/pull/4834

Full Changelog: https://github.com/honojs/hono/compare/v4.12.10...v4.12.11

v4.12.10 · v4.12.10

2026-04-02 · by @yusukebe

What's Changed

  • test(router): fix Simple capturing group test by @yusukebe in https://github.com/honojs/hono/pull/4838
  • docs: fix impaired -> inspired typo in benchmark READMEs by @Abhi3975 in https://github.com/honojs/hono/pull/4843
  • fix(jsx/dom): apply select value after children are rendered by @usualoma in https://github.com/honojs/hono/pull/4847
  • fix(compress): convert strong ETag to weak ETag when compressing by @usualoma in https://github.com/honojs/hono/pull/4848
  • docs(ip-restriction): add clear JSDoc examples and param types by @VISHNU7KASIREDDY in https://github.com/honojs/hono/pull/4851

New Contributors

  • @Abhi3975 made their first contribution in https://github.com/honojs/hono/pull/4843
  • @VISHNU7KASIREDDY made their first contribution in https://github.com/honojs/hono/pull/4851

Full Changelog: https://github.com/honojs/hono/compare/v4.12.9...v4.12.10

v4.12.9 · v4.12.9

2026-03-23 · by @yusukebe

What's Changed

  • fix(request): remove parseBody from bodyCache to prevent TypeError by @yusukebe in https://github.com/honojs/hono/pull/4807
  • feat(client): add PickResponseByStatusCode type by @yusukebe in https://github.com/honojs/hono/pull/4791
  • fix(ssg): pass SSG_CONTEXT to forGetInfoURLRequest by @yuintei in https://github.com/honojs/hono/pull/4810
  • fix(service-worker): make fire() fallback behavior consistent with handle() by @yusukebe in https://github.com/honojs/hono/pull/4821
  • fix(cors): reflect request origin when credentials is true with wildcard by @ctonneslan in https://github.com/honojs/hono/pull/4813

New Contributors

  • @yuintei made their first contribution in https://github.com/honojs/hono/pull/4810
  • @ctonneslan made their first contribution in https://github.com/honojs/hono/pull/4813

Full Changelog: https://github.com/honojs/hono/compare/v4.12.8...v4.12.9

v4.12.8 · v4.12.8

2026-03-14 · by @yusukebe

What's Changed

  • fix(utils/mime): Normalize input extension to lowercase before MIME check by @TheEssem in https://github.com/honojs/hono/pull/4800
  • fix(bearer-auth): escape regex metacharacters in bearer auth prefix option by @otoneko1102 in https://github.com/honojs/hono/pull/4750

New Contributors

  • @TheEssem made their first contribution in https://github.com/honojs/hono/pull/4800

Full Changelog: https://github.com/honojs/hono/compare/v4.12.7...v4.12.8

v4.12.7 · v4.12.7

2026-03-10 · by @yusukebe

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

Full Changelog: https://github.com/honojs/hono/compare/v4.12.6...v4.12.7

v4.12.6 · v4.12.6

2026-03-10 · by @yusukebe

What's Changed

  • fix(accept): replace regex split to mitigate ReDoS by @EdamAme-x in https://github.com/honojs/hono/pull/4758
  • fix(jsx): align link hoisting and dedupe with React 19 by @usualoma in https://github.com/honojs/hono/pull/4792
  • chore(builld): tsconfig project references by @BarryThePenguin in https://github.com/honojs/hono/pull/4797
  • chore: add tsconfig.spec.json by @yusukebe in https://github.com/honojs/hono/pull/4798
  • feat(jsx-renderer): support function-based options by @3w36zj6 in https://github.com/honojs/hono/pull/4780
  • fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by @t0waxx in https://github.com/honojs/hono/pull/4782

New Contributors

  • @t0waxx made their first contribution in https://github.com/honojs/hono/pull/4782

Full Changelog: https://github.com/honojs/hono/compare/v4.12.5...v4.12.6

v4.12.5 · v4.12.5

2026-03-04 · by @yusukebe

What's Changed

  • fix(request): return string | undefined from param() when path type is any by @andrewdamelio in https://github.com/honojs/hono/pull/4723
  • fix(jwt): validate token format in decode and decodeHeader functions by @otoneko1102 in https://github.com/honojs/hono/pull/4752
  • fix(jsx): Fix "Invalid state: Controller is already closed" by @gaearon in https://github.com/honojs/hono/pull/4770
  • chore(eslint): upgrade @hono/eslint-config by @BarryThePenguin in https://github.com/honojs/hono/pull/4781

New Contributors

  • @andrewdamelio made their first contribution in https://github.com/honojs/hono/pull/4723
  • @otoneko1102 made their first contribution in https://github.com/honojs/hono/pull/4752
  • @gaearon made their first contribution in https://github.com/honojs/hono/pull/4770

Full Changelog: https://github.com/honojs/hono/compare/v4.12.4...v4.12.5

v4.12.4 · v4.12.4

2026-03-03 · by @yusukebe

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. https://github.com/honojs/hono/security/advisories/GHSA-p6xx-57qc-3wxr

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. https://github.com/honojs/hono/security/advisories/GHSA-5pq2-9x2x-5p6w

Middleware Bypass in Serve Static

Affects: Serve Static middleware. Fixes inconsistent URL decoding that could allow protected static resources to be accessed without triggering route-based middleware. https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr

Users who uses Strreaming Helper, Cookie utility, and Serve Static are strongly encouraged to upgrade to this version.

Other changes

  • fix(client): preserve route schema in ApplyGlobalResponse by @agumy in https://github.com/honojs/hono/pull/4777
  • fix(utils/url): specify the return type of tryDecodeURI by @yusukebe in https://github.com/honojs/hono/pull/4779

New Contributors

  • @agumy made their first contribution in https://github.com/honojs/hono/pull/4777

Full Changelog: https://github.com/honojs/hono/compare/v4.12.3...v4.12.4

v4.12.3 · v4.12.3

2026-02-26 · by @yusukebe

What's Changed

  • fix(validator): prevent type diff bug in form data parsing by @EdamAme-x in https://github.com/honojs/hono/pull/4753
  • fix(jwt): use Math.floor instead of bitwise OR for safe timestamp by @EdamAme-x in https://github.com/honojs/hono/pull/4754
  • fix(jwt): fix JwtVariables for ContextVariableMap by @yusukebe in https://github.com/honojs/hono/pull/4764
  • fix(types): remove DOM type dependencies from ClientResponse and request method by @YevheniiKotyrlo in https://github.com/honojs/hono/pull/4768
  • fix(types): correct middleware types by @hmnd in https://github.com/honojs/hono/pull/4774
  • fix(jwt): prevent memory leak by avoiding mutation of options object by @EdamAme-x in https://github.com/honojs/hono/pull/4759

New Contributors

  • @YevheniiKotyrlo made their first contribution in https://github.com/honojs/hono/pull/4768
  • @hmnd made their first contribution in https://github.com/honojs/hono/pull/4774

Full Changelog: https://github.com/honojs/hono/compare/v4.12.2...v4.12.3

v4.12.2 · v4.12.2

2026-02-23 · by @yusukebe

Security fix

Fixed incorrect handling of X-Forwarded-For in the AWS Lambda adapter behind ALB that could allow IP-based access control bypass. The detail: https://github.com/honojs/hono/security/advisories/GHSA-xh87-mx6m-69f3

Thanks @EdamAme-x

What's Changed

  • fix(context): revert PR #4707 by @yusukebe in https://github.com/honojs/hono/pull/4757

Full Changelog: https://github.com/honojs/hono/compare/v4.12.1...v4.12.2

v4.12.1 · v4.12.1

2026-02-21 · by @yusukebe

What's Changed

  • fix(client): export ApplyGlobalResponse from hono/client by @sushichan044 in https://github.com/honojs/hono/pull/4743

Full Changelog: https://github.com/honojs/hono/compare/v4.12.0...v4.12.1

v4.12.0 · v4.12.0

2026-02-19 · by @yusukebe

Release Notes

Hono v4.12.0 is now available!

This release includes new features for the Hono client, middleware improvements, adapter enhancements, and significant performance improvements to the router and context.

$path for Hono Client

The Hono client now has a $path() method that returns the path string instead of a full URL. This is useful when you need just the path portion for routing or key-based operations:

const client = hc<typeof app>('http://localhost:8787')

// Get the path string
const path = client.api.posts.$path()
// => '/api/posts'

// With path parameters
const postPath = client.api.posts[':id'].$path({
  param: { id: '123' },
})
// => '/api/posts/123'

// With query parameters
const searchPath = client.api.posts.$path({
  query: { filter: 'test' },
})
// => '/api/posts?filter=test'

Unlike $url() which returns a URL object, $path() returns a plain path string, making it convenient for use with routers or as cache keys.

Thanks @ShaMan123!

ApplyGlobalResponse Type Helper for RPC Client

The new ApplyGlobalResponse type helper allows you to add global error response types to all routes in the RPC client. This is useful for typing common error responses from app.onError() or global middlewares:

const app = new Hono()
  .get('/api/users', (c) => c.json({ users: ['alice', 'bob'] }, 200))
  .onError((err, c) => c.json({ error: err.message }, 500))

type AppWithErrors = ApplyGlobalResponse<
  typeof app,
  {
    401: { json: { error: string; message: string } }
    500: { json: { error: string; message: string } }
  }
>

const client = hc<AppWithErrors>('http://api.example.com')
// Now client knows about both success and error responses
const res = await client.api.users.$get()
// InferResponseType includes { users: string[] } | { error: string; message: string }

Thanks @mohankumarelec!

SSG Redirect Plugin

A new redirectPlugin for SSG generates static HTML redirect pages for HTTP redirect responses (301, 302, 303, 307, 308):

import { toSSG } from 'hono/ssg'
import { defaultPlugin, redirectPlugin } from 'hono/ssg'

const app = new Hono()
app.get('/old', (c) => c.redirect('/new'))
app.get('/new', (c) => c.html('New Page'))

// redirectPlugin must be placed before defaultPlugin
await toSSG(app, fs, {
  plugins: [redirectPlugin(), defaultPlugin()],
})

The generated redirect pages include a <meta http-equiv="refresh"> tag, a canonical link, and a robots noindex meta tag.

Thanks @3w36zj6!

onAuthSuccess Callback for Basic Auth

The Basic Auth middleware now supports an onAuthSuccess callback that is invoked after successful authentication. This allows you to set context variables or perform logging without re-parsing the Authorization header:

app.use(
  '/auth/*',
  basicAuth({
    username: 'hono',
    password: 'ahotproject',
    onAuthSuccess: (c, username) => {
      c.set('user', { name: username, role: 'admin' })
      console.log(`User ${username} authenticated`)
    },
  })
)

The callback also works with async functions and the verifyUser mode.

Thanks @AprilNEA!

getConnInfo for AWS Lambda, Cloudflare Pages, and Netlify

getConnInfo() is now available for three additional adapters:

// AWS Lambda (supports API Gateway v1, v2, and ALB)
import { handle, getConnInfo } from 'hono/aws-lambda'

// Cloudflare Pages
import { handle, getConnInfo } from 'hono/cloudflare-pages'

// Netlify
import { handle, getConnInfo } from 'hono/netlify'

app.get('/', (c) => {
  const info = getConnInfo(c)
  return c.text(`Your IP: ${info.remote.address}`)
})

Thanks @rokasta12!

alwaysRedirect Option for Trailing Slash Middleware

The trailing slash middleware now supports an alwaysRedirect option. When enabled, the middleware redirects before executing handlers, which fixes the issue where trailing slash handling doesn't work with wildcard routes:

app.use(trimTrailingSlash({ alwaysRedirect: true }))

app.get('/my-path/*', async (c) => {
  return c.text('wildcard')
})

// /my-path/something/ will be redirected to /my-path/something
// before the wildcard handler is executed

Progressive Locale Code Truncation

The normalizeLanguage function in the language middleware now supports RFC 4647 Lookup-based progressive truncation. Locale codes like ja-JP will match ja when only the base language is in supportedLanguages:

app.use(
  '/*',
  languageDetector({
    supportedLanguages: ['en', 'ja'],
    fallbackLanguage: 'en',
    order: ['cookie', 'header'],
  })
)

// Accept-Language: ja-JP → matches 'ja'
// Accept-Language: ko-KR → falls back to 'en'

Thanks @sorafujitani!

exports Field for ExecutionContext

The ExecutionContext type now includes an exports property for Cloudflare Workers. You can use module augmentation to type it with Wrangler's generated types:

import 'hono'

declare module 'hono' {
  interface ExecutionContext {
    readonly exports: Cloudflare.Exports
  }
}

Thanks @toreis-up!

Performance Improvements

TrieRouter 1.5x ~ 2.0x Faster

The TrieRouter has been significantly optimized with reduced spread syntax usage, O(1) hasChildren checks, lazy regular expression generation, and removal of redundant processes:

Route Node.js Deno Bun
short static GET /user 1.70x 1.40x 1.34x
dynamic GET /user/lookup/username/hey 1.38x 1.69x 1.51x
wildcard GET /static/index.html 1.51x 1.72x 1.43x
all together 1.58x 1.60x 1.82x

Thanks @EdamAme-x!

Fast Path for c.json()

c.json() now has the same fast path optimization as c.text(). When no custom status, headers, or finalized state exists, the Response is created directly without allocating a Headers object:

// This common pattern is now faster
return c.json({ message: 'Hello' })

Benchmark results:

Metric Before After Change
Reqs/sec 92,268 95,244 +3.2%
Latency 5.42ms 5.25ms -3.1%
Throughput 17.24MB/s 19.07MB/s +10.6%

Thanks @mgcrea!

New features

  • feat(client): Add ApplyGlobalResponse type helper for RPC Client https://github.com/honojs/hono/pull/4556
  • feat(ssg): add redirect plugin https://github.com/honojs/hono/pull/4599
  • feat(client): $path https://github.com/honojs/hono/pull/4636
  • feat(basic-auth): add context key and callback options https://github.com/honojs/hono/pull/4645
  • feat(adapter): add getConnInfo for AWS Lambda, Cloudflare Pages, and Netlify https://github.com/honojs/hono/pull/4649
  • feat(trailing-slash): add alwaysRedirect option to support wildcard routes https://github.com/honojs/hono/pull/4658
  • feat(language): add progressive locale code truncation to normalizeLanguage https://github.com/honojs/hono/pull/4717
  • feat(types): Add exports field to ExecutionContext https://github.com/honojs/hono/pull/4719

Performance

  • perf(context): add fast path to c.json() matching c.text() optimization https://github.com/honojs/hono/pull/4707
  • perf(trie-router): improve performance (1.5x ~ 2.0x) https://github.com/honojs/hono/pull/4724
  • perf(context): use createResponseInstance for new Response https://github.com/honojs/hono/pull/4733

All changes

  • fix(jsx/dom): handle empty arrays in render children loop by @mixelburg in https://github.com/honojs/hono/pull/4729
  • perf(jsx/dom): flatten children once at the start to avoid repeated flattening by @usualoma in https://github.com/honojs/hono/pull/4730
  • fix(client): skip undefined values in form data serialization by @aidenlx in https://github.com/honojs/hono/pull/4732
  • feat(client): Add ApplyGlobalResponse type helper for RPC Client by @mohankumarelec in https://github.com/honojs/hono/pull/4556
  • feat(ssg): add redirect plugin by @3w36zj6 in https://github.com/honojs/hono/pull/4599
  • feat(client): $path by @ShaMan123 in https://github.com/honojs/hono/pull/4636
  • feat(basic-auth): add context key and callback options by @AprilNEA in https://github.com/honojs/hono/pull/4645
  • feat(adapter): add getConnInfo for AWS Lambda, Cloudflare Pages, and Netlify by @rokasta12 in https://github.com/honojs/hono/pull/4649
  • feat(trailing-slash): add alwaysRedirect option to support wildcard routes by @yusukebe in https://github.com/honojs/hono/pull/4658
  • perf(context): add fast path to c.json() matching c.text() optimization by @mgcrea in https://github.com/honojs/hono/pull/4707
  • feat(language): add progressive locale code truncation to normalizeLanguage by @sorafujitani in https://github.com/honojs/hono/pull/4717
  • feat(types): Add exports field to ExecutionContext by @toreis-up in https://github.com/honojs/hono/pull/4719
  • perf(trie-router): improve performance (1.5x ~ 2.0x) by @EdamAme-x in https://github.com/honojs/hono/pull/4724
  • perf(context): use createResponseInstance for new Response by @yusukebe in https://github.com/honojs/hono/pull/4733
  • Next by @yusukebe in https://github.com/honojs/hono/pull/4735

New Contributors

  • @mixelburg made their first contribution in https://github.com/honojs/hono/pull/4729
  • @aidenlx made their first contribution in https://github.com/honojs/hono/pull/4732
  • @mohankumarelec made their first contribution in https://github.com/honojs/hono/pull/4556
  • @ShaMan123 made their first contribution in https://github.com/honojs/hono/pull/4636
  • @rokasta12 made their first contribution in https://github.com/honojs/hono/pull/4649
  • @mgcrea made their first contribution in https://github.com/honojs/hono/pull/4707

Full Changelog: https://github.com/honojs/hono/compare/v4.11.10...v4.12.0

v4.11.10 · v4.11.10

2026-02-18 · by @yusukebe

What's Changed

  • fix: fixed to be more properly timing safe (Merge commit from fork 91def7ca)

Full Changelog: https://github.com/honojs/hono/compare/v4.11.9...v4.11.10

v4.11.9 · v4.11.9

2026-02-08 · by @yusukebe

What's Changed

  • fix(url): ignore fragment identifiers in getPath() by @sano-suguru in https://github.com/honojs/hono/pull/4627
  • fix: determine if rendered or not by node.vC[0] instead of referring to node.pP by @usualoma in https://github.com/honojs/hono/pull/4663

Full Changelog: https://github.com/honojs/hono/compare/v4.11.8...v4.11.9

v4.11.8 · v4.11.8

2026-02-06 · by @yusukebe

What's Changed

  • fix(jsx): preserve context when using await before html helper by @kaigritun in https://github.com/honojs/hono/pull/4662
  • fix(bearer-auth): make auth-scheme case-insensitive by @bytaesu in https://github.com/honojs/hono/pull/4659

New Contributors

  • @kaigritun made their first contribution in https://github.com/honojs/hono/pull/4662

Full Changelog: https://github.com/honojs/hono/compare/v4.11.7...v4.11.8