
Hono

DEVOPS
Velocity 5.0

Ultrafast web framework for the edge

Hono is in a sustained security-hardening cycle, patching middleware and serverless adapters

security-hardening, serverless-adapters, middleware, jwt, cors, multi-runtime
Current state
Hono, a lightweight multi-runtime web framework, is in the middle of an extended security-hardening run. Across May and June 2026, a string of releases patched serious issues — cross-request context leakage in JSX SSR, CORS credential reflection, path traversal in serve-static, JWT validation gaps, and repeated header-handling bugs in the AWS Lambda adapters. Between the security drops, development is routine: small API additions like a public Context class and request.bytes(), plus maintenance.
Where it's heading
The volume and clustering of GHSA advisories point to a concerted audit of Hono's middleware and serverless adapters rather than isolated bugs. The recurring theme is edge and serverless correctness — header de-duplication, Content-Length trust, cookie handling on ALB and Lambda — where Hono's multi-runtime reach creates the most surface area. Expect patch-level hardening to continue until the advisory backlog clears.
Prediction
Near-term releases will likely keep shipping security patches and adapter fixes at a fast cadence, with feature work staying incremental. The AWS Lambda and Lambda@Edge adapters are the most probable source of the next advisory given how often they appear in this window.

Recent moves

  1. Hono v4.12.27 (3d ago): cross-request JSX context leak and cx() XSS fixes

    Another security release in the ongoing hardening run — most notably a per-request context isolation fix in JSX SSR that had let one request read another's context after an await, plus an SSR XSS via cx() and a Lambda header-dropping bug. Fits the pattern of middleware and serverless correctness fixes dominating recent releases.
  2. Hono v4.12.26 (8d ago): lambda-edge type fix and CI/build cleanups

    Maintenance release: a lambda-edge type fix plus CI and build housekeeping (OIDC trusted publishing, dependency cleanups). No user-facing behavior change.
  3. Hono v4.12.25 (17d ago): CORS credential leak and serve-static traversal fixes

    A heavy security release: CORS reflecting any origin with credentials under the wildcard default, a body-limit bypass on Lambda, Windows path traversal in serve-static, and Set-Cookie merging on ALB and Lattice. The serverless-adapter and middleware focus continues.
  4. Hono v4.12.24 (18d ago): IPv6 utils fixes, docs and test cleanups

    Routine fixes and docs: IPv6 address-utility corrections, a clearer bearer-auth error message, and test cleanups. Maintenance between the security drops.
  5. Hono v4.12.23 (1mo ago): public Context class and compress content-type filter

    Mixes hardening with real API surface: serve-static now normalizes all backslashes, and the Context class is exported publicly alongside a new compress contentTypeFilter option. The kind of small, useful additions that land between security releases.
  6. Hono v4.12.22 (1mo ago): MIME charset, compress, and Deno WebSocket fixes

    Incremental behavior fixes — per-MIME charset handling, compress respecting Accept-Encoding, Deno WebSocket subprotocol echo — plus msgpack added as a compressible type. Steady maintenance with several first-time contributors.
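The credentialed CORS reflection described in the v4.12.25 entry is worth re-checking against a running deployment after upgrading. The following is an added example, not Hono's own code: it audits one response's CORS headers for an origin echoed back that is outside the intended allowlist, and for a per-origin grant served without Vary: Origin. The header values, origins and allowlist are constructed samples.

```javascript
// Added example (not Hono's code): audit one CORS response for the
// credentialed-origin reflection class that the v4.12.25 release patched.
// `headers` is a plain object of response header names to values;
// `allowlist` is a Set of the origins the deployment intends to trust.
function auditCors(requestOrigin, headers, allowlist) {
  const header = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? null : String(headers[key]);
  };
  const acao = header("access-control-allow-origin");
  const credentials =
    (header("access-control-allow-credentials") || "").toLowerCase() === "true";
  const vary = (header("vary") || "").split(",").map((v) => v.trim().toLowerCase());
  const findings = [];

  if (acao === null) return { grant: "none", findings }; // no CORS grant at all
  if (acao === "*") {
    // Browsers refuse "*" for credentialed requests, but the pair still
    // reveals a configuration that meant to combine a wildcard with credentials.
    if (credentials) findings.push("wildcard-with-credentials");
    return { grant: "wildcard", findings };
  }
  if (acao === requestOrigin) {
    if (!allowlist.has(requestOrigin)) {
      // The caller's origin was echoed back although it is not allowlisted;
      // with credentials this exposes authenticated responses cross-origin.
      findings.push(credentials ? "credentialed-reflection" : "origin-reflection");
    }
    // A per-origin grant without Vary: Origin can be cached by an intermediary
    // and served to a different origin later.
    if (!vary.includes("origin")) findings.push("missing-vary-origin");
    return { grant: "echo", findings };
  }
  return { grant: "other", findings }; // grant for some origin other than the caller
}

// Constructed sample responses and allowlist (not captured from a real deployment).
const trusted = new Set(["https://app.example"]);
const reflectingResponse = {
  "Access-Control-Allow-Origin": "https://untrusted.example",
  "Access-Control-Allow-Credentials": "true",
};
const allowlistedResponse = {
  "Access-Control-Allow-Origin": "https://app.example",
  "Access-Control-Allow-Credentials": "true",
  Vary: "Origin",
};

function demo() {
  return {
    reflecting: auditCors("https://untrusted.example", reflectingResponse, trusted),
    allowlisted: auditCors("https://app.example", allowlistedResponse, trusted),
  };
}
```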