honojs/hono
 Watch   
 Star   
 Fork   
简介统计版本
19 hours ago
hono
honojs

v4.12.3

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.12.2...v4.12.3

4 days ago
hono
honojs

v4.12.2

Security fix

Fixed incorrect handling of X-Forwarded-For in the AWS Lambda adapter behind ALB that could allow IP-based access control bypass. The detail: https://github.com/honojs/hono/security/advisories/GHSA-xh87-mx6m-69f3

Thanks @EdamAme-x

What's Changed

Full Changelog: https://github.com/honojs/hono/compare/v4.12.1...v4.12.2

5 days ago
hono
honojs

v4.12.1

What's Changed

Full Changelog: https://github.com/honojs/hono/compare/v4.12.0...v4.12.1

7 days ago
hono
honojs

v4.12.0

Release Notes

Hono v4.12.0 is now available!

This release includes new features for the Hono client, middleware improvements, adapter enhancements, and significant performance improvements to the router and context.

$path for Hono Client

The Hono client now has a $path() method that returns the path string instead of a full URL. This is useful when you need just the path portion for routing or key-based operations:

const client = hc<typeof app>('http://localhost:8787')

// Get the path string
const path = client.api.posts.$path()
// => '/api/posts'

// With path parameters
const postPath = client.api.posts[':id'].$path({
  param: { id: '123' },
})
// => '/api/posts/123'

// With query parameters
const searchPath = client.api.posts.$path({
  query: { filter: 'test' },
})
// => '/api/posts?filter=test'

Unlike $url() which returns a URL object, $path() returns a plain path string, making it convenient for use with routers or as cache keys.

Thanks @ShaMan123!

ApplyGlobalResponse Type Helper for RPC Client

The new ApplyGlobalResponse type helper allows you to add global error response types to all routes in the RPC client. This is useful for typing common error responses from app.onError() or global middlewares:

const app = new Hono()
  .get('/api/users', (c) => c.json({ users: ['alice', 'bob'] }, 200))
  .onError((err, c) => c.json({ error: err.message }, 500))

type AppWithErrors = ApplyGlobalResponse<
  typeof app,
  {
    401: { json: { error: string; message: string } }
    500: { json: { error: string; message: string } }
  }
>

const client = hc<AppWithErrors>('http://api.example.com')
// Now client knows about both success and error responses
const res = await client.api.users.$get()
// InferResponseType includes { users: string[] } | { error: string; message: string }

Thanks @mohankumarelec!

SSG Redirect Plugin

A new redirectPlugin for SSG generates static HTML redirect pages for HTTP redirect responses (301, 302, 303, 307, 308):

import { toSSG } from 'hono/ssg'
import { defaultPlugin, redirectPlugin } from 'hono/ssg'

const app = new Hono()
app.get('/old', (c) => c.redirect('/new'))
app.get('/new', (c) => c.html('New Page'))

// redirectPlugin must be placed before defaultPlugin
await toSSG(app, fs, {
  plugins: [redirectPlugin(), defaultPlugin()],
})

The generated redirect pages include a <meta http-equiv="refresh"> tag, a canonical link, and a robots noindex meta tag.

Thanks @3w36zj6!

onAuthSuccess Callback for Basic Auth

The Basic Auth middleware now supports an onAuthSuccess callback that is invoked after successful authentication. This allows you to set context variables or perform logging without re-parsing the Authorization header:

app.use(
  '/auth/*',
  basicAuth({
    username: 'hono',
    password: 'ahotproject',
    onAuthSuccess: (c, username) => {
      c.set('user', { name: username, role: 'admin' })
      console.log(`User ${username} authenticated`)
    },
  })
)

The callback also works with async functions and the verifyUser mode.

Thanks @AprilNEA!

getConnInfo for AWS Lambda, Cloudflare Pages, and Netlify

getConnInfo() is now available for three additional adapters:

// AWS Lambda (supports API Gateway v1, v2, and ALB)
import { handle, getConnInfo } from 'hono/aws-lambda'

// Cloudflare Pages
import { handle, getConnInfo } from 'hono/cloudflare-pages'

// Netlify
import { handle, getConnInfo } from 'hono/netlify'

app.get('/', (c) => {
  const info = getConnInfo(c)
  return c.text(`Your IP: ${info.remote.address}`)
})

Thanks @rokasta12!

alwaysRedirect Option for Trailing Slash Middleware

The trailing slash middleware now supports an alwaysRedirect option. When enabled, the middleware redirects before executing handlers, which fixes the issue where trailing slash handling doesn't work with wildcard routes:

app.use(trimTrailingSlash({ alwaysRedirect: true }))

app.get('/my-path/*', async (c) => {
  return c.text('wildcard')
})

// /my-path/something/ will be redirected to /my-path/something
// before the wildcard handler is executed

Progressive Locale Code Truncation

The normalizeLanguage function in the language middleware now supports RFC 4647 Lookup-based progressive truncation. Locale codes like ja-JP will match ja when only the base language is in supportedLanguages:

app.use(
  '/*',
  languageDetector({
    supportedLanguages: ['en', 'ja'],
    fallbackLanguage: 'en',
    order: ['cookie', 'header'],
  })
)

// Accept-Language: ja-JP → matches 'ja'
// Accept-Language: ko-KR → falls back to 'en'

Thanks @sorafujitani!

exports Field for ExecutionContext

The ExecutionContext type now includes an exports property for Cloudflare Workers. You can use module augmentation to type it with Wrangler's generated types:

import 'hono'

declare module 'hono' {
  interface ExecutionContext {
    readonly exports: Cloudflare.Exports
  }
}

Thanks @toreis-up!

Performance Improvements

TrieRouter 1.5x ~ 2.0x Faster

The TrieRouter has been significantly optimized with reduced spread syntax usage, O(1) hasChildren checks, lazy regular expression generation, and removal of redundant processes:

Route Node.js Deno Bun
short static GET /user 1.70x 1.40x 1.34x
dynamic GET /user/lookup/username/hey 1.38x 1.69x 1.51x
wildcard GET /static/index.html 1.51x 1.72x 1.43x
all together 1.58x 1.60x 1.82x

Thanks @EdamAme-x!

Fast Path for c.json()

c.json() now has the same fast path optimization as c.text(). When no custom status, headers, or finalized state exists, the Response is created directly without allocating a Headers object:

// This common pattern is now faster
return c.json({ message: 'Hello' })

Benchmark results:

Metric Before After Change
Reqs/sec 92,268 95,244 +3.2%
Latency 5.42ms 5.25ms -3.1%
Throughput 17.24MB/s 19.07MB/s +10.6%

Thanks @mgcrea!

New features

Performance

All changes

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.11.10...v4.12.0

8 days ago
hono
honojs

v4.11.10

What's Changed

  • fix: fixed to be more properly timing safe (Merge commit from fork 91def7ca)

Full Changelog: https://github.com/honojs/hono/compare/v4.11.9...v4.11.10

18 days ago
hono
honojs

v4.11.9

What's Changed

Full Changelog: https://github.com/honojs/hono/compare/v4.11.8...v4.11.9

21 days ago
hono
honojs

v4.11.8

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.11.7...v4.11.8

2026-01-27 17:53:33
hono
honojs

v4.11.7

Security Release

This release includes security fixes for multiple vulnerabilities in Hono and related middleware. We recommend upgrading if you are using any of the affected components.

IP Restriction Middleware

Fixed an IPv4 address validation bypass that could allow IP-based access control to be bypassed under certain configurations.

Cache Middleware

Fixed an issue where responses marked with Cache-Control: private or no-store could be cached, potentially leading to information disclosure on some runtimes.

Serve Static Middleware (Cloudflare Workers adapter)

Fixed an issue that could allow unintended access to internal asset keys when serving static files with user-controlled paths.

hono/jsx ErrorBoundary

Fixed a reflected Cross-Site Scripting (XSS) issue in the ErrorBoundary component that could occur when untrusted strings were rendered without proper escaping.

Recommendation

Users are encouraged to upgrade to this release, especially if they:

  • Use IP Restriction Middleware
  • Use Cache Middleware on Deno, Bun, or Node.js
  • Use Serve Static Middleware with user-controlled paths on Cloudflare Workers
  • Render untrusted data inside ErrorBoundary components

Security Advisories & CVEs

Full Changelog: https://github.com/honojs/hono/compare/v4.11.6...v4.11.7

2026-01-26 22:47:13
hono
honojs

v4.11.6

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.11.5...v4.11.6

2026-01-22 09:10:27
hono
honojs

v4.11.5

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.11.4...v4.11.5