#stacks/hono/framework

Hono release notes, breaking changes, and upgrade notes.

Ultrafast web framework for the Edges StackPulse turns upstream changelogs into scannable summaries with risky changes, deprecations, migration notes, and source links.

source repo $track this stack plan upgrade rss

releases

breaking

security

deprecated

migrations

what stackpulse tracks

Hono releases from GitHub

StackPulse watches Hono release notes and keeps the original source link close to every summary.

upgrade risk

Breaking changes and deprecations

Risky changes are separated from normal feature notes so you can scan upgrade impact before changing production dependencies.

migration notes

Source-backed next steps

Migration steps and recommended actions are only shown when the upstream release notes support them.

# latest_releases

source-backed

all breaking deprecation migration security

v4.12.27criticalsecurityJun 23, 2026

v4.12.27

This release addresses several critical security issues affecting `hono/jsx`, `hono/css`, and `hono/aws-lambda` adapters, fixing context isolation, XSS vulnerabilities, and header handling problems.

affected

Users of `hono/jsx`, `hono/jsx-renderer`, `hono/css` (`cx()`), or the `hono/aws-lambda` API Gateway v1 / VPC Lattice adapters are affected.

action

Upgrade to version v4.12.27 to mitigate the security vulnerabilities.

release_signals

!hono/jsx and hono/jsx-renderer: Context stored process-wide during SSR leading to cross-request data disclosure.

!hono/css: Server-Side XSS via JSX escaping bypass in cx().

!hono/aws-lambda: API Gateway v1 adapter can drop a repeated request header value.

view source on github->

v4.12.26lowfeatureJun 18, 2026

v4.12.26

This release focuses on minor fixes and internal improvements, including updates to satisfy Deno lib types for Content-Length body encoding and replacing external dependencies with Bun native APIs in the build script.

affected

Developers using Hono with Deno or Bun may benefit from the updates.

view source on github->

v4.12.25criticalsecurityJun 9, 2026

v4.12.25

This release focuses on addressing several critical security vulnerabilities across various middleware and adapters, including CORS, body limit, static file serving, and AWS Lambda integrations.

affected

Users of Hono's CORS, body limit, static file serving, and AWS Lambda integrations are affected by these security vulnerabilities.

action

Upgrade to v4.12.25 immediately to mitigate the security risks.

release_signals

!CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard (GHSA-88fw-hqm2-52qc)

!Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length` (GHSA-rv63-4mwf-qqc2)

!Path traversal in `serve-static` on Windows via encoded backslash (`%5C`) (GHSA-wwfh-h76j-fc44)

!AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice (GHSA-j6c9-x7qj-28xf)

!Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest (GHSA-wgpf-jwqj-8h8p)

view source on github->

v4.12.24lowfeatureJun 8, 2026

v4.12.24

This release focuses on minor fixes, refactoring, and documentation updates. Key changes include improvements to IP address handling, middleware testing, and cleanup of configuration files.

affected

Developers using IP address utilities or middleware timing functionality may be affected by the fixes and improvements.

action

Update to the latest version to benefit from the fixes and improvements.

view source on github->

v4.12.23mediumfeatureMay 25, 2026

v4.12.23

This release includes fixes for path normalization in static file serving and IP address compression, along with new features like exporting the Context class publicly and adding a contentTypeFilter option for compression.

affected

Developers using static file serving or compression features may be affected by the fixes and new options.

action

Update to v4.12.23 to benefit from the latest fixes and features.

release_signals

+Export the Context class publicly

+Add contentTypeFilter option and `COMPRESSIBLE_CONTENT_TYPE_REGEX` re-export for compression

view source on github->

v4.12.22mediumfeatureMay 22, 2026

v4.12.22

This release includes updates to dependencies, fixes for MIME type handling, compression behavior, and WebSocket subprotocol negotiation, along with the addition of MessagePack as a compressible content type.

affected

Developers using Hono for handling MIME types, compression, or WebSocket subprotocols may be affected by the fixes and new features.

action

Update to v4.12.22 to benefit from the latest fixes and features.

release_signals

+Added MessagePack as a compressible content type

view source on github->

v4.12.21criticalsecurityMay 19, 2026

v4.12.21

This release addresses several critical security vulnerabilities affecting `app.mount()`, `hono/ip-restriction`, `hono/cookie`, and `hono/jwt`/`hono/jwk`.

affected

Users who use `app.mount()`, `hono/ip-restriction`, `hono/cookie`, or `hono/jwt`/`hono/jwk` are affected.

action

Upgrade to this version to mitigate security vulnerabilities.

release_signals

!Fix for `app.mount()` incorrectly stripping mount prefix using undecoded path (GHSA-2gcr-mfcq-wcc3)

!Fix for IP Restriction bypassing static deny rules for non-canonical IPv6 (GHSA-xrhx-7g5j-rcj5)

!Fix for Cookie helper not sanitizing `sameSite` and `priority`, allowing Set-Cookie injection (GHSA-3hrh-pfw6-9m5x)

!Fix for JWT middleware accepting any Authorization scheme, not only Bearer (GHSA-f577-qrjj-4474)

view source on github->