
Hono release notes, breaking changes, and upgrade notes.

Ultrafast web framework for the Edges.

StackPulse turns upstream changelogs into scannable summaries with risky changes, deprecations, migration notes, and source links.

releases: 7 | breaking: 0 | security: 3 | deprecated: 0 | migrations: 0


what stackpulse tracks

Hono releases from GitHub

StackPulse watches Hono release notes and keeps the original source link close to every summary.

upgrade risk

Breaking changes and deprecations

Risky changes are separated from normal feature notes so you can scan upgrade impact before changing production dependencies.

migration notes

Source-backed next steps

Migration steps and recommended actions are only shown when the upstream release notes support them.

# latest_releases

v4.12.27 (critical, security, Jun 23, 2026)

This release addresses several critical security issues affecting `hono/jsx`, `hono/css`, and `hono/aws-lambda` adapters, fixing context isolation, XSS vulnerabilities, and header handling problems.

affected

Users of `hono/jsx`, `hono/jsx-renderer`, `hono/css` (`cx()`), or the `hono/aws-lambda` API Gateway v1 / VPC Lattice adapters are affected.

action

Upgrade to version v4.12.27 to mitigate the security vulnerabilities.

release_signals
- hono/jsx and hono/jsx-renderer: Context stored process-wide during SSR leading to cross-request data disclosure.
- hono/css: Server-Side XSS via JSX escaping bypass in cx().
- hono/aws-lambda: API Gateway v1 adapter can drop a repeated request header value.
v4.12.25 (critical, security, Jun 9, 2026)

This release focuses on addressing several critical security vulnerabilities across various middleware and adapters, including CORS, body limit, static file serving, and AWS Lambda integrations.

affected

Users of Hono's CORS, body limit, static file serving, and AWS Lambda integrations are affected by these security vulnerabilities.

action

Upgrade to v4.12.25 immediately to mitigate the security risks.

release_signals
- CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard (GHSA-88fw-hqm2-52qc)
- Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length` (GHSA-rv63-4mwf-qqc2)
- Path traversal in `serve-static` on Windows via encoded backslash (`%5C`) (GHSA-wwfh-h76j-fc44)
- AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice (GHSA-j6c9-x7qj-28xf)
- Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest (GHSA-wgpf-jwqj-8h8p)
v4.12.21 (critical, security, May 19, 2026)

This release addresses several critical security vulnerabilities affecting `app.mount()`, `hono/ip-restriction`, `hono/cookie`, and `hono/jwt`/`hono/jwk`.

affected

Users who use `app.mount()`, `hono/ip-restriction`, `hono/cookie`, or `hono/jwt`/`hono/jwk` are affected.

action

Upgrade to this version to mitigate security vulnerabilities.

release_signals
- Fix for `app.mount()` incorrectly stripping mount prefix using undecoded path (GHSA-2gcr-mfcq-wcc3)
- Fix for IP Restriction bypassing static deny rules for non-canonical IPv6 (GHSA-xrhx-7g5j-rcj5)
- Fix for Cookie helper not sanitizing `sameSite` and `priority`, allowing Set-Cookie injection (GHSA-3hrh-pfw6-9m5x)
- Fix for JWT middleware accepting any Authorization scheme, not only Bearer (GHSA-f577-qrjj-4474)