{"id":10394,"library":"hono","title":"Hono Web Framework","description":"Hono is a small, simple, and ultrafast web framework built entirely on Web Standards. It supports a wide range of JavaScript runtimes including Cloudflare Workers, Fastly Compute, Deno, Bun, Vercel, AWS Lambda, Lambda@Edge, and Node.js. The current stable version is 4.12.14, with frequent patch releases addressing bug fixes and security vulnerabilities.","status":"active","version":"4.12.14","language":"javascript","source_language":"en","source_url":"https://github.com/honojs/hono","tags":["javascript","hono","web","app","http","application","framework","router","cloudflare","typescript"],"install":[{"cmd":"npm install hono","lang":"bash","label":"npm"},{"cmd":"yarn add hono","lang":"bash","label":"yarn"},{"cmd":"pnpm add hono","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"Hono primarily uses ES Modules and ships with TypeScript types.","symbol":"Hono","correct":"import { Hono } from 'hono'"}],"quickstart":{"code":"import { Hono } from 'hono'\n\nconst app = new Hono()\n\napp.get('/', (c) => c.text('Hono!'))\n\nexport default app","lang":"typescript","description":"A minimal Hono application that responds with 'Hono!' for requests to the root path."},"warnings":[{"fix":"Upgrade Hono to v4.12.14 or newer.","message":"Hono/jsx SSR can generate malformed HTML or inject unintended attributes due to improper handling of JSX attribute names.","severity":"gotcha","affected_versions":"<4.12.14"},{"fix":"Upgrade Hono to v4.12.12 or newer to patch this middleware bypass vulnerability.","message":"The `serveStatic` middleware is vulnerable to path bypass via repeated slashes, potentially allowing unauthorized access to static files.","severity":"gotcha","affected_versions":"<4.12.12"},{"fix":"Upgrade Hono to v4.12.12 or newer to prevent path traversal in `toSSG()`.","message":"The `toSSG()` function used for static site generation has a path traversal vulnerability, which could lead to files being written outside the intended output directory.","severity":"gotcha","affected_versions":"<4.12.12"},{"fix":"Upgrade Hono to v4.12.7 or newer to ignore `__proto__` path segments during body parsing.","message":"Using `parseBody({ dot: true })` can lead to prototype pollution due to improper handling of `__proto__` path segments.","severity":"gotcha","affected_versions":"<4.12.7"}],"env_vars":null,"last_verified":"2026-04-18T00:00:00.000Z","next_check":"2026-07-17T00:00:00.000Z","problems":[{"fix":"Upgrade Hono to v4.12.9 or later to resolve the caching issue for `parseBody`.","cause":"The `parseBody` method was incorrectly cached as a property within the request body, leading to a TypeError when accessed subsequently.","error":"TypeError: 'parseBody' is not a function"},{"fix":"Upgrade Hono to v4.12.14 or later to fix JSX attribute name handling and prevent HTML corruption.","cause":"Improper validation of JSX attribute names during server-side rendering allowed malformed keys to corrupt the generated HTML output.","error":"Malformed HTML output or unexpected attributes appearing in server-side rendered JSX using `hono/jsx`."},{"fix":"Upgrade Hono to v4.12.12 or later to patch the middleware bypass vulnerability in `serveStatic`.","cause":"A path normalization inconsistency in the `serveStatic` middleware allowed repeated slashes to bypass route-based middleware protections.","error":"Unauthorized access to static files occurs when using `serveStatic` middleware with URLs containing repeated slashes (e.g., `//`)."}],"ecosystem":"npm"}