Hono Web Framework

4.12.14 · active · verified Sat Apr 18

Hono is a small, simple, and ultrafast web framework built entirely on Web Standards. It supports a wide range of JavaScript runtimes including Cloudflare Workers, Fastly Compute, Deno, Bun, Vercel, AWS Lambda, Lambda@Edge, and Node.js. The current stable version is 4.12.14, with frequent patch releases addressing bug fixes and security vulnerabilities.

Common errors

```
TypeError: 'parseBody' is not a function
```
cause The `parseBody` method was incorrectly cached as a property within the request body, leading to a TypeError when accessed subsequently.

fix Upgrade Hono to v4.12.9 or later to resolve the caching issue for `parseBody`.
```
Malformed HTML output or unexpected attributes appearing in server-side rendered JSX using `hono/jsx`.
```
cause Improper validation of JSX attribute names during server-side rendering allowed malformed keys to corrupt the generated HTML output.

fix Upgrade Hono to v4.12.14 or later to fix JSX attribute name handling and prevent HTML corruption.
```
Unauthorized access to static files occurs when using `serveStatic` middleware with URLs containing repeated slashes (e.g., `//`).
```
cause A path normalization inconsistency in the `serveStatic` middleware allowed repeated slashes to bypass route-based middleware protections.

fix Upgrade Hono to v4.12.12 or later to patch the middleware bypass vulnerability in `serveStatic`.

Warnings

gotcha Hono/jsx SSR can generate malformed HTML or inject unintended attributes due to improper handling of JSX attribute names.
Fix: Upgrade Hono to v4.12.14 or newer.
gotcha The `serveStatic` middleware is vulnerable to path bypass via repeated slashes, potentially allowing unauthorized access to static files.
Fix: Upgrade Hono to v4.12.12 or newer to patch this middleware bypass vulnerability.
gotcha The `toSSG()` function used for static site generation has a path traversal vulnerability, which could lead to files being written outside the intended output directory.
Fix: Upgrade Hono to v4.12.12 or newer to prevent path traversal in `toSSG()`.
gotcha Using `parseBody({ dot: true })` can lead to prototype pollution due to improper handling of `__proto__` path segments.
Fix: Upgrade Hono to v4.12.7 or newer to ignore `__proto__` path segments during body parsing.

Install

npm install hono npm
yarn add hono yarn
pnpm add hono pnpm

Imports

Hono
```
import { Hono } from 'hono'
```
Hono primarily uses ES Modules and ships with TypeScript types.

Quickstart

A minimal Hono application that responds with 'Hono!' for requests to the root path.

import { Hono } from 'hono'

const app = new Hono()

app.get('/', (c) => c.text('Hono!'))

export default app

view raw JSON →