v0.23.0

Compare Source

Minor Changes

• #​295 c81946732953c3dec4d8c41217654eb9ce30ddc9 Thanks @​3w36zj6! - add base option to configure application routing base path

v0.22.0

Compare Source

Minor Changes

• #​296 a9aa4b0a294c11b3702002a0a517e04d9afb7ab4 Thanks @​nakasyou! - support .vue and .svelte for excluding

v0.21.1

Compare Source

Patch Changes

• #​293 59de7dc8653971297692503b61e42f7f0c2f4ed9 Thanks @​chtushar! - feat: add support for TanStack Router code splitting in dev-server

v0.21.0

Compare Source

Minor Changes

• #​286 6313a175bbe20002840ef7b1d781be06ae7aab62 Thanks @​Its-Just-Nans! - use the vitejs base for the vite injection

v0.20.1

Compare Source

Patch Changes

• #​281 275a177401b7c8402890c0089ad90f4ed95dbf8f Thanks @​yusukebe! - fix: inject vite client script at end of streaming response

v0.20.0

Compare Source

Minor Changes

• #​252 56d7c63933da084418bf9798b151d2fee696fa95 Thanks @​Hill-98! - feat: add getConnInfo helper function

v0.19.1

Compare Source

Patch Changes

• #​264 2eb66db9b43131e4b41417e2ddc31ebf16db383e Thanks @​zachnoble! - chore: bump @hono/node-server to 1.14.2

v0.19.0

Compare Source

Minor Changes

• #​235 367d2b088c14c29ae12701ab702305209b1959ce Thanks @​yusukebe! - feat: add handleHotUpdate option

v0.18.3

Compare Source

Patch Changes

• #​233 1dbcbb8654739f54beb0e4082b3639f4f4a9468f Thanks @​yusukebe! - fix: enable HMR for client-side

v0.18.2

Compare Source

Patch Changes

• #​231 eb196d52a7f2059540c64a9c0b94298d49a00b90 Thanks @​yusukebe! - fix: support hot reload for Vite6

• #​228 5153b84779b279274836512f7172c53e5cc11ae7 Thanks @​mo36924! - fix: Fixed problem with source map not working when reading entry files

v0.18.1

Compare Source

Patch Changes

• #​212 01d28ca426646f4b75754767baeb41a11e0d8dfd Thanks @​gobengo! - dev-server plugin getRequestListener fetchCallback now always returns Promise instead of sometimes returning Promise

v0.7.4

Compare Source

Patch Changes

• #​1502 d6102352531aa3f030051f0b85065bd1051ebdac Thanks @​BThero! - Fix a minor Zod v4 error type inference bug

v0.7.3

Compare Source

Patch Changes

• #​1436 713a9392f9adf521920d2d814894c4433ae718bf Thanks @​yusukebe! - fix: correct fallback behavior when using coerce

v0.7.2

Compare Source

Patch Changes

• #​1315 c6a16ab7aa8fba2403d4294e7673f96796020c65 Thanks @​yusukebe! - fix: support transform

v0.7.1

Compare Source

Patch Changes

• #​1302 9f6278f51c846a171a9baa6335fb8fbd9b42cb1c Thanks @​kiki-kanri! - correctly set the zod version to follow the official website doc

• #​1302 9f6278f51c846a171a9baa6335fb8fbd9b42cb1c Thanks @​kiki-kanri! - upgrade zod to v4 and import style to be more tree-shakeable in README.md

v0.7.0

Compare Source

Minor Changes

• #​1180 5c3f61f889f5d96f2ff4a79c9df89c03e25dd7f3 Thanks @​yusukebe! - feat: update peerDependency to Zod ^3.25.0 and fix the types

v0.6.0

Compare Source

Minor Changes

• #​1173 a62b59f4505d10f41523a36ad7c02776f9e1cb01 Thanks @​yusukebe! - feat: support Zod v4

v0.5.0

Compare Source

Minor Changes

• #​1140 8ed99d9d791ed6bd8b897c705289b0464947e632 Thanks @​yusukebe! - feat: add validationFunction option

v0.4.3

Compare Source

Patch Changes

• #​968 b65d5a58616f861520047dd08babc9cd1d81cbd1 Thanks @​yusukebe! - fix: fix commonjs import problem

v3.2.0

Compare Source

What's Changed

• case sensitive is off by @​Rupreht in #​19
• Adding 1.8.0 stuff by @​dcarbone in #​20

New Contributors

• @​Rupreht made their first contribution in #​19

Full Changelog: dcarbone/install-jq-action@v3.1.1...v3.2.0

v3.1.1

Compare Source

What's Changed

• 1.7.1 for windows and some small cleanup by @​dcarbone in #​17

Full Changelog: dcarbone/install-jq-action@v3...v3.1.1

v3.1.0

Compare Source

What's Changed

• bumping default to jq 1.7.1 by @​dcarbone in #​16

Full Changelog: dcarbone/install-jq-action@v3...v3.1.0

v4.10.1

Compare Source

What's Changed

• fix(types): cannot .use non-return mw from createMiddleware by @​NamesMT in #​4465

Full Changelog: honojs/hono@v4.10.0...v4.10.1

v4.10.0

Compare Source

Release Notes

Hono v4.10.0 is now available!

This release brings improved TypeScript support and new utilities.

The main highlight is the enhanced middleware type definitions that solve a long-standing issue with type safety for RPC clients.

Middleware Type Improvements

Imagine the following app:

import { Hono } from 'hono'

const app = new Hono()

const routes = app.get(
  '/',
  (c) => {
    return c.json({ errorMessage: 'Error!' }, 500)
  },
  (c) => {
    return c.json({ message: 'Success!' }, 200)
  }
)

The client with RPC:

import { hc } from 'hono/client'

const client = hc<typeof routes>('/')

const res = await client.index.$get()

if (res.status === 500) {
}

if (res.status === 200) {
}

Previously, it couldn't infer the responses from middleware, so a type error was thrown.

Now the responses are correctly typed.

This was a long-standing issue and we were thinking it was super difficult to resolve it. But now come true.

Thank you for the great work @​slawekkolodziej!

cloneRawRequest Utility

The new cloneRawRequest utility allows you to clone the raw Request object after it has been consumed by validators or middleware.

import { cloneRawRequest } from 'hono/request'

app.post('/api', async (c) => {
  const body = await c.req.json()

  // Clone the consumed request
  const clonedRequest = cloneRawRequest(c.req)
  await externalLibrary.process(clonedRequest)
})

Thanks @​kamaal111!

New features

• feat(types): passing middleware types #​4393
• feat(ssg): add default plugin that defines the recommended behavior #​4394
• feat(request): add cloneRawRequest utility for request cloning #​4382

All changes

• feat(types): passing middleware types by @​slawekkolodziej in #​4393
• feat(ssg): add default plugin that defines the recommended behavior by @​3w36zj6 in #​4394
• feat(request): add cloneRawRequest utility for request cloning by @​kamaal111 in #​4382
• fix(proxy): Correct hop-by-hop header handling per RFC 9110 by @​sugar-cat7 in #​4459

New Contributors

• @​slawekkolodziej made their first contribution in #​4393
• @​kamaal111 made their first contribution in #​4382

Full Changelog: honojs/hono@v4.9.12...v4.10.0

v4.9.12

Compare Source

What's Changed

• refactor: internal structure of PreparedRegExpRouter for optimization and added tests by @​usualoma in #​4456
• refactor: use protected methods instead of computed properties to allow tree shaking by @​usualoma in #​4458

Full Changelog: honojs/hono@v4.9.11...v4.9.12

v4.9.11

Compare Source

What's Changed

• fix(types): fix 4.9.8 regression by @​aadito123 in #​4448
• feat(reg-exp-router): Introduced PreparedRegExpRouter by @​usualoma in #​1796

New Contributors

• @​aadito123 made their first contribution in #​4448

Full Changelog: honojs/hono@v4.9.10...v4.9.11

v4.9.10

Compare Source

What's Changed

• fix(context): Fix #​4427 type regression by removing non-public export by @​aantthony in #​4433
• fix(aws-lambda): sanitize non-ASCII header values to prevent ByteString errors by @​yusukebe in #​4437

Full Changelog: honojs/hono@v4.9.9...v4.9.10

v4.9.9

Compare Source

What's Changed

• fix(service-worker): Update service-worker fire() to accept generic variants of Hono app instance by @​harmony7 in #​4420
• fix(service-worker): correct generics for handle by @​yusukebe in #​4421
• feat(helper/route): enable to get route path at specific index by @​usualoma in #​4423

New Contributors

• @​harmony7 made their first contribution in #​4420

Full Changelog: honojs/hono@v4.9.8...v4.9.9

v4.9.8

Compare Source

What's Changed

• fix(types): JSONParsed infer unknown values by @​BarryThePenguin in #​4405
• refactor(types): remove SimplifyDeepArray from json types by @​BarryThePenguin in #​4406
• refactor(types): fix the type definitions in hono-base by @​yusukebe in #​4407
• fix(request): return empty string for empty catch-all param by @​amitksingh0880 in #​4395

New Contributors

• @​amitksingh0880 made their first contribution in #​4395

Full Changelog: honojs/hono@v4.9.7...v4.9.8

v4.9.7

Compare Source

Security

• Fixed an issue in the bodyLimit middleware where the body size limit could be bypassed when both Content-Length and Transfer-Encoding headers were present. If you are using this middleware, please update immediately. Security Advisory

What's Changed

• fix(client): Fix parseResponse not parsing json in react native by @​lr0pb in #​4399
• chore: add .tool-versions file by @​3w36zj6 in #​4397
• chore: update bun install commands to use --frozen-lockfile by @​3w36zj6 in #​4398
• test(jwk): Add tests of JWK token verification by @​buckett in #​4402

New Contributors

• @​lr0pb made their first contribution in #​4399
• @​buckett made their first contribution in #​4402

Full Changelog: honojs/hono@v4.9.6...v4.9.7

v4.9.6

Compare Source

Security

Fixed a bug in URL path parsing (getPath) that could cause path confusion under malformed requests.

If you rely on reverse proxies (e.g. Nginx) for ACLs or restrict access to endpoints like /admin, please update immediately.

See advisory for details: GHSA-9hp6-4448-45g2

What's Changed

• chore: update packages in the router bench by @​yusukebe in #​4386
• chore(benchmarks): remove comment-out from router bench by @​yusukebe in #​4387

Full Changelog: honojs/hono@v4.9.5...v4.9.6

v4.9.5

Compare Source

What's Changed

• chore: replace supertest with undici by @​BarryThePenguin in #​4365
• fix(aws-lambda): preserve percent-encoded values in query strings by @​yusukebe in #​4372
• feat(cors): Allow async functions for origin and allowMethods by @​jobrk in #​4373
• feat(cors): Correct origin function return type asynchronously returning null or undefined for origin by @​jobrk in #​4375
• fix(service-worker): correct args for app.fetch in handle by @​yusukebe in #​4374
• fix(language-detector): Detect language from path after getPath changed by @​iflamed in #​4369

New Contributors

• @​jobrk made their first contribution in #​4373
• @​iflamed made their first contribution in #​4369

Full Changelog: honojs/hono@v4.9.4...v4.9.5

v4.9.4

Compare Source

What's Changed

• chore: add a type cast to run deno publish by @​yusukebe in #​4364

Full Changelog: honojs/hono@v4.9.3...v4.9.4

v4.9.3

Compare Source

What's Changed

• feat(csrf): Add modern CSRF protection with Fetch Metadata support by @​meck93 in #​4353
• tests: use vitest projects by @​BarryThePenguin in #​4359
• feat(proxy): add customFetch option to allow custom fetch function by @​yusukebe in #​4360
• chore: update typescript to 5.9.2 by @​yusukebe in #​4362
• chore: add packageManager field to package.json by @​yusukebe in #​4363

Full Changelog: honojs/hono@v4.9.2...v4.9.3

v4.9.2

Compare Source

What's Changed

• fix(jsx): 'plaintext-only' value for contenteditable attribute by @​object1037 in #​4349
• fix(client): handle query parameters in removeIndexString by @​yusukebe in #​4352

New Contributors

• @​object1037 made their first contribution in #​4349

Full Changelog: honojs/hono@v4.9.1...v4.9.2

v4.9.1

Compare Source

What's Changed

• feat(parseResponse): set DetailedError.name (+ error tests) by @​NamesMT in #​4344
• fix(parseResponse): should not include error responses in result by @​NamesMT in #​4348

Full Changelog: honojs/hono@v4.9.0...v4.9.1

v4.9.0

Compare Source

Release Notes

Hono v4.9.0 is now available!

This release introduces several enhancements and utilities.

The main highlight is the new parseResponse utility that makes it easier to work with RPC client responses.

parseResponse Utility

The new parseResponse utility provides a convenient way to parse responses from Hono RPC clients (hc). It automatically handles different response formats and throws structured errors for failed requests.

import { parseResponse, DetailedError } from 'hono/client'

// result contains the parsed response body (automatically parsed based on Content-Type)
const result = await parseResponse(client.hello.$get()).catch(
  // parseResponse automatically throws an error if response is not ok
  (e: DetailedError) => {
    console.error(e)
  }
)

This makes working with RPC client responses much more straightforward and type-safe.

Thanks @​NamesMT!

New features

• feat(bun): allow importing upgradeWebSocket and websocket directly #​4242
• feat(aws-lambda): specify content-type as binary #​4250
• feat(jwt): add validation for the issuer (iss) claim #​4253
• feat(jwk): add headerName to JWK middleware #​4279
• feat(cookie): add generateCookie and generateSignedCookie helpers #​4285
• feat(serve-static): use join to correct path resolution #​4291
• feat(jwt): expose utility function verifyWithJwks for external use #​4302
• feat: add parseResponse util to smartly parse hc's Response #​4314
• feat(ssg): mark old hook options as deprecated #​4331

All changes

• feat(aws-lambda): specify content-type as binary by @​Kanahiro in #​4250
• feat(jwt): added validation for the issuer (iss) claim by @​yolocat-dev in #​4253
• feat(jwk): Add custom headerName to JWK middleware by @​JoaquinGimenez1 in #​4279
• feat(cookie): generateCookie and generateSignedCookie helpers by @​Soviut in #​4285
• feat(serve-static): use join to correct path resolution by @​yusukebe in #​4291
• feat(jwt): Exposing utility function verifyWithJwks for external use by @​Beyondo in #​4302
• feat: add parseResponse util to smartly parse hc's Response by @​NamesMT in #​4314
• feat(ssg): mark old hook options as deprecated by @​3w36zj6 in #​4331
• fix(bun): exports functions related to websocket by @​yusukebe in #​4341
• Next by @​yusukebe in #​4340
• chore: enable skipLibCheck to resolve TypeScript compilation issues by @​yusukebe in #​4342

New Contributors

• @​yolocat-dev made their first contribution in #​4253
• @​JoaquinGimenez1 made their first contribution in #​4279
• @​Soviut made their first contribution in #​4285

Full Changelog: honojs/hono@v4.8.12...v4.9.0

v4.8.12

Compare Source

What's Changed

• fix(router): support /files/:name{.*} by @​yusukebe in #​4329

Full Changelog: honojs/hono@v4.8.11...v4.8.12

v4.8.11

Compare Source

What's Changed

• fix(types): should populate output type for c.body() by @​NamesMT in #​4318
• ci: add editorconfig-checker by @​3w36zj6 in #​4321
• fix(service-worker): pass FetchEvent as second argument to app.fetch by @​yusukebe in #​4328
• chore(ci): upgrade bun version to 1.2.19 by @​BarryThePenguin in #​4323
• chore: bump @hono/eslint-config by @​yusukebe in #​4330
• chore: autofix ci by @​BarryThePenguin in #​4322

Full Changelog: honojs/hono@v4.8.10...v4.8.11

v4.8.10

Compare Source

What's Changed

• chore: add EditorConfig by @​3w36zj6 in #​4309
• chore: format JSON, YAML, and Markdown by @​yusukebe in #​4310
• chore: format and lint benchmarks/* by @​yusukebe in #​4317
• refactor(types): bring adapter/service-worker types up to date by @​idealsh in #​4315
• chore: add editorconfig-checker by @​3w36zj6 in #​4312
• fix(cookie): support lowercase priority for compatibility with other libraries by @​bytaesu in #​4293

New Contributors

• @​idealsh made their first contribution in #​4315
• @​bytaesu made their first contribution in #​4293

Full Changelog: honojs/hono@v4.8.9...v4.8.10

v4.8.9

Compare Source

What's Changed

• fix(context): use isByteString in c.redirect by @​yusukebe in #​4307

Full Changelog: honojs/hono@v4.8.8...v4.8.9

v4.8.8

Compare Source

What's Changed

• docs: simplify the readme by @​yusukebe in #​4305
• fix(utils/url): prevent double encoding in safeEncodeURI by @​yusukebe in #​4306

Full Changelog: honojs/hono@v4.8.7...v4.8.8

v4.8.7

Compare Source

What's Changed

• chore: fix the deno version for publishing to jsr by @​yusukebe in #​4304

Full Changelog: honojs/hono@v4.8.6...v4.8.7

v4.8.6

Compare Source

What's Changed

• perf(types): remove unnecessary default types by @​yusukebe in #​4282
• fix(context): encode the redirect location by @​yayugu in #​4297

Full Changelog: honojs/hono@v4.8.5...v4.8.6

v4.8.5

Compare Source

What's Changed

• fix(serve-static): support Windows by @​yusukebe in #​3477

Full Changelog: honojs/hono@v4.8.4...v4.8.5

v4.8.4

Compare Source

What's Changed

• test: correct usages of Proxy to support Node.js 24 by @​yusukebe in #​4260
• fix(cookie): remove not used signingSecret option by @​yusukebe in #​4263
• fix(jsx): cloneElement didn't copy children by @​yayugu in #​4257
• fix(client): remove index string when calling $url() by @​yusukebe in #​4267
• fix(ssg): invoke callback when it's only a dynamic route by @​yusukebe in #​4249
• fix(request): req.json() keeps the content as is by @​yusukebe in #​4269

Full Changelog: honojs/hono@v4.8.3...v4.8.4

v4.8.3

Compare Source

What's Changed

• fix(cookie): use tryDecode when parsing cookie by @​yusukebe in #​4240
• fix(jsx): throw new Error instead of string by @​usualoma in #​4241
• fix(jwt): fix the JwtTokenIssuedAt error message by @​yusukebe in #​4244
• fix(jsx): Fix the JSXNode validation. Allow the function type for props.ref by @​yayugu in #​4236
• chore(cr): continuation release to pkg.pr.new by @​NEKOYASAN in #​4245

New Contributors

• @​yayugu made their first contribution in #​4236
• @​NEKOYASAN made their first contribution in #​4245

Full Changelog: honojs/hono@v4.8.2...v4.8.3

v4.8.2

Compare Source

What's Changed

• fix(utils/color): avoid resolving pacakages via Bun.build by @​ryuapp in #​4239

Full Changelog: honojs/hono@v4.8.1...v4.8.2

v4.8.1

Compare Source

What's Changed

• docs(bearer-auth): fix typo by @​Einherjar1632 in #​4238
• fix(utils/color): avoid unhandled scheme errors by @​ryuapp in #​4234

New Contributors

• @​Einherjar1632 made their first contribution in #​4238

Full Changelog: honojs/hono@v4.8.0...v4.8.1

v4.8.0

Compare Source

Release Notes

Hono v4.8.0 is now available!

This release enhances existing features with new options and introduces powerful helpers for routing and static site generation. Additionally, we're introducing new third-party middleware packages.

• Route Helper
• JWT Custom Header Location
• JSX Streaming Nonce Support
• CORS Dynamic allowedMethods
• JWK Allow Anonymous Access
• Cache Status Codes Option
• Service Worker fire() Function
• SSG Plugin System

Plus new third-party middleware:

• MCP Middleware
• UA Blocker Middleware
• Zod Validator v4 Support

Let's look at each of these.

Reduced the code size

First, this update reduces the code size! The smallest hono/tiny package has been reduced by about 800 bytes from v4.7.11, bringing it down to approximately 11 KB. When gzipped, it's only 4.5 KB. Very tiny!

Route Helper

New route helper functions provide easy access to route information and path utilities.

import { Hono } from 'hono'
import {
  matchedRoutes,
  routePath,
  baseRoutePath,
  basePath,
} from 'hono/route'

const api = new Hono()

api.get('/users/:id/posts/:postId', (c) => {
  const matched = matchedRoutes(c) // Array of matched route handlers
  const current = routePath(c) // '/api/users/:id/posts/:postId'
  const base = baseRoutePath(c) // '/api' Base route path
  const appBase = basePath(c) // '/api' Base path
  return c.json({ matched, current, base, appBase })
})

const app = new Hono()
app.route('/api', api)

export default app

These helpers make route introspection cleaner and more explicit.

Thanks @​usualoma!

JWT Custom Header Location

JWT middleware now supports custom header locations beyond the standard Authorization header. You can specify any header name to retrieve JWT tokens from.

import { Hono } from 'hono'
import { jwt } from 'hono/jwt'

const app = new Hono()

app.use(
  '/api/*',
  jwt({
    secret: 'secret-key',
    headerName: 'X-Auth-Token', // Custom header name
  })
)

app.get('/api/protected', (c) => {
  return c.json({ message: 'Protected resource' })
})

This is useful when working with APIs that use non-standard authentication headers.

Thanks @​kunalbhagawati!

JSX Streaming Nonce Support

JSX streaming now supports nonce values for Content Security Policy (CSP) compliance. The streaming context can include a nonce that gets applied to inline scripts.

import { Hono } from 'hono'
import {
  renderToReadableStream,
  Suspense,
  StreamingContext,
} from 'hono/jsx/streaming'

const app = new Hono()

app.get('/', (c) => {
  const stream = renderToReadableStream(
    <html>
      <body>
        <StreamingContext
          value={{ scriptNonce: 'random-nonce-value' }}
        >
          <Suspense fallback={<div>Loading...</div>}>
            <AsyncComponent />
          </Suspense>
        </StreamingContext>
      </body>
    </html>
  )

  return c.body(stream, {
    headers: {
      'Content-Type': 'text/html; charset=UTF-8',
      'Transfer-Encoding': 'chunked',
      'Content-Security-Policy':
        "script-src 'nonce-random-nonce-value'",
    },
  })
})

Thanks @​usualoma!

CORS Dynamic allowedMethods

CORS middleware now supports dynamic allowedMethods based on the request origin. You can provide a function that returns different allowed methods depending on the origin.

import { Hono } from 'hono'
import { cors } from 'hono/cors'

const app = new Hono()

app.use(
  '*',
  cors({
    origin: ['https://example.com', 'https://api.example.com'],
    allowMethods: (origin) => {
      if (origin === 'https://api.example.com') {
        return ['GET', 'POST', 'PUT', 'DELETE']
      }
      return ['GET', 'POST'] // Default for other origins
    },
  })
)

This enables fine-grained control over CORS policies per origin.

Thanks @​Kanahiro!

JWK Allow Anonymous Access

JWK middleware now supports anonymous access with the allow_anon option. When enabled, requests without valid tokens can still proceed to your handlers.

import { Hono } from 'hono'
import { jwk } from 'hono/jwk'

const app = new Hono()

app.use(
  '/api/*',
  jwk({
    jwks_uri: 'https://example.com/.well-known/jwks.json',
    allow_anon: true,
  })
)

app.get('/api/data', (c) => {
  const payload = c.get('jwtPayload')
  if (payload) {
    return c.json({ message: 'Authenticated user', user: payload })
  }
  return c.json({ message: 'Anonymous access' })
})

Additionally, keys and jwks_uri options now support functions that receive the context, enabling dynamic key resolution.

Thanks @​Beyondo!

Cache Status Codes Option

Cache middleware now allows you to specify which status codes should be cached using the cacheableStatusCodes option.

import { Hono } from 'hono'
import { cache } from 'hono/cache'

const app = new Hono()

app.use(
  '*',
  cache({
    cacheName: 'my-cache',
    cacheControl: 'max-age=3600',
    cacheableStatusCodes: [200, 404], // Cache both success and not found responses
  })
)

Thanks @​miyamo2!

Service Worker fire() Function

A new fire() functi