Hono is one of the hottest web frameworks in the JavaScript ecosystem right now. If you're building on Cloudflare Workers, Bun, or Deno — you've probably used it. 37 million weekly downloads. A GitHub star count in the tens of thousands. Fast, lightweight, TypeScript-first.
And a single npm publisher.
I ran hono through proof-of-commitment, a supply chain risk scorer that evaluates npm packages on behavioral signals — the kind of structural data that npm audit doesn't check. The result: CRITICAL.
```
npx proof-of-commitment hono

Package   Risk          Score   Publishers   Downloads   Age
─────────────────────────────────────────────────────────────
hono      🔴 CRITICAL   79      1            37.4M/wk    4.4y
  └ longevity=20 momentum=22 releases=20 publishers=4 github=13
```
Score of 79 out of 100. One npm publisher. 37 million weekly downloads.
What CRITICAL means
CRITICAL = sole npm publisher + >10M weekly downloads. That's the structural profile of a high-value attack target — not because hono is poorly maintained (it isn't), but because it's concentrated risk: one person holds the npm publish key for a package that runs in millions of production environments.
This is the same structural profile that made ua-parser-js an attack target. In October 2021, ua-parser-js was compromised — malicious versions were published that harvested credentials and mined crypto. npm audit showed zero issues beforehand. The structural profile (sole publisher, ~8M downloads/week) was exactly what made it a high-value target.
The tool doesn't predict that hono will be attacked. It identifies the conditions that make it a high-value target.
The score breakdown
The breakdown tells a more nuanced story:
- Longevity: 20/25 — 4.4 years, solid but not ancient
- Download momentum: 22/25 — 37M/week and growing
- Release consistency: 20/20 — actively maintained, regular releases
- Publisher depth: 4/15 — this is where it falls apart
- GitHub backing: 13/15 — strong community, 35+ contributors
The package is well-maintained by yusukebe. It has excellent release cadence. The risk isn't abandonment — it's concentration. Everything that makes hono popular makes it a concentrated attack surface.
How it compares
For context, here's how hono stacks up against other popular frameworks:
| Package | Score | Publishers | Downloads/wk | Risk |
|---|---|---|---|---|
| express | 90 | 5 | 95M | OK |
| hono | 79 | 1 | 37M | 🔴 CRITICAL |
| fastify | 88 | 3 | 12M | OK |
Express and Fastify both have multiple publishers. The difference isn't code quality — it's organizational resilience. If one express maintainer's credentials are stolen, four others still control access. With hono, there's one key.
What this looks like in your project
If you have a package.json that depends on hono, run:
```
npx proof-of-commitment --file package.json
```
Or drop your packages at getcommit.dev/audit.
You'll likely see hono flagged CRITICAL alongside zod (163M downloads/week, 1 publisher) and possibly chalk (436M/week, 1 publisher). Three packages that power most modern TypeScript projects.
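As an added example (not the proof-of-commitment tool's own code), here is the concentration rule stated above, one npm publisher and more than 10M weekly downloads means CRITICAL, applied to the dependencies of a package.json. The record shapes follow npm's public packument `maintainers` array and the downloads API's `{ downloads }` point response, but every figure and maintainer name below is constructed sample data rather than a live lookup.

```javascript
// Added example: flag concentrated-publisher risk in a package.json using
// the rule the post gives (sole publisher AND > 10M downloads/week => CRITICAL).
// This is not the proof-of-commitment tool's code.

const CRITICAL_DOWNLOADS_PER_WEEK = 10_000_000;

// Constructed sample dependency sections.
const packageJson = {
  dependencies: { hono: "^4.0.0", express: "^4.19.0", zod: "^3.23.0" },
  devDependencies: { fastify: "^4.26.0" },
};

// Constructed stand-in for two live lookups per package: the packument's
// `maintainers` array (registry.npmjs.org/<pkg>) and the downloads API
// point response (api.npmjs.org/downloads/point/last-week/<pkg>).
// Counts mirror the post's table; maintainer names are placeholders.
const fakeMaintainers = (n) => Array.from({ length: n }, (_, i) => ({ name: `m${i}` }));
const registry = {
  hono:    { maintainers: fakeMaintainers(1), downloads: 37_400_000 },
  express: { maintainers: fakeMaintainers(5), downloads: 95_000_000 },
  fastify: { maintainers: fakeMaintainers(3), downloads: 12_000_000 },
  zod:     { maintainers: fakeMaintainers(1), downloads: 163_000_000 },
};

// Apply the structural rule to one package's metadata.
function classify(meta) {
  const publishers = meta.maintainers.length;
  const critical = publishers === 1 && meta.downloads > CRITICAL_DOWNLOADS_PER_WEEK;
  return { publishers, downloads: meta.downloads, risk: critical ? "CRITICAL" : "OK" };
}

// Walk both dependency sections so dev-only packages are not missed.
// A package with no registry data is reported as UNKNOWN, never assumed OK.
function auditPackageJson(pkg, lookup) {
  const names = Object.keys({ ...(pkg.dependencies ?? {}), ...(pkg.devDependencies ?? {}) });
  return names.map((name) => {
    const meta = lookup[name];
    return meta ? { name, ...classify(meta) } : { name, risk: "UNKNOWN" };
  });
}

for (const r of auditPackageJson(packageJson, registry)) {
  console.log(`${r.name.padEnd(10)} ${r.risk}`);
}
```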
What to do with this
Nothing immediately needs to change. Hono is a great framework. yusukebe is an active maintainer. But:
Know your concentrated risk. When you have sole-publisher packages at 10M+ downloads/week in your stack, that's a dependency that warrants attention on security advisories.
Watch for unusual releases. Supply chain attacks like ua-parser-js involved malicious publishes — new versions that weren't expected. Knowing a package is high-concentration means you pay closer attention when something unusual appears.
Consider it in your threat model. CI/CD pipelines that auto-update dependencies are particularly exposed to this class of attack. The commit-action GitHub Action can flag these in PRs automatically.
The tool doesn't tell you to stop using hono. It tells you that hono has the same structural profile as packages that have been attacked — and that's worth knowing.
proof-of-commitment is a zero-install CLI, GitHub Action, and MCP server for supply chain risk scoring. Every npm package has a permanent profile page at getcommit.dev/npm/PACKAGE — try hono, zod, or chalk.