Pico

Originally published at getcommit.dev

Hono Has 35M Weekly Downloads and One npm Publisher

Hono is one of the hottest web frameworks in the JavaScript ecosystem right now. If you're building on Cloudflare Workers, Bun, or Deno — you've probably used it. 35 million weekly downloads. A GitHub star count in the tens of thousands. Fast, lightweight, TypeScript-first.

And a single npm publisher.

I ran hono through proof-of-commitment, a supply chain risk scorer that evaluates npm packages on behavioral signals — the kind of structural data that npm audit doesn't check. The result: CRITICAL.

npx proof-of-commitment hono
Package   Risk            Score  Publishers  Downloads    Age
─────────────────────────────────────────────────────────────
hono      🔴 CRITICAL     82     1           35.1M/wk     4.3y
  └ longevity=20 momentum=25 releases=20 publishers=4 github=13

Score of 82 out of 100. One npm publisher. 35 million weekly downloads.

What CRITICAL means

CRITICAL = sole publisher + >10M weekly downloads. That's the structural profile of a high-value attack target — not because hono is poorly maintained (it isn't), but because it's concentrated risk: one person holds the npm publish key for a package that runs in millions of production environments.

This is the same structural profile that made ua-parser-js an attack target. In October 2021, ua-parser-js was compromised — malicious versions were published that harvested credentials and mined crypto. npm audit showed zero issues beforehand. The structural profile (sole publisher, ~8M downloads/week) was exactly what made it a high-value target (CVE-2021-41265/CVE-2021-41266).

The tool doesn't predict that hono will be attacked. It identifies the conditions that make it a high-value target.

The score breakdown

The breakdown tells a more nuanced story:

  • Longevity: 20/25 — 4.3 years, solid but not ancient
  • Download momentum: 25/25 — 35M/week and growing fast (full marks)
  • Release consistency: 20/20 — actively maintained, regular releases
  • Publisher depth: 4/15 — this is where it falls apart
  • GitHub backing: 13/15 — strong

The package is well-maintained by yusukebe. It has excellent release cadence. The risk isn't abandonment — it's concentration. Everything that makes hono popular makes it a concentrated attack surface.

What this looks like in your project

If you have a package.json that depends on hono, run:

npx proof-of-commitment --file package.json

Or drop your package.json at getcommit.dev/audit.

You'll likely see hono flagged CRITICAL alongside zod (160M downloads/week, 1 publisher) and chalk (424M/week, 1 publisher). Three packages that power most modern TypeScript projects.

What to do with this

Nothing immediately needs to change. Hono is a great framework. yusukebe is an active maintainer. But:

  1. Know your concentrated risk. When you have sole-publisher packages at 10M+ downloads/week in your stack, those dependencies warrant extra attention to security advisories.

  2. Watch for unusual releases. Supply chain attacks like ua-parser-js (Oct 2021) involved malicious publishes, i.e. new versions that nobody was expecting. Knowing that a package is high-concentration means you pay closer attention when an unexpected version appears.

  3. Consider it in your threat model. CI/CD pipelines that auto-update dependencies are particularly exposed to this class of attack.
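As an added example (not code from the post or from proof-of-commitment itself), here is a small lockfile check that applies the CRITICAL rule from above (sole publisher + >10M weekly downloads) and flags any such dependency whose installed version was published only hours ago, which is exactly the case an auto-updating CI pipeline should pause on. It assumes npm's packument shape (`maintainers`, `time`) and a 72-hour cooling-off window; the registry data and versions are constructed, not hono's real metadata.

```javascript
const CRITICAL_DOWNLOADS = 10_000_000; // threshold stated in the post
const MAX_RELEASE_AGE_HOURS = 72;      // assumed CI cooling-off window

// The post's rule: one publisher and more than 10M weekly downloads.
function isCriticalProfile(publisherCount, weeklyDownloads) {
  return publisherCount === 1 && weeklyDownloads > CRITICAL_DOWNLOADS;
}

// Hours between a version's publish timestamp (packument `time` map) and `now`.
function releaseAgeHours(packument, version, now) {
  const published = packument.time && packument.time[version];
  return published ? (now - Date.parse(published)) / 3_600_000 : Infinity;
}

// Walk package-lock v2/v3 `packages` entries; return concentrated-risk findings.
function auditLock(lock, registry, now) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx < 0) continue;                  // root project entry, not a dep
    const name = path.slice(idx + 'node_modules/'.length); // keeps @scope/pkg
    const info = registry[name];
    if (!info) continue;
    const publishers = info.packument.maintainers.length;
    if (!isCriticalProfile(publishers, info.weeklyDownloads)) continue;
    const age = releaseAgeHours(info.packument, entry.version, now);
    findings.push({
      name, version: entry.version, publishers,
      weeklyDownloads: info.weeklyDownloads,
      recentRelease: age < MAX_RELEASE_AGE_HOURS, // pause auto-update if true
    });
  }
  return findings;
}

// Constructed sample input: publisher count and download figure follow the
// post; the versions and timestamps are invented for the example.
const NOW = Date.parse('2024-06-10T12:00:00Z');
const sampleLock = { packages: {
  '': { name: 'my-app' },
  'node_modules/hono': { version: '4.4.5' },
  'node_modules/team-lib': { version: '2.0.0' },
} };
const sampleRegistry = {
  hono: { weeklyDownloads: 35_100_000, packument: {
    maintainers: [{ name: 'yusukebe' }],
    time: { '4.4.4': '2024-05-20T00:00:00Z', '4.4.5': '2024-06-09T08:00:00Z' } } },
  'team-lib': { weeklyDownloads: 50_000_000, packument: {
    maintainers: [{ name: 'm1' }, { name: 'm2' }],
    time: { '2.0.0': '2024-06-10T00:00:00Z' } } },
};
console.log(auditLock(sampleLock, sampleRegistry, NOW));
```

In a real pipeline the `registry` map would be filled from the npm registry packument and the downloads point API for each lockfile entry, and a `recentRelease: true` finding would fail the auto-update job until a human has looked at the release.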

The tool doesn't tell you to stop using hono. It tells you that hono has the same structural profile as packages that have been attacked — and that's worth knowing.

proof-of-commitment is a zero-install CLI, GitHub Action, and MCP server for supply chain risk scoring. Try it live — pre-loaded with common packages, auto-runs on arrival.