A Major Version Without a Single CVE
HTMX released its v4.0.0-beta5 this week, marking the fifth beta iteration of a major version milestone. For a framework that has accumulated over 44,000 GitHub stars, the release carries an unusual distinction: HTMX has never had a critical CVE assigned against it. Not in version 1, not in version 2, and not through the entire 4.0 development cycle. In a landscape where every major JavaScript framework maintains an active security advisory page, HTMX's track record is an outlier worth examining.
The Security Arithmetic of Less JavaScript
WebPulse scans across 466,000+ sites reveal a consistent pattern: attack surface correlates directly with JavaScript bundle size and dependency depth. WordPress, the dominant CMS by detection volume, carries 18,005 CVEs in the NVD. React's ecosystem, including its router, state management libraries, and build tooling, has accumulated dozens of advisories in 2026 alone. HTMX sidesteps this math entirely. By extending HTML with attributes rather than replacing it with a virtual DOM, the framework eliminates entire vulnerability classes: XSS through template injection, prototype pollution through deep object manipulation, and supply chain attacks through transitive dependencies.
The 4.0 release continues this philosophy. New features arrive as HTML attributes, not as JavaScript APIs requiring bundlers, transpilers, or build-time transforms. The total dependency count for an HTMX project remains what it was in version 1: zero npm packages required.
Enterprise Adoption Signal
HTMX's GitHub star trajectory tells a specific story about adoption timing. The project crossed 20,000 stars in late 2024 and has more than doubled since. That growth curve is steeper than what Angular, Vue, or Svelte showed at equivalent points in their lifecycles. More importantly, WebPulse detection data shows HTMX appearing in enterprise-grade deployments — financial services portals, government agency dashboards, and healthcare administration interfaces — categories where security compliance costs drive technology selection.
Version Parity Changes the Conversation
Version numbers carry symbolic weight in enterprise procurement. A framework at version 1.x reads as experimental. Version 4.0 reads as mature, maintained, and committed to backward compatibility. HTMX reaching this milestone while React sits at version 19 and Angular at version 22 does not make them equivalent in scope — but it does make HTMX a credible line item in an RFP response. For organizations evaluating framework risk, the question has shifted from whether HTMX is production-ready to whether the JavaScript-heavy alternatives can justify their accumulated security overhead.
What the Data Points To
WebPulse framework scoring evaluates seven dimensions, including security posture, community velocity, and AI-readiness. HTMX scores at the top of the security dimension — a perfect record is difficult to beat. Its community velocity score reflects the 4.0 milestone and sustained contributor engagement. The framework's constraint — it is not a full application framework and does not replace React for complex single-page applications — is also its strength. By doing less, it exposes less. For the growing number of applications where server-rendered HTML with selective interactivity is sufficient, HTMX 4.0 offers a proposition that no JavaScript framework can match: major version maturity with zero security debt.


