This release includes 2 security fixes for security teams reviewing exposed deployments.
ReleasePort's take
Light signal
Hookwarden 0.6.0 introduces a detector for CVE-2026-41432, the Stripe empty-secret bypass, covering JavaScript and TypeScript variants.
Why it matters: CVE‑2026‑41432 has severity 90; the new detector protects JS/TS applications using affected Stripe SDK versions.
Summary
AI summary: Updates Patch Changes, Minor Changes, and c81cc40 across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Adds CVE-2026-41432 Stripe empty-secret bypass detector for JS/TS variants 1, 2, 3, 6. | — |
| Feature | Low | Adds 15 new provider rule packs (Zendesk, DocuSign, Intercom, Linear, HubSpot, Auth0, Mailchimp, Postmark, Datadog, Sentry, PagerDuty, Bitbucket, Notion, Calendly, Zoom). | — |
| Feature | Low | Adds CVE-CORPUS-01 with 5 fixture pairs and a drift-guard test ensuring corpus coverage. | — |
| Dependency | Low | Updates dependencies: @hookwarden/[email protected], @hookwarden/[email protected], @hookwarden/[email protected]. | — |

Source for each row: llm_adapter@2026-05-30. Confidence: high.
Full changelog
Minor Changes
- c81cc40: Phase 8.3 rule pack expansion. 15 new provider rule packs (Zendesk, DocuSign,
Intercom, Linear, HubSpot, Auth0, Mailchimp, Postmark, Datadog, Sentry,
PagerDuty, Bitbucket, Notion, Calendly, Zoom) + CVE-2026-41432 Stripe
empty-secret bypass detector (JS/TS variants 1, 2, 3, 6 — variants 4 + 5 +
Python + PHP deferred to Plan 17b) + CVE-CORPUS-01 with 5 fixture pairs and a
drift-guard test asserting every CVE in the public corpus maps to a registered
rule. Effective provider coverage 9 → ~31 (including Standard Webhooks
conformant providers swept in via Phase 8.3 Plan 16). 517 → 700 rule pack
tests. See CHANGELOG.md for the full release notes.
Patch Changes
- Updated dependencies [c81cc40]
- @hookwarden/[email protected]
- @hookwarden/[email protected]
- @hookwarden/[email protected]
Security Fixes
- CVE-2026-41432 — Stripe empty-secret bypass detector for JS/TS variants 1, 2, 3, 6.
- CVE-CORPUS-01 — adds detection fixtures and drift‑guard test mapping all public CVEs to registered rules.