Hookwarden

v@hookwarden/[email protected] Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

Published 1mo ago. Category: Secrets & Credentials
✓ No known CVEs patched

Topics

cli developer-tools hmac php python static-analysis security signature-verification typescript webhook-security

Affected surfaces

auth rbac

Summary

AI summary

A mixed release: minor changes (new RuleDefinition fields and the Phase 4 CLI distribution surface) plus additive patch changes to the engine types (parse_candidates_count, D-64; the suppressed payload, D-63).

Full changelog

Minor Changes

  • 0a15cd1: feat(engine, rules): add provider_docs_url + path_severity_overrides to RuleDefinition

    D-57 RULES-05: per-rule path_severity_overrides (post-emit severity rewrite, no state change).
    D-58 RULES-08: provider_docs_url required field on every rule.
    Engine ships pure-functional applyPathSeverityOverrides helper; rules schema bumps Ajv strict shape.
    Smoke-rule github/missing-timing-safe-equal.yaml updated to satisfy new required field.

  • c7b39d1: Phase 4 — CLI distribution surface.

    The CLI is now usable in any CI environment:

    • --format json emits a versioned, sorted-keys JSON envelope (CLI-02; D-59)
    • --format sarif emits SARIF 2.1.0 conformant against the OASIS schema and uploads cleanly to GitHub Code Scanning (CLI-03 + CLI-11; D-60 + D-76)
    • Exit codes 0/1/2/3/4 with documented precedence 3 > 2 > 4 > 1 > 0 (CLI-04; D-65)
    • --fail-on severity threshold; suppressed findings never count (CLI-05; D-66)
    • Inline // hookwarden-disable-next-line <rule-id> comments (CLI-06; D-61)
    • .hookwardenignore (gitignore syntax) for path-level suppression (CLI-07; D-62)
    • --diff-only for CI acceleration (CLI-08; D-72 + D-74)
    • --baseline write / auto-read for non-greenfield adoption (CLI-10; D-68 + D-69 + D-70)
    • Bundle-inspection gate now runs on every release tag (CLI-09)
    • hookwarden.config.yaml config file with the full schema (D-75)

    Engine schema additive: ScanMetadata gains parse_candidates_count (D-64). Finding gains suppressed payload (D-63). Both additive — no breaking changes.

    Standalone binaries via bun build --compile (macOS arm64/x64, Linux x64/arm64, Windows x64) are deferred to Phase 4.x (D-73). Trigger to revisit: a measurable repeat-install metric on npx hookwarden, or a paying customer requesting an air-gapped install path.

Patch Changes

  • 89746ba: Engine ScanMetadata gains parse_candidates_count: number (D-64). Additive type bump; co-versioned across engine, rules, and CLI per D-05.
  • 43379cb: Engine Finding gains optional suppressed payload (D-63: { source: "inline" | "ignore" | "baseline", pattern?, comment?, baselined_at? }). Additive type bump; co-versioned across engine, rules, and CLI per D-05. CLI Phase 4 suppression annotator populates non-null values; engine emit sites set suppressed: null (or omit, since the field is optional).
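The CLI-05/CLI-06 bullets under Phase 4 and the D-63 suppressed payload above together describe how inline suppression feeds the --fail-on gate. The TypeScript below is an added example, not Hookwarden's own code: it assumes a minimal Finding shape around the documented suppressed fields, a four-level severity order, and that the smoke rule's id is github/missing-timing-safe-equal (taken from the YAML file name).

```typescript
// Added example, not Hookwarden's own code. Assumed: the Finding shape beyond
// the documented `suppressed` payload, the severity order, and the rule id.
type Severity = "low" | "medium" | "high" | "critical";
const SEVERITY_RANK: Record<Severity, number> = { low: 0, medium: 1, high: 2, critical: 3 };

// Payload shape as documented in the D-63 patch note.
interface Suppressed {
  source: "inline" | "ignore" | "baseline";
  pattern?: string; comment?: string; baselined_at?: string;
}
interface Finding {
  rule_id: string;
  path: string;
  line: number; // 1-based line the finding points at
  severity: Severity;
  suppressed: Suppressed | null; // engine emits null; the annotator fills it in
}

// Inline marker from CLI-06: `// hookwarden-disable-next-line <rule-id>`.
const DISABLE_NEXT_LINE = /\/\/\s*hookwarden-disable-next-line\s+([\w\/-]+)/;

// Suppression annotator: a finding is suppressed when the source line directly
// above it carries a disable comment naming its rule id. Inputs are not mutated.
function annotateInlineSuppressions(findings: Finding[], sources: Record<string, string[]>): Finding[] {
  return findings.map((f): Finding => {
    const prev = f.line >= 2 ? sources[f.path]?.[f.line - 2] : undefined;
    const m = prev === undefined ? null : DISABLE_NEXT_LINE.exec(prev);
    if (m !== null && m[1] === f.rule_id) {
      return { ...f, suppressed: { source: "inline", comment: m[0] } };
    }
    return f;
  });
}

// --fail-on gate (CLI-05): only unsuppressed findings at or above the threshold
// count, so a scan whose every hit is suppressed passes at any threshold.
function failsThreshold(findings: Finding[], threshold: Severity): boolean {
  return findings.some((f) => f.suppressed === null && SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]);
}

// Constructed sample input: one suppressed and one live hit of the smoke rule (no source is on file for src/other.ts).
const SAMPLE_SOURCE: Record<string, string[]> = {
  "src/webhook.ts": [
    "export function verify(sig: string, expected: string) {",
    "  // hookwarden-disable-next-line github/missing-timing-safe-equal",
    "  return sig === expected;",
  ],
};
const SAMPLE_FINDINGS: Finding[] = [
  { rule_id: "github/missing-timing-safe-equal", path: "src/webhook.ts", line: 3, severity: "high", suppressed: null },
  { rule_id: "github/missing-timing-safe-equal", path: "src/other.ts", line: 1, severity: "high", suppressed: null },
];
```

Note that the annotator only honours a comment whose rule id matches exactly, so a stale or misspelled id leaves the finding live and the gate still fails.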
