This release includes 2 security fixes for security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal: The release adds 15 new provider rule packs and a detector for CVE-2026-41432 in JS/TS variants.
Why it matters: CVE-2026-41432 detection severity is high (severity 90); integrate the detector to protect Stripe integrations immediately.
Summary
AI summary: Added 15 new provider rule packs and CVE detectors expanding coverage to ~31 providers.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Adds CVE-2026-41432 Stripe empty-secret bypass detector for JS/TS variants 1, 2, 3, 6. Source: llm_adapter@2026-05-30. Confidence: high. | — |
| Feature | Low | Adds 15 new provider rule packs (Zendesk, DocuSign, Intercom, Linear, HubSpot, Auth0, Mailchimp, Postmark, Datadog, Sentry, PagerDuty, Bitbucket, Notion, Calendly, Zoom). Source: llm_adapter@2026-05-30. Confidence: high. | — |
| Feature | Low | Adds CVE-CORPUS-01 with 5 fixture pairs and a drift-guard test ensuring every public CVE maps to a registered rule. Source: llm_adapter@2026-05-30. Confidence: high. | — |
Full changelog
Minor Changes
- c81cc40: Phase 8.3 rule pack expansion. 15 new provider rule packs (Zendesk, DocuSign,
Intercom, Linear, HubSpot, Auth0, Mailchimp, Postmark, Datadog, Sentry,
PagerDuty, Bitbucket, Notion, Calendly, Zoom) + CVE-2026-41432 Stripe
empty-secret bypass detector (JS/TS variants 1, 2, 3, 6 — variants 4 + 5 +
Python + PHP deferred to Plan 17b) + CVE-CORPUS-01 with 5 fixture pairs and a
drift-guard test asserting every CVE in the public corpus maps to a registered
rule. Effective provider coverage 9 → ~31 (including Standard Webhooks
conformant providers swept in via Phase 8.3 Plan 16). 517 → 700 rule pack
tests. See CHANGELOG.md for the full release notes.
Security Fixes
- CVE-2026-41432 — Stripe empty-secret bypass detection for JS/TS (variants 1, 2, 3, 6)
- CVE-CORPUS-01 — added fixture pairs and drift-guard test to ensure all public CVEs map to registered rules