This release includes 2 security fixes for security teams reviewing exposed deployments.
ReleasePort's take
Light signal: The release adds 15 new provider rule packs and introduces a detector for CVE-2026-41432 in JS/TS variants.
Why it matters: CVE-2026-41432 detection (severity 90) alerts teams to Stripe empty‑secret bypasses across affected variants, prompting immediate review of related code paths.
Summary
AI summary: Added 15 new provider rule packs and two CVE detectors.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Adds CVE-2026-41432 Stripe empty-secret bypass detector for JS/TS variants 1, 2, 3, and 6. | — |
| Feature | Low | Adds 15 new provider rule packs (Zendesk, DocuSign, Intercom, Linear, HubSpot, Auth0, Mailchimp, Postmark, Datadog, Sentry, PagerDuty, Bitbucket, Notion, Calendly, Zoom). | — |
| Feature | Low | Adds CVE-CORPUS-01 with 5 fixture pairs and a drift-guard test ensuring corpus CVEs map to registered rules. | — |
| Dependency | Low | Updates dependency @hookwarden/engine to version 0.6.0. | — |

Source for all entries: llm_adapter@2026-05-30. Confidence: high.
Full changelog
Minor Changes
- c81cc40: Phase 8.3 rule pack expansion. 15 new provider rule packs (Zendesk, DocuSign,
Intercom, Linear, HubSpot, Auth0, Mailchimp, Postmark, Datadog, Sentry,
PagerDuty, Bitbucket, Notion, Calendly, Zoom) + CVE-2026-41432 Stripe
empty-secret bypass detector (JS/TS variants 1, 2, 3, 6 — variants 4 + 5 +
Python + PHP deferred to Plan 17b) + CVE-CORPUS-01 with 5 fixture pairs and a
drift-guard test asserting every CVE in the public corpus maps to a registered
rule. Effective provider coverage 9 → ~31 (including Standard Webhooks
conformant providers swept in via Phase 8.3 Plan 16). 517 → 700 rule pack
tests. See CHANGELOG.md for the full release notes.
Patch Changes
- Updated dependencies [c81cc40]
  - @hookwarden/engine@0.6.0
Security Fixes
- CVE-2026-41432 — Stripe empty‑secret bypass detector added for JS/TS
- CVE-CORPUS-01 — rule coverage test ensuring every public CVE maps to a registered rule