Hookwarden

@hookwarden/rules@0.6.0 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 2 known CVEs

Topics

cli developer-tools hmac php python static-analysis security signature-verification typescript webhook-security

Affected surfaces

auth deps

ReleasePort's take

Light signal

The @hookwarden/rules package v0.6.0 introduces 15 new provider rule packs and critical CVE detectors for Stripe secret bypasses.

Why it matters: Adds detection for high‑severity CVE‑2026‑41432 (severity 90) affecting JS/TS Stripe variants; operators should apply the update immediately to mitigate risk.

Summary

AI summary

Updates Patch Changes, Minor Changes, and c81cc40 across a mixed release.

Changes in this release

Security Critical

Adds CVE-2026-41432 Stripe empty-secret bypass detector for JS/TS variants 1,2,3,6.

Source: llm_adapter@2026-05-30

Confidence: high

Security High

Adds CVE-CORPUS-01 with 5 fixture pairs and drift-guard test ensuring corpus CVE mapping.

Source: llm_adapter@2026-05-30

Confidence: high

Feature Low

Adds 15 new provider rule packs (Zendesk, DocuSign, Intercom, Linear, HubSpot, Auth0, Mailchimp, Postmark, Datadog, Sentry, PagerDuty, Bitbucket, Notion, Calendly, Zoom).

Source: llm_adapter@2026-05-30

Confidence: high

Dependency Low

Updates @hookwarden/engine to 0.6.0 and @hookwarden/fix to 0.6.0.

Source: llm_adapter@2026-05-30

Confidence: high

Full changelog

Minor Changes

  • c81cc40: Phase 8.3 rule pack expansion. 15 new provider rule packs (Zendesk, DocuSign,
    Intercom, Linear, HubSpot, Auth0, Mailchimp, Postmark, Datadog, Sentry,
    PagerDuty, Bitbucket, Notion, Calendly, Zoom) + CVE-2026-41432 Stripe
    empty-secret bypass detector (JS/TS variants 1, 2, 3, 6 — variants 4 + 5 +
    Python + PHP deferred to Plan 17b) + CVE-CORPUS-01 with 5 fixture pairs and a
    drift-guard test asserting every CVE in the public corpus maps to a registered
    rule. Effective provider coverage 9 → ~31 (including Standard Webhooks
    conformant providers swept in via Phase 8.3 Plan 16). 517 → 700 rule pack
    tests. See CHANGELOG.md for the full release notes.

Patch Changes

Security Fixes

  • CVE-2026-41432 — Stripe empty‑secret bypass detector for JavaScript/TypeScript variants 1, 2, 3, and 6.
  • CVE-CORPUS-01 — Added rule pack with fixture pairs to assert mapping of every CVE in the public corpus to a registered rule.
