
Hookwarden

v0.1.1 Bugfix

This release fixes issues for SREs watching stability and regressions.

Published 1mo Secrets & Credentials
✓ No known CVEs patched

Topics

cli, developer-tools, hmac, php, python, static-analysis, security, signature-verification, typescript, webhook-security


Full changelog

v0.1.1 — release notes

Published: 2026-05-04
npm: [email protected]
Install: npx hookwarden scan ./your-app

What changed

A single targeted false-positive fix in the engine.

Fixed — stripe/raw-body-misuse no longer fires on inline express.raw middleware

Hookwarden previously flagged correct Stripe webhook handlers as not-verified when the raw-body middleware was passed inline as a route argument:

// BEFORE: hookwarden incorrectly flagged this as not-verified
app.post('/webhook', express.raw({ type: 'application/json' }), handler)

This is the canonical pattern from Stripe's own docs. The bug was in the engine's evidence-collection layer: text-search-based collectors couldn't see middleware passed as a route argument — only middleware registered via separate app.use() calls.

Fix: assembleHandler now bridges the parser's middleware_chain analysis (which sees inline route args) into the evidence overlay (which collectors read). All previously flagged code-correct examples now resolve to verified.

If you ran npx hookwarden scan against a Stripe webhook handler in v0.1.0 and saw stripe/raw-body-misuse fire on the pattern above, re-scan with v0.1.1 — the finding will resolve correctly.
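The blind spot described above, as an added example that is not Hookwarden's code: a deliberately simplified, regex-based collector that reads only app.use() registrations (the v0.1.0 behaviour the notes describe) next to one that also reads middleware passed inline as route arguments (what the fix bridges in). The function names, the text-matching approach and the sample sources are assumptions for illustration; only express.raw and the Stripe route pattern come from the notes.

```javascript
// Added example, not Hookwarden's own code: a deliberately simplified, regex-based
// evidence collector modelling the v0.1.0 blind spot described above. (The real analyzer parses code.)
// Split at top-level commas only, so `express.raw({ type: '...' })` stays one argument.
function splitArgs(text) {
  const args = ['']; let depth = 0;
  for (const ch of text) {
    if ('([{'.includes(ch)) depth++;
    else if (')]}'.includes(ch)) depth--;
    if (ch === ',' && depth === 0) args.push(''); else args[args.length - 1] += ch;
  }
  return args.map((a) => a.trim()).filter(Boolean);
}

// Argument lists of every `app.<method>(...)` call, matching parentheses by depth.
function callsOf(source, methods) {
  const re = new RegExp(`app\\.(?:${methods})\\s*\\(`, 'g'), calls = [];
  for (let m; (m = re.exec(source)) !== null; ) {
    const start = m.index + m[0].length;
    for (let i = start, depth = 1; i < source.length && depth > 0; i++) {
      if (source[i] === '(') depth++;
      else if (source[i] === ')' && --depth === 0) calls.push(splitArgs(source.slice(start, i)));
    }
  }
  return calls;
}
const pathOf = (arg) => (/^['"`]/.test(arg) ? arg.slice(1, -1) : null);

// Evidence source 1 (all a v0.1.0-style text collector saw): middleware
// registered through app.use(), either globally or for exactly `routePath`.
function useMiddleware(source, routePath) {
  return callsOf(source, 'use').flatMap((a) =>
    pathOf(a[0]) === null ? a : pathOf(a[0]) === routePath ? a.slice(1) : []);
}

// Evidence source 2 (what the fix bridges in): middleware passed inline as
// route arguments, i.e. everything between the path and the final handler.
function inlineMiddleware(source, routePath) {
  return callsOf(source, 'post|all').flatMap((a) =>
    a.length > 2 && pathOf(a[0]) === routePath ? a.slice(1, -1) : []);
}

// Notes' three-state vocabulary: 'verified' if the chain hands the route a raw body, else 'not-verified'.
const verdict = (chain) =>
  chain.some((mw) => /express\.raw\s*\(/.test(mw)) ? 'verified' : 'not-verified';
const verdictUseOnly = (src, p) => verdict(useMiddleware(src, p));
const verdictWithInline = (src, p) => verdict([...useMiddleware(src, p), ...inlineMiddleware(src, p)]);

// Constructed sample: the canonical Stripe pattern quoted in the release notes.
const INLINE_SAMPLE = "app.post('/webhook', express.raw({ type: 'application/json' }), handler)";
```

Run against INLINE_SAMPLE, verdictUseOnly returns 'not-verified' while verdictWithInline returns 'verified', which is exactly the false positive the release fixes; a route whose raw-body middleware is registered through app.use() is verified by both collectors.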

Verification

  • New e2e test: stripe-happy-path.test.ts covers the inline-middleware pattern end-to-end
  • Tightened EM-fail-on-low threshold post-fix to lock the regression-free baseline
  • All existing tests pass; SARIF round-trip against real GitHub Code Scanning is green

Engineering reflection

The bug was a perfect demonstration of why three-state verdicts matter. The legitimate handler was reported as not-verified rather than as a definitive bug, which is the system saying "I cannot prove this is safe via the path I follow." That's the correct epistemic posture — but in this case, the path the analyzer didn't follow was a path it should have. The fix didn't change the verdict semantics; it changed what evidence the analyzer could see. False positives are a feature only when they're honest.

Compatibility

No API changes. No CLI flag changes. No SARIF schema changes. Pure engine fix.

npx hookwarden@latest scan ./your-app

Coming next

We're watching install signal before deciding the next phase. If you've installed hookwarden and have a moment, the most useful thing you can do is open a GitHub issue at Hookwarden/hookwarden telling us:

  • Did it find a real bug? (We want to know.)
  • Did it false-positive? (We want to know more.)
  • Which package manager would you prefer to install through? (npm? Homebrew? pip? pre-commit hook?)

That last question decides whether 0.2 ships standalone binaries + Homebrew/Scoop/WinGet manifests, or skips that work entirely.


Beta — feedback welcome: [email protected]